Manual Chapter : Securing FTP Traffic Using a Custom Configuration

Applies To:

BIG-IP ASM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Securing FTP traffic using a custom configuration

This implementation describes how to secure FTP traffic using a custom configuration. When you use an FTP security profile, the BIG-IP system inspects FTP traffic for network vulnerabilities. A default FTP security profile is included in the system that you can modify, or you can create a new one as described in the tasks included here. To activate security checks for FTP traffic, you enable protocol security in an FTP service profile, and associate the service profile with a virtual server.

You can customize an FTP security profile to generate alarms or block requests for the following FTP security risks:

  • Port scanning exploits
  • Anonymous FTP requests
  • Command line length exceeds the defined length
  • Specific FTP commands
  • Traffic that fails FTP protocol compliance checks
  • Brute force attacks (excessive FTP login attempts)
  • File stealing exploits

Task summary

Creating a custom FTP profile for protocol security

You create a custom FTP profile when you want to fine-tune the way that the BIG-IP system manages FTP traffic. This procedure creates an FTP service profile that optimizes FTP traffic in the LAN, and enables Protocol Security in the profile so it can scan for vulnerabilities specific to the protocol.
  1. On the Main tab, click Local Traffic > Profiles > Services > FTP. The FTP profile list screen opens.
  2. Click Create. The New FTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select the default ftp profile.
  5. Select the Custom check box.
  6. In the Settings area, clear the Translate Extended check box if you want to disable IPv6 translation.
  7. For the Inherit Parent Profile setting, select the check box. This optimizes data channel traffic.
  8. Leave the Data Port setting at the default value, 20.
  9. Select the Protocol Security check box to enable FTP security checks.
  10. Click Finished.
The custom FTP profile now appears in the FTP profile list screen.

Creating a security profile for FTP traffic

An FTP security profile provides security checks that are applicable to the FTP protocol. You can create an FTP profile that specifies whether the system allows, logs, or blocks commands and requests from servers that use the FTP protocol.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > FTP. The Security Profiles: FTP screen opens.
  2. Click the Create button. The New FTP Security Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. In the Defense Configuration area, modify the blocking policy settings for each violation. If you do not enable either Alarm or Block for a violation, the system does not perform the corresponding security check.
    Option           Description
    Alarm            The system logs any requests that trigger the violation.
    Block            The system blocks any requests that trigger the violation.
    Alarm and Block  The system both logs and blocks any requests that trigger the violation.
  5. Click Create. The screen refreshes, and you see the new security profile in the list.
The BIG-IP system automatically assigns this service profile to FTP traffic that a designated virtual server receives.
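The following is an added illustration, not F5 code: a hypothetical mini-inspector that applies the Alarm, Block, and Alarm and Block choices from the Defense Configuration table to four of the FTP checks listed in the overview (anonymous FTP requests, command line length, specific FTP commands, and excessive login attempts). The policy, thresholds, disallowed-command list, and the FTP control-channel commands it scans are all constructed for this example.

```python
# Hypothetical mini-inspector (constructed example, not F5 code) applying the
# Alarm / Block / Alarm and Block choices to four of the chapter's FTP checks.
from collections import Counter

# Constructed defense configuration. A violation with neither Alarm nor Block
# enabled is never checked, as the chapter states.
POLICY = {
    "anonymous_ftp":       {"alarm": True,  "block": False},  # Alarm
    "command_line_length": {"alarm": True,  "block": True},   # Alarm and Block
    "specific_command":    {"alarm": False, "block": True},   # Block
    "brute_force":         {"alarm": True,  "block": True},   # Alarm and Block
}
MAX_COMMAND_LINE = 64           # constructed "defined length"
DISALLOWED_COMMANDS = {"SITE"}  # constructed "specific FTP commands" list
MAX_LOGIN_ATTEMPTS = 3          # constructed brute-force threshold per client

# Constructed FTP control-channel commands as (client_ip, raw_line).
SAMPLE = [
    ("10.0.0.5", "USER anonymous"), ("10.0.0.5", "PASS guest@example.com"),
    ("10.0.0.5", "SITE CHMOD 644 report.txt"),
    ("10.0.0.9", "USER alice"), ("10.0.0.9", "PASS try1"),
    ("10.0.0.9", "PASS try2"), ("10.0.0.9", "PASS try3"),
    ("10.0.0.9", "PASS try4"), ("10.0.0.9", "RETR " + "A" * 80),
]


def inspect(commands, policy=POLICY, max_len=MAX_COMMAND_LINE):
    """Return (alarms, blocked); each entry is (client, violation, line)."""
    alarms, blocked = [], []
    logins = Counter()

    def flag(client, violation, line):
        pol = policy.get(violation, {})
        if pol.get("alarm"):
            alarms.append((client, violation, line))
        if pol.get("block"):
            blocked.append((client, violation, line))

    for client, line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if len(line) > max_len:
            flag(client, "command_line_length", line)
        if verb == "USER" and arg.lower() in ("anonymous", "ftp"):
            flag(client, "anonymous_ftp", line)
        if verb in DISALLOWED_COMMANDS:
            flag(client, "specific_command", line)
        if verb == "PASS":  # every PASS is one login attempt
            logins[client] += 1
            if logins[client] > MAX_LOGIN_ATTEMPTS:
                flag(client, "brute_force", line)
    return alarms, blocked
```

Running `inspect(SAMPLE)` logs the anonymous login but lets it through, blocks the SITE command silently, and both logs and blocks the fourth login attempt and the over-length RETR line.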

Modifying associations between service profiles and security profiles

Before you can modify associations between service profiles and security profiles, you must have created at least one security profile.
When you enable the Protocol Security setting on an FTP, HTTP, or SMTP service profile, the system automatically assigns the first-listed security profile for that protocol to the service profile. You can review and modify the current associations between the service profiles and the security profiles for each protocol.
  1. On the Main tab, click Security > Protocol Security > Profiles Assignment. The Profiles Assignment: HTTP screen opens.
  2. From the Profiles Assignment menu, select the service profile type, if different from HTTP.
  3. For each traffic profile, select the protocol security profile to use from the list in the Assigned Security Profile column.
  4. Click Save.

Configuring an FTP virtual server with a server pool

You can configure a local traffic virtual server and a default pool for your network's FTP servers.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select the type, and type an address, or an address and mask, as appropriate for your network.
  5. In the Service Port field, type 21 or select FTP from the list.
  6. From the FTP Profile list, select either ftp or a custom profile.
  7. From the Source Address Translation list, select Auto Map.
  8. In the Resources area of the screen, for the Default Pool setting, click the Create (+) button. The New Pool screen opens.
  9. In the Name field, type a unique name for the pool.
  10. In the Resources area, for the New Members setting, select the type of new member you are adding, then type the appropriate information in the Node Name, Address, and Service Port fields, and click Add to add as many pool members as you need.
  11. Click Finished to create the pool. The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the Default Pool list.
  12. Click Finished to create the virtual server. The screen refreshes, and you see the new virtual server in the list.
The custom FTP virtual server appears in the Virtual Servers list.

Reviewing violation statistics for security profiles

You can view statistics and transaction information for each security profile that triggers security violations.
  1. On the Main tab, click Security > Event Logs > Protocol and click HTTP, FTP, SMTP, or DNS. The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation. On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.