Applies To: 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Overview: Securing FTP traffic using a custom configuration
This implementation describes how to secure FTP traffic using a custom configuration. When you use an FTP security profile, the BIG-IP system inspects FTP traffic for network vulnerabilities. The system includes a default FTP security profile that you can modify, or you can create a new one as described in the tasks included here. To activate security checks for FTP traffic, you enable protocol security in an FTP service profile, and associate the service profile with a virtual server.
You can customize an FTP security profile to generate alarms or block requests for the following FTP security risks:
- Port scanning exploits
- Anonymous FTP requests
- Command lines that exceed the defined maximum length
- Specific FTP commands
- Traffic that fails FTP protocol compliance checks
- Brute force attacks (excessive FTP login attempts)
- File stealing exploits
Creating a custom FTP profile for protocol security
- On the Main tab, open the list of FTP profiles. The FTP profile list screen opens.
- Click Create. The New FTP Profile screen opens.
- In the Name field, type a unique name for the profile.
- From the Parent Profile list, select the default ftp profile.
- Select the Custom check box.
- In the Settings area, clear the Translate Extended check box, if you want to disable IPv6 translation.
- For the Inherit Parent Profile setting, select the check box. This optimizes data channel traffic.
- Leave the Data Port setting at the default value, 20.
- Select the Protocol Security check box to enable FTP security checks.
- Click Finished.
Creating a security profile for FTP traffic
- On the Main tab, open the FTP security profiles list. The Security Profiles: FTP screen opens.
- Click the Create button. The New FTP Security Profile screen opens.
- In the Profile Name field, type a unique name for the profile.
- In the Defense Configuration area, modify the blocking policy settings for each violation. If you do not enable either Alarm or Block for a violation, the system does not perform the corresponding security check.
  - Alarm: The system logs any requests that trigger the violation.
  - Block: The system blocks any requests that trigger the violation.
  - Alarm and Block: The system both logs and blocks any requests that trigger the violation.
- Click Create. The screen refreshes, and you see the new security profile in the list.
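The following is an added example, not part of the BIG-IP documentation or F5's code, that models how the Defense Configuration settings above apply to the FTP security risks listed in the overview. A constructed policy maps each violation to Alarm, Block, both, or neither; the evaluator runs the checks against sample FTP control-channel commands for one client and, as the text states, skips any check whose violation has neither Alarm nor Block enabled. The violation names, the command-length limit, the login-attempt threshold, the disallowed-command set, the client and PORT addresses, and the interpretation of "port scanning" as a PORT command that names an address other than the client's are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, Iterator, List, Optional, Tuple


class Action(Flag):
    """Blocking policy for one violation: Alarm, Block, both, or neither."""
    NONE = 0
    ALARM = auto()
    BLOCK = auto()


# Constructed policy, one entry per security risk from the overview.
POLICY: Dict[str, Action] = {
    "port_scan": Action.ALARM | Action.BLOCK,     # PORT naming a third-party host
    "anonymous": Action.ALARM,                     # USER anonymous / USER ftp
    "command_length": Action.ALARM | Action.BLOCK,
    "blocked_command": Action.BLOCK,               # command on the deny list
    "protocol_compliance": Action.ALARM | Action.BLOCK,
    "brute_force": Action.ALARM | Action.BLOCK,    # too many login attempts
}

MAX_COMMAND_LENGTH = 128          # constructed limit
MAX_LOGIN_ATTEMPTS = 3            # constructed threshold
DISALLOWED_COMMANDS = {"SITE"}    # constructed deny list

_VERB_RE = re.compile(r"[A-Za-z]{3,4}")
_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class Finding:
    violation: str
    action: Action
    command: str


@dataclass
class SessionState:
    """Per-client state needed for checks that span several commands."""
    login_attempts: int = 0


def _detect(line: str, client_ip: str, state: SessionState) -> Iterator[str]:
    """Yield every violation one command line triggers, independent of policy."""
    if len(line) > MAX_COMMAND_LENGTH:
        yield "command_length"
    verb, _, arg = line.partition(" ")
    if not _VERB_RE.fullmatch(verb):          # RFC 959 verbs are 3-4 letters
        yield "protocol_compliance"
        return
    verb = verb.upper()                       # verbs are case-insensitive
    if verb in DISALLOWED_COMMANDS:
        yield "blocked_command"
    if verb == "USER" and arg.lower() in ("anonymous", "ftp"):
        yield "anonymous"
    if verb == "PASS":
        state.login_attempts += 1
        if state.login_attempts > MAX_LOGIN_ATTEMPTS:
            yield "brute_force"
    if verb == "PORT":
        m = _PORT_RE.fullmatch(arg)
        if m is None:
            yield "protocol_compliance"
        elif ".".join(m.group(i) for i in range(1, 5)) != client_ip:
            yield "port_scan"                 # data channel aimed at another host


def inspect(line: str, client_ip: str, state: SessionState,
            policy: Dict[str, Action] = POLICY) -> List[Finding]:
    """Apply the policy: a violation with neither Alarm nor Block is not checked."""
    findings = []
    for violation in _detect(line, client_ip, state):
        action = policy.get(violation, Action.NONE)
        if action == Action.NONE:
            continue
        findings.append(Finding(violation, action, line))
    return findings


def inspect_session(lines: List[str], client_ip: str,
                    policy: Dict[str, Action] = POLICY) -> Tuple[List[Finding], Optional[str]]:
    """Return the alarmed findings and the first command that was blocked, if any."""
    state = SessionState()
    alarms: List[Finding] = []
    for line in lines:
        findings = inspect(line, client_ip, state, policy)
        alarms.extend(f for f in findings if Action.ALARM in f.action)
        if any(Action.BLOCK in f.action for f in findings):
            return alarms, line
    return alarms, None


# Constructed control-channel session from a client at 198.51.100.10.
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@example.com",
    "PORT 192,0,2,77,0,21",   # asks the server to open a data channel to a third host
    "LIST",
]

if __name__ == "__main__":
    alarms, blocked = inspect_session(SAMPLE_SESSION, "198.51.100.10")
    for f in alarms:
        print(f"ALARM {f.violation}: {f.command}")
    print("blocked at:", blocked)
```

Running the session shows the two halves of the policy at work: "USER anonymous" is only logged because the constructed policy sets Alarm alone for that violation, while the PORT command is both logged and blocked, so the LIST that follows is never evaluated.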
Modifying associations between service profiles and security profiles
- On the Main tab, open the Profiles Assignment screen. The Profiles Assignment: HTTP screen opens.
- From the Profiles Assignment menu, select the service profile type, if different from HTTP.
- For each traffic profile, select the protocol security profile to use from the list in the Assigned Security Profile column.
- Click Save.
Configuring an FTP virtual server with a server pool
- On the Main tab, open the virtual servers list. The Virtual Server List screen opens.
- Click the Create button. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- For the Destination setting, select the type, and type an address, or an address and mask, as appropriate for your network.
- In the Service Port field, type 21 or select FTP from the list.
- From the FTP Profile list, select either ftp or a custom profile.
- From the Source Address Translation list, select Auto Map.
- In the Resources area of the screen, for the Default Pool setting, click the Create (+) button. The New Pool screen opens.
- In the Name field, type a unique name for the pool.
- In the Resources area, for the New Members setting, select the type of new member you are adding, then type the appropriate information in the Node Name, Address, and Service Port fields, and click Add to add as many pool members as you need.
- Click Finished to create the pool. The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the Default Pool list.
- Click Finished to create the virtual server. The screen refreshes, and you see the new virtual server in the list.
Reviewing violation statistics for security profiles
- On the Main tab, open the protocol security statistics and click HTTP, FTP, SMTP, or DNS. The appropriate statistics screen opens, listing all violations for that protocol with the number of occurrences.
- Type a Support ID, if you have one, to filter the violations and view one in particular.
- Click a violation's hyperlink to see details about the requests causing the violation. On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.