FTP

“IPS” tab

The FTP plugin supports the main RFC [RFC959] as well as many extensions.

Enabling this plugin allows the prevention of large families of FTP-based application attacks. This plugin performs various analyses such as RFC compliance analysis, checks on FTP command parameter size, and restrictions on the protocol (SITE EXEC, for example). These analyses therefore allow stopping attacks such as FTP bounce, FTP PASV DoS, buffer overflow, etc. This plugin is indispensable when allowing FTP traffic to pass through the firewall and for dynamically managing FTP data connections.

Automatically detect and inspect the protocol

If this protocol has been enabled, it will automatically be used for discovering corresponding packets in filter rules.

Authentication

Allow SSL authentication

Enables SSL authentication for the protocol (FTP only). By selecting this option, personal data such as the login and password may be encrypted and therefore protected.

Do not scan the FTP authentication phase

No data scans will be performed during the authentication phase.

Size of elements (in bytes)

Imposing a maximum size for elements (in bytes) allows countering buffer overflow attacks.

Username

Maximum number of characters that a user name can contain. This value must be between 10 and 2048 bytes.

User password

Maximum number of characters for the FTP password. This value must be between 10 and 2048 bytes.

Path (directory + filename)

Maximum number of characters of the path taken by the program execution, or the path taken in the directory to reach the FTP file. This value must be between 10 and 2048 bytes.

SITE command

Maximum number of characters that the SITE command can contain (between 10 and 2048 bytes).

Other commands

Maximum number of characters that additional commands can contain (between 10 and 2048 bytes).

Support

Disable intrusion prevention

When this option is selected, the scan of the FTP protocol will be disabled and traffic will be authorized if the filter policy allows it.

Log each FTP request

Enables or disables the reporting of FTP logs.


“Proxy” tab

Filter the welcome banner sent by the FTP server

If this option is selected, the server’s banner will no longer be sent during an FTP connection.

Block FTP bounce

Allows the prevention of IP address spoofing. By executing the PORT command and by specifying an internal IP address, an external host may access confidential data by exploiting vulnerabilities in an FTP server or a host that is vulnerable to bounces.

Connection

Keep original source IP address

When a request is made by a web client (browser) to the server, the firewall will intercept it, check that the request complies with URL filter rules, and then relay the request.


If this option is selected, the new request will use the original source IP address of the web client that sent the packet. Otherwise, the firewall’s address will be used.

Authorized transfer modes

Between the client and the proxy

When the FTP client sends a request to the server, the proxy will first intercept the request in order to analyze it. From the FTP “client”’s point of view, the proxy corresponds to the server. This option allows defining the authorized transfer mode.


If Active only is specified, the FTP client will determine the connection port to use for transferring data. The FTP server will then initialize the connection from its data port (port 20) to the port specified by the client.


If Passive only is specified, the FTP server will determine the connection port to use for transferring data (data connection) and will transmit it to the client.


If Active and passive is specified, the FTP client will be able to choose between both transfer modes when configuring the firewall.

Between the proxy and the server

When the proxy has finished scanning the client request, it will transfer it to the FTP server, which will then interpret the proxy as the FTP client. Since the proxy has an intermediary role, it is transparent.


The authorized transfer modes are the same as for the previous option.
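The two proxy-side checks described above (the transfer-mode setting on each leg, and Block FTP bounce on the client's PORT command) can be expressed as a small validator. The following is an added example, not Stormshield code: the function names, the "active"/"passive"/"both" mode values and the extra check that the client's data port is not in the privileged range are assumptions, and the sample PORT argument and 227 reply are constructed.

```python
"""Data-connection address checks for an FTP proxy (added example).
Not the firewall's own code; names and the port >= 1024 rule are assumptions."""
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by PORT (client) and by the 227 reply (server)
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^" + HOSTPORT + r"$")
PASV_RE = re.compile(r"^227 .*\(" + HOSTPORT + r"\)")


def parse_hostport(groups):
    """Turn the six decimal fields into (IPv4Address, port); None if out of range."""
    nums = [int(g) for g in groups]
    if max(nums) > 255:
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), port


def mode_allows(mode, wanted):
    """mode is the tab's setting for one leg: 'active', 'passive' or 'both' (assumed names)."""
    return mode == "both" or mode == wanted


def check_port_command(arg, client_ip, mode="both"):
    """Client -> proxy PORT: enforce the transfer-mode setting and Block FTP bounce."""
    if not mode_allows(mode, "active"):
        return ("block", "active mode not authorized between client and proxy")
    m = PORT_RE.match(arg.strip())
    if not m:
        return ("block", "PORT argument is not h1,h2,h3,h4,p1,p2")
    parsed = parse_hostport(m.groups())
    if parsed is None:
        return ("block", "PORT octet or port out of range")
    ip, port = parsed
    if ip != ipaddress.IPv4Address(client_ip):
        # The data address must be the control connection's peer; a PORT that
        # names another host (e.g. an internal address) is the bounce pattern.
        return ("block", f"FTP bounce: data address {ip} != control peer {client_ip}")
    if port < 1024:
        # Not a setting shown on the page: an additional check (RFC 2577), assumed here.
        return ("block", f"data port {port} is in the privileged range")
    return ("pass", f"{ip}:{port}")


def check_pasv_reply(reply, server_ip, mode="both"):
    """Server -> proxy 227 reply: enforce the mode and that the data address is the server's."""
    if not mode_allows(mode, "passive"):
        return ("block", "passive mode not authorized between proxy and server")
    m = PASV_RE.match(reply.strip())
    if not m:
        return ("block", "227 reply carries no (h1,h2,h3,h4,p1,p2)")
    parsed = parse_hostport(m.groups())
    if parsed is None:
        return ("block", "227 octet or port out of range")
    ip, port = parsed
    if ip != ipaddress.IPv4Address(server_ip):
        return ("block", f"passive data address {ip} != server {server_ip}")
    return ("pass", f"{ip}:{port}")


if __name__ == "__main__":
    # Constructed sample exchange: one legitimate PORT, one bounce attempt, one 227 reply.
    print(check_port_command("10,0,0,5,4,1", "10.0.0.5"))
    print(check_port_command("10,0,0,9,4,1", "10.0.0.5"))
    print(check_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)", "192.0.2.10"))
```

The port in both directions is p1 * 256 + p2, so "4,1" is 1025 and "195,80" is 50000. The same comparison (data address equals the peer of the control connection) is what makes the proxy safe to use with "Keep original source IP address": on the client leg the reference address is the client, on the server leg it is the server.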

“Commands FTP” tab

Proxy

Main commands

Modify write commands button: This button sets the action for all write commands at once: Pass without scanning, Block, or Scan (check the syntax and that the command complies with the RFCs in force).

Modify all commands button: This button sets the action for generic commands as well as modification commands at once: Pass without scanning, Block, or Scan (check the syntax and that the command complies with the RFCs in force).


Command

Name of the command.

Action

Three possible actions: “Pass without scanning”, “Scan” and “Block”.

Command type

Indicates the type of command. “Writing” FTP commands defined in the RFCs can cause changes in the server, such as the deletion of data or even the creation of folders. These commands operate in the same way as for “generic” commands – you can authorize or prohibit a command or check that the command syntax complies with the RFC in force.

Other commands allowed

Additional commands, limited to 21 characters, can be added and deleted when necessary.

IPS

Authorized FTP commands

FTP commands can be defined in the intrusion prevention module by clicking on Add. They are limited to 115 characters and can be deleted when needed.

Prohibited FTP commands

FTP commands, limited to 115 characters, can be prohibited in the intrusion prevention module.

List of generic FTP commands and details of filtering

  • ABOR: Command that interrupts the transfer in progress. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • ACCT: Command that specifies the account to be used for connecting. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • ADAT: Command that sends security data for authentication. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • AUTH: Command that selects the security mechanism for authentication. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • CCC: Command that allows unprotected messages.
  • CDUP: Command that modifies the parent working folder. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • CONF: Command that specifies the “confidential” message used for authentication.
  • CWD: This command modifies the working folder. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • ENC: This command specifies the “private” message used for authentication. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • EPRT: This command enables the extended active transfer mode. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • EPSV: This command selects the extended passive transfer mode. This command has to be executed with at most one argument. This command is blocked by default.
  • FEAT: This command displays the extensions supported by the server. It does not accept arguments. The result of this command is filtered by the proxy if filtering has been requested on the FEAT command.
  • HELP: This command returns the details for a given command. This command has to be executed with at most one argument. By default, a scan will be performed to check RFC compliance.
  • LIST: This command lists the contents of a data location in a friendly way.
  • MDTM: This command displays the date of the last modification for a given file. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • MIC: This command specifies the “safe” message used for authentication. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • MLSD: This command displays the contents of the normalized folder. By default, a scan will be performed to check RFC compliance.
  • MLST: This command displays the information of the normalized folder. By default, a scan will be performed to check RFC compliance.
  • MODE: This command specifies the transfer mode. By default, a scan will be performed to check RFC compliance. This command is subject to additional filtering: it is only allowed with the arguments S, B, C and Z. If the antivirus analysis has been enabled, only argument S will be allowed.
  • NLST: This command lists the contents of a data location of the computer in a friendly way. By default, a scan will be performed to check RFC compliance.
  • NOOP: This command does not do anything. It does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • OPTS: This command specifies the status options for the given command. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • PASS: This command specifies the password used for the connection. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • PASV: This command selects the passive transfer mode. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • PBSZ: This command specifies the size of encoded blocks. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • PORT: This command selects the active transfer mode. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • PROT: This command specifies the level of protection. By default, a scan will be performed to check RFC compliance. This command is subject to additional filtering: it is allowed only with the arguments C, S, E and P.
  • PWD: This command displays the current working folder. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • QUIT: This command terminates the session in progress and the connection. By default, a scan will be performed to check RFC compliance.
  • REIN: This command terminates the session in progress (initialized with the user). By default, a scan will be performed to check RFC compliance.
  • REST: This command specifies the offset from which the transfer has to resume. By default, a scan will be performed to check RFC compliance. This command is subject to additional filtering: it is prohibited if the antivirus scan is running. Otherwise, the proxy will check that a single argument is present.
  • RETR: This command retrieves a given file. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • SITE: This command executes a command specific to the server. This command accepts only a single argument. By default, a scan will be performed to check RFC compliance.
  • SIZE: This command displays the transfer size for a given file. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • SMNT: This command modifies the data structure of the system in progress. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • STAT: This command displays the current status. By default, a scan will be performed to check RFC compliance.
  • STRU: This command specifies the structure of transferred data. By default, a scan will be performed to check RFC compliance. This command is subject to additional filtering: it is allowed only with the arguments F, R and P. If the antivirus scan has been enabled, only the argument F will be allowed.
  • SYST: This command displays the information about the server’s operating system. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • TYPE: This command specifies the type of data transferred. By default, a scan will be performed to check RFC compliance. This command is subject to additional filtering: it is allowed only with the arguments ASCII, EBCDIC, IMAGE, I, A, E and L. If the antivirus scan has been enabled, only the arguments ASCII, IMAGE, I and A will be allowed. The option L may be followed by a numeric argument. The options E, A, EBCDIC and ASCII accept the following arguments: N, C and T.
  • USER: This command specifies the name of the user for connecting.
  • XCUP: This command modifies the parent working folder. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.
  • XCWD: This command modifies the working folder. This command accepts one or several arguments. By default, a scan will be performed to check RFC compliance.
  • XPWD: This command displays the current working folder. This command does not accept arguments. By default, a scan will be performed to check RFC compliance.

List of FTP modification commands and details of filtering

  • ALLO: This command allocates the storage space on this server. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • APPE: This command appends to (or creates) the data location. This command is subject to additional filtering: it is prohibited if the antivirus scan has been enabled (risk of bypass). Otherwise, the presence of at least one argument will be checked for.
  • DELE: This command deletes a given file. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • MKD: This command creates a new folder. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • RMD: This command deletes the given folder. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • RNFR: This command selects a file that has to be renamed. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • RNTO: This command specifies the new name of the selected file. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • STOR: This command stores a given file. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • STOU: This command stores a given file with a unique name. This command does not accept arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • XMKD: This command creates a new folder. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
  • XRMD: This command deletes the given folder. It accepts one or several arguments. By default, a scan will be performed to check RFC compliance if the option “Enable modification commands” has been enabled. Otherwise, the command will be blocked.
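The argument-count rules, the restricted argument sets for MODE, PROT, STRU and TYPE, the antivirus-dependent prohibitions, the gating of modification commands, and the element size limits from the “IPS” tab all combine into one per-line decision. The following is an added example modelled on those lists; it is not Stormshield code. The byte limits are constructed values inside the 10..2048 range the page gives, the argument counts for commands the page does not specify (MODE, PROT, STRU, USER) and the mapping of commands to the “path” size class are assumptions, and the policy is stricter than a real proxy in that it blocks commands it does not know.

```python
"""Control-channel command filter modelled on the generic/modification command lists
(added example; not the firewall's code). Limits and unspecified counts are assumptions."""

# Constructed size limits in bytes, each inside the 10..2048 range of the IPS tab.
SIZE_LIMITS = {"username": 64, "password": 64, "path": 512, "site": 256, "other": 128}

# Argument rules taken from the page: "none" = no argument, "one" = exactly one,
# "many" = one or several, "atmost1" = zero or one, "any" = not counted.
GENERIC = {
    "ABOR": "none", "ACCT": "one", "ADAT": "one", "AUTH": "one", "CCC": "any",
    "CDUP": "none", "CONF": "any", "CWD": "many", "ENC": "one", "EPRT": "one",
    "EPSV": "atmost1", "FEAT": "none", "HELP": "atmost1", "LIST": "any",
    "MDTM": "many", "MIC": "one", "MLSD": "any", "MLST": "any", "MODE": "one",
    "NLST": "any", "NOOP": "none", "OPTS": "many", "PASS": "one", "PASV": "none",
    "PBSZ": "one", "PORT": "one", "PROT": "one", "PWD": "none", "QUIT": "any",
    "REIN": "any", "REST": "one", "RETR": "many", "SITE": "one", "SIZE": "many",
    "SMNT": "many", "STAT": "any", "STRU": "one", "SYST": "none", "TYPE": "any",
    "USER": "one", "XCUP": "none", "XCWD": "many", "XPWD": "none",
}
# Modification commands: scanned only when "Enable modification commands" is on.
MODIFY = {"ALLO": "many", "APPE": "many", "DELE": "many", "MKD": "many", "RMD": "many",
          "RNFR": "many", "RNTO": "many", "STOR": "many", "STOU": "none",
          "XMKD": "many", "XRMD": "many"}
BLOCKED_BY_DEFAULT = {"EPSV"}
# (allowed first argument, allowed first argument once the antivirus scan is enabled)
ARG_SETS = {
    "MODE": ({"S", "B", "C", "Z"}, {"S"}),
    "PROT": ({"C", "S", "E", "P"}, {"C", "S", "E", "P"}),
    "STRU": ({"F", "R", "P"}, {"F"}),
    "TYPE": ({"ASCII", "EBCDIC", "IMAGE", "I", "A", "E", "L"}, {"ASCII", "IMAGE", "I", "A"}),
}
AV_BLOCKED = {"REST", "APPE"}  # prohibited while the antivirus scan runs (bypass risk)
# Assumed: commands whose parameter is a path and so falls under the "Path" limit.
PATH_CMDS = {"CWD", "XCWD", "RETR", "STOR", "APPE", "DELE", "MKD", "XMKD", "RMD", "XRMD",
             "RNFR", "RNTO", "MDTM", "SIZE", "SMNT", "LIST", "NLST", "MLSD", "MLST", "STAT"}


def _count_ok(rule, n):
    return {"none": n == 0, "one": n == 1, "many": n >= 1, "atmost1": n <= 1, "any": True}[rule]


def _size_class(cmd):
    if cmd == "USER":
        return "username"
    if cmd == "PASS":
        return "password"
    if cmd == "SITE":
        return "site"
    return "path" if cmd in PATH_CMDS else "other"


def check_command(line, modify_enabled=False, antivirus=False, action=None):
    """Return ("pass"|"block", reason) for one control-channel line.

    action maps a command to its Action column value ("pass", "scan" or "block");
    unlisted commands use the page's default (scan, except EPSV which is blocked)."""
    action = action or {}
    cmd, _, rest = line.rstrip("\r\n").partition(" ")
    cmd, args = cmd.upper(), rest.split()
    if cmd in MODIFY and not modify_enabled:
        return ("block", f"{cmd}: modification commands disabled")
    rule = GENERIC.get(cmd) or MODIFY.get(cmd)
    if rule is None:
        return ("block", f"{cmd}: not an authorized command")
    verdict = action.get(cmd, "block" if cmd in BLOCKED_BY_DEFAULT else "scan")
    if verdict == "block":
        return ("block", f"{cmd}: blocked by policy")
    # Design choice (assumed): IPS size limits apply even to "Pass without scanning".
    limit = SIZE_LIMITS[_size_class(cmd)]
    if len(rest.encode()) > limit:
        return ("block", f"{cmd}: parameter exceeds {limit} bytes")
    if verdict == "pass":
        return ("pass", f"{cmd}: passed without scanning")
    if antivirus and cmd in AV_BLOCKED:
        return ("block", f"{cmd}: prohibited while antivirus scan is enabled")
    if not _count_ok(rule, len(args)):
        return ("block", f"{cmd}: argument count {len(args)} violates RFC syntax")
    if cmd in ARG_SETS:
        allowed = ARG_SETS[cmd][1 if antivirus else 0]
        if not args or args[0].upper() not in allowed:
            return ("block", f"{cmd}: argument not in {sorted(allowed)}")
        if cmd == "TYPE" and len(args) > 1:
            first, second = args[0].upper(), args[1].upper()
            if first == "L" and not second.isdigit():
                return ("block", "TYPE L: byte size must be numeric")
            if first in {"E", "A", "EBCDIC", "ASCII"} and second not in {"N", "C", "T"}:
                return ("block", "TYPE: format argument must be N, C or T")
    return ("pass", f"{cmd}: RFC syntax OK")
```

Running check_command over a session's lines with antivirus=True shows why the page ties REST and APPE to the antivirus setting: both let a client deliver a file in pieces that the scanner never sees whole, so the filter refuses them rather than scanning a partial object.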

“FTP Users” tab

List of users

Allowed users

FTP users can be defined in the intrusion prevention module (limited to 127 characters) by clicking on Add. They are limited to 115 characters and can be deleted when needed.

Denied users

FTP users can be prohibited in the intrusion prevention module (limited to 127 characters) by clicking on Add. They are limited to 115 characters and can be deleted when needed.

“Analyzing files” tab

Maximum size for antivirus and sandboxing scan (KB)

In this field, the maximum size used for scanning files can be determined.

You can also configure the action to perform if the file exceeds the authorized size.

WARNING

When manually defining a size limit for analyzed data, ensure that all values are coherent. The total memory space corresponds to a common space for all the resources reserved for the Antivirus service. If you define the size limit for analyzed data on FTP as 100% of the total size, no other files can be analyzed at the same time.


The default size depends on the firewall model:

  • S model (U30S, U70S, SN150, SN160(W), SN200, SN210(W), SN300 and SN310): 4000 KB.
  • M model (U150S, U250S, V50, V100, SN500, SN510, SN700, SN710 and SNi40): 4000 KB.
  • L model (U500S, U800S, SN900 and SN910): 8000 KB.
  • XL model (VS5, VS10, VS-VU, SN2000, SN2100, SN3000, SN3100, SN6000 and SN6100): 16000 KB.

Analyzing files

This option allows choosing the type of file that needs to be scanned: “downloaded and sent” files; “downloaded only” or “sent only” files.

Actions on files

When a virus is detected

This field contains two options, “Pass” and “Block”. By selecting “Block”, the analyzed file will not be sent. By selecting “Pass”, the antivirus will send the file in its original form.

When the antivirus scan fails

This option defines the behavior of the antivirus module if the analysis of the file it is scanning fails.

Example

The file could not be scanned as it has been locked.

If Block has been specified, the file being scanned will not be sent.

If Pass without scanning has been specified, the file being scanned will be sent.

When data collection fails

This option defines the behavior of the antivirus module when certain events occur. It is possible to Block traffic when information retrieval fails, or Pass without scanning.

"Sandboxing" tab

Sandboxing

Status

This column displays the status (Enabled/Disabled) of sandboxing for the corresponding file type. Double-click on it to change its status.

File types

The sandboxing option allows scanning four types of files:

  • Archive: these include the main types of archives (zip, arj, lha, rar, cab, etc.)
  • Office document (Office software): all types of documents that can be opened with the MS Office suite.
  • Executable: files that can be run in Windows (files with the extension ".exe", ".bat", ".cmd", ".scr", etc.).
  • PDF: files in Portable Document Format (Adobe).
  • Flash: files with the extension ".swf".
  • Java: compiled Java files (for example, files with a ".jar" extension).

Max size of scanned files (KB)

This field allows defining the maximum size of files that need to be sandboxed. By default, this value is equal to the one in the Maximum size for antivirus and sandboxing scan (KB) field in the File analysis tab. This value cannot be exceeded.

Actions on files

When known malware has been identified

This field contains two options. By selecting “Block”, the analyzed file will not be sent. By selecting “Pass”, the file will be sent in its original form.

When sandboxing fails

This option defines the behavior of the sandboxing option if the file scan fails.


If Block has been specified, the file being scanned will not be sent.

If Pass without scanning has been specified, the file being scanned will be sent.