D-Link DFL-260E User Manual for DFL-260E - Page 273
Note: Some commands are never allowed, Control Channel Restrictions, Filetype Checking
View all D-Link DFL-260E manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 273 highlights
6.2.3. The FTP ALG Chapter 6. Security Mechanisms standard set. • Allow the SITE EXEC command to be sent to an FTP server by a client. • Allow the RESUME command even if content scanning terminated the connection. Note: Some commands are never allowed Some commands, such as encryption instructions, are never allowed. Encryption would mean that the FTP command channel could not be examined by the ALG and the dynamic data channels could not be opened. Control Channel Restrictions The FTP ALG also allows restrictions to be placed on the FTP control channel which can improve the security of FTP connections. These are: • Maximum line length in control channel Creating very large control channel commands can be used as a form of attack against a server by causing buffer overruns This restriction combats this threat. The default value is 256 If very long file or directory names on the server are used then this limit may need to be raised. The shorter the limit, the better the security. • Maximum number of commands per second To prevent automated attacks against FTP server, restricting the frequency of commands can be useful. The default limit is 20 commands per second. • Allow 8-bit strings in control channel The option determines if 8-bit characters are allowed in the control channel. Allowing 8-bit characters enables support for filenames containing international characters. For example, accented or umlauted characters. Filetype Checking The FTP ALG offers the same filetype verification for downloaded files that is found in the HTTP ALG. This consists of two separate options: • MIME Type Verification When enabled, NetDefendOS checks that a download's stated filetype matches the file's contents. Mismatches result in the download being dropped. • Allow/Block Selected Types If selected in blocking mode, specified filetypes are dropped when downloaded. If selected in allow mode, only the specified filetypes are allowed as downloads. NetDefendOS also performs a check to make sure the filetype matches the contents of the file. New filetypes can be added to the predefined list of types. The above two options for filetype checking are the same as those available in the HTTP ALG and are more fully described in Section 6.2.2, "The HTTP ALG". 273