Manual Chapter: Securing FTP Traffic
Applies To: BIG-IP ASM 14.0.0
Securing FTP Traffic
Overview: Securing FTP traffic using default values
This implementation describes how to secure FTP traffic the easy way--by using default values.
When you use an FTP security profile, the BIG-IP® system
inspects FTP traffic for network vulnerabilities. A default FTP security profile is included in
the system that you can use. To activate security checks for FTP traffic, you enable protocol
security in an FTP service profile, and associate the service profile with a virtual server.
You can use the default configuration to protect against the following FTP security risks:
- Port scanning exploits
- Anonymous FTP requests
- Command lines that exceed the defined length
- Potentially dangerous FTP commands
- Traffic that fails FTP protocol compliance checks
- Brute force attacks (due to excessive FTP login attempts)
- File stealing exploits
Task summary
Creating an FTP service profile with security enabled
The easiest method for initiating FTP protocol security for your FTP virtual server
traffic is to use the system default settings. You do this by enabling protocol security
for the system-supplied FTP service profile, and then associating that service profile
with a virtual server.
- On the Main tab, navigate to the FTP profile list. The FTP profile list screen opens.
- In the Name column, click ftp. The Properties screen for the system-supplied FTP profile opens.
- If you want to disable IPv6 translation, in the Settings area, clear the Translate Extended check box.
- Retain the Data Port setting default value of 20.
- To enable FTP security checks, select the Protocol Security check box. The Protocol Security tab opens.
- Click Update.
You now have a security-enabled service profile that you can associate with a virtual
server so that FTP protocol checks are performed on the traffic that the FTP virtual
server receives.
Enabling protocol security for an FTP virtual server
When you enable protocol security for an FTP virtual server, the system scans any
incoming FTP traffic for vulnerabilities before the traffic reaches the FTP servers.
- On the Main tab, navigate to the Virtual Server List. The Virtual Server List screen opens.
- Click the Create button. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type the IP address in CIDR format. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. The IP address you type must be available and not in the loopback network.
- In the Service Port field, type 21 or select FTP from the list.
- In the Configuration area, for the FTP Profile setting, select the default profile, ftp.
- From the Source Address Translation list, select Auto Map.
- For the Default Pool setting, either select an existing pool from the list, or click the Create (+) button and create a new pool.
- Click Finished.
The custom FTP virtual server appears in the Virtual Servers list.
Reviewing violation statistics for security profiles
You can view statistics and transaction information for each security profile that
triggers security violations.
- On the Main tab, navigate to the protocol security statistics and click HTTP, DNS, or SIP. The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
- Type a Support ID, if you have one, to filter the violations and view one in particular.
- Click a violation's hyperlink to see details about the requests causing the violation. On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.
Overview: Securing FTP traffic using a custom configuration
This implementation describes how to secure FTP traffic using a custom configuration. When you
use an FTP security profile, the BIG-IP® system inspects FTP
traffic for network vulnerabilities. A default FTP security profile is included in the system
that you can modify, or you can create a new one as described in the tasks included here. To
activate security checks for FTP traffic, you enable protocol security in an FTP service profile,
and associate the service profile with a virtual server.
You can customize an FTP security profile to generate alarms or block requests for the
following FTP security risks:
- Port scanning exploits
- Anonymous FTP requests
- Command lines that exceed the defined length
- Specific FTP commands
- Traffic that fails FTP protocol compliance checks
- Brute force attacks (excessive FTP login attempts)
- File stealing exploits
Task summary
Creating a custom FTP profile for protocol security
You create a custom FTP profile when you want to fine-tune the way that the BIG-IP system manages FTP traffic. This procedure creates an FTP
service profile that optimizes FTP traffic in the LAN, and enables Protocol Security in
the profile so it can scan for vulnerabilities specific to the protocol.
- On the Main tab, navigate to the FTP profile list. The FTP profile list screen opens.
- Click Create. The New FTP Profile screen opens.
- In the Name field, type a unique name for the profile.
- From the Parent Profile list, select the default ftp profile.
- Select the Custom check box.
- If you want to disable IPv6 translation, in the Settings area, clear the Translate Extended check box.
- For the Inherit Parent Profile setting, select the check box. This optimizes data channel traffic.
- Retain the Data Port setting default value of 20.
- To enable FTP security checks, select the Protocol Security check box. The Protocol Security tab opens.
- Click Finished.
The custom FTP profile now appears in the FTP profile list screen.
Creating a security profile for FTP traffic
An FTP security profile provides security checks that are applicable to the FTP
protocol. You can create an FTP security profile that specifies whether the system
allows, logs, or blocks FTP commands and requests.
- On the Main tab, navigate to the FTP security profiles. The Security Profiles: FTP screen opens.
- Click the Create button. The New FTP Security Profile screen opens.
- In the Profile Name field, type a unique name for the profile.
- In the Defense Configuration area, select Alarm or Block for the defenses you want to activate.
  FTP Defense                      Description when set to Block
  Active Mode                      Prevents port scanning and other active mode exploits.
  Anonymous FTP Requests           Prevents unauthorized access by prohibiting anonymous users.
  Command Length Restriction       Prevents buffer overflow attacks by limiting command line length. Specify the maximum number of characters allowed in a command.
  FTP Commands                     Protects against unwanted FTP commands. Move the commands you do not want to allow into the Disallowed list.
  FTP Protocol Compliance Failed   Protects against non-RFC compliant commands and also disallows syntax errors.
  Maximum Login Retries            Prevents brute force attacks by limiting login retries. Specify the maximum attempts a user can try to log on, the maximum number of login attempts allowed from a specific client IP address, and how long to block users before they can try again.
  Passive Mode                     Prevents passive mode exploits such as file stealing.

  Option            Description
  Alarm             The system logs any requests that trigger the violation.
  Block             The system blocks any requests that trigger the violation.
  Alarm and Block   The system both logs and blocks any requests that trigger the violation.
  If you do not enable either Alarm or Block for a violation, the system does not perform the corresponding security check.
- Click Create. The screen refreshes, and you see the new security profile in the list.
The BIG-IP system automatically assigns this security profile to FTP traffic that a
designated virtual server receives.
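The defenses in the table above, and the risk list in the default-values overview earlier in this chapter, are easier to reason about when the control-channel checks are written out. The following Python is an added example, not BIG-IP or ASM code: it models six of the seven defenses (Active Mode via PORT/EPRT target validation, Anonymous FTP Requests, Command Length Restriction, FTP Commands, FTP Protocol Compliance, Maximum Login Retries) and leaves out Passive Mode, which inspects the server's data-connection reply rather than client commands. The names FtpPolicy, FtpInspector and run_session, the thresholds, the disallowed command set and the constructed session from 192.0.2.10 are assumptions for illustration, not F5 defaults.

```python
"""FTP control-channel inspector modelling the security-profile defenses in this
chapter. Added example, not BIG-IP/ASM code; thresholds, the disallowed command
set and the sample addresses are assumptions chosen for illustration."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass, field

CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")    # RFC 959: verb [SP args]
PORT_RE = re.compile(r"^(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$")
ANON_USERS = {"anonymous", "ftp"}

@dataclass
class FtpPolicy:
    max_command_length: int = 128               # Command Length Restriction
    disallowed: set = field(default_factory=lambda: {"SITE", "DELE", "RMD"})
    max_login_retries: int = 3                  # Maximum Login Retries, per client IP

class FtpInspector:
    def __init__(self, policy):
        self.policy = policy
        self.failed_logins = defaultdict(int)   # client IP -> 530 replies seen
        self.blocked = set()

    def inspect_client(self, client_ip, line):
        """Sorted violation names for one client->server line ([] = allowed)."""
        v = set()
        if client_ip in self.blocked:
            return ["max_login_retries"]
        if not line.endswith("\r\n"):           # RFC 959: commands end in CRLF
            v.add("protocol_compliance")
        body = line.rstrip("\r\n")
        if len(body) > self.policy.max_command_length:
            v.add("command_length")
        m = CMD_RE.match(body)
        if m is None or any(not 0x20 <= ord(c) <= 0x7E for c in body):
            v.add("protocol_compliance")        # bad verb, control chars, non-ASCII
            return sorted(v)
        verb, arg = m.group(1).upper(), m.group(2) or ""
        if verb in self.policy.disallowed:
            v.add("disallowed_command")
        if verb == "USER" and arg.lower() in ANON_USERS:
            v.add("anonymous_login")
        if verb in ("PORT", "EPRT") and not self._active_target_ok(client_ip, verb, arg):
            v.add("active_mode")
        return sorted(v)

    def inspect_server(self, client_ip, line):
        """Count 530 (login failed) replies per client; block once at the limit."""
        if line.startswith("530"):
            self.failed_logins[client_ip] += 1
            if self.failed_logins[client_ip] >= self.policy.max_login_retries:
                self.blocked.add(client_ip)
                return ["max_login_retries"]
        return []

    @staticmethod
    def _active_target_ok(client_ip, verb, arg):
        """PORT/EPRT must name the client itself on an unprivileged port; a data
        socket on a third host is the FTP bounce used for port scanning."""
        try:
            if verb == "PORT":
                o = [int(x) for x in PORT_RE.match(arg).groups()]
                if max(o) > 255:
                    return False
                host = ipaddress.ip_address(".".join(map(str, o[:4])))
                port = o[4] * 256 + o[5]
            else:                               # EPRT |proto|host|port| (RFC 2428)
                _, proto, host, port, _ = arg.split(arg[0])
                if proto not in ("1", "2"):
                    return False
                host, port = ipaddress.ip_address(host), int(port)
        except (AttributeError, ValueError, IndexError):
            return False
        return host == ipaddress.ip_address(client_ip) and 1024 <= port <= 65535

# Constructed session from client 192.0.2.10 (documentation addresses, assumed).
SESSION = [
    ("C", "USER anonymous\r\n"),                # anonymous_login
    ("S", "530 Login incorrect.\r\n"),          # failed login 1
    ("C", "USER alice\r\n"),
    ("C", "PORT 198,51,100,7,0,22\r\n"),        # bounce: data socket on a third host
    ("C", "PORT 192,0,2,10,19,136\r\n"),        # 192.0.2.10:5000, legitimate
    ("C", "EPRT |1|192.0.2.10|5001|\r\n"),
    ("C", "DELE secret.txt\r\n"),               # disallowed_command
    ("C", "RETR " + "A" * 200 + "\r\n"),        # command_length
    ("C", "LIST\n"),                            # bare LF: protocol_compliance
    ("S", "530 Login incorrect.\r\n"),          # failed login 2
    ("S", "530 Login incorrect.\r\n"),          # failed login 3: client blocked
    ("C", "QUIT\r\n"),                          # refused: max_login_retries
]

def run_session(session=SESSION, client_ip="192.0.2.10", policy=None):
    """Run every line through one inspector; returns [(line, violations), ...]."""
    insp = FtpInspector(policy or FtpPolicy())
    out = []
    for side, line in session:
        check = insp.inspect_client if side == "C" else insp.inspect_server
        out.append((line.rstrip("\r\n")[:24], check(client_ip, line)))
    return out
```

Calling run_session() returns each line paired with its violations, so the same input can be replayed against different FtpPolicy values to see which defense would fire. Two details matter in practice: the active-mode check compares the PORT/EPRT address against the client that sent the command, which is exactly what detects a bounce scan, and the login-retry counter is keyed on the client IP and fed by the server's 530 replies, so it counts real failures rather than PASS commands.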
Modifying associations between service profiles and security profiles
Before you can modify associations between service profiles and security profiles,
you must have created at least one security profile.
When you enable the Protocol Security setting on an FTP, HTTP, or SMTP service profile,
the system automatically assigns the first-listed security profile to the service
profile you configured for that protocol. You can review and modify the current
associations between the service profiles and the security profiles for each protocol.
- On the Main tab, navigate to Profiles Assignment. The Profiles Assignment screen opens.
- From the Profiles Assignment menu, select the service profile type.
- For each traffic profile, select the protocol security profile to use from the list in the Assigned Security Profile column.
- Click Save.
Configuring an FTP
virtual server with a server pool
You can configure a local traffic virtual server
and a default pool for your network's FTP servers.
- On the Main tab, navigate to the Virtual Server List. The Virtual Server List screen opens.
- Click the Create button. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- In the Destination Address/Mask field, type an address, as appropriate for your network. The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
- In the Service Port field, type 21 or select FTP from the list.
- From the FTP Profile list, select either ftp or a custom profile.
- From the Source Address Translation list, select Auto Map.
- In the Resources area of the screen, for the Default Pool setting, click the Create (+) button. The New Pool screen opens.
- In the Name field, type a unique name for the pool.
- In the Resources area, for the New Members setting, select the type of new member you are adding, then type the information in the appropriate fields, and click Add to add as many pool members as you need.
- Click Finished to create the pool. The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the Default Pool list.
- Click Finished to create the virtual server. The screen refreshes, and you see the new virtual server in the list.
The custom FTP virtual server appears in the Virtual Servers list.