|
|
|
|
|
In order to discuss the strength of Stateful Inspection technology in comparison to the other firewall technologies mentioned, we will examine the Passive FTP protocol and the ways that firewalls handle Passive FTP traffic pass-through.
FTP connections are unique, since they are established using two sessions or channels: one for command (AKA control) and one for data. The following table describes the steps of establishing a Passive FTP connection, where:
Establishment of Passive FTP Connection
Step |
Channel Type |
Description |
Source |
TCP Source Port |
Destination |
TCP Destination Port |
|---|---|---|---|---|---|---|
1 |
CMD |
Client initiates a PASV command to the FTP server on port 21 |
FTP client |
C > 1023 |
FTP server |
21 |
2 |
CMD |
Server responds with data port information P > 1023 |
FTP server |
21 |
FTP client |
C |
3 |
Data |
Client initiates data connection to server on port P |
FTP client |
D > 1023 |
FTP server |
P |
4 |
Data |
Server acknowledges data connection |
FTP server |
P |
FTP client |
D |
The following diagram demonstrates the establishment of a Passive FTP connection through a firewall protecting the FTP server.
Establishment of Passive FTP Connection
From the FTP server's perspective, the following connections are established:
The fact that both of the channels are established by the client presents a challenge for the firewall protecting the FTP server: while a firewall can easily be configured to identify incoming command connections over the default port 21, it must also be able to handle incoming data connections over a dynamic port that is negotiated randomly as part of the FTP client-server communication. The following table examines how different firewall technologies handle this challenge:
Firewall Technologies and Passive FTP Connections
Firewall Technology |
Action |
|---|---|
Packet Filter |
Packet filters can handle outbound FTP connections in either of the following ways:
Thus packet filters' handling of Passive FTP comes at the expense of either application support or security. |
Application-Layer Gateway (Proxy) |
Application-layer gateways use an FTP proxy that acts as a go-between for all client-server sessions. This approach overcomes the limitations of packet filtering by bringing application-layer awareness to the decision process; however, it also takes a high toll on performance. In addition, each service requires its own proxy (an FTP proxy for FTP sessions, an HTTP proxy for HTTP session, and so on), and since the application-layer gateway can only support a certain number of proxies, its usefulness and scalability is limited. Finally, this approach exposes the operating system to external threats. |
Stateful Inspection Firewall |
A Stateful Inspection firewall examines the FTP application-layer data in an FTP session. When the client initiates a command session, the firewall extracts the port number from the request. The firewall then records both the client and server's IP addresses and port numbers in an FTP-data pending request list. When the client later attempts to initiate a data connection, the firewall compares the connection request's parameters (ports and IP addresses) to the information in the FTP-data pending request list, to determine whether the connection attempt is legitimate. Since the FTP-data pending request list is dynamic, the firewall can ensure that only the required FTP ports open. When the session is closed, the firewall immediately closes the ports, guaranteeing the FTP server's continued security. |