Removing FTP from Global service policy

mahesh18
Level 6

Hi Everyone,

I removed FTP  from global service policy.

I have no ACL that permits or deny FTP traffic.

But my understanding was if we remove some inspect from global service policy it does not work.

But i am still able to access FTP websites?

Is this default behaviour with global policy?

Regards

MAhesh


5 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

I guess if it has an effect on your FTP connections depends on the type of FTP connection used, Active or Passive.

To my understanding the "inspect ftp" mainly helps with Active FTP, where the Client first connects to the FTP server on the Control port TCP/21 and then the server opens the Data connection to the Client with the source Data port of TCP/20. So in this case the firewall has to first allow the FTP Control connection (TCP/21) from the Client to the Server. This is usually allowed by your normal ACL rules, or if you are using "security-level" configurations only, it should also be allowed like any other TCP traffic.

Now when the Server starts to open the Data connection with a source port of TCP/20 towards the destination port that the Client told the server over the Control connection, we might then run into problems.

So essentially the firewall will be seeing a connection attempt coming from the "outside" with the source port TCP/20 and with a destination port TCP/xxxxx. Without "inspect ftp", to my understanding this should be blocked like any other TCP connection you have not allowed.

So the "inspect ftp" configuration's purpose is to dynamically allow the FTP Data connection through the firewall when this Data connection is being built from the "outside" to the "inside".

The reason why your FTP connection keeps working even after removing the "inspect ftp" is probably because you are using Passive FTP. In Passive FTP the Client opens both the Control and the Data connection to the server, so there usually isn't anything on the firewall blocking the Client from opening both of these connections. Also we don't need anything on the firewall telling about the Data connection's ports, because they are being opened from the "inside" of the firewall, so the firewall doesn't have to allow any connection initiation from the "outside" like with Active FTP.

Here is one site explaining the 2 FTP types:

http://slacksite.com/other/ftp.html

Here is the ASA Command Reference section explaining the use of "inspect ftp"

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i2.html#wp1744171

Here is also some more information related to it

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_basic.html#wp1234738

- Jouni

Julio Carvajal
VIP Alumni

Hello Mahesh,

There is a lot to talk about when we refer to FTP and firewalls, as this traffic (like many others) relies on dynamically opening pinholes/data channels for the data traffic.

I am going to be brief on this one, but here is an example of how it matters.

Imagine the following:

Inside Client----ASA----Outside server running in Active FTP mode:

The inside client will connect to the outside server (from In to Out; traffic will be allowed) for the management connection.

Then the client will let the Server know on which port to connect, so they can start the data exchange (data channel). The connection will be initiated from the server side (from Out to In).

If the ASA is not able to inspect the FTP session, how is it supposed to open the secondary channel? So inspection NEEDED.

FTP SERVER ACTIVE---ASA--OUTSIDE CLIENT

If the FTP server is on the inside interface running in active FTP mode, you will be fine as long as you permit from out-in TCP traffic to port 21 to the server; the server will then initiate the connection to the outside (from in to outside, allowed by default). No inspection needed.

Now, if we talk about Passive FTP (where the client initiates both connections to the server):

Inside Client-ASA--Outside Server in passive FTP mode

A beauty for a firewall, as the client will initiate both connections. NO inspection needed.

Inside Server running passive mode--ASA---Outside Client

In this scenario the client will initiate both connections; we will allow on the ACL only traffic from the client to the server on port 21. The secondary channel will use a random port that will be opened dynamically. If we do not have inspection, how is the firewall going to allow the communication? So inspection needed.

Now, if we talked about SFTP or FTPS, the discussion would keep going.

Hope you have a better idea now,

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

jcarvaja wrote:

Inside Client-ASA--Outside Server in passive FTP mode

A beauty for a firewall, as the client will initiate both connections. NO inspection needed.

Isn't that a "security risk"? Best practice is to apply an ACL on the "inside" interface as well. Otherwise, let's say a host on the "inside" interface is compromised/hacked and it will send sensitive information over the Internet to hackers. So this is NOT recommended.

Inside Server running passive mode--ASA---Outside Client

In this scenario the client will initiate both connections; we will allow on the ACL only traffic from the client to the server on port 21. The secondary channel will use a random port that will be opened dynamically. If we do not have inspection, how is the firewall going to allow the communication? So inspection needed.

Or in this scenario, you can allow inbound TCP high ports (1024-65535) to the destination FTP server if you do not have FTP inspection.

That being said, FTP inspection should be enabled, because even with the workaround, without FTP inspection you will run into problems, especially when the FTP client starts using EPSV (enhanced passive mode).

my 2c
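The three control-channel messages this thread turns on (PORT for active FTP, the 227 reply for passive FTP and the 229 reply for EPSV) and the "who initiates the data connection" rule from Jouni's and Julio's replies, as an added Python example that is not from the thread or from Cisco. The addresses and ports are constructed, and the inside/outside model deliberately ignores any explicit high-port ACL workaround, so it reports only whether the data connection would arrive from the "outside".

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class DataChannel:
    mode: str        # "active", "passive" or "extended-passive"
    initiator: str   # "client" or "server": the side that opens the data connection
    host: str        # address the data connection is made to
    port: int        # destination TCP port of the data connection

def parse_ftp_control(line: str, server_addr: str) -> Optional[DataChannel]:
    """Recover the data channel announced by one FTP control-channel line; None otherwise.
    server_addr is the FTP server's address on the control connection (used only for EPSV,
    whose reply carries no address)."""
    text = line.strip()
    # Active: the client sends "PORT h1,h2,h3,h4,p1,p2" and the server then
    # connects from TCP/20 to h1.h2.h3.h4 on port p1*256+p2.
    m = re.match(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", text, re.I)
    if m:
        g = m.groups()
        return DataChannel("active", "server", ".".join(g[:4]), int(g[4]) * 256 + int(g[5]))
    # Passive: the server answers "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
    # and the client then connects to that address and port.
    m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", text)
    if m:
        g = m.groups()
        return DataChannel("passive", "client", ".".join(g[:4]), int(g[4]) * 256 + int(g[5]))
    # Extended passive (EPSV, RFC 2428): "229 Entering Extended Passive Mode (|||port|)".
    # No address is given, so the client connects to the server it is already talking to.
    m = re.match(r"229 .*\(\|\|\|(\d+)\|\)", text)
    if m:
        return DataChannel("extended-passive", "client", server_addr, int(m.group(1)))
    return None

def needs_inspection(channel: DataChannel, client_side: str) -> bool:
    """True when the data connection would be initiated from "outside" towards
    "inside", i.e. only "inspect ftp" (or an explicit ACL) could admit it.
    client_side is "inside" or "outside"; the server sits on the other interface.
    """
    server_side = "outside" if client_side == "inside" else "inside"
    initiator_side = client_side if channel.initiator == "client" else server_side
    return initiator_side == "outside"

if __name__ == "__main__":
    # Constructed sample lines (not taken from the thread).
    for line in ("PORT 10,1,1,50,195,80", "227 Entering Passive Mode (203,0,113,10,196,40)"):
        ch = parse_ftp_control(line, "203.0.113.10")
        print(line, "->", ch, "| inspection needed with inside client:", needs_inspection(ch, "inside"))
```

Running it with an inside client reproduces the thread's four cases: active FTP needs inspection, passive does not, and swapping client_side to "outside" (an inside server) inverts both answers.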

Isn't that a "security risk"? Best practice is to apply an ACL on the "inside" interface as well. Otherwise, let's say a host on the "inside" interface is compromised/hacked and it will send sensitive information over the Internet to hackers. So this is NOT recommended.

Of course.... If your network has more access-control policies, it is going to be more secure.

We are talking here about why the inspection is needed or not needed; this discussion is not about what is more secure....

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Everyone,

Thanks to all of you for answering the question.

It's a lot of info about FTP and I will go through it.

Best regards

Mahesh
