Active vs. Passive Mode

The original FTP servers and clients used active mode, where a file transfer happens as shown in Figure 4.3 and described here:

1. When the client (already connected to the server's FTP control port and logged in) needs to receive a file from the server, it sends a PORT A1,A2,A3,A4,a1,a2 command, where A1, A2, A3, and A4 are the four octets of the client's IP address and a1 and a2 encode the port number on which it will listen for connections. This port number is an arbitrary value and is computed as a1*256+a2.

2. After receiving a 200 OK reply from the server, the client sends the RETR command to start the transfer.

3. The server opens a connection to the port that the client specified and pipes the file's contents into this connection. After the file is transferred, this data connection is closed, while the control connection stays open until the client disconnects from the server. The source port of this connection is "ftp-data," TCP port 20.

www.syngress.com

142 Chapter 4 • Advanced PIX Configurations

Now, if the client is behind a firewall (or, in PIX terms, is on a higher security-level interface than the server), the connection from the server is likely to be denied unless the firewall permits inbound access to all high ports on the client side, which is of course not good. The PIX firewall can monitor FTP control connections, so when it discovers a PORT command issued by the client, it temporarily permits inbound access to the port requested by the client in this command.

The other issue here is that when NAT or PAT are used, the PIX also translates the address and port number (A1.A2.A3.A4:a1a2) inside this command to the NATted IP and port. For example, if the client's address is 10.0.0.1 and it is translated to 1.2.3.4, the PORT 10,0,0,1,4,10 command the client issued (which says that the client is ready to accept a connection to 10.0.0.1:1034) will, during its transit through the PIX, be translated to something like PORT 1,2,3,4,8,10, so that the server will open the data connection to 1.2.3.4:2058. This destination will be correspondingly translated by the PIX to 10.0.0.1:1034 using its internal tables.
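The PORT translation walked through above, as an added Python example (not code from the book or from Cisco): it decodes and re-encodes the six comma-separated fields and rewrites a PORT command against a constructed translation table that stands in for the PIX's internal xlate table (10.0.0.1:1034 becomes 1.2.3.4:2058, as in the text). The table, the function names and the regular expression are assumptions of this example.

```python
"""Encoding, decoding and NAT rewriting of FTP PORT arguments.

Added example, not from the book or Cisco: it reproduces the PORT
translation the text walks through (10.0.0.1:1034 -> 1.2.3.4:2058).
CONSTRUCTED_XLATE is a constructed stand-in for the PIX's internal
translation table.
"""
from __future__ import annotations

import re

# A well-formed PORT command: the verb, six decimal fields, CRLF.
PORT_CMD_RE = re.compile(r"^PORT ((?:\d{1,3},){5}\d{1,3})\r\n$")

# Constructed xlate table: (inside IP, inside port) -> (global IP, global port).
CONSTRUCTED_XLATE = {("10.0.0.1", 1034): ("1.2.3.4", 2058)}


def decode_port_args(args: str) -> tuple[str, int]:
    """'10,0,0,1,4,10' -> ('10.0.0.1', 1034); the port is a1*256 + a2."""
    fields = [int(f) for f in args.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError(f"malformed PORT arguments: {args!r}")
    return ".".join(map(str, fields[:4])), fields[4] * 256 + fields[5]


def encode_port_args(ip: str, port: int) -> str:
    """('1.2.3.4', 2058) -> '1,2,3,4,8,10'."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def rewrite_port_command(line: str, xlate: dict) -> tuple[str, tuple[str, int]]:
    """Rewrite the address/port inside a client's PORT command as the PIX does.

    Returns the translated command line and the (global IP, global port)
    pair the firewall must temporarily open for the server's inbound data
    connection. With a static NAT entry and no PAT the port stays the same;
    the constructed table above changes it, as the text's example does.
    """
    m = PORT_CMD_RE.match(line)
    if not m:
        raise ValueError(f"not a well-formed PORT command: {line!r}")
    inside_ip, inside_port = decode_port_args(m.group(1))
    global_ip, global_port = xlate[(inside_ip, inside_port)]
    return f"PORT {encode_port_args(global_ip, global_port)}\r\n", (global_ip, global_port)


if __name__ == "__main__":
    cmd, pinhole = rewrite_port_command("PORT 10,0,0,1,4,10\r\n", CONSTRUCTED_XLATE)
    print(cmd.strip(), "-> server will connect to %s:%d" % pinhole)
```

The returned (global IP, global port) pair is exactly the destination the firewall has to permit temporarily, which is why a firewall that cannot read the control channel must either open every high port or block active mode.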

Figure 4.3 Active FTP Connection Flow (figure; labels recovered from the page: client port 1050 to server command port 21: "PORT 1,2,3,4,4,40", "220 OK"; server data port 20 to client port 1064. The client tells the server to connect back to port 1064 = 4 * 256 + 40. The server establishes a connection and sends the requested file.)

The second mode of FTP operation is passive mode. In this mode, a file transfer happens as shown in Figure 4.4 and described here:

1. Soon after connecting to the server's FTP control port and logging in, the client sends the PASV command, requesting the server to enter the passive mode of operation.

2. The server responds with "227 Entering Passive Mode A1,A2,A3,A4,a1,a2." This reply means that the server is now listening for data connections on the IP address and port it has specified in the reply.

3. The client connects to the specified port and sends the RETR command to start the transfer.

4. The server sends the file's contents over this second (data) connection.

This mode of operation does not cause a problem when the client is on a more secure interface, since by default the client is allowed to initiate any outbound connections. Unfortunately, there is a problem when the server is on a more secure interface than the client; the firewall will generally not allow the client to open an inbound connection on an arbitrary port. To overcome this problem, the PIX firewall monitors PASV commands and "227" replies, temporarily permits an inbound connection to the specified port, and modifies IP addresses and port numbers to agree with the NATted ones.

Figure 4.4 Passive FTP Connection Flow (figure; labels recovered from the page: client port 1050 to server command port 21: "PASV", "227 Entering passive mode 2,3,4,5,4,40"; client port 1051 to server passive data port 1064. The client asks the server to enter passive mode. The server replies with the port number to connect to. The client establishes the connection and receives the requested file.)

The described behavior of the PIX firewall is turned on by default; it inspects inbound and outbound traffic to FTP control port 21. To turn it off or modify the port numbers on which it should perform inspection, use the fixup protocol ftp command in configuration mode. The syntax of this command is as follows:

[no] fixup protocol ftp [strict] [port]

Here, port is the port number used for control connections, PORT commands, and "227" replies. The default state of FTP inspection is equivalent to:

fixup protocol ftp 21

If you enter other fixup commands, the ports specified in them are inspected simultaneously for inbound and outbound FTP control connections. For example, if you enter fixup protocol ftp 2100, both the default port (21) and port 2100 will be inspected. The command no fixup protocol ftp [port] disables the previously entered fixup command. For example, to enable processing of traffic to port 2100 only, you need to configure the following:

PIX1(config)# fixup protocol ftp 2100
PIX1(config)# no fixup protocol ftp 21

It is possible to disable inspection of FTP traffic entirely using:

no fixup protocol ftp

The result will be that inside users are able to initiate FTP connections to outside hosts only in passive mode, not active mode. Outside clients will be able to initiate FTP connections to inside servers in active mode only (assuming there is a static NAT entry and an access list or conduit in place), not passive mode. To reset application inspection to the standard port settings for all protocols at the same time, use the clear fixup command.

The full functionality of FTP application inspection consists of the following tasks:

1. Tracking of the FTP command and reply sequence (PORT and PASV commands and "227" replies).

2. Creating a temporary conduit for the data connection based on the result of this tracking (if necessary).

3. NATting of IP addresses inside the commands and replies.

4. Generating an audit trail.

An audit trail is generated in the following cases:

- An audit record 302002 is generated for each uploaded or downloaded file.

- Each download (RETR) or upload (STOR) command is logged.

- File operations are logged together with the FTP username, source and destination IP addresses, and NAT address.

- An audit record 201005 is generated if the firewall failed to allocate a secondary channel due to memory shortage.


In the original implementations of FTP inspection, the process of looking for the relevant commands/replies in IP packets was very simple: the PIX only looked for a string such as PORT inside the packet and tried to interpret it as the corresponding command. Of course, various attacks were designed to fool the firewall into opening an extra port by sending forged commands and replies from the client or the server (see www.cisco.com/warp/public/707/pixftp-pub.shtml).

Since then, the inspection process has been greatly improved, and another option, strict, has been introduced to perform much more thorough checks on the command/response stream. If you use this option in the configuration of FTP inspection (for example, fixup protocol ftp strict 21), the firewall imposes much tighter restrictions on the command/response flow. These restrictions can sometimes break applications that are not fully RFC compliant. If one of the following problems is encountered, the connection is denied or dropped:

- Clients are prevented from sending embedded commands. The connection that tries to use these commands is closed. This check is performed by counting how many characters are present in the PORT or PASV command after the IP address and port number. If there are more than eight characters, it is assumed that this is an attempt to add another command at the end of the line, and the connection is dropped.

- Before a new command is allowed, the server should send a reply to each command received.

- Only servers can generate "227" messages (protection against reply spoofing) and only clients can generate PASV and PORT commands (protection against command spoofing). The reason here is that without strict, a client can send any garbage to the server, including fake "227" messages, for example 227 foobar A1,A2,A3,A4,a1,a2; although the server replies with an error message, the firewall could be tricked into permitting the connection with the parameters specified.

- Additional checking of "227" replies and PORT commands is performed to ensure that they are really commands/replies, not a part of some error message.

- Truncated commands; PORT and PASV commands are checked for the correct number of commas in them. Each should contain exactly five commas (see the previous examples).

- Size of RETR and STOR commands; their length (including the filename for download/upload) should not be greater than a fixed constant. This is done to provide protection against possible buffer overflows.

- Invalid port negotiation; the port number used for the data connection must be a high port (that is, a port with a number greater than 1024).

- Every FTP command sent by the client must end with carriage return and line feed (CRLF) characters, as specified by RFC 959.
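The strict checks listed above, as an added Python model that is not Cisco's code and does not reproduce the PIX's implementation: a small stateful inspector classifies each control-channel line and reports the first condition under which the list says the connection would be dropped. The length constant MAX_RETR_STOR_LEN is an assumption (the page does not give the real limit), and every sample session is constructed for the example.

```python
"""Model of the checks the text attributes to 'fixup protocol ftp strict'.

Added example, not Cisco's code: it classifies control-channel lines the
way the bullet list describes. MAX_RETR_STOR_LEN is an assumed bound (the
real PIX constant is not given) and all sample sessions are constructed.
"""
import re

MAX_RETR_STOR_LEN = 256   # assumed bound for RETR/STOR, including the filename
MAX_TRAILING_CHARS = 8    # characters tolerated after the address/port fields
# h1,h2,h3,h4,p1,p2 as carried by PORT commands and 227 replies
ARGS_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def check_port_args(args, what):
    """Validate the six comma-separated fields; return a drop reason or None."""
    if args.count(",") != 5:
        return f"{what}: truncated or malformed, expected five commas"
    m = ARGS_RE.search(args)
    if not m:
        return f"{what}: address/port fields are not numeric"
    trailing = args[m.end():].rstrip("\r\n")
    if len(trailing) > MAX_TRAILING_CHARS:
        return f"{what}: {len(trailing)} characters after the port, possible embedded command"
    port = int(m.group(5)) * 256 + int(m.group(6))
    if port <= 1024:
        return f"{what}: data port {port} is not a high port"
    return None


class StrictFtpInspector:
    """Tracks one control connection. inspect() returns None to pass a line
    through, or the reason strict inspection would drop the connection."""

    def __init__(self):
        self.awaiting_reply = False   # a client command is still unanswered
        self.dropped = None           # first violation seen, if any

    def inspect(self, direction, line):
        """direction is 'client' or 'server'; line is raw text with its line ending."""
        if self.dropped is None:
            checker = self._client_line if direction == "client" else self._server_line
            self.dropped = checker(line)
        return self.dropped

    def _client_line(self, line):
        if not line.endswith("\r\n"):
            return "client command not terminated by CRLF (RFC 959)"
        verb, _, args = line[:-2].partition(" ")
        verb = verb.upper()
        if verb == "227":
            return "227 reply sent by the client (reply spoofing)"
        if self.awaiting_reply:
            return "new command before the server replied to the previous one"
        self.awaiting_reply = True
        if verb in ("RETR", "STOR") and len(line) > MAX_RETR_STOR_LEN:
            return f"{verb} command exceeds {MAX_RETR_STOR_LEN} bytes"
        if verb == "PORT":
            return check_port_args(args, "PORT")
        return None

    def _server_line(self, line):
        self.awaiting_reply = False
        if line[:4].upper() in ("PASV", "PORT"):
            return "PORT/PASV issued by the server (command spoofing)"
        if not (line[:3].isdigit() and line[3:4] in (" ", "-")):
            return "server reply without a valid reply code"
        # Only a reply that starts with 227 is a passive-mode reply; "227"
        # buried inside some other message (for example a 500 error) is ignored.
        if line.startswith("227"):
            return check_port_args(line[4:], "227 reply")
        return None


def first_violation(session):
    """Run a sequence of (direction, line) pairs through a fresh inspector."""
    inspector = StrictFtpInspector()
    for direction, line in session:
        reason = inspector.inspect(direction, line)
        if reason:
            return reason
    return None


# Constructed sessions used for the demonstration.
CLEAN_SESSION = [
    ("client", "USER anonymous\r\n"), ("server", "331 Please specify the password.\r\n"),
    ("client", "PASS guest@\r\n"),    ("server", "230 Login successful.\r\n"),
    ("client", "PASV\r\n"),           ("server", "227 Entering Passive Mode (2,3,4,5,4,40)\r\n"),
    ("client", "RETR report.txt\r\n"), ("server", "150 Opening BINARY mode data connection.\r\n"),
]
EMBEDDED_COMMAND_SESSION = [("client", "PORT 10,0,0,1,4,10 NOOP; PASV\r\n")]

if __name__ == "__main__":
    print("clean session:", first_violation(CLEAN_SESSION))
    print("embedded command:", first_violation(EMBEDDED_COMMAND_SESSION))
```

Each rule maps to one bullet: the reply-spoofing check looks only at which side sent the line, the "part of an error message" check relies on the reply code at the start of the line, and the comma, trailing-character and high-port checks are all applied to the same six fields for both PORT commands and 227 replies.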