
D-Link DFL-2500 User Manual

Block Selected means that the filetypes marked in the list will be automatically blocked as
downloads. The file's contents are analyzed to identify its true filetype, so the file extension
or declared MIME type is not trusted on its own. If, for example, a file is found to contain .exe
data but is not named with the .exe extension, the file will still be blocked if .exe files are
blocked. Block Selected is the default mode, so if nothing in the list is marked, no files are
blocked.

Allow Selected means that only those filetypes marked will be allowed in downloads.
File contents are also examined to establish the true filetype.

Additional filetypes not included by default can be added to the Allow/Block list. However,
these cannot be subject to MIME type checking, meaning that the file extension will be trusted
as being correct for the contents of the file. For such added types the filter is therefore only
as strong as the filename: a file of that type saved under a different extension is not detected.

Additionally, a size limit can be put on any single download operation.
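The following is an added example, not code from this manual or from the DFL-2500 firmware, showing how a download filter of the kind described above can be modelled: a small magic-number table identifies the true filetype from the leading bytes, the Block Selected and Allow Selected modes are applied to that result, extension-only types (the "additional filetypes" case) fall back to trusting the filename, and a size limit is enforced. The signature table, the filenames and the policy that a file is judged by both its sniffed type and its extension are assumptions of the example.

```python
"""Content-based download filter (added example, not D-Link code).

Models the Block Selected / Allow Selected behaviour described in the manual:
the true filetype is derived from the file's leading bytes where a signature
is known; for types without a signature the file extension is trusted.
"""

# Constructed magic-number table; a real ALG carries many more entries (assumption).
SIGNATURES = {
    "exe": b"MZ",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
}


def sniff_filetype(data: bytes):
    """Return the filetype implied by the leading bytes, or None if no signature matches."""
    for ftype, magic in SIGNATURES.items():
        if data.startswith(magic):
            return ftype
    return None


def extension_of(filename: str) -> str:
    """Lower-cased extension, or '' when the name has none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def candidate_types(filename: str, data: bytes):
    """Set of filetypes the file could be treated as.

    Contains the sniffed type when a signature matched and always the extension,
    so a renamed file is caught by content while an unknown type still falls back
    to the extension (the trust-the-extension behaviour for added filetypes).
    """
    types = {extension_of(filename)}
    sniffed = sniff_filetype(data)
    if sniffed is not None:
        types.add(sniffed)
    types.discard("")
    return types


def filter_download(filename: str, data: bytes, mode: str, selected, size_limit=None):
    """Decide whether a download passes. Returns (allowed, reason).

    mode is 'block_selected' or 'allow_selected'; selected is the set of marked
    filetypes; size_limit (bytes) applies to the single download (assumption:
    the limit is checked on the full body).
    """
    if size_limit is not None and len(data) > size_limit:
        return False, "size limit of %d bytes exceeded" % size_limit
    types = candidate_types(filename, data)
    if mode == "block_selected":
        hits = types & set(selected)
        if hits:
            return False, "blocked filetype %s" % ",".join(sorted(hits))
        return True, "no marked filetype matched"
    if mode == "allow_selected":
        # Conservative policy (assumption): every candidate type must be on the allow list.
        if types and types <= set(selected):
            return True, "allowed filetype %s" % ",".join(sorted(types))
        return False, "filetype %s not in allow list" % ",".join(sorted(types)) if types else "unknown filetype"
    raise ValueError("unknown mode %r" % mode)


if __name__ == "__main__":
    # Constructed sample: a Windows executable renamed to look like a PDF.
    disguised = b"MZ\x90\x00" + b"\x00" * 60
    print(filter_download("report.pdf", disguised, "block_selected", {"exe"}))
    print(filter_download("photo.gif", b"GIF89a" + b"\x00" * 10, "block_selected", {"exe"}))
    # Added filetype without a signature: only the extension can be checked.
    print(filter_download("tool.xyz", b"\x01\x02\x03", "block_selected", {"xyz"}))
    print(filter_download("tool.bin", b"\x01\x02\x03", "block_selected", {"xyz"}))
```

The last two calls show the caveat for added filetypes: the same content is blocked under the .xyz extension and passes under any other name, because nothing in the content identifies it.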

Deploying an HTTP ALG

As mentioned in the introduction, the HTTP ALG object is brought into use by first associating it
with a Service object and then associating that Service object with an IP rule in the IP rule set. A
number of pre-defined HTTP Services can be used with the ALG. For example, the http service
might be selected for this purpose. As long as the Service carrying the ALG is associated with an IP
rule, the ALG will be applied to the traffic targeted by that IP rule.

The https Service (which is also included in the http-all Service) cannot be used with an HTTP
ALG since HTTPS traffic is encrypted.

6.2.3. FTP

File Transfer Protocol (FTP) is a TCP/IP-based protocol for exchanging files between a client and a
server. The client initiates the session by connecting to the FTP server. Normally the client
must authenticate itself by providing a username and password. After granting access, the
server provides the client with a file/directory listing from which it can download or upload files
(depending on access rights). The FTP ALG is used to manage FTP connections through the D-Link
Firewall.

FTP Connections

FTP uses two communication channels, one for control commands and one for the actual files being
transferred. When an FTP session is opened, the FTP client establishes a TCP connection (the
control channel) to port 21 (by default) on the FTP server. What happens after this point depends on
the mode of FTP being used.

Connection Modes

FTP operates in two modes: active and passive. These determine the role of the server when opening
data channels between client and server.

In active mode, the FTP client sends a command on the control channel telling the FTP server
which IP address and port to connect to. The FTP server then establishes the data channel back to
the FTP client using the received address information.

In passive mode, the data channel is opened by the FTP client to the FTP server, just like the
control channel, after the server has told the client which port to connect to. Passive mode is the
default recommended for most FTP clients, although some advice recommends active mode instead.
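To make the two modes concrete, the following added example (not code from this manual or the DFL-2500 firmware) parses the address information that an FTP ALG has to pull out of the control channel: the client's PORT command in active mode and the server's 227 reply in passive mode. It then works out which data-channel connection the firewall must admit, and rejects a data address that does not belong to the peer that advertised it. The sample command and reply strings are constructed, and the consistency check on the advertised address is a policy assumed by the example rather than a documented DFL-2500 setting.

```python
"""FTP control-channel parsing for a data-channel ALG (added example, not D-Link code)."""
import re

# Both PORT and the 227 reply carry h1,h2,h3,h4,p1,p2: four address octets and a
# 16-bit port split into high and low bytes.
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"


def _to_endpoint(groups):
    """Turn the six captured numbers into (ip, port); None when out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    port = nums[4] * 256 + nums[5]
    if port == 0:
        return None
    return ".".join(str(n) for n in nums[:4]), port


def parse_port_command(line: str):
    """Active mode: client sends 'PORT h1,h2,h3,h4,p1,p2'.

    Returns the (ip, port) the server will connect back to, or None if malformed.
    """
    m = re.fullmatch(r"PORT\s+" + _SIX, line.strip(), re.IGNORECASE)
    return _to_endpoint(m.groups()) if m else None


def parse_pasv_reply(line: str):
    """Passive mode: server replies '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).'

    Returns the (ip, port) the client will connect to, or None if malformed.
    """
    m = re.match(r"227\s.*?\(" + _SIX + r"\)", line.strip())
    return _to_endpoint(m.groups()) if m else None


def data_channel_pinhole(mode: str, client_ip: str, server_ip: str, endpoint):
    """Describe the data connection the firewall must allow for this session.

    client_ip/server_ip are the control-channel peers. In active mode the server
    opens the connection to the client; in passive mode the client opens it to the
    server. Assumed policy: the advertised address must match the side that will
    accept the connection, otherwise the request is refused.
    """
    if endpoint is None:
        raise ValueError("malformed address information")
    ip, port = endpoint
    if mode == "active":
        if ip != client_ip:
            raise ValueError("PORT address %s does not match client %s" % (ip, client_ip))
        return {"src": server_ip, "dst": ip, "dport": port, "direction": "server->client"}
    if mode == "passive":
        if ip != server_ip:
            raise ValueError("PASV address %s does not match server %s" % (ip, server_ip))
        return {"src": client_ip, "dst": ip, "dport": port, "direction": "client->server"}
    raise ValueError("unknown mode %r" % mode)


if __name__ == "__main__":
    client, server = "192.168.1.10", "10.0.0.5"
    # Constructed sample exchange for each mode.
    active = parse_port_command("PORT 192,168,1,10,4,1\r\n")
    print(data_channel_pinhole("active", client, server, active))
    passive = parse_pasv_reply("227 Entering Passive Mode (10,0,0,5,195,80).\r\n")
    print(data_channel_pinhole("passive", client, server, passive))
```

The port is reconstructed as p1 * 256 + p2, so `4,1` is port 1025 and `195,80` is port 50000. The pinhole dictionary is what the ALG has to turn into a temporary rule: in active mode an inbound connection from the server to the client's advertised port, in passive mode an outbound connection from the client to the server's advertised port.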

FTP Security Issues

Both modes of FTP operation present problems for firewalls. Consider a scenario where an FTP

Chapter 6. Security Mechanisms