Re: [fw-wiz] Active to Passive FTP translator?

From: Mikael Olsson (mikael.olsson@clavister.com)
Date: 11/25/02


From: Mikael Olsson <mikael.olsson@clavister.com>
To: "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
Date: Mon Nov 25 16:56:02 2002

Rogan,

"Dawes, Rogan (ZA - Johannesburg)" wrote:
>
> c) invent/discover an FTP proxy that translates client PASV requests into
> server Active requests.
>
> This has all the benefits of b), plus it does not allow an attack on the
> proxy to repeat through to the internal network. Does such a beast exist?

Yes, I believe it's been done for fwtk as a pure proxy, and we've done
it in our firewall as a full proxy for the command channel and SPF for
the data channel. There _might_ of course be more implementations, but I
personally haven't heard of any.

> Are there any fundamental problems with the approach that I'm not seeing?
> As I see it, the proxy would simply wait for the server to make an incoming
> connection, the client to make an incoming connection, and tie the two
> together. That should also work for uploads, I think?

It works perfectly for all kinds of transfers, and can indeed protect
against all data channel attacks, even 100% RFC compliant evil java
applets, but there are a couple of gotchas:

- You need to be able to _selectively_ enforce FTP modes for the
  client and server end. You don't want to apply the same controls
  for everyone and e.g. keep clients coming in across the internet
  from speaking active mode. It's not your job to protect them, and
  they might not even be capable of speaking passive mode.

- It basically can't fail for protecting the server, as active mode is
  the best mode for the server and they all support it. It CAN however
  "fail" for the client, since there are clients that don't speak
  passive mode. Legacy financial systems and remote antivirus updates
  are notorious in this area. &#%¤&%#¤

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
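The command-channel half of the translating proxy Rogan describes and Mikael confirms, as an added illustration that is not code from the thread, fwtk or Clavister: the client's PASV is swallowed, the server is told via PORT to connect to the proxy's own server-side listener, and the client gets a 227 pointing at the proxy's client-side listener, so the server only ever sees active mode. Sockets and the actual bridging of the two data connections are left out; the addresses and ports are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

PASV_REPLY_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def encode_hostport(ip: str, port: int) -> str:
    """IPv4 address and port in the h1,h2,h3,h4,p1,p2 form used by PORT and 227."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

def decode_hostport(fields) -> tuple[str, int]:
    """Inverse of encode_hostport, for the six numeric fields of a PORT/227."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2

@dataclass
class PasvToActiveTranslator:
    """Command-channel state for one FTP session through the proxy (constructed model).
    client_side_*: where the proxy listens for the client's passive data connection.
    server_side_*: where the proxy listens for the server's active data connection."""
    client_side_ip: str
    client_side_port: int
    server_side_ip: str
    server_side_port: int
    awaiting_port_reply: bool = False

    def from_client(self, line: str) -> tuple[str | None, str | None]:
        """Handle one client command. Returns (to_server, to_client); None = nothing."""
        cmd = line.strip()
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "PASV":
            # Swallow the PASV: tell the server (via PORT) to dial the proxy's
            # server-side listener, and answer the client with our own 227.
            self.awaiting_port_reply = True
            to_server = "PORT " + encode_hostport(self.server_side_ip, self.server_side_port)
            to_client = "227 Entering Passive Mode (%s)" % encode_hostport(
                self.client_side_ip, self.client_side_port)
            return to_server, to_client
        if verb in ("PORT", "EPRT", "EPSV"):
            # Only PASV is translated; refuse anything that would put the server end
            # into passive mode or hand a client-side address to the server.
            return None, "502 %s not permitted through this proxy" % verb
        return cmd, None  # every other command is relayed untouched

    def from_server(self, line: str) -> str | None:
        """Handle one server reply. Returns the line for the client, or None to drop it."""
        reply = line.strip()
        if self.awaiting_port_reply:
            self.awaiting_port_reply = False
            if reply.startswith("200"):
                return None  # this 200 answers *our* PORT, not anything the client sent
        if PASV_REPLY_RE.match(reply):
            return None  # defensive: we never send PASV, so a 227 is never legitimate
        return reply
```

The second gotcha in the mail shows up here as the `502` path: a client that only speaks active mode gets refused unless the proxy is told, per peer, to relax that rule.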

