FTP Inspection
The FTP protocol requires some special handling because it uses two ports per FTP session.
FTP uses two ports when transferring data: a control channel and a data channel, on ports
21 and 20, respectively. The user who initiates the FTP session over the control channel
makes all data requests through that channel. The FTP server will then initiate a request to
open a port from server port 20 to the user's computer. FTP will always use port 20 for
data-channel communications. If FTP inspection has not been enabled on the Security
Appliance, this request will be discarded and the FTP session will not transmit any requested
data. If FTP inspection is enabled on the Security Appliance, the Security Appliance monitors
the control channel, trying to recognize a request to open the data channel. The FTP protocol
embeds the data-channel port specifications in the control-channel traffic, requiring the
Security Appliance to inspect the control channel for data-port changes. If the Security
Appliance recognizes such a request, it temporarily creates an opening for the data-channel
traffic that lasts for the life of the session. In this way, the FTP inspection function monitors
the control channel, identifies a data-port assignment, and allows data to be exchanged on
the data port for the length of the session.
The Security Appliance inspects port 21 connections for FTP traffic by default through the
global-inspection class-map. The Security Appliance will also recognize the difference
between an active and a passive FTP session. If the FTP session supports passive FTP data
transfer, the Security Appliance, through the inspect ftp command, will recognize the data
port request from the user and open the new data port, which is greater than 1023. FTP
inspection examines each FTP session and performs four tasks:
■ Prepares dynamic secondary data connections
■ Tracks the FTP command-response sequence
■ Generates an audit trail
■ NATs embedded IP addresses
The inspect ftp strict option can be enabled, which causes the Security Appliance to track
each FTP command and response sequence for anomalous activity.
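The following is an added example, not code from the book or from Cisco, that shows the part of the inspection described above that a practitioner most often has to reason about: how the data-port assignment is read out of the control channel. Both exchanges are constructed, the PORT and 227 formats follow RFC 959, and the rule that a data port at or below 1023 is treated as anomalous is an assumption generalized from the page's statement about passive mode.

```python
import re

# Constructed control-channel exchanges (not captures from a real session).
# Active mode: the client names the address and port the server must connect back to
# from its port 20.
ACTIVE_EXCHANGE = [
    ("client", "USER alice"),
    ("server", "331 Password required for alice"),
    ("client", "PASS hunter2"),
    ("server", "230 User alice logged in"),
    ("client", "PORT 192,168,1,10,4,1"),        # 4*256 + 1 = port 1025
    ("server", "200 PORT command successful"),
    ("client", "RETR report.txt"),
    ("server", "150 Opening data connection"),
]

# Passive mode: the server advertises the address and port the client should connect to.
PASSIVE_EXCHANGE = [
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (203,0,113,5,195,80)"),  # 195*256 + 80 = port 50000
    ("client", "RETR report.txt"),
]

# PORT is sent by the client; the 227 reply is sent by the server.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_hostport(fields):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port).
    Returns None when any field is outside the range of one byte."""
    values = [int(f) for f in fields]
    if any(v > 255 for v in values):
        return None
    ip = ".".join(str(v) for v in values[:4])
    port = values[4] * 256 + values[5]
    return ip, port


def inspect_control_channel(exchange):
    """Walk the control channel the way the inspector does and return (pinholes, anomalies).
    A pinhole is (mode, peer_ip, peer_port): the temporary opening created for the data
    channel.  An anomaly is (mode, line, reason) for a specification the inspector rejects."""
    pinholes = []
    anomalies = []
    for side, line in exchange:
        match = PORT_RE.match(line) if side == "client" else PASV_RE.match(line)
        if not match:
            continue
        mode = "active" if side == "client" else "passive"
        decoded = decode_hostport(match.groups())
        if decoded is None:
            anomalies.append((mode, line, "malformed host/port specification"))
            continue
        ip, port = decoded
        # Assumption: a data port at or below 1023 is anomalous.  The page states the
        # opened passive port is greater than 1023; the same rule is applied to both modes here.
        if port <= 1023:
            anomalies.append((mode, line, f"privileged data port {port}"))
            continue
        pinholes.append((mode, ip, port))
    return pinholes, anomalies


if __name__ == "__main__":
    for name, exchange in (("active", ACTIVE_EXCHANGE), ("passive", PASSIVE_EXCHANGE)):
        print(name, inspect_control_channel(exchange))
```

The pinhole tuple is what the appliance has to remember for the life of the session: in active mode the server's port 20 connects to the client address in the tuple, and in passive mode the client connects to the server address in it. Because the address and port travel inside the control-channel payload, this is also the point at which embedded addresses have to be rewritten when NAT is in use.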
FTP inspection also supports FTP deep packet inspection. This will allow a security
administrator greater control over what a user can do through an FTP session by restricting
specific FTP request commands. An FTP session is closed if a user attempts to use a blocked
FTP request command, such as the command to remove a file. The following commands can
be blocked through FTP deep packet inspection:
■ appe—Append to a file
■ cdup—Change to parent of current directory
■ dele—Delete a file
■ get—Retrieve a file
■ help—Remote help information from server
■ mkd—Create a directory
■ put—Store a file
■ rmd—Remove a directory
■ rnfr—Rename from
■ rnto—Rename to
■ site—Specify server specific command
■ stou—Store a file with a unique name
Filtering FTP commands must be done through a special ftp-map command in global-configuration
mode. Once created, you must assign the ftp-map to a class-map to identify the
proper FTP traffic flows. When configuring the actions in an ftp-map, use the request-cmd
deny command to restrict specific FTP request commands. Multiple FTP request commands
can be restricted with a single request-cmd deny command:
ftp-map [map_name]
request-cmd deny { appe | cdup | dele | get | help | mkd | put | rmd | rnfr | rnto | site | stou }
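As an added example, not code from the book or from Cisco, the following models the effect of a request-cmd deny list on a client's command stream: the session is closed at the first blocked request, and every request seen up to that point is recorded for the audit trail. The deny list, the client commands and the mapping from the ftp-map keywords to the RFC 959 verbs on the wire (in particular that get and put stand for RETR and STOR) are assumptions made for this example.

```python
# Hypothetical ftp-map, equivalent to:  request-cmd deny appe dele put rmd stou
DENIED_KEYWORDS = {"appe", "dele", "put", "rmd", "stou"}

# Assumption: each ftp-map keyword corresponds to these RFC 959 verbs on the wire.
# "get" and "put" are the map's names for RETR and STOR.
KEYWORD_TO_VERBS = {
    "appe": {"APPE"}, "cdup": {"CDUP"}, "dele": {"DELE"}, "get": {"RETR"},
    "help": {"HELP"}, "mkd": {"MKD"}, "put": {"STOR"}, "rmd": {"RMD"},
    "rnfr": {"RNFR"}, "rnto": {"RNTO"}, "site": {"SITE"}, "stou": {"STOU"},
}

# Constructed client command stream (not a real capture).
CLIENT_COMMANDS = [
    "USER alice",
    "PASS hunter2",
    "CWD /pub",
    "RETR readme.txt",
    "DELE readme.txt",
    "QUIT",
]


def denied_verbs(denied_keywords):
    """Expand ftp-map keywords into the set of wire verbs the inspector must block."""
    verbs = set()
    for keyword in denied_keywords:
        if keyword not in KEYWORD_TO_VERBS:
            raise ValueError(f"unknown ftp-map keyword: {keyword}")
        verbs |= KEYWORD_TO_VERBS[keyword]
    return verbs


def apply_ftp_map(commands, denied_keywords):
    """Apply the deny list to a client's requests in order.
    Returns {"closed": bool, "blocked": offending command or None,
             "audit": [(verb, decision), ...]}.
    The session is torn down at the first denied request; later commands are never seen."""
    blocked = denied_verbs(denied_keywords)
    audit = []
    for command in commands:
        parts = command.split(maxsplit=1)
        if not parts:
            continue
        verb = parts[0].upper()
        if verb in blocked:
            audit.append((verb, "deny"))
            return {"closed": True, "blocked": command, "audit": audit}
        audit.append((verb, "permit"))
    return {"closed": False, "blocked": None, "audit": audit}


if __name__ == "__main__":
    print(apply_ftp_map(CLIENT_COMMANDS, DENIED_KEYWORDS))
```

Note that the decision is made on the verb alone, which is why the example upper-cases it before the lookup: the filtering is a per-command policy, not a per-file one, so a user who only needs to retrieve files is given a map that blocks the modifying verbs rather than a file-level rule.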