Manual Chapter : Securing FTP Traffic

Applies To:

Show Versions Show Versions

BIG-IP ASM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Overview: Securing FTP traffic using default values

This implementation describes how to secure FTP traffic the easy way--by using default values. When you use an FTP security profile, the BIG-IP® system inspects FTP traffic for network vulnerabilities. A default FTP security profile is included in the system that you can use. To activate security checks for FTP traffic, you enable protocol security in an FTP service profile, and associate the service profile with a virtual server.

You can use the default configuration to protect against the following FTP security risks:

  • Port scanning exploits
  • Anonymous FTP requests
  • Command line length exceeds the defined length
  • Potentially dangerous FTP commands
  • Traffic that fails FTP protocol compliance checks
  • Brute force attacks (due to excessive FTP login attempts)
  • File stealing exploits

Task summary

Creating an FTP service profile with security enabled

The easiest method for initiating FTP protocol security for your FTP virtual server traffic is to use the system default settings. You do this by enabling protocol security for the system-supplied FTP service profile, and then associating that service profile with a virtual server.
  1. On the Main tab, click Local Traffic > Profiles > Services > FTP .
    The FTP profile list screen opens.
  2. In the Name column, click ftp.
    The Properties screen for the system-supplied FTP profile opens.
  3. If you want to disable IPv6 translation, in the Settings area, clear the Translate Extended check box.
  4. Retain the Data Port setting default value of 20.
  5. To enable FTP security checks, select the Protocol Security check box.
    The Protocol Security tab opens.
  6. Click Update.
You now have a security-enabled service profile that you can associate with a virtual server so that FTP protocol checks are performed on the traffic that the FTP virtual server receives.

Enabling protocol security for an FTP virtual server

When you enable protocol security for an FTP virtual server, the system scans any incoming FTP traffic for vulnerabilities before the traffic reaches the FTP servers.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address field, type the IP address in CIDR format.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    Note: The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type 21 or select FTP from the list.
  6. In the Configuration area, for the FTP Profile setting, select the default profile, ftp.
  7. From the Source Address Translation list, select Auto Map.
  8. For the Default Pool setting, either select an existing pool from the list, or click the Create (+) button and create a new pool.
  9. Click Finished.
The custom FTP virtual server appears in the Virtual Servers list.

Reviewing violation statistics for security profiles

You can view statistics and transaction information for each security profile that triggers security violations.
  1. On the Main tab, click Security > Event Logs > Protocol and click HTTP, FTP, SMTP, or DNS.
    The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation.
    On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.

Overview: Securing FTP traffic using a custom configuration

This implementation describes how to secure FTP traffic using a custom configuration. When you use an FTP security profile, the BIG-IP system inspects FTP traffic for network vulnerabilities. A default FTP security profile is included in the system that you can modify, or you can create a new one as described in the tasks included here. To activate security checks for FTP traffic, you enable protocol security in an FTP service profile, and associate the service profile with a virtual server.

You can customize an FTP security profile to generate alarms or block requests for the following FTP security risks:

  • Port scanning exploits
  • Anonymous FTP requests
  • Command line length exceeds the defined length
  • Specific FTP commands
  • Traffic that fails FTP protocol compliance checks
  • Brute force attacks (excessive FTP login attempts)
  • File stealing exploits

Task summary

Creating a custom FTP profile for protocol security

You create a custom FTP profile when you want to fine-tune the way that the BIG-IPsystem manages FTP traffic. This procedure creates an FTP service profile that optimizes FTP traffic in the LAN, and enables Protocol Security in the profile so it can scan for vulnerabilities specific to the protocol.
  1. On the Main tab, click Local Traffic > Profiles > Services > FTP .
    The FTP profile list screen opens.
  2. Click Create.
    The New FTP Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. From the Parent Profile list, select the default ftp profile.
  5. Select the Custom check box.
  6. If you want to disable IPv6 translation, in the Settings area, clear the Translate Extended check box.
  7. For the Inherit Parent Profile setting, select the check box.
    This optimizes data channel traffic.
  8. Retain the Data Port setting default value of 20.
  9. To enable FTP security checks, select the Protocol Security check box.
    The Protocol Security tab opens.
  10. Click Finished.
The custom FTP profile now appears in the FTP profile list screen.

Creating a security profile for FTP traffic

An FTP security profile provides security checks that are applicable to the FTP protocol. You can create an FTP profile that specifies whether the system allows, logs, or blocks commands and requests from servers that use the FTP protocol.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > FTP .
    The Security Profiles: FTP screen opens.
  2. Click the Create button.
    The New FTP Security Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. In the Defense Configuration area, select Alarm or Block for the defenses you want to activate.
    FTP Defense Description when set to Block
    Active Mode Prevents port scanning and other active mode exploits.
    Anonymous FTP Requests Prevents unauthorized access by prohibiting anonymous users
    Command Length Restriction Prevents buffer overflow attacks by limiting command line length. Specify the maximum number of characters allowed in a command.
    FTP Commands Protects against unwanted FTP commands. Move the commands you do not want to allow into the Disallowed list.
    FTP Protocol Compliance Failed Protects against non-RFC compliant commands and also disallows syntax errors.
    Maximum Login Retries Prevents brute force attacks by limiting login retries. Specify the maximum attempts a user can try to log on, the maximum number of login attempts allowed from a specific client IP address, and how long to block users before they can try again.
    Passive Mode Prevents passive mode exploits such as file stealing.
    Option Description
    Alarm The system logs any requests that trigger the violation.
    Block The system blocks any requests that trigger the violation.
    Alarm and Block The system both logs and blocks any requests that trigger the violation.
    If you do not enable either Alarm or Block for a violation, the system does not perform the corresponding security check.
  5. Click Create.
    The screen refreshes, and you see the new security profile in the list.
The BIG-IP system automatically assigns this service profile to FTP traffic that a designated virtual server receives.

Modifying associations between service profiles and security profiles

Before you can modify associations between service profiles and security profiles, you must have created at least one security profile.
When you enable the Protocol Security setting on an FTP, HTTP, or SMTP service profile, the system automatically assigns the first-listed security profile to the service profile you configured for that profile. You can review and modify the current associations between the service profiles and the security profiles for each protocol.
  1. On the Main tab, click Security > Protocol Security > Profiles Assignment .
    The Profiles Assignment screen opens.
  2. From the Profiles Assignment menu, select the service profile type.
  3. For each traffic profile, select the protocol security profile to use from the list in the Assigned Security Profile column.
  4. Click Save.

Configuring an FTP virtual server with a server pool

You can configure a local traffic virtual server and a default pool for your network's FTP servers.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. In the Destination Address/Mask field, type an address, as appropriate for your network.
    The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:42/64. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
  5. In the Service Port field, type 21 or select FTP from the list.
  6. From the FTP Profile list, select either ftp or a custom profile.
  7. From the Source Address Translation list, select Auto Map.
  8. In the Resources area of the screen, for the Default Pool setting, click the Create (+) button.
    The New Pool screen opens.
  9. In the Name field, type a unique name for the pool.
  10. In the Resources area, for the New Members setting, select the type of new member you are adding, then type the information in the appropriate fields, and click Add to add as many pool members as you need.
  11. Click Finished to create the pool.
    The screen refreshes, and reopens the New Virtual Server screen. The new pool name appears in the Default Pool list.
  12. Click Finished to create the virtual server.
    The screen refreshes, and you see the new virtual server in the list.
The custom FTP virtual server appears in the Virtual Servers list.

Reviewing violation statistics for security profiles

You can view statistics and transaction information for each security profile that triggers security violations.
  1. On the Main tab, click Security > Event Logs > Protocol and click HTTP, FTP, SMTP, or DNS.
    The appropriate statistics screen opens listing all violations for that protocol, with the number of occurrences.
  2. Type a Support ID, if you have one, to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation.
    On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.