File Transfer Protocol
Cisco ASA FTP application inspection examines the FTP sessions to provide the following features:
- Enhanced security while creating dynamic secondary data connections for FTP transfers
- Enforcement of FTP command-response sequence
- Generation an audit trail for FTP sessions
- Translation of embedded IP address
Use the inspect ftp command to enable FTP inspection. The strict keyword (optional) allows the Cisco ASA to prevent client systems from sending embedded commands in FTP requests:
inspect ftp [strict] ftp-map-name
ftp-map-name is the name of an FTP map used to define FTP request commands to be denied. Example 8-8 demonstrates how to use the inspect ftp strict command in conjunction with an FTP map, called myftpmap, to deny several FTP commands.
Example 8-8. Denying Specific FTP Commands
ftp-map myftpmap deny-request-cmd cdup rnfr rnto stor stou ! class-map inspection_default match default-inspection-traffic ! policy-map asa_global_fw_policy class inspection_default inspect ftp strict myftpmap
Caution
The strict option may break FTP sessions from clients that do not comply with the RFC standards; however, it provides more security features.
When the strict option is enabled, the following anomalous activities in FTP commands and replies are denied:
- The total number of commas in the PORT and PASV reply commands is checked. If they are not 5, the PORT command is considered to be truncated and the connection is closed.
- The Cisco ASA inspects all FTP commands to see if they end with characters, as specified by the RFC 959, "FTP Protocol". The connection is closed if these are not present.
- The PORT command is always expected to be sent from the FTP client. If the PORT command is sent from the server, the connection is dropped.
- The PASV reply command is always expected to be sent from the server. If the PASV command is sent from the client, the connection is dropped.
- The Cisco ASA checks the negotiated dynamic port value in the passive FTP mode. The port should not be in the range from 1 to 1024, because these are reserved for well-known protocols. The connection is closed if the negotiated port is within this range.
- The security appliance checks the number of characters included after the port numbers in the PORT and PASV reply commands. The maximum number of characters must be eight. The Cisco ASA closes the TCP connection if the number of character exceeds eight.
The FTP map request-command deny subcommand is used to deny specific FTP commands on the Cisco ASA. Table 8-3 lists all the request-command deny subcommand options that can be restricted under an FTP map.
|
Option |
Description |
|---|---|
|
all |
Denies all supported FTP commands |
|
appe |
Denies the ability to append to a file |
|
cdup |
Denies a user request to change to parent of current directory |
|
help |
Restricts the user to access the help information from the FTP server |
|
retr |
Denies the retrieval of a file from the FTP server |
|
rnfr |
User is not allowed to rename from a filename |
|
rnto |
User is not allowed to rename to a specific filename |
|
site |
User not allowed to specify server-specific command |
|
stor |
Denies the user permission to store a file |
|
stou |
Denies the user permission to store a file with a unique name |
The SYST FTP command allows a system to ask for information about the server's operating system. The server accepts this request with code 215 and sends the requested information. The Cisco ASA replaces the FTP server response to the SYST command with an X for each character sent, to prevent FTP clients from seeing the FTP server systemtype information. You can use the no mask-syst-reply subcommand in FTP map configuration mode to disable this default behavior, as shown in Example 8-9.
Example 8-9. mask-syst-reply Subcommand
ftp-map myftpmap no mask-syst-reply
Part I: Product Overview
Introduction to Network Security
- Introduction to Network Security
- Firewall Technologies
- Intrusion Detection and Prevention Technologies
- Network-Based Attacks
- Virtual Private Networks
- Summary
Product History
- Product History
- Cisco Firewall Products
- Cisco IDS Products
- Cisco VPN Products
- Cisco ASA All-in-One Solution
- Summary
Hardware Overview
Part II: Firewall Solution
Initial Setup and System Maintenance
- Initial Setup and System Maintenance
- Accessing the Cisco ASA Appliances
- Managing Licenses
- Initial Setup
- IP Version 6
- Setting Up the System Clock
- Configuration Management
- Remote System Management
- System Maintenance
- System Monitoring
- Summary
Network Access Control
- Network Access Control
- Packet Filtering
- Advanced ACL Features
- Content and URL Filtering
- Deployment Scenarios Using ACLs
- Monitoring Network Access Control
- Understanding Address Translation
- DNS Doctoring
- Monitoring Address Translations
- Summary
IP Routing
Authentication, Authorization, and Accounting (AAA)
- Authentication, Authorization, and Accounting (AAA)
- AAA Protocols and Services Supported by Cisco ASA
- Defining an Authentication Server
- Configuring Authentication of Administrative Sessions
- Authenticating Firewall Sessions (Cut-Through Proxy Feature)
- Configuring Authorization
- Configuring Accounting
- Deployment Scenarios
- Troubleshooting AAA
- Summary
Application Inspection
- Application Inspection
- Enabling Application Inspection Using the Modular Policy Framework
- Selective Inspection
- Computer Telephony Interface Quick Buffer Encoding Inspection
- Domain Name System
- Extended Simple Mail Transfer Protocol
- File Transfer Protocol
- General Packet Radio Service Tunneling Protocol
- H.323
- HTTP
- ICMP
- ILS
- MGCP
- NetBIOS
- PPTP
- Sun RPC
- RSH
- RTSP
- SIP
- Skinny
- SNMP
- SQL*Net
- TFTP
- XDMCP
- Deployment Scenarios
- Summary
Security Contexts
- Security Contexts
- Architectural Overview
- Configuration of Security Contexts
- Deployment Scenarios
- Monitoring and Troubleshooting the Security Contexts
- Summary
Transparent Firewalls
- Transparent Firewalls
- Architectural Overview
- Transparent Firewalls and VPNs
- Configuration of Transparent Firewall
- Deployment Scenarios
- Monitoring and Troubleshooting the Transparent Firewall
- Summary
Failover and Redundancy
- Failover and Redundancy
- Architectural Overview
- Failover Configuration
- Deployment Scenarios
- Monitoring and Troubleshooting Failovers
- Summary
Quality of Service
- Quality of Service
- Architectural Overview
- Configuring Quality of Service
- QoS Deployment Scenarios
- Monitoring QoS
- Summary
Part III: Intrusion Prevention System (IPS) Solution
Intrusion Prevention System Integration
- Intrusion Prevention System Integration
- Adaptive Inspection Prevention Security Services Module Overview (AIP-SSM)
- Directing Traffic to the AIP-SSM
- AIP-SSM Module Software Recovery
- Additional IPS Features
- Summary
Configuring and Troubleshooting Cisco IPS Software via CLI
- Configuring and Troubleshooting Cisco IPS Software via CLI
- Cisco IPS Software Architecture
- Introduction to the CIPS 5.x Command-Line Interface
- User Administration
- AIP-SSM Maintenance
- Advanced Features and Configuration
- Summary
Part IV: Virtual Private Network (VPN) Solution
Site-to-Site IPSec VPNs
- Site-to-Site IPSec VPNs
- Preconfiguration Checklist
- Configuration Steps
- Advanced Features
- Optional Commands
- Deployment Scenarios
- Monitoring and Troubleshooting Site-to-Site IPSec VPNs
- Summary
Remote Access VPN
- Remote Access VPN
- Cisco IPSec Remote Access VPN Solution
- Advanced Cisco IPSec VPN Features
- Deployment Scenarios of Cisco IPSec VPN
- Monitoring and Troubleshooting Cisco Remote Access VPN
- Cisco WebVPN Solution
- Advanced WebVPN Features
- Deployment Scenarios of WebVPN
- Monitoring and Troubleshooting WebVPN
- Summary
Public Key Infrastructure (PKI)
- Public Key Infrastructure (PKI)
- Introduction to PKI
- Enrolling the Cisco ASA to a CA Using SCEP
- Manual (Cut-and-Paste) Enrollment
- Configuring CRL Options
- Configuring IPSec Site-to-Site Tunnels Using Certificates
- Configuring the Cisco ASA to Accept Remote-Access VPN Clients Using Certificates
- Troubleshooting PKI
- Summary
Part V: Adaptive Security Device Manager
Introduction to ASDM
- Introduction to ASDM
- Setting Up ASDM
- Initial Setup
- Functional Screens
- Interface Management
- System Clock
- Configuration Management
- Remote System Management
- System Maintenance
- System Monitoring
- Summary
Firewall Management Using ASDM
- Firewall Management Using ASDM
- Access Control Lists
- Address Translation
- Routing Protocols
- AAA
- Application Inspection
- Security Contexts
- Transparent Firewalls
- Failover
- QoS
- Summary
IPS Management Using ASDM
- IPS Management Using ASDM
- Accessing the IPS Device Management Console from ASDM
- Configuring Basic AIP-SSM Settings
- Advanced IPS Configuration and Monitoring Using ASDM
- Summary
VPN Management Using ASDM
- VPN Management Using ASDM
- Site-to-Site VPN Setup Using Preshared Keys
- Site-to-Site VPN Setup Using PKI
- Cisco Remote-Access IPSec VPN Setup
- WebVPN
- VPN Monitoring
- Summary
Case Studies
EAN: 2147483647
Pages: 231
