Manual Chapter: Securing FTP Traffic Using a Custom System Configuration

Overview: Securing FTP traffic

This implementation describes how to secure FTP traffic. When you create an FTP security profile, the BIG-IP® Protocol Security Module™ inspects FTP traffic for network vulnerabilities. To activate security checks for FTP traffic, you enable FTP security for an FTP service profile, and associate the service profile with a virtual server.

You can configure the Protocol Security Module to generate alarms or block requests for the following FTP security risks:

  • Port scanning exploits
  • Anonymous FTP requests
  • Command line length exceeds the defined length
  • Specific FTP commands
  • Traffic that fails FTP protocol compliance checks
  • Brute force attacks (excessive FTP login attempts)
  • File stealing exploits

Task summary

Creating a custom FTP security profile

You create a custom FTP profile when you want to fine-tune the way that the BIG-IP system manages FTP traffic. This procedure creates an FTP service profile that optimizes FTP traffic in the LAN, and uses the security profile to scan for vulnerabilities specific to the protocol.
  1. On the Main tab, click Local Traffic > Profiles > Services > FTP. The FTP profile list screen opens.
  2. Click Create. The New FTP Profile screen opens.
  3. In the Name field, type a name for the profile.
  4. From the Parent Profile list, select the default ftp profile.
  5. On the right side of the screen, select the Custom check box. The settings in the Settings area become available for modification.
  6. If you want to disable IPv6 translation, clear the Translate Extended check box.
  7. For the Inherit Parent Profile setting, select the check box. This optimizes data channel traffic.
  8. Leave the Data Port setting at the default value, 20.
  9. Select the Protocol Security check box to enable FTP security checks.
The custom FTP profile now appears in the FTP profile list screen.

Creating a security profile for FTP traffic

The FTP security profile provides the security checks that are applicable to the FTP protocol. In the security profile, you can also specify whether the Protocol Security Module logs violations locally (the default) or to a remote logging server.
  1. On the Main tab, click Protocol Security > Security Profiles > FTP. The Security Profiles: FTP screen opens.
  2. Click the Create button. The New FTP Security Profile screen opens.
  3. In the Profile Name field, type a unique name for the profile.
  4. If you have specified the remote logging server, and you want to enable remote logging for this profile, select the Remote Logging check box.
  5. In the Defense Configuration area, modify the blocking policy settings for each violation. If you do not enable either Alarm or Block for a violation, the system does not perform the corresponding security check.
    Option           Description
    Alarm            The system logs any requests that trigger the violation.
    Block            The system blocks any requests that trigger the violation.
    Alarm and Block  The system both logs and blocks any requests that trigger the violation.
  6. Click Create. The screen refreshes, and you see the new security profile in the list.
The BIG-IP system automatically assigns this security profile to FTP traffic that a designated virtual server receives.

Modifying associations between service profiles and security profiles

Before you can modify associations, you must have created at least one security profile.
When you enable the Protocol Security setting on a service profile, the system automatically assigns the first-listed security profile for that protocol to the service profile. On the Profiles Assignment screen, you can review and modify the current associations, including a protocol's service profile, the virtual server that uses that service profile, and the security profile itself.
  1. On the Main tab, click Protocol Security > Profiles Assignment. The Profiles Assignment screen opens.
  2. On the menu bar, click the protocol whose settings you want to view (for example, HTTP, FTP, or SMTP).
  3. In the Security Profiles Assignment area, for each traffic profile, select the protocol security profile to use from the list in the Assigned Security Profile column.
  4. Click Save.

Configuring an FTP virtual server with a server pool

You can configure a local traffic virtual server and a default pool for your network's FTP servers.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen displays a list of existing virtual servers.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, select the type, and type an address, or an address and mask, as appropriate for your network.
  5. In the Service Port field, type 21 or select FTP from the list.
  6. From the Configuration list, select Advanced.
  7. From the FTP Profile list, select either ftp or a custom profile.
  8. From the SNAT Pool list, select Auto Map.
  9. In the Resources area of the screen, for the Default Pool setting, click the Create (+) button. The New Pool screen opens.
  10. In the Name field, type a unique name for the pool.
  11. For the New Members setting, select the type of new member you are adding, then type the appropriate information in the Node Name, Address, and Service Port fields, and click Add to add as many pool members as you need.
  12. Click Finished to create the pool. The screen refreshes, and reopens the New Virtual Server screen. The new pool should be listed in the Default Pool setting.
  13. Click Finished to create the virtual server. The screen refreshes, and you see the new virtual server in the list.
The custom FTP virtual server appears in the Virtual Servers list.
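The custom FTP service profile, the server pool, and the FTP virtual server from the two procedures above, expressed as tmsh commands; this is an added example, not text from the original chapter, and the object names, addresses, and pool members are assumed placeholders. The FTP security profile itself is still created and assigned as described in the earlier procedures; comment lines are explanatory and are not tmsh input.

```tmsh
# Custom FTP service profile based on the default ftp profile (assumed name ftp_custom):
#   security enabled        -> the Protocol Security check box
#   translate-extended      -> the Translate Extended setting (set disabled to turn IPv6 translation off)
#   inherit-parent-profile  -> data channel inherits the control channel's TCP profile
#   port 20                 -> the Data Port setting (default ftp-data)
create ltm profile ftp ftp_custom defaults-from ftp security enabled translate-extended enabled inherit-parent-profile enabled port 20

# Default pool of FTP servers (assumed member addresses)
create ltm pool ftp_pool members add { 10.1.1.21:21 10.1.1.22:21 }

# Virtual server on port 21 (assumed address) using the custom FTP profile,
# SNAT Auto Map, and ftp_pool as its default pool
create ltm virtual ftp_vs destination 10.1.1.10:21 ip-protocol tcp profiles add { tcp ftp_custom } source-address-translation { type automap } pool ftp_pool

# Review the resulting objects and persist the configuration
list ltm profile ftp ftp_custom
list ltm virtual ftp_vs
save sys config
```

Enter each command at the tmsh prompt (or prefix it with tmsh from the Advanced shell); after the profile exists with security enabled, confirm the security profile association on the Profiles Assignment screen as described above.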

Reviewing violations statistics for security profiles

The Protocol Security Module provides statistics and transaction information for each security profile whose violations incoming traffic triggers. If you enable the Alarm flag for a violation and incoming traffic triggers the violation, the Protocol Security Module logs the request, which you can review on the Statistics screen of the Protocol Security Module. If you enable the Block flag for any of the violations, the Protocol Security Module blocks the request.
  1. On the Main tab, click Protocol Security > Statistics. The Protocol Statistics screen opens, listing all violations, organized by protocol, with the number of occurrences.
  2. If you have a Support ID, enter it to filter the violations and view one in particular.
  3. Click a violation's hyperlink to see details about the requests causing the violation. On the Statistics screen, in the left column, you can review information regarding the traffic volume for each security profile configured.