D-Link DFL-210 Product Manual - Page 244
The FTP ALG, NetDefend Firewall.
Chapter 6. Security Mechanisms

... equivalent to a large number of possible URLs. The wildcard character "*" can be used to represent any sequence of characters. For example, the entry *.some_domain.com will block all pages whose URLs end with some_domain.com. If one particular page should then be explicitly allowed, this can be done with a whitelist entry of the form my_page.my_company.com; the blacklist will not prevent this page from being reachable, since the whitelist has precedence.

Deploying an HTTP ALG

As mentioned in the introduction, the HTTP ALG object is brought into use by first associating it with a service object and then associating that service object with an IP rule in the IP rule set. A number of predefined HTTP services can be used with the ALG; for example, the http service might be selected for this purpose. As long as the service is associated with an IP rule, the ALG will be applied to the traffic targeted by that IP rule. The https service (which is also included in the http-all service) cannot be used with an HTTP ALG, since HTTPS traffic is encrypted and the ALG cannot inspect it.

6.2.3. The FTP ALG

File Transfer Protocol (FTP) is a TCP/IP-based protocol for exchanging files between a client and a server. The client initiates the session by connecting to the FTP server. Normally the client must authenticate itself by providing a predefined login name and password. After granting access, the server provides the client with a file/directory listing from which it can download or upload files (depending on its access rights). The FTP ALG is used to manage FTP connections through the NetDefend Firewall.

FTP Connections

FTP uses two communication channels: one for control commands and one for the actual files being transferred. When an FTP session is opened, the FTP client establishes a TCP connection (the control channel) to port 21 (by default) on the FTP server. What happens after this point depends on the FTP mode being used.
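The blacklist/whitelist precedence and "*" wildcard rules described for the HTTP ALG above, as an added worked example (this code is written for this page and is not the NetDefend firmware's implementation or anything from the manual). It assumes that "*" is the only wildcard, that an entry is compared against the whole URL string, and that matching is case-insensitive; the list contents are constructed, with *.my_company.com added to the manual's two entries so that the precedence rule is exercised.

```python
import re

# Constructed example lists for illustration. The manual's own examples are the
# blacklist entry "*.some_domain.com" and the whitelist entry
# "my_page.my_company.com"; "*.my_company.com" is added here to show that a
# whitelist entry wins over an overlapping blacklist entry.
BLACKLIST = ["*.some_domain.com", "*.my_company.com"]
WHITELIST = ["my_page.my_company.com"]


def entry_to_regex(entry):
    """Compile one list entry into a regular expression.

    Only "*" is a wildcard (any sequence of characters); every other
    character is matched literally. Case-insensitive matching is an
    assumption made here, not something this manual page specifies.
    """
    literal_parts = [re.escape(part) for part in entry.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


def matches_any(url, entries):
    """True if the URL matches at least one entry of the list."""
    return any(entry_to_regex(e).match(url) for e in entries)


def url_allowed(url, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Return True if the URL may be fetched.

    The whitelist has precedence: a URL matching any whitelist entry is
    allowed even if it also matches a blacklist entry. Otherwise any
    blacklist match blocks it, and a URL on neither list is allowed.
    """
    if matches_any(url, whitelist):
        return True
    if matches_any(url, blacklist):
        return False
    return True


if __name__ == "__main__":
    for u in ["www.some_domain.com", "other.my_company.com",
              "my_page.my_company.com", "www.example.org"]:
        print("%-28s %s" % (u, "allow" if url_allowed(u) else "block"))
```

One caveat worth checking against a real configuration: read literally, *.some_domain.com requires a character sequence followed by a dot, so the bare name some_domain.com is not matched by that entry alone. If both the domain and its subdomains are to be blocked, list both forms, and verify the device's behaviour with a test URL before relying on it.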
FTP Connection Modes

FTP operates in two modes, active and passive. These determine which side opens the data channel between client and server.

• Active Mode
In active mode, the FTP client sends a command to the FTP server indicating which IP address and port the server should connect to. The FTP server then establishes the data channel back to the FTP client using the received address information.

• Passive Mode
In passive mode, the data channel is opened by the FTP client to the FTP server, just like the control channel. This is the mode most often recommended as the default for FTP clients, though some advice recommends the opposite.

A Discussion of FTP Security Issues

Both active and passive modes of FTP operation present problems for NetDefend Firewalls.
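An added example (not from the manual or the NetDefend firmware) of the control-channel parsing an FTP ALG has to perform to learn the data channel for each mode. In active mode the client's announcement is the RFC 959 PORT command; in passive mode the server's announcement is the 227 reply. Both carry the address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2. The client and server addresses and the exchange below are constructed, and the announced_matches_peer consistency check is a practitioner's addition that this manual page does not describe.

```python
import re

FTP_CONTROL_PORT = 21  # control channel, as described above

# RFC 959 encodes an address and port as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
_HOSTPORT_RE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Extract (ip, port) from a PORT command or a 227 reply line."""
    m = _HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("field out of range in %r" % text)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


def data_channel(control_line, client_ip, server_ip):
    """Classify one control-channel line.

    Returns None for lines that do not announce a data channel. Otherwise
    returns a dict saying which side will open the data connection and to
    which address and port, which is exactly what the firewall has to permit
    dynamically. 'announced_matches_peer' is an extra consistency check (not
    on this manual page): the announced address should be the address of the
    side that is going to receive the data connection.
    """
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        ip, port = parse_hostport(line)
        return {"mode": "active", "opened_by": "server",
                "target_ip": ip, "target_port": port,
                "announced_matches_peer": ip == client_ip}
    if line.startswith("227 "):
        ip, port = parse_hostport(line)
        return {"mode": "passive", "opened_by": "client",
                "target_ip": ip, "target_port": port,
                "announced_matches_peer": ip == server_ip}
    return None


# Constructed control-channel exchange (not a real capture).
CLIENT_IP, SERVER_IP = "192.0.2.10", "198.51.100.20"
EXCHANGE = [
    ("client", "USER anonymous\r\n"),
    ("client", "PORT 192,0,2,10,4,1\r\n"),                               # active
    ("server", "227 Entering Passive Mode (198,51,100,20,195,80).\r\n"),  # passive
]


def summarize(exchange=EXCHANGE):
    """Return the data channels announced in the exchange, in order."""
    found = []
    for _side, line in exchange:
        result = data_channel(line, CLIENT_IP, SERVER_IP)
        if result is not None:
            found.append(result)
    return found


if __name__ == "__main__":
    for r in summarize():
        print("%-7s mode: %s opens data channel to %s:%d (address matches peer: %s)"
              % (r["mode"], r["opened_by"], r["target_ip"], r["target_port"],
                 r["announced_matches_peer"]))
```

Running it shows the asymmetry the two modes create for a firewall: in active mode the pinhole must admit an inbound connection from the server to a client port chosen by the client (192.0.2.10:1025 here), while in passive mode it must admit an outbound connection to a server port chosen by the server (198.51.100.20:50000). Without the ALG reading these announcements, neither data channel matches any static rule.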