Allowing encrypted FTP traffic

Kristian Leth
Level 1

Hello guys.

I have just bought an ASA5505, and I'm having some issues with my FTPS server now.

First of all, here is my network setup:

Internet ->

ISP Router ( IP 192.168.1.1 - forwards FTPS port 990 to 192.168.1.2) ->

ASA5505 (IP 192.168.1.2 on outside, and inside it 192.168.2.x) ->

FTPS server (IP 192.168.2.11)

This setup can't be changed due to my ISP.

But before I bought the ASA5505, the FTPS was working just fine.

Now only the FTP traffic is working on port 21, so I asked on the FileZilla forum why this kept happening.

***NOTE*** The ASA5505 allows the packets through the firewall, but won't allow a "data" connection to open - so people log in just fine, but can't see all of their folders.

On the FileZilla forum they said that it's because the router (ASA5505) is tampering with the packets.

https://forum.filezilla-project.org/viewtopic.php?f=6&t=31513

https://wiki.filezilla-project.org/Network_Configuration#Malicious_routers.2C_firewalls_and_data_sabotage

So how can I make the ASA5505 not tamper with the packets, or try to inspect them?

12 Replies

Richard Burts
Hall of Fame

Usually inspection of ftp is enabled on ASA5500 in the global policy. Check the global policy on your ASA and see if FTP is included in the list of protocols to inspect. If it is there, then change the config to remove it.

HTH

Rick

Hello.

Where is the global policy?

The global policy is in the ASA configuration near the bottom. If you are not sure where it is then perhaps the best thing is to ask you to post the configuration of the ASA (after masking out sensitive information such as public IP addresses and passwords).

HTH

Rick

Hi Kristian,

Kindly enable the FTP inspection engine on your 5505.

policy-map global_policy
 class inspection_default
  inspect ftp

hobbe
Level 7

You will "always" have problems with FTPS through a firewall.

This is due to the fact that FTPS is a firewall-unfriendly protocol and something that should not be used in a modern world.

You are better off using e.g. SFTP. So if you have the possibility, my best advice would be to switch.

This is a general problem with the protocol itself, not the firewall.

The issue is that basically you will have to choose security or functionality; you cannot have both.

I.e. if you want security, then you cannot make FTPS function in an ASA.

This is due to the fact that the port and other information is exchanged between the server and the client within an encrypted environment that the firewall does not have access to, so to make FTPS work through the firewall you will have to lower the defences, i.e. let everything through that the FTPS server might want to open up ports for, which normally would mean any port 1023+.

Historically, in FTP this problem is mitigated by the inspection of FTP control packets, so that the firewall knows what the server and the client agree upon when it comes to ports and so on and can take appropriate action.

Of course someone thinks (and is right) that FTP is not safe enough, being in cleartext and all that.

So how do we fix that it is not safe enough? Why don't we just SSL encrypt it like we did with HTTP, and presto, FTPS is born, with all the historical problems of FTP.

There are some mitigations to this problem in FTPS, i.e. in some server software you can choose a narrower range of ports, but the basic problem is today unavoidable.

SFTP does not have this limitation due to it being a totally different protocol and firewall friendlier, i.e. everything goes on the same port, so if it is possible I strongly urge you to go with SFTP instead of FTPS.

Good luck

Hope This Helps

Hello.

I will ask on the FileZilla forum if it's possible to set it up as SFTP and not FTPS.

Thanks so far, I'll get back to you.

I've got the answer from them:

Quote:

I've got a reply from Cisco, and they say that I should use SFTP instead of FTPS.

That's a stupid answer that completely avoids answering your question.

Quote:

You will "always" have problems with FTPS through a firewall.
This is due to the fact that FTPS is a firewall-unfriendly protocol and something that should not be used in a modern world.

That is simply not true. FTPS is very firewall friendly; all it requires is a little bit of configuration.

Quote:

Is it possible to make filezilla run on SFTP?

Except for the same letters in the name and a similar purpose, FTPS and SFTP are two completely different protocols that have nothing in common. FileZilla Server only speaks FTP(S).

Kristian

"I've got a reply from Cisco, and they say that I should use SFTP instead of FTPS."

Actually this is not a reply from Cisco; it is from a poster on the Netpro site. Please understand that Cisco does not endorse any views or answers given on these forums, so it's best not to quote them as being the source of the answer.

"That is simply not true. FTPS is very firewall friendly; all it requires is a little bit of configuration."

Did they tell you what that configuration might be? My understanding is that you can configure FTPS to only use a restricted set of ports for the data link and then allow these through the firewall. But this does come back to the point made by hobbe in his post, i.e. you still have to open a range of ports to allow the connection through, so it is less secure than a protocol that does not require this.

I have no experience with FTPS, but if you do need to open up a range of ports (whether limited or not) I wouldn't say that makes FTPS particularly firewall friendly. In my opinion a firewall-friendly protocol is one which requires no extra ports to be opened other than the actual port in use, e.g. FTP was known as a firewall-unfriendly protocol because of this very problem, i.e. the need to open additional ports for the data connection. That is why firewall vendors added inspection for FTP, so they could dynamically open the additional port for data.

Enabling FTP inspection will not help here because, as already pointed out, the firewall cannot see the actual ports in use, as they are hidden from it.

Perhaps you could post back to the other forum and ask exactly what configuration is required for the FTPS connection on the server, but I suspect you will still need to open additional ports to get this to work.

Jon

Hello.

I'm sorry that I said that Cisco had commented on this - my bad.

About the ports... I have a range of ports for passive data transfer (50000-500030). These ports are also used for FTP transfers - and are working fine. So I don't believe that it's the FTPS server at this point.

Also, if I connect to the FTPS server from another virtual server (the server never gets to ask the firewall about a connection, because the Hyper-V virtual switch does the job internally between the hosts and the FTPS server), then all my backup software and FTPS connections work perfectly.

Hi Kristian

Sorry for the delayed answer to your post.

"That's a stupid answer that completely avoids answering your question."

If the only explanation you had been given was the line that you should use SFTP instead, then I can understand why this person feels that way. But you did get a more detailed explanation than that.

"That is simply not true. FTPS is very firewall friendly; all it requires is a little bit of configuration."

I will respond with a more thorough explanation of why this is not right below the line. I still state that FTPS is firewall unfriendly and it should not be used.

"Except for the same letters in the name and a similar purpose, FTPS and SFTP are two completely different protocols that have nothing in common. FileZilla Server only speaks FTP(S)."

I agree that the 2 protocols have nothing in common.

------------------------

I have extensive knowledge of the three different protocols we are talking about, and I manage firewalls that pass traffic from all three of them, sometimes at the same time.

OK, here is my explanation.

We start at the beginning. In the beginning there was FTP. FTP is a protocol that uses the concept of dynamic opening of ports, i.e. you have a control channel, and when you transfer information you do that over a dynamically opened port.

In the beginning this was a big problem for firewalls: how could the firewalls know what ports to open and when to open them? This led to problems where you had to pre-open ports for anyone you wanted to be able to connect with, which on the internet was just about everyone, and since the ports were dynamically opened you had to open the whole span from 1023 to 65535. Opening all high ports on a machine results in the firewall being unable to help the host stay secure. This, as you can understand, is a less than desirable result from a security standpoint.

Then someone realised that they can take a look in the control channel.

This is what Cisco called Fixup protocol and now calls inspect; other vendors e.g. call it Deep Packet Inspection, ALG (Application Layer Gateway) and so on. This lets the firewall look into the control channel and open the ports needed for communication when they are needed, and only for the intended communication peers, i.e. FTP server/client.

With this the hosts were once again protected by the firewall, and all seemed well from that perspective.

Along comes someone and proclaims, rightly, that we have a security problem here: the username and password are transferred in cleartext, and all the information is also transferred in cleartext; this is unacceptable. How do we solve this? Well, we can do what we did to HTTP and make HTTPS; why not do the same and use SSL/TLS?

Thus FTPS is born.

So what does this mean? It means that the control channel now is encrypted, but FTP still works in fundamentally the same way. Since the control channel now is encrypted, the firewalls are back to the point before the inspect possibility, and that means that they cannot help the host stay secure. We are now back to the point where we have to open all possible ports that might be used (in your case you have closed it down to 50000-50030) to anyone who might want to use the FTPS server, and the ports need to be always open. This creates a hole in the firewall protection of your host. This is also why I call the protocol firewall unfriendly.

SFTP does not have this problem since it does not use dynamically opened ports.

This is the reason why we are leaving FTPS and FTP and moving to SFTP, and why I recommend that solution.

I speak to customers who want to use FTPS at least once or twice a month, mostly due to IIS servers and Microsoft software. Sometimes they have made adaptations to their software, and then I get to hear the same arguments as you have heard, and I have to explain to them (customers and app developers) that getting the traffic through the firewall is not a problem per se; it's dropping the security stance that is the problem. That we can get the traffic through the firewall does not mean the firewall supports it. There is a difference.

Hope this clears up things a bit.

To make your stuff work with the firewall you need to allow the port you have chosen as control channel and ports 50000-50030 from anyone talking to it in your access-lists towards your unit, and if you are using PAT/NAT you need to PAT/NAT all ports involved too.

When it comes to FileZilla supporting or not supporting, of course a developer of software who does not have a functionality will want to steer you towards a functionality they have. That is just human nature.

Good luck

HTH
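To make concrete the mechanism hobbe describes (the firewall's FTP inspector parsing the control channel for the dynamically announced data port, and the encrypted FTPS control channel defeating that so only a standing hole for the whole passive range remains), here is an added example; it is not code from this thread, from Cisco or from FileZilla, and the session lines, hostnames and the 50000-50030 range are constructed to match the discussion:

```python
import re

# RFC 959 formats: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply and
# "PORT h1,h2,h3,h4,p1,p2" command; the data port is p1 * 256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$", re.M)

def data_endpoint(line):
    """Return the (ip, port) a PASV reply or PORT command announces, else None."""
    m = PASV_RE.search(line) or PORT_RE.search(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def inspect_control_channel(lines, static_range=None):
    """Model of the firewall's FTP inspector ("fixup"/ALG).

    Each readable PASV/PORT line yields one pinhole for exactly that endpoint.
    If nothing is readable (control channel is TLS ciphertext) the only way to
    pass data connections is a standing hole for the whole passive range.
    """
    pinholes = [ep for ep in map(data_endpoint, lines) if ep]
    if pinholes:
        return {"mode": "dynamic", "pinholes": pinholes}
    if static_range is None:
        return {"mode": "blocked", "pinholes": []}   # no pinhole, data stalls
    lo, hi = static_range
    return {"mode": "static", "pinholes": [("any", p) for p in range(lo, hi + 1)]}

# Constructed cleartext FTP session: the inspector can read the 227 reply.
CLEAR_FTP = [
    "220 FileZilla Server ready\r\n", "USER backup\r\n", "331 Password required\r\n",
    "PASS ********\r\n", "230 Logged on\r\n", "PASV\r\n",
    "227 Entering Passive Mode (192,168,2,11,195,88)\r\n",  # 195*256+88 = 50008
]

# Constructed explicit-FTPS session: after AUTH TLS every byte the firewall
# sees is a TLS record (content type 0x17 = application data), not FTP text.
FTPS_SESSION = [
    "220 FileZilla Server ready\r\n", "AUTH TLS\r\n",
    "234 Using authentication type TLS\r\n",
    "17 03 03 00 2a 9f 4e 1b c0 77 ... (constructed ciphertext, PASV hidden)",
]

if __name__ == "__main__":
    print(inspect_control_channel(CLEAR_FTP))
    print(inspect_control_channel(FTPS_SESSION, static_range=(50000, 50030)))
```

The cleartext run opens a single pinhole to 192.168.2.11:50008 only when announced; the FTPS run yields 31 permanently open ports to anyone, which is the "hole in the firewall protection" the post refers to.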

Hello.

Thank you for your time to reply to me - really appreciate it.

"That's a stupid answer that completely avoids answering your question."

"If the only explanation you had been given was the line that you should use SFTP instead, then I can understand why this person feels that way. But you did get a more detailed explanation than that."

The FileZilla poster has looked in here, and replied at the FileZilla forum.

I will try to work something out, but how can it be that SFTP does not use passive ports? How can it then contain multiple connections?

***EDIT***

Hobbe?

You sound like you know a lot about both FTP servers and ASA firewalls.

Do you know a free SFTP solution for Windows servers, and that has a file transfer console like FileZilla?

Hi

SFTP is a different protocol than FTPS and thus it does things differently.

I know of free SFTP solutions for Windows, but I do not know FileZilla, so I do not know how or what the file transfer console is or what it does.

We either use paid versions of file transfer software or special software developed by and for us.

But I would look into CoreFTP, which has some sort of a free version, or maybe SolarWinds, which has a very small and easy SFTP server.

Or do a Google search for free SFTP servers.

Good luck

HTH
