Manual Chapter : Securing FTP Traffic

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 15.0.0, 14.1.0
Manual Chapter

Securing FTP Traffic

Overview: Securing FTP traffic using default values

This implementation describes how to secure FTP traffic the easy way--by using default values. When you use an FTP security profile, the BIG-IP® system inspects FTP traffic for network vulnerabilities. A default FTP security profile is included in the system that you can use. To activate security checks for FTP traffic, you enable protocol security in an FTP service profile, and associate the service profile with a virtual server.
You can use the default configuration to protect against the following FTP security risks:
  • Port scanning exploits
  • Anonymous FTP requests
  • Command line length exceeds the defined length
  • Potentially dangerous FTP commands
  • Traffic that fails FTP protocol compliance checks
  • Brute force attacks (due to excessive FTP login attempts)
  • File stealing exploits

Task summary

Creating an FTP service profile with security enabled

The easiest method for initiating FTP protocol security for your FTP virtual server traffic is to use the system default settings. You do this by enabling protocol security for the system-supplied FTP service profile, and then associating that service profile with a virtual server.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Services
    FTP
    .
    The FTP profile list screen opens.
  2. In the
    Name
    column, click
    ftp
    .
    The Properties screen for the system-supplied FTP profile opens.
  3. If you want to disable IPv6 translation, in the Settings area, clear the
    Translate Extended
    check box.
  4. Retain the
    Data Port
    setting default value of
    20
    .
  5. To enable FTP security checks, select the
    Protocol Security
    check box.
    The Protocol Security tab opens.
  6. Click
    Update
    .
You now have a security-enabled service profile that you can associate with a virtual server so that FTP protocol checks are performed on the traffic that the FTP virtual server receives.

Enabling protocol security for an FTP virtual server

When you enable protocol security for an FTP virtual server, the system scans any incoming FTP traffic for vulnerabilities before the traffic reaches the FTP servers.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. For the
    Destination Address/Mask
    setting, confirm that the
    Host
    button is selected, and type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
    The IP address you type must be available and not in the loopback network.
  5. In the
    Service Port
    field, type
    21
    or select
    FTP
    from the list.
  6. In the Configuration area, for the
    FTP Profile
    setting, select the default profile,
    ftp
    .
  7. From the
    Source Address Translation
    list, select
    Auto Map
    .
  8. For the
    Default Pool
    setting, either select an existing pool from the list, or click the Create (+) button and create a new pool.
  9. Click
    Finished
    .
The custom FTP virtual server appears in the Virtual Servers list.

Reviewing violation statistics for security profiles

You can view statistics and transaction information for each security profile that triggers security violations.
  1. On the Main tab, click
    Security
    Event Logs
    Protocol
    and click
    HTTP
    ,
    DNS
    , or
    SIP
    .
    The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation.
    On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.

Overview: Securing FTP traffic using a custom configuration

This implementation describes how to secure FTP traffic using a custom configuration. When you use an FTP security profile, the BIG-IP® system inspects FTP traffic for network vulnerabilities. A default FTP security profile is included in the system that you can modify, or you can create a new one as described in the tasks included here. To activate security checks for FTP traffic, you enable protocol security in an FTP service profile, and associate the service profile with a virtual server.
You can customize an FTP security profile to generate alarms or block requests for the following FTP security risks:
  • Port scanning exploits
  • Anonymous FTP requests
  • Command line length exceeds the defined length
  • Specific FTP commands
  • Traffic that fails FTP protocol compliance checks
  • Brute force attacks (excessive FTP login attempts)
  • File stealing exploits

Task summary

Creating a custom FTP profile for protocol security

You create a custom FTP profile when you want to fine-tune the way that the BIG-IPsystem manages FTP traffic. This procedure creates an FTP service profile that optimizes FTP traffic in the LAN, and enables Protocol Security in the profile so it can scan for vulnerabilities specific to the protocol.
  1. On the Main tab, click
    Local Traffic
    Profiles
    Services
    FTP
    .
    The FTP profile list screen opens.
  2. Click
    Create
    .
    The New FTP Profile screen opens.
  3. In the
    Name
    field, type a unique name for the profile.
  4. From the
    Parent Profile
    list, select the default
    ftp
    profile.
  5. Select the
    Custom
    check box.
  6. If you want to disable IPv6 translation, in the Settings area, clear the
    Translate Extended
    check box.
  7. For the
    Inherit Parent Profile
    setting, select the check box.
    This optimizes data channel traffic.
  8. Retain the
    Data Port
    setting default value of
    20
    .
  9. To enable FTP security checks, select the
    Protocol Security
    check box.
    The Protocol Security tab opens.
  10. Click
    Finished
    .
The custom FTP profile now appears in the FTP profile list screen.

Creating a security profile for FTP traffic

An
FTP security profile
provides security checks that are applicable to the FTP protocol. You can create an FTP profile that specifies whether the system allows, logs, or blocks commands and requests from servers that use the FTP protocol.
  1. On the Main tab, click
    Security
    Protocol Security
    Security Profiles
    FTP
    .
    The Security Profiles: FTP screen opens.
  2. Click the
    Create
    button.
    The New FTP Security Profile screen opens.
  3. In the
    Profile Name
    field, type a unique name for the profile.
  4. In the Defense Configuration area, select
    Alarm
    or
    Block
    for the defenses you want to activate.
    FTP Defense
    Description when set to Block
    Active Mode
    Prevents port scanning and other active mode exploits.
    Anonymous FTP Requests
    Prevents unauthorized access by prohibiting anonymous users
    Command Length Restriction
    Prevents buffer overflow attacks by limiting command line length. Specify the maximum number of characters allowed in a command.
    FTP Commands
    Protects against unwanted FTP commands. Move the commands you do not want to allow into the Disallowed list.
    FTP Protocol Compliance Failed
    Protects against non-RFC compliant commands and also disallows syntax errors.
    Maximum Login Retries
    Prevents brute force attacks by limiting login retries. Specify the maximum attempts a user can try to log on, the maximum number of login attempts allowed from a specific client IP address, and how long to block users before they can try again.
    Passive Mode
    Prevents passive mode exploits such as file stealing.
    Option
    Description
    Alarm
    The system logs any requests that trigger the violation.
    Block
    The system blocks any requests that trigger the violation.
    Alarm
    and
    Block
    The system both logs and blocks any requests that trigger the violation.
    If you do not enable either
    Alarm
    or
    Block
    for a violation, the system does not perform the corresponding security check.
  5. Click
    Create
    .
    The screen refreshes, and you see the new security profile in the list.
The BIG-IP system automatically assigns this service profile to FTP traffic that a designated virtual server receives.

Modifying associations between service profiles and security profiles

Before you can modify associations between service profiles and security profiles, you must have created at least one security profile.
When you enable the
Protocol Security
setting on an FTP, HTTP, or SMTP service profile, the system automatically assigns the first-listed security profile to the service profile you configured for that profile. You can review and modify the current associations between the service profiles and the security profiles for each protocol.
  1. On the Main tab, click
    Security
    Protocol Security
    Profiles Assignment
    .
    The Profiles Assignment screen opens.
  2. From the Profiles Assignment menu, select the service profile type.
  3. For each traffic profile, select the protocol security profile to use from the list in the Assigned Security Profile column.
  4. Click
    Save
    .

Configuring an FTP virtual server with a server pool

You can configure a local traffic virtual server and a default pool for your network's FTP servers.
  1. On the Main tab, click
    Local Traffic
    Virtual Servers
    .
    The Virtual Server List screen opens.
  2. Click
    Create
    .
    The New Virtual Server screen opens.
  3. In the
    Name
    field, type a unique name for the virtual server.
  4. In the
    Destination Address/Mask
    field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is
    10.0.0.1
    or
    10.0.0.0/24
    , and an IPv6 address/prefix is
    ffe1::0020/64
    or
    2001:ed8:77b5:2:10:10:100:42/64
    . When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a
    /32
    prefix.
  5. In the
    Service Port
    field, type
    21
    or select
    FTP
    from the list.
  6. From the
    FTP Profile
    list, select either
    ftp
    or a custom profile.
  7. From the
    Source Address Translation
    list, select
    Auto Map
    .
  8. In the Resources area of the screen, for the
    Default Pool
    setting, click the
    Create (+)
    button.
    The New Pool screen opens.
  9. In the
    Name
    field, type a unique name for the pool.
  10. In the Resources area, for the
    New Members
    setting, select the type of new member you are adding, then type the information in the appropriate fields, and click
    Add
    to add as many pool members as you need.
  11. Click
    Finished
    to create the pool.
    The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the
    Default Pool
    list.
  12. Click
    Finished
    to create the virtual server.
    The screen refreshes, and you see the new virtual server in the list.
The custom FTP virtual server appears in the Virtual Servers list.

Reviewing violation statistics for security profiles

You can view statistics and transaction information for each security profile that triggers security violations.
  1. On the Main tab, click
    Security
    Event Logs
    Protocol
    and click
    HTTP
    ,
    DNS
    , or
    SIP
    .
    The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation.
    On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.