ftp-ssl conflict

Posted by wndavis on August 20, 2008, 8:04 am


I am attempting to set up a file transfer with a bank using Robo-FTP
with ftp-ssl. I am unable to connect to the bank. The bank says our
firewall has to be set up not to inspect FTP packets (from them?) and
tcp/ip data port ranges 6540 - 6590 need to be open. Our network
security folks are reluctant to create such a firewall rule or make
any firewall changes for that matter.

I'm an applications programmer, not a security expert. How difficult
is it to create such a rule and would it create a vulnerability that
we should resist?

Your help on this would be greatly appreciated.

Posted by Ansgar -59cobalt- Wiechers on August 20, 2008, 8:22 am

wndavis@acm.org wrote:
> I am attempting to set up a file transfer with a bank using Robo-FTP
> with ftp-ssl. I am unable to connect to the bank. The bank says our
> firewall has to be set up not to inspect FTP packets (from them?) and
> tcp/ip data port ranges 6540 - 6590 need to be open. Our network
> security folks are reluctant to create such a firewall rule or make
> any firewall changes for that matter.
>
> I'm an applications programmer, not a security expert. How difficult
> is it to create such a rule and would it create a vulnerability that
> we should resist?

Why not use SSH instead of FTPS? It's *much* less of a hassle,
particularly when it comes to traversing firewalls.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Posted by BillD on August 20, 2008, 8:22 pm

On Aug 20, 8:22 am, Ansgar -59cobalt- Wiechers wrote:
> wnda...@acm.org wrote:
> > I am attempting to set up a file transfer with a bank using Robo-FTP
> > with ftp-ssl. I am unable to connect to the bank. The bank says our
> > firewall has to be set up not to inspect FTP packets (from them?) and
> > tcp/ip data port ranges 6540 - 6590 need to be open. Our network
> > security folks are reluctant to create such a firewall rule or make
> > any firewall changes for that matter.
> >
> > I'm an applications programmer, not a security expert. How difficult
> > is it to create such a rule and would it create a vulnerability that
> > we should resist?
>
> Why not use SSH instead of FTPS? It's *much* less of a hassle,
> particularly when it comes to traversing firewalls.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

We are using SSH with another bank.
Thanks for the tip; maybe we can use SSH where there's a choice.

Posted by Wolfgang Kueter on August 20, 2008, 10:01 am

wndavis wrote:

> I am attempting to set up a file transfer with a bank using Robo-FTP with
> ftp-ssl. I am unable to connect to the bank.

Are you running the FTP server, or the bank?

> The bank says our
> firewall has to be set up not to inspect FTP packets (from them?) and
> tcp/ip data port ranges 6540 - 6590 need to be open.

A firewall must not be able to inspect the packets, if it can read the
traffic, it will be a successful man-in-the-middle attacker. ;)

Please read:

http://en.wikipedia.org/wiki/FTPS

which describes the problem quite well. At least the bank seems to use a
fixed port range and uses passive mode for the ftp-data connection.


If the bank runs the ftp server you need to allow tcp connections to port
990 (ftps command) and to the port range they told you (passive mode, ftp-
data).
So you need rules looking somewhat like this:

from    to      proto   port        action
------------------------------------------------
you     bank    tcp     990         allow (stateful)
you     bank    tcp     6540-6590   allow (stateful)
you     bank    all     all         reject

Complete stateful handling of the data-connection will never work,
because you have an encrypted connection, so the firewall can't identify
the destination port of the data-connection.

> Our network
> security folks are reluctant to create such a firewall rule or make any
> firewall changes for that matter.

Well, as long as the bank allows only passive mode I don't see a very big
problem.

> I'm an applications programmer, not a security expert. How difficult is
> it to create such a rule and would it create a vulnerability that we
> should resist?

Well, it is TCP, therefore the direction of the connection is easy to
determine. But as with standard FTP you have two connections (ftp-command
and ftp-data).

Wolfgang

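The point in Wolfgang's post about why the data connection cannot be handled statefully can be seen by looking at what a firewall's FTP helper (ALG) actually does on a cleartext control channel. The following is an added example for this thread, not code from the posts, from Robo-FTP or from the bank: it reads the server's 227/229 passive-mode replies, derives the data-connection endpoint the way an ALG would, and applies the static policy the bank asked for (data connections only to the bank's server, only within 6540-6590). Over FTPS these reply lines travel inside TLS, so the firewall never sees them; that is exactly why the range has to be opened beforehand. The port range is the one the bank stated; the server address is an assumed placeholder from TEST-NET-2 and the reply lines are constructed samples.

```python
"""Passive-mode reply parsing and the firewall check it enables.

Added example for this thread (not code from the posts, Robo-FTP, or the
bank). It replicates what a firewall's FTP helper does on a cleartext
control channel: read the server's 227/229 reply, derive the data-connection
endpoint, and decide whether that connection may be opened. Over FTPS the
control channel is inside TLS, so a firewall never sees these replies and the
passive port range has to be allowed statically instead. The port range is
the one the bank stated (6540-6590); the server address is an assumed
placeholder from TEST-NET-2; the reply lines are constructed samples.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428: "229 Entering Extended Passive Mode (|||port|)"; host is the control peer
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataEndpoint:
    host: str
    port: int


def parse_pasv(reply: str) -> DataEndpoint:
    """Decode a 227 reply into the host/port the client will connect to."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a well-formed 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(p1, p2) > 255:
        raise ValueError(f"port byte out of range in 227 reply: {reply!r}")
    host = str(ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"))  # rejects octets > 255
    return DataEndpoint(host, p1 * 256 + p2)


def parse_epsv(reply: str, control_peer: str) -> DataEndpoint:
    """Decode a 229 reply; EPSV carries only a port, the host is the control peer."""
    m = EPSV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a well-formed 229 reply: {reply!r}")
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in 229 reply: {reply!r}")
    return DataEndpoint(control_peer, port)


def parse_passive_reply(reply: str, control_peer: str) -> DataEndpoint:
    """Dispatch on the reply code, as a helper does for every control-channel line."""
    code = reply[:3]
    if code == "227":
        return parse_pasv(reply)
    if code == "229":
        return parse_epsv(reply, control_peer)
    raise ValueError(f"not a passive-mode reply: {reply!r}")


@dataclass(frozen=True)
class DataPolicy:
    """The static rule the bank asked for: data connections go to the bank's
    server only, within its published passive range."""
    server: str
    port_low: int
    port_high: int

    def check(self, ep: DataEndpoint, control_peer: str) -> Tuple[bool, str]:
        # A 227 reply naming a host other than the one we are talking to is
        # the classic PASV redirect: refuse it rather than connect elsewhere.
        if ep.host != control_peer:
            return False, f"data host {ep.host} is not the control peer {control_peer}"
        if ep.host != self.server:
            return False, f"{ep.host} is not the allowed server {self.server}"
        if not self.port_low <= ep.port <= self.port_high:
            return False, f"port {ep.port} outside {self.port_low}-{self.port_high}"
        return True, "allowed"


BANK_SERVER = "198.51.100.20"  # assumed placeholder, not the bank's real address
BANK_POLICY = DataPolicy(BANK_SERVER, 6540, 6590)  # range stated by the bank

# Constructed sample replies, as a cleartext control channel would show them.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (198,51,100,20,25,142)",  # 25*256+142 = 6542: in range
    "229 Entering Extended Passive Mode (|||6590|)",      # top of the range: in range
    "227 Entering Passive Mode (198,51,100,20,25,200)",  # 25*256+200 = 6600: outside
    "227 Entering Passive Mode (10,0,0,5,25,142)",        # other host: PASV redirect
    "227 Entering Passive Mode (198,51,100,20,300,1)",    # malformed port byte
]


def evaluate(replies: List[str], policy: DataPolicy, control_peer: str
             ) -> List[Tuple[str, Optional[DataEndpoint], bool, str]]:
    """Run every reply through the parser and the policy; never raise."""
    out = []
    for reply in replies:
        try:
            ep = parse_passive_reply(reply, control_peer)
            ok, why = policy.check(ep, control_peer)
        except ValueError as exc:
            ep, ok, why = None, False, str(exc)
        out.append((reply, ep, ok, why))
    return out


if __name__ == "__main__":
    for reply, ep, ok, why in evaluate(SAMPLE_REPLIES, BANK_POLICY, BANK_SERVER):
        target = f"{ep.host}:{ep.port}" if ep else "-"
        print(f"{'ALLOW' if ok else 'DENY ':5} {target:22} {why}")
```

Run as a script it prints one ALLOW/DENY line per sample reply. The parsing step is the part a firewall cannot perform once the control channel is TLS-protected, which is why the bank's published range must be allowed as a plain stateful TCP rule; the host check is still worth keeping in the client's own policy, since a 227 reply pointing at another address should never be followed. (Some FTPS servers support the CCC command from RFC 4217 to drop TLS on the control channel after login so a helper can see the replies again, at the cost of exposing commands and file names; the thread does not say whether the bank's server offers it.)
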
Posted by BillD on August 20, 2008, 8:19 pm

Wolfgang Kueter wrote:
> wndavis wrote:
> > I am attempting to set up a file transfer with a bank using Robo-FTP with
> > ftp-ssl. I am unable to connect to the bank.
>
> Are you running the FTP server, or the bank?
>
> > The bank says our
> > firewall has to be set up not to inspect FTP packets (from them?) and
> > tcp/ip data port ranges 6540 - 6590 need to be open.
>
> A firewall must not be able to inspect the packets, if it can read the
> traffic, it will be a successful man-in-the-middle attacker. ;)
>
> Please read:
>
> http://en.wikipedia.org/wiki/FTPS
>
> which describes the problem quite well. At least the bank seems to use a
> fixed port range and uses passive mode for the ftp-data connection.
>
> If the bank runs the ftp server you need to allow tcp connections to port
> 990 (ftps command) and to the port range they told you (passive mode,
> ftp-data).
> So you need rules looking somewhat like this:
>
> from    to      proto   port        action
> ------------------------------------------------
> you     bank    tcp     990         allow (stateful)
> you     bank    tcp     6540-6590   allow (stateful)
> you     bank    all     all         reject
>
> Complete stateful handling of the data-connection will never work,
> because you have an encrypted connection, so the firewall can't identify
> the destination port of the data-connection.
>
> > Our network
> > security folks are reluctant to create such a firewall rule or make any
> > firewall changes for that matter.
>
> Well, as long as the bank allows only passive mode I don't see a very big
> problem.
>
> > I'm an applications programmer, not a security expert. How difficult is
> > it to create such a rule and would it create a vulnerability that we
> > should resist?
>
> Well, it is TCP, therefore the direction of the connection is easy to
> determine. But as with standard FTP you have two connections (ftp-command
> and ftp-data).
>
> Wolfgang

The bank has the secure server. Robo-FTP is a client that allows just
about any configuration to be used.
Passive mode is used here.
Thanks for the Wikipedia link. When it came to the certificate I got
from Verisign, I had to use OpenSSL to create files with different
extensions to import/export.
