06-04-2013 08:14 PM - edited 03-11-2019 06:53 PM
Hi Everyone,
I removed FTP from the global service policy.
I have no ACL that permits or denies FTP traffic.
But my understanding was that if we remove an inspect from the global service policy, it does not work.
But I am still able to access FTP websites?
Is this the default behaviour with the global policy?
Regards
Mahesh
06-04-2013 08:51 PM
Hi Mahesh,
I guess whether it has an effect on your FTP connections depends on the type of FTP connection used, Active or Passive.
To my understanding the "inspect ftp" mainly helps with Active FTP, where the Client first connects to the FTP server on the Control port TCP/21 and then the server opens the Data connection to the Client with the source Data port of TCP/20. So in this case the firewall has to first allow the FTP Control connection (TCP/21) from the Client to the Server. This is usually allowed by your normal ACL rules, or if you are using "security-level" configurations only, it should also be allowed like any other TCP traffic.
Now when the Server starts to open the Data connection with a source port of TCP/20 towards the destination port that the Client told the server over the Control connection, we might then run into problems.
So essentially the firewall will be seeing a connection attempt coming from the "outside" with the source port TCP/20 and with a destination port TCP/xxxxx. Without "inspect ftp", to my understanding this should be blocked like any other TCP connection you have not allowed.
So the purpose of the "inspect ftp" configuration is to dynamically allow the FTP Data connection through the firewall when this Data connection is being built from the "outside" to the "inside".
The reason why your FTP connection keeps working even after removing the "inspect ftp" is probably because you are using Passive FTP. In Passive FTP the Client opens both the Control and the Data connection to the server, so there usually isn't anything on the firewall blocking the Client from opening both of these connections. Also we don't need anything on the firewall telling it about the Data connection's ports, because they are being opened from the "inside" of the firewall, so the firewall doesn't have to allow any connection initiation from the "outside" like with Active FTP.
Here is one site explaining the 2 FTP types:
http://slacksite.com/other/ftp.html
Here is the ASA Command Reference section explaining the use of "inspect ftp"
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1744171
Here is also some more information related to it
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1234738
- Jouni
06-04-2013 09:05 PM
Hello Mahesh,
There is a lot to talk about when we refer to FTP and firewalls, as this traffic (like many others) relies on dynamically opening pinholes/data channels for the data traffic.
I am going to be brief on this one, but here is an example of how it matters.
Imagine the following:
Inside Client----ASA----Outside server running in Active FTP mode:
The inside client will connect to the outside server (from In to Out; traffic will be allowed) for the management connection.
Then the client will let the Server know on which port to connect, so they can start the data exchange (data channel). The connection will be initiated from the server side (from Out to In).
If the ASA is not able to inspect the FTP session, how is it supposed to open the secondary channel? So inspection NEEDED.
FTP SERVER ACTIVE---ASA--OUTSIDE CLIENT
If the FTP server is on the inside interface running in active FTP mode, you will be fine as long as you permit out-to-in TCP traffic to port 21 on the server; the server will then initiate the connection to the outside (from In to Out, allowed by default). No inspection needed.
Now, if we talk about Passive FTP (where the client initiates both connections to the server):
Inside Client-ASA--Outside Server in passive FTP mode
A beauty for a firewall, as the client will initiate both connections. NO inspection needed.
Inside Server running passive mode--ASA---Outside Client
In this scenario, the client will initiate both connections; we will allow on the ACL only traffic from the client to the server on port 21. The secondary channel will use a random port that will be opened dynamically. If we do not have inspection, how is the firewall going to allow the communication? So inspection Needed.
Now, if we talked about SFTP or FTPS the discussion would keep going
Hope you have a better idea now,
Regards
Julio Carvajal
06-05-2013 05:20 AM
jcarvaja wrote:
Inside Client-ASA--Outside Server in passive FTP mode
A beauty for a firewall, as the client will initiate both connections. NO inspection needed.
Isn't that a "security risk"? Best practice is to apply an ACL on the "inside" interface as well. Otherwise, let's say a host on the "inside" interface is compromised/hacked and it will send sensitive information over the Internet to hackers. So this is NOT recommended.
Inside Server running passive mode--ASA---Outside Client
In this scenario, the client will initiate both connections; we will allow on the ACL only traffic from the client to the server on port 21. The secondary channel will use a random port that will be opened dynamically. If we do not have inspection, how is the firewall going to allow the communication? So inspection Needed.
Or in this scenario, you can allow inbound TCP high ports (1024-65535) to the destination FTP server if you do not have FTP inspection.
That being said, FTP inspection should be enabled, because even with the workaround, without FTP inspection you will run into problems, especially when the FTP client starts using EPSV (enhanced passive mode).
My 2c
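The active/passive cases that Jouni and Julio walk through above, as an added example that is not part of this thread and not Cisco's code: a small Python model of what FTP inspection has to read off the control channel. It parses PORT, 227 (PASV) and 229 (EPSV) lines from constructed exchanges and reports who opens the data connection and whether it is built from the outside in, which is the case that needs a dynamic pinhole. The INSIDE/OUTSIDE labels, the "C:"/"S:" line prefixes and the addresses are assumptions of the example.

```python
import re

INSIDE, OUTSIDE = "inside", "outside"

def parse_hostport(arg):
    """Parse the RFC 959 'h1,h2,h3,h4,p1,p2' form used by PORT and by 227 replies."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("expected 6 comma-separated fields: %r" % arg)
    nums = [int(p) for p in parts]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("octet out of range: %r" % arg)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def parse_pasv_reply(reply):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' -> (ip, port)."""
    m = re.search(r"\((\d+,\d+,\d+,\d+,\d+,\d+)\)", reply)
    if not m:
        raise ValueError("no host/port tuple in 227 reply: %r" % reply)
    return parse_hostport(m.group(1))

def parse_epsv_reply(reply):
    """'229 Entering Extended Passive Mode (|||port|)' -> port; RFC 2428 carries no address."""
    m = re.search(r"\(\|\|\|(\d{1,5})\|\)", reply)
    if not m:
        raise ValueError("no port in 229 reply: %r" % reply)
    return int(m.group(1))

def plan_data_channel(control_lines, client_side, server_ip):
    """Walk constructed control-channel lines ('C: ...' from the client, 'S: ...' from
    the server) and report who opens the data connection, where it goes, and whether
    it is built from the outside in (the case 'inspect ftp' has to pinhole)."""
    server_side = OUTSIDE if client_side == INSIDE else INSIDE
    for line in control_lines:
        who, _, text = line.partition(" ")
        if who == "C:" and text.upper().startswith("PORT "):
            # Active mode: the server connects from TCP/20 to the port the client announced.
            initiator, dst = server_side, parse_hostport(text[5:])
        elif who == "S:" and text.startswith("227 "):
            initiator, dst = client_side, parse_pasv_reply(text)      # passive mode
        elif who == "S:" and text.startswith("229 "):
            # Extended passive: only the port is announced, the address is the control peer.
            initiator, dst = client_side, (server_ip, parse_epsv_reply(text))
        else:
            continue
        return {"initiator": initiator, "dst": dst, "needs_pinhole": initiator == OUTSIDE}
    return None   # no data channel negotiated on this control session

# Constructed control-channel exchanges for the scenarios discussed in the thread.
ACTIVE = ["C: USER anon", "S: 230 Logged in", "C: PORT 10,1,1,5,4,1"]
PASSIVE = ["C: PASV", "S: 227 Entering Passive Mode (203,0,113,7,195,80)."]
EXTPASV = ["C: EPSV", "S: 229 Entering Extended Passive Mode (|||50000|)"]
```

Run `plan_data_channel(ACTIVE, INSIDE, "203.0.113.7")` for inside client/outside active server and `plan_data_channel(PASSIVE, OUTSIDE, "10.1.1.20")` for inside passive server/outside client; both report `needs_pinhole: True`, the two cases Julio marks as "inspection NEEDED".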
06-05-2013 08:22 AM
Isn't that a "security risk"? Best practice is to apply an ACL on the "inside" interface as well. Otherwise, let's say a host on the "inside" interface is compromised/hacked and it will send sensitive information over the Internet to hackers. So this is NOT recommended.
Of course.... If your network has more access-control policies, it is going to be more secure.
We are talking here about why the inspection is needed or not needed; this discussion is not about what is more secure....
06-05-2013 12:39 PM
Hi Everyone,
Thanks to all of you for answering the question.
It's a lot of info about FTP and I will go through it.
Best regards
Mahesh