topic Removing FTP from Global service policy in Network Security

Removing FTP from Global service policy

mahesh18 — Tue, 12 Mar 2019 01:53:07 GMT

Hi Everyone,

I removed FTP from global service policy.

I have no ACL that permits or deny FTP traffic.

But my understanding was if we remove some inspect from global service policy it does not work.

But i am still able to access FTP websites?

Is this default behaviour with global policy?

Regards

MAhesh

Removing FTP from Global service policy

Jouni Forss — Wed, 05 Jun 2013 03:51:20 GMT

Hi Mahesh,

I guess if it has an effect on your FTP connections depends on the type of FTP connection used, Active or Passive.

To my understanding the "inspect ftp" mainly helps with the Active FTP where the Client first connects to the FTP server with Control port TCP/21 and then the server open the Data connection to the Client with the source Data port of TCP/20. So in this case the firewall has to first allow the FTP Control connection (TCP/21) from the Client to the Server. This is usually allowed by your normal ACL rules or if you are using "security-level" configurations only it should also be allowed like any other TCP traffic.

Now when the Server starts to open the Data connection with a source port TCP/20 towards the destination port that the Client told the server over the Control connection we might then run into problems.

So essentially the firewall will be seing an connection attempt coming from the "outside" with the source port TCP/20 and with a destination port TCP/xxxxx. Without "inspect ftp" to my understanding this should be blocked like any other TCP connection you have not allowed.

So the "inspect ftp" configurations purpose is to dynamically allow the FTP Data connection through the firewall when this Data connection is being built from the "outside" to the "inside".

The reason why your FTP connection keeps working even after removing the "inspect ftp" is probably because you are using Passive FTP. In Passive FTP and Client opens both Control and Data connection to the server so there usually isnt anything on the firewall blocking the Client from opening both of these connections. Also we dont need anything on the firewall telling about the Data connections ports because they are being opened from the "inside" of the firewall so the firewall doesnt have to allow any connection initiation from the "outside" like with Active FTP.

Here is one site explaining the 2 FTP types:

http://slacksite.com/other/ftp.html

Here is the ASA Command Reference section explaining the use of "inspect ftp"

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1744171

Here is also some more information related to it

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1234738

- Jouni

Removing FTP from Global service policy

Julio Carvajal — Wed, 05 Jun 2013 04:05:04 GMT

Hello Mahesh,

There is a lot to talk when we referred to FTP and firewalls as this traffic (as many other) relies on opening dynamically Pinholes/data channel for the data traffic.

I am going to be brief on this one but here is an example of how it matters

Imagine the following:

Inside Client----ASA----Outside server running on Active FTP mode:

The inside client will connect to the outside server (From In to Out. Traffic will be allowed) for the managment connection

Then the client will let the Server on which port to connect, so they can start the data exchange (data channel). The connection will be innitiated from the server side (From out to in)

If the ASA is not able to inspect the FTP session , how is it supposed to open the secondary channel? So inspection NEEDED

FTP SERVER ACTIVE---ASA--OUTSIDE CLIENT

If the FTP server it's on the inside interface running active FTP mode, you will be fine as long as you permit from out-in TCP traffic to port 21 to the server, the server will then innitiate the connection to the outside( From in to outside allowed by default) No inspection needed

Now, if we talked about Passive FTP: (Where the client innitiate both connections to the server,)

Inside Client-ASA--Outside Server on passive FTP mode

A beauty for a firewall as the client will innitiate both connections. NO inspection Needed

Inside Server running passive mode--ASA---Outside Client

In this scenario, the client will innitiate both connections, we will allow on the ACL only traffic from the client to the server on port 21..The secondary channel will use a random port, that will be open dynamically.. If we do not have an inspection how is the firewall going to allow the communication.. So Inspection Needed,

Now, if we talked about SFTP or FTPS the discussion would keep going

Hope you have a better idea now,

Regards

Julio Carvajal

Removing FTP from Global service policy

david.tran — Wed, 05 Jun 2013 12:20:39 GMT

jcarvaja wrote:

Inside Client-ASA--Outside Server on passive FTP mode

A beauty for a firewall as the client will innitiate both connections. NO inspection Needed

Isn't that a "security risk"? best practice is to apply ACL on the "inside" interface as well. Otherwise, let say a host on the "inside" interface is compromised/hacked and it will send sensitive information over the Internet to hackers. So this is NOT recommended

Inside Server running passive mode--ASA---Outside Client

Or in this scenario, you can allow inbound tcp high-port (1024-65535) to the destination FTP server if you do not have ftp inspection.

That being said, FTP inspection should be enabled because even with the workaround, without FTP inspection, you will run into especially when FTP client starts using EPSV (enhanced passive mode).

my 2c

Removing FTP from Global service policy

Julio Carvajal — Wed, 05 Jun 2013 15:22:29 GMT

Of course.... If your network has more access-control policies is going to be more secure,

We are talking here about why the inspection is needed or not needed, this discussion is not related about what is more secure....

Removing FTP from Global service policy

mahesh18 — Wed, 05 Jun 2013 19:39:07 GMT

Hi Everyone,

Thanks to all of you for answering the question.

Its lot of info about FTP and i will go through it.

Best regards

Mahesh