Firewall Wizards mailing list archives
Re: Active to Passive FTP translator?
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Mon, 25 Nov 2002 22:09:50 +0100
"Dawes, Rogan (ZA - Johannesburg)" wrote:

> c) invent/discover an FTP proxy that translates client PASV requests into server Active requests. This has all the benefits of b), plus it does not allow an attack on the proxy to repeat through to the internal network. Does such a beast exist?
Yes, I believe it's been done for fwtk as a pure proxy, and we've done it in our firewall as a full proxy for the command channel and SPF for the data channel. There _might_ of course be more implementations, but I personally haven't heard of any.

> Are there any fundamental problems with the approach that I'm not seeing? As I see it, the proxy would simply wait for the server to make an incoming connection, the client to make an incoming connection, and tie the two together. That should also work for uploads, I think?
It works perfectly for all kinds of transfers, and can indeed protect against all data channel attacks, even 100% RFC compliant evil java applets, but there are a couple of gotchas:

- You need to be able to _selectively_ enforce FTP modes for the client and server end. You don't want to apply the same controls for everyone and e.g. keep clients coming in across the internet from speaking active mode. It's not your job to protect them, and they might not even be capable of speaking passive mode.

- It basically can't fail for protecting the server, as active mode is the best mode for the server and they all support it. It CAN however "fail" for the client, since there are clients that don't speak passive mode. Legacy financial systems and remote antivirus updates are notorious in this area. &#%¤&%#¤

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00  Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50  WWW: http://www.clavister.com
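The command-channel half of the translator discussed in this thread, as an added example that is not code from the post, from fwtk or from Clavister's product: the client may send PASV or PORT, but the server only ever receives a PORT pointing at the proxy's own listener, so each side's data connection terminates on the proxy and the two are spliced there. The addresses and ports are constructed, and the bounce check (a PORT endpoint must be the client's own control-connection address, on an unprivileged port) is my assumption of what a deployment would want.

```python
import re

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def encode_hostport(ip, port):
    """IPv4 address + port -> the h1,h2,h3,h4,p1,p2 tuple used by PORT and by 227 replies."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"{ip.replace('.', ',')},{port >> 8},{port & 0xFF}"

def decode_hostport(text):
    """(ip, port) from a PORT argument or a 227 reply; malformed or out-of-range tuples are rejected."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("value out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

class PasvToActiveProxy:
    # Per-session command-channel state: the client may use PASV or PORT, the server only ever sees PORT.
    def __init__(self, client_ip, client_listener, server_listener):
        self.client_ip = client_ip              # source address of the client's control connection
        self.client_listener = client_listener  # (ip, port) a PASV client is told to connect to (constructed)
        self.server_listener = server_listener  # (ip, port) the server is told to connect to in active mode
        self.client_data = None                 # (ip, port) the proxy itself connects to for a PORT client
        self.swallow_port_reply = False         # True while the server owes a reply to a PORT the proxy issued

    def on_client_command(self, line):
        """Return (reply_to_client, command_to_server); either may be None."""
        verb, _, arg = line.strip().upper().partition(" ")
        if verb == "PASV":
            # Answer the client here with the proxy's own listener, then ask the server for an active connection.
            self.swallow_port_reply = True
            reply = f"227 Entering Passive Mode ({encode_hostport(*self.client_listener)})."
            return reply, f"PORT {encode_hostport(*self.server_listener)}"
        if verb == "PORT":
            ip, port = decode_hostport(arg)
            # Only accept a data endpoint on the client itself and above the privileged range (bounce defence).
            if ip != self.client_ip or port < 1024:
                return "500 Illegal PORT command.", None
            self.client_data = (ip, port)
            return None, f"PORT {encode_hostport(*self.server_listener)}"  # server's 200 is relayed as-is
        return None, line.strip()

    def on_server_reply(self, line):
        """Hide the server's answer to a PORT the proxy issued after a client PASV (the client already got 227)."""
        if self.swallow_port_reply:
            self.swallow_port_reply = False
            return None if line.startswith("200") else "425 Can't open data connection."
        return line
```

A real deployment also needs the data-channel side (accept on both listeners, then copy bytes between the two sockets) and per-interface policy so that, as the post notes, internet clients are not forced into passive mode.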