FTP Through Firewalls

    Various FTP forms:

    1) Normal FTP
    2) SFTP - SSH File Transfer Protocol
    3) FTPS - FTP over SSL
    i> Implicit FTPS
    ii> Explicit FTPS

    The scenarios below assume that FTP inspection is disabled on the ASA.

     

    ===========
    Normal FTP:
    ===========

     

    File Transfer Protocol (FTP) is a network protocol used to transfer data from one computer to another through a network, such as the Internet.

     

    -> Inbound FTP Scenarios:

    Server----I(ASA)O----client

     

    a) Passive Client [####FAILS####]

    The client connects to the server's public IP on port 21 and authenticates. The client then enters passive mode with the PASV command. When the server receives PASV, it replies with the IP address and port the client must connect to for the data transfer. However, the server puts its own private IP address in that reply, and because the firewall is not performing FTP inspection it does not translate the payload to the server's public IP. The client therefore receives the server's private IP address and cannot open the data connection.

    Solution: Enable FTP inspection.

     

    b) Active Client [####WORKS####]

    The client connects to the server's public IP on port 21 and authenticates, then sends a PORT command. The server calculates the client port from the PORT command and initiates the data connection to it from source port TCP/20 (ftp-data). This outbound connection works because, by default, outbound traffic is permitted on the ASA.

    FTP Inspection required: NO.

     

    -> Outbound FTP Scenarios:

    client----I(ASA)O----Server

     

    a) Active Client [####FAILS####]

    The client connects to the server's public IP on port 21 and authenticates, then sends a PORT command. However, the PORT command carries the client's private IP address, and because the firewall is not performing FTP inspection it does not translate the payload to the client's public IP, so the server receives the client's private IP address. The server is therefore unable to initiate the data connection to the client and the FTP transfer fails.

    Solution: Enable FTP inspection.

     

    b) Passive Client [####WORKS####]

    The client connects to the server's public IP on port 21 and authenticates, then enters passive mode with the PASV command. When the server receives PASV, it replies with the IP address and port the client must connect to for the data transfer. The client calculates this port and initiates an outbound connection to it for the data transfer. As this is an outbound connection, everything works.

    FTP Inspection required: NO.

    Refer to the following link for a detailed explanation of active and passive FTP:

    http://slacksite.com/other/ftp.html

     

    ==================================
    SFTP - SSH File Transfer Protocol:
    ==================================

     

    SFTP (SSH File Transfer Protocol), sometimes called Secure File Transfer Protocol, is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with version two of the SSH protocol (TCP port 22) to provide secure file transfer.

    SFTP is **not** FTP run over SSH, but rather a new protocol designed from the ground up by the IETF SECSH working group. The protocol is not yet an Internet standard.

    Port used: 22(TCP)

     

    Firewall Perspective of SFTP-
    -----------------------------

    This is firewall friendly, because all communication happens over port 22 (TCP). Hence, depending on the setup, there is not much to configure on the firewall:

     

    Server----I(ASA)O----client

    Server inside, client outside: normally you need a static mapping for the server and to open port 22 to the server's mapped IP for the traffic to flow through.

     

    client----I(ASA)O----Server

    Client inside, server outside: just open outbound access and the client should be able to reach the SFTP server.

    FTP Inspection required: NO (not an FTP protocol).

     

    ==================
    FTPS - FTP over SSL:
    ==================

     

    FTPS (the S after FTP) is a superset of the same FTP protocol that allows the connection to be encrypted over an SSL/TLS socket. There are two modes in which this can be achieved:

    i> Implicit FTPS
    ii> Explicit FTPS

    FTPS as a whole is not firewall friendly; refer to the following scenarios to understand why.

     

    ------------------
    (I) Implicit FTPS-
    ------------------

    In implicit FTPS, an SSL socket wraps the entire communication from the point of connection initiation. To separate this from normal FTP, implicit FTPS was assigned its own standard port, 990 (TCP), compared to normal FTP which uses 21 (TCP). Note that this mode is far less common than the explicit mode.

     

    -> Inbound IFTPS Scenarios:

     

    Server----I(ASA)O----client

     

    a) Inbound Implicit FTPS, Passive Client [####FAILS####]

    The client connects to the server's public IP on port 990 and authenticates over TLS (AUTH command). After authentication, the client uses the PROT command for data protection, then enters passive mode with the PASV command. When the server receives PASV, it replies with the IP address and port the client must connect to for the data transfer. However, the server puts its own private IP address in that reply, and because the reply travels inside the encrypted session the firewall cannot translate the payload to the server's public IP. The client therefore receives the server's private IP address and cannot open the data connection.

    Inspection Required: No, it would not help anyway.
    Can we make this work through the ASA: No (opening all ports to the server will not make this work).
    Workaround: Use an active client, see below.

     

    b) Inbound Implicit FTPS, Active Client [####WORKS####]

    The client connects to the server's public IP on port 990 and authenticates over TLS (AUTH). After authentication it uses the PROT command for data protection, then sends a PORT command over the encrypted session. The server calculates the client port from the PORT command and initiates the data connection to it from source port TCP/989 (ftps-data), where normal FTP uses TCP/20 (ftp-data). This outbound connection works because, by default, outbound traffic is permitted on the ASA.

    Inspection Required: No.

     

    -> Outbound IFTPS Scenarios:

     

    client----I(ASA)O----Server

     

    a) Outbound Implicit FTPS, Active Client [####FAILS####]

    The client connects to the server's public IP on port 990 and authenticates over TLS (AUTH). After authentication it uses the PROT command for data protection, then sends a PORT command over the encrypted session. However, because the PORT command is sent inside the encrypted session, the firewall cannot translate it and the server receives the client's private IP address. The server is therefore unable to initiate the data connection to the client and the transfer fails.

    Inspection Required: No, it would not help anyway.
    Can we make this work through the ASA: No (opening all ports to the server will not make this work).
    Workaround: Use a passive client, see below.

     

    b) Outbound Implicit FTPS, Passive Client [####WORKS####]

    The client connects to the server's public IP on port 990 and authenticates over TLS (AUTH). After authentication it uses the PROT command for data protection, then enters passive mode with the PASV command. When the server receives PASV, it replies with the IP address and port the client must connect to for the data transfer. The client calculates this port, initiates an outbound connection to it and establishes the SSL session for the data transfer. As this is an outbound connection, everything works.

    Inspection Required: No.

     

    -------------------
    (II) Explicit FTPS-
    -------------------

    Soon after FTPS was in use, some smart people decided it would be best to have an FTP server that could support unencrypted as well as encrypted connections, and do it all over the same port. To accommodate this, an "explicit" FTPS connection begins as a normal unencrypted FTP session over FTP's standard port 21. The client then explicitly tells the server that it wants to encrypt the connection by sending an "AUTH TLS" command. At that point the FTPS-enabled server and the client perform the SSL or TLS handshake and all further communication is encrypted. Note that most (if not all) explicit FTPS servers can optionally be configured to require encryption, so that they deny clients that attempt to transfer data unencrypted. Often this can be configured on a per-user basis.

     

    -> Inbound EFTPS Scenarios:

     

    Server----I(ASA)O----client

     

    a) Inbound Explicit FTPS, Passive Client [####FAILS####]

    The client connects to the server's public IP on port 21 and authenticates over TLS (AUTH). After authentication it uses the PROT command for data protection, then enters passive mode with the PASV command. When the server receives PASV, it replies with the IP address and port the client must connect to for the data transfer. However, the server puts its own private IP address in that reply, and because the reply travels inside the encrypted session the firewall cannot translate the payload to the server's public IP. The client therefore receives the server's private IP address and cannot open the data connection.

    Can we make this work through the ASA: Yes, see details below.

    If the clients in this scenario are capable of using CCC (Clear Command Channel), the FTP client connects to the server, negotiates a secure connection, authenticates (sends user and password) and then reverts the control channel back to plaintext. Next, enable FTP inspection. Now, when the server responds with the port the client needs to connect to, the firewall can intercept the reply, translate the IP address in the payload and open the data connection accordingly.

    Note: Not all FTP clients/servers support the CCC command.

    Inspection Required: Yes, along with CCC command from client.
    Workaround: See above.

     

    b) Inbound Explicit FTPS, Active Client [####WORKS####]

    The client connects to the server's public IP on port 21 and authenticates over TLS (AUTH). After authentication it uses the PROT command for data protection, then sends a PORT command over the encrypted session. The server calculates the client port from the PORT command and initiates the data connection to it from source port TCP/20 (ftp-data). This outbound connection works because, by default, outbound traffic is permitted on the ASA.

    Inspection Required: No.

     

    -> Outbound EFTPS Scenarios:

     

    client----I(ASA)O----Server

     

    a) Outbound Explicit FTPS, Active Client [####FAILS####]

    The client connects to the server's public IP on port 21 and authenticates over TLS. After authentication it uses PROT P for data protection, then sends a PORT command over the encrypted session. However, because the PORT command is sent inside the encrypted session, the firewall cannot translate it and the server receives the client's private IP address. The server is therefore unable to initiate the data connection to the client and the transfer fails.

    Can we make this work through the ASA: Yes, see the explanation of the workaround for "Inbound Explicit FTPS, Passive Client".
    Inspection Required: See "Inbound Explicit FTPS, Passive Client".
    Workaround: See "Inbound Explicit FTPS, Passive Client".

     

    b) Outbound Explicit FTPS, Passive Client [####WORKS####]

    The client connects to the server's public IP on port 21 and authenticates over TLS. After authentication it uses PROT P for data protection, then enters passive mode with the PASV command. When the server receives PASV, it replies with the IP address and port the client must connect to for the data transfer. The client calculates this port, initiates an outbound connection to it and establishes the SSL session for the data transfer. As this is an outbound connection, everything works.

    Inspection Required: No.
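The PASV/PORT arithmetic and NAT behaviour behind all of the scenarios above, as an added Python example that is not part of the original page: it decodes the h1,h2,h3,h4,p1,p2 tuple from a PORT command or 227 reply, models the payload rewrite that ASA FTP inspection performs on a cleartext control channel, tracks whether AUTH TLS and CCC leave the control channel encrypted at the moment PASV or PORT is sent, and predicts whether the data connection can be opened. The function names and the sample addresses (10.1.1.20 as the private side, 203.0.113.10 as its NAT mapping) are assumptions.

```python
import ipaddress
import re

# PORT commands and 227 replies carry h1,h2,h3,h4,p1,p2; port = p1*256 + p2 (RFC 959)
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply."""
    m = HOSTPORT_RE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: " + line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode_hostport(ip, port):
    """Inverse of decode_hostport: the tuple an FTP peer puts on the wire."""
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"

def inspect_rewrite(line, mapped_ip):
    """Model of ASA FTP inspection on a cleartext control channel: the private
    address in the payload becomes the NAT-mapped public one, port unchanged."""
    _, port = decode_hostport(line)
    return HOSTPORT_RE.sub(encode_hostport(mapped_ip, port), line, count=1)

def control_encrypted_when(commands, verb, implicit=False):
    """Report whether the control channel is still encrypted when `verb` (PASV or
    PORT) is sent. Implicit FTPS starts encrypted, AUTH TLS turns encryption on,
    CCC turns it off again (the explicit-FTPS workaround described above)."""
    encrypted = implicit
    for cmd in commands:
        word = cmd.split()[0].upper()
        if word == verb:
            return encrypted
        if word == "AUTH":
            encrypted = True
        elif word == "CCC":
            encrypted = False
    raise ValueError(verb + " never sent")

def data_connection_ok(line, mapped_ip, inspection, encrypted):
    """Predict whether the peer receiving `line` can open the data connection.
    mapped_ip is the public address the sender is NATed to (assumed: the sender
    is on a private network behind the ASA, the peer is not)."""
    if inspection and not encrypted:   # inspection only sees cleartext payloads
        line = inspect_rewrite(line, mapped_ip)
    ip, port = decode_hostport(line)
    leaked_private = any(ipaddress.ip_address(ip) in n for n in RFC1918)
    return not leaked_private, ip, port
```

Running the same 227 reply through `data_connection_ok` with inspection on and off, and with the control channel encrypted, reproduces the WORKS/FAILS outcomes listed for each scenario.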

    For more details about the FTP AUTH, PROT, PBSZ, and CCC commands, refer to the following link:

    http://tools.ietf.org/html/rfc2228