The Stateful Inspection Advantage - Passive FTP Example

In order to discuss the strength of Stateful Inspection technology in comparison to the other firewall technologies mentioned, we will examine the Passive FTP protocol and the ways that firewalls handle Passive FTP traffic pass-through.

FTP connections are unique, since they are established using two sessions or channels: one for command (AKA control) and one for data. The following table describes the steps of establishing a Passive FTP connection, where:

Establishment of Passive FTP Connection

| Step | Channel Type | Description | Source | TCP Source Port | Destination | TCP Destination Port |
|---|---|---|---|---|---|---|
| 1 | CMD | Client initiates a PASV command to the FTP server on port 21 | FTP client | C > 1023 | FTP server | 21 |
| 2 | CMD | Server responds with data port information P > 1023 | FTP server | 21 | FTP client | C |
| 3 | Data | Client initiates data connection to server on port P | FTP client | D > 1023 | FTP server | P |
| 4 | Data | Server acknowledges data connection | FTP server | P | FTP client | D |

The following diagram demonstrates the establishment of a Passive FTP connection through a firewall protecting the FTP server.

Establishment of Passive FTP Connection

From the FTP server's perspective, the following connections are established:

The fact that both of the channels are established by the client presents a challenge for the firewall protecting the FTP server: while a firewall can easily be configured to identify incoming command connections over the default port 21, it must also be able to handle incoming data connections over a dynamic port that is negotiated randomly as part of the FTP client-server communication. The following table examines how different firewall technologies handle this challenge:

Firewall Technologies and Passive FTP Connections

Firewall Technology

Action

Packet Filter

Packet filters can handle outbound FTP connections in either of the following ways:

  • By leaving the entire upper range of ports (greater than 1023) open. While this allows the file transfer session to take place over the dynamically allocated port, it also exposes the internal network.
  • By shutting down the entire upper range of ports. While this secures the internal network, it also blocks other services.

Thus, a packet filter's handling of Passive FTP comes at the expense of either application support or security.

Application-Layer Gateway (Proxy)

Application-layer gateways use an FTP proxy that acts as a go-between for all client-server sessions.

This approach overcomes the limitations of packet filtering by bringing application-layer awareness to the decision process; however, it also takes a high toll on performance. In addition, each service requires its own proxy (an FTP proxy for FTP sessions, an HTTP proxy for HTTP sessions, and so on), and since the application-layer gateway can only support a certain number of proxies, its usefulness and scalability are limited. Finally, this approach exposes the operating system to external threats.

Stateful Inspection Firewall

A Stateful Inspection firewall examines the FTP application-layer data in an FTP session. When the client initiates a command session, the firewall extracts the port number from the request. The firewall then records both the client's and the server's IP addresses and port numbers in an FTP-data pending request list. When the client later attempts to initiate a data connection, the firewall compares the connection request's parameters (ports and IP addresses) to the information in the FTP-data pending request list to determine whether the connection attempt is legitimate.

Since the FTP-data pending request list is dynamic, the firewall can ensure that only the required FTP ports are opened. When the session is closed, the firewall immediately closes the ports, guaranteeing the FTP server's continued security.
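As an added example (not Check Point's code or the page's own), the following minimal model of the FTP-data pending request list shows the mechanism described above: the control-channel inspector parses the server's `227 Entering Passive Mode` reply, which is the RFC 959 message that actually carries the data port P, records the expected client/server addresses, and the data-connection decision admits only a connection that matches a pending entry. The one-use-per-PASV and close-on-session-end behaviour, and the sample addresses, are assumptions of this example.

```python
import re
from dataclasses import dataclass

# RFC 959 reply carrying the passive data port:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> P = p1*256 + p2
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pending:
    client_ip: str
    server_ip: str
    server_port: int  # P, the dynamically negotiated data port


class StatefulFtpInspector:
    """Tracks the passive data connections each control session has negotiated."""

    def __init__(self):
        self.pending = set()  # the FTP-data pending request list

    def inspect_control(self, client_ip, server_ip, reply_line):
        """Called for each server->client line seen on the port-21 channel."""
        m = PASV_REPLY.match(reply_line)
        if not m:
            return None
        h = m.groups()
        ip = ".".join(h[:4])
        port = int(h[4]) * 256 + int(h[5])
        # Only trust a port on the server we are actually talking to; a reply
        # pointing at another host or a privileged port must not open a hole.
        if ip != server_ip or port <= 1023:
            return None
        entry = Pending(client_ip, server_ip, port)
        self.pending.add(entry)
        return entry

    def decide_data_syn(self, src_ip, dst_ip, dst_port):
        """Allow a new inbound data connection only if it was negotiated."""
        entry = Pending(src_ip, dst_ip, dst_port)
        if entry in self.pending:
            self.pending.discard(entry)  # one data connection per PASV (assumed policy)
            return "ACCEPT"
        return "DROP"

    def close_session(self, client_ip, server_ip):
        """Control channel closed: forget any data ports that were never used."""
        self.pending = {p for p in self.pending
                        if not (p.client_ip == client_ip and p.server_ip == server_ip)}
```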

See Also

Check Point Stateful Inspection Technology

Packet State and Context Information

What Other Stateful Inspection Firewalls Cannot Do