2.5 TECHNICAL NOTE FTP

Transcription

1 Version 2.5 TECHNICAL NOTE FTP Protocol Agent Overview Stonesoft Corp. Itälahdenkatu 22A, FIN Helsinki Finland Tel (9) Fax (9) Copyright 2002 Stonesoft Corp. All rights reserved. All trademarks or registered trademarks are property of their respective owners.

2 Protocol Overview File Transfer Protocol (FTP) is a well-known protocol, defined by RFC 959. There are, however, some extensions to the protocol. Please see section Related Standards below for more information about the extensions. FTP is platform independent. Communication Model FTP uses one control connection, to standard port 21. For transmitting data, FTP uses data connections. The port and IP address for the data connection are negotiated within the control connection. There are two modes for the data connection: active and passive. The active connection is taken from server to client, and the passive from client to server. Active Connection The client sends a PORT command within the control connection, telling where the server should open the data connection to (destination IP and port). According to RFC 959, the server should use port 20 as the source port. In fact, the source port is defined to be one below the port listening to the control connections. However, there are server implementations with a non-standard source port. Passive Connection The client sends a PASV command within the control connection, asking where server is listening to data connections. The server replies with an IP address and port. There are no specifications about source port for the client to use. Related Standards Based on RFC 959. Extended commands: MDTM, TVFS, MLST, and MLSD specified in Internet draft at Extended commands: OPTS, LANG, and FEAT specified in RFC 2640 and RFC TECHNICAL NOTE 2

3 Protocol Agent Description The main purpose of the FTP PA is to open the related data connection by PORT command or PASV reply. The PA transforms the IP addresses of the data connection in a same way that on the parent (control) connection. Commands carrying IP and port data are altered as well. This ensures that the FTP connections are correctly routed. The FTP agent is fully transparent to the user. Validity of the Protocol The FTP agent also inspects protocol validity. There are two selectable levels of inspection: strict and loose; loose being the default. FTP uses TCP/IP protocol, and sending any other protocol to FTP PA is a fatal error and is treated as such: the connection is terminated and the error logged. General Requirements The most critical requirement is that a command should terminate with <CR><LF> (i.e., carriage return, linefeed). This requirement is derived from the fact, that the FTP control stream must comply with the telnet protocol. Additionally, the address data containing the PORT command or the PASV response must be contained in one packet. There is also a requirement that the requested data connection port is from the range Moreover, there cannot be any third party IP address involved in the exchange of data. As mentioned earlier, there are two basic cases of FTP data connections: active and passive. The FTP PA allows a data connection immediately when it sees a valid PORT command or a successful reply to a PASV command. TECHNICAL NOTE 3

4 Loose Mode In loose mode, the Protocol Agent tries only to identify information for allowing a data connection. For that, command - reply pairs of the protocol must match. For example, opening passive command requires identifying PASV -command and according reply. In loose mode, the recognized passive reply has to be in form: 227<SPACE>*<x,x,x,x,y,y>*<LF>, where * is a string, which does not contain neither <CR> or <LF> nor a digit number. Related connection is allowed to establish immediately after address data is found. Strict Mode Strict mode tries to enforce protocol integrity. The basic idea is that all command - response pairs are understood and checked that they comply with RFC 959. Connections containing commands that do not comply with the RFC are dropped. This means only partial understanding and checking. A more precise checking would create unnecessary overhead. The following lists the recognized passive reply forms: 227 Entering Passive Mode (<x,x,x,x,y,y,>*<lf> 227 Entering Passive Mode(<x,x,x,x,y,y,>*>LF> 227 Passive Mode Entered <x,x,x,x,y,y>*<lf> 227 Passive Mode (<x,x,x,y,y,>*<lf> * denotes a string, which does not contain <CR> neither <LF> nor digit number. Related connection is opened immediately after address data is found. TECHNICAL NOTE 4

5 The following lists violations detected in strict mode: A client sends a command that is not recognized by FTP PA A new command is sent before receiving the reply of the previous command A reply must contain at least 3+1 characters, i.e. reply code + one termination character. All these characters must be in one packet A reply must always contain a valid reply code that must be from 100 to 599 A spontaneous reply, i.e. a reply with no command Command from Client Only known commands are accepted. See the command list in section Supported FTP Commands on page 13. Reply from Server The replies are checked for invalid form. There are several rules: Reply must contain at least four characters Reply code must be from 100 to 599 Reply must match a command. Reply must be as expected. Most responses are not checked beyond the reply code validity. CIS Redirection The FTP PA is capable of redirecting the FTP connections. This feature is used to redirect the control and data connections to go through a Content Inspection Server (CIS), which will act as FTP proxy. First, the control connection is directed to the CIS instead of the original destination. Then, the original destination address is appended to the USER command. So, the USER command is changed into form: USER username@origip. The PA takes care about NAT, so redirection is totally transparent to the client. After the content screening, the CIS forwards the traffic back to StoneGate, if deemed acceptable. Another FTP Protocol Agent then simply allows the traffic to TECHNICAL NOTE 5

6 pass to the FTP server. When the data connection is opened, it will be handled in a similar manner. Redirection is not a feature specified by RFC. Compatibility with all content inspection servers is not guaranteed. Redirection of outbound FTP traffic The Figure 1.1 illustrates how an outbound FTP connection is redirected to the CIS. The FTP client and the CIS have to be in separate networks. In the example, the client is located on the internal network and the server on the Internet. FIGURE 1.1 Outbound FTP redirection to CIS Internal FTP client SG Internet FTP server PA #1 PA #2 CIS TECHNICAL NOTE 6

7 1. The client initiates an FTP control connection to the server public IP address, port 21. StoneGate matches the control connection against its rule base, and in case the connection is allowed, proceeds with it. 2. StoneGate activates automatically the Protocol Agent associated with the service (FTP). 3. The FTP Protocol Agent (PA #1 in the figure) redirects the control connection to a specified content inspection server (CIS) to have the validity of the contents checked. The CIS is typically located on a separate internal network. The PA #1 performs NAT on the packets belonging to the connection to change the source and destination addresses. The destination IP is changed from the address of the FTP server to the address of the CIS, and the source from the client address to another address, as specified in the Protocol Agent properties. The source NAT address can be any address that will be routed back through StoneGate. In addition, the original destination IP (FTP server s public IP) is appended to the USER command in the packet (i.e., it is of the form USER username@origip ). 4. CIS receives the packets and examines the validity of their contents. 5. CIS sends the validated packets back to the source address specified in the Protocol Agent properties. 6. In case the connections from the CIS are routed back through StoneGate, the FTP Protocol Agent (PA #2) in StoneGate handles the control connection from there on. The rule allowing those connections should have an FTP PA defined, but without the redirection parameter. It sees that the connection comes from the CIS and it allows it to pass to its final destination. 7. Whether and when the client gets a reply from the server, the data connection can then be established according to the mode selected (active or passive). It is handled in a similar manner. Redirection of inbound FTP traffic The Figure 1.2 illustrates the redirection of the FTP traffic from the internal networks point of view. The FTP client and the CIS have to be in separate networks. In the example, the server is located on the internal network (DMZ) and the client on the Internet. TECHNICAL NOTE 7

8 FIGURE 1.2 Inbound FTP redirection to CIS Public FTP server on DMZ SG Client on the Internet PA #2 PA #1 CIS 1. The client initiates an FTP control connection to the server s public IP address, port 21. StoneGate matches the control connection against it rule base, and in case the connection is allowed, proceeds with it. 2. StoneGate activates automatically the Protocol Agent associated with the service (FTP). 3. The FTP Protocol Agent (PA #1 in the figure) redirects the control connection to a specified content inspection server (CIS) to have the validity of the contents checked. The CIS is typically located on a separate internal network. The PA #1 performs NAT on the packets belonging to the connection to change the source and destination addresses. The destination IP is changed from the address of the FTP server to the address of the CIS, and the source from the client address to another address, as specified in the Protocol Agent properties. The source NAT address can be any address that will be routed back through StoneGate. In addition, the original destination IP (FTP server s public IP) is appended to the USER command in the packet (i.e., it is of the form USER username@origip ). 4. CIS receives the packets and examines the validity of their contents. TECHNICAL NOTE 8

9 5. CIS sends the validated packets back to the source address specified in the Protocol Agent properties. 6. In case the connections from the CIS are routed back through StoneGate, the FTP Protocol Agent (PA #2) in StoneGate handles the control connection from there on. The rule allowing those connections should have an FTP PA defined, but without the redirection parameter. It sees that the connection comes from the CIS and it allows it to pass to its final destination. 7. Once the server replies to the client, the data connection can then be established according to the mode selected (active or passive). It is handled in a similar manner. Logging The purpose of logging is to report about successful events and possible errors (both protocol and internal). In the diagnostic mode of StoneGate, there are three cases where a successful event is being logged as regards FTP connections: new control connection new active mode data connection new passive mode data connection. All strict mode violations are logged only in a strict mode. Such violations are not mentioned in loose mode. Exceptions, Limitations and Assumptions Currently, it is not being checked if a user is successfully logged in before accepting commands for opening a data connection. According to the FTP protocol definition, the number of data connections is not limited, so by using a PORT command or PASV response pair it's possible to open an arbitrary number of data connections between the FTP server and client. A data connection can only be created between the hosts forming the control connection. No third party IP addresses can be involved. TECHNICAL NOTE 9

10 Current Protocol Agents do not support the use of ports in load balancing (setting in Cluster Properties) if a NAT is applied to the connection where the PA is attached. Enabling the port setting leads to a connection drop. Known Issues Supporting non-standard and standard server data connection ports in such a way that either port range like ( ) or standard port (usually 20) would be accepted, is not possible with a single instance of the PA. You can configure several instances to be used with different connections that can be matched with rules. When defining a NAT rule, the following limitations should be taken into account. Otherwise, the FTP PA won t allow the data connection to pass the firewall and a log error will be generated. For all types of data connections the PA performs the NAT IP address exactly in the same way than the case of a control connection. Active mode data connection in case of standard FTP server (also with CIS redirection): NAT Destination Port is constrained to range Passive mode data connection (also with CIS redirection): NAT Source Port is constrained to the same port value than the original destination port The most typical reasons why a data connection allowance is unsuccessful are: a NAT rule matches the control connection but conflicts with the NAT limitations mentioned above a NAT rule only matches the data connection but conflicts with the NAT limitations mentioned above. This limitation only concerns versions up to 2.1. TECHNICAL NOTE 10

11 Security Benefits The integrity of the protocol is enforced by the FTP PA, when the strict mode is being used. Please see section Validity of the Protocol on page 3 for more information about checking, including checks made in the loose mode. Fail-over Transparency If a clustered node fails or crashes, it's possible that the PA's last state is not synchronized, and thus, the agent taking the connection over is left with an outdated state. In such case, the agent might cut the connection as an invalid one, especially when the strict mode is being used. TECHNICAL NOTE 11

12 Configuration Options TABLE 1.1 Allow active mode Values Description Yes; No (default) Active mode allowed TABLE 1.2 Allow passive mode Values Description Yes; No (default) Passive mode allowed TABLE 1.3 Control data inspection module Values Description Strict; Loose (default) Selection of protocol inspection level TABLE 1.4 Redirect connections to CIS Values Description A CIS server defined in Server section in Network Element Manager or none to disable redirection (default) Selection of the CIS to which the connection is redirected TABLE 1.5 Highest/lowest allowed non-standard source port number of active mode data connection from server Values Valid values: or 0 for both (default 0-0) Description Port range of accepted non-standard server source port in active mode. Valid range is Value 0 means that non-standard port is not accepted. TECHNICAL NOTE 12

13 Supported FTP Commands Highlighted commands are extended, and thus, unrecognized by RFC 959. For the extensions, see the links in section Related Standards on page 2. TABLE 1.6 FTP commands ABOR ACCT ALLO APPE CDUP CWD DELE FEAT HELP LANG LIST MDTM MKD MLSD MLST MODE NLST NOOP OPTS PASS PORT PASV PWD QUIT REIN REST RETR RMD RNFR RNTO SITE SMNT STAT STOR STOU STRU SYST TVFS TYPE USER TECHNICAL NOTE 13