Applies To:Show Versions
- 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Overview: Securing FTP traffic using default values
This implementation describes how to secure FTP traffic the easy way--by using default values. When you use an FTP security profile, the BIG-IP system inspects FTP traffic for network vulnerabilities. A default FTP security profile is included in the system that you can use. To activate security checks for FTP traffic, you enable protocol security in an FTP service profile, and associate the service profile with a virtual server.
You can use the default configuration to protect against the following FTP security risks:
- Port scanning exploits
- Anonymous FTP requests
- Command line length exceeds the defined length
- Potentially dangerous FTP commands
- Traffic that fails FTP protocol compliance checks
- Brute force attacks (due to excessive FTP login attempts)
- File stealing exploits
Creating an FTP service profile with security enabled
- On the Main tab, click The FTP profile list screen opens. .
- In the Name column, click ftp. The Properties screen for the system-supplied FTP profile opens.
- In the Settings area, clear the Translate Extended check box, if you want to disable IPv6 translation.
- Leave the Data Port setting at the default value, 20.
- Select the Protocol Security check box to enable FTP security checks.
- Click Update.
Enabling protocol security for an FTP virtual server
- On the Main tab, click The Virtual Server List screen opens. .
- Click the Create button. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For the Destination setting, in the Address field, type the IP address you want to use for the virtual server. The IP address you type must be available and not in the loopback network.
- In the Service Port field, type 21 or select FTP from the list.
- In the Configuration area, for the FTP Profile setting, select the default profile, ftp.
- From the Source Address Translation list, select Auto Map.
- For the Default Pool setting, either select an existing pool from the list, or click the Create (+) button and create a new pool.
- Click Finished.
Reviewing violation statistics for security profiles
- On the Main tab, click HTTP, FTP, SMTP, or DNS. The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences. and click
- Type a Support ID, if you have one, to filter the violations and view one in particular.
- Click a violation's hyperlink to see details about the requests causing the violation. On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.