beautypg.com

Protecting an ftp server with an alg – Amer Networks E5Web GUI User Manual

Page 392

background image

The FTP ALG also allows restrictions to be placed on the FTP control channel which can improve
the security of FTP connections. These are:

Maximum line length in control channel

Creating very large control channel commands can be used as a form of attack against a
server by causing buffer overruns This restriction combats this threat. The default value is 256

If very long file or directory names on the server are used then this limit may need to be
raised. The shorter the limit, the better the security.

Maximum number of commands per second

To prevent automated attacks against FTP server, restricting the frequency of commands can
be useful. The default limit is 20 commands per second.

Allow 8-bit strings in control channel

The option determines if 8-bit characters are allowed in the control channel. Allowing 8-bit
characters enables support for filenames containing international characters. For example,
accented or umlauted characters.

Filetype Checking

The FTP ALG offers the same filetype verification for downloaded files that is found in the HTTP
ALG. This consists of two separate options:

MIME Type Verification

When enabled, cOS Core checks that a download's stated filetype matches the file's contents.
Mismatches result in the download being dropped.

Allow/Block Selected Types

If selected in blocking mode, specified filetypes are dropped when downloaded. If selected in
allow mode, only the specified filetypes are allowed as downloads.

cOS Core also performs a check to make sure the filetype matches the contents of the file.
New filetypes can be added to the predefined list of types.

The above two options for filetype checking are the same as those available in the HTTP ALG and
are more fully described in Section 6.2.2, “The HTTP ALG”.

Anti-Virus Scanning

The cOS Core Anti-Virus subsystem can be enabled to scan all FTP downloads searching for
malicious code. Suspect files can be de dropped or just logged.

This feature is common to a number of ALGs and is described fully in Section 6.4, “Anti-Virus
Scanning”.

Example 6.2. Protecting an FTP Server with an ALG

As shown, an FTP Server is connected to the Clavister Security Gateway on a DMZ with private
IPv4 addresses, shown below:

Chapter 6: Security Mechanisms

392

This manual is related to the following products:
See also other documents in the category Amer Networks Computer Accessories: