Manual Chapter: Configuring Security for FTP Traffic
When you create an FTP security profile, the Protocol Security Module inspects FTP traffic for network vulnerabilities. To activate security checks for FTP traffic, you enable FTP security for an FTP service profile, and associate the service profile with a virtual server.
The easiest method for initiating FTP protocol security for your FTP virtual server traffic is to use the system default settings. You do this by enabling protocol security for the system-supplied FTP service profile, and then associating that service profile with a virtual server.
1. On the Main tab, expand Local Traffic, and then click Profiles.
   The Profiles: Services: HTTP screen opens.
2. From the Services menu, choose FTP.
   The Security Profiles: FTP screen opens.
3. In the Name column, click ftp.
   The Properties screen for the system-supplied FTP profile opens.
4. Clear the Translate Extended check box if you want to disable IPv6 translation.
5. Leave the Data Port setting at the default value, 20.
6. Select the Protocol Security check box to enable FTP security checks.
   The system automatically associates a default FTP security profile with the system-supplied FTP service profile.
7. Click the Update button to save your changes.
Next, you can associate the FTP service profile with a virtual server so that FTP protocol checks are performed on the traffic that the FTP virtual server receives. Refer to Configuring an FTP virtual server for more information.
If the default system configuration does not meet the requirements of your environment, you can manually configure FTP security and traffic management.
FTP service profiles optimize FTP traffic in the LAN. The FTP service profile uses the FTP security profile to scan for vulnerabilities specific to the protocol.
Note: For more information about service profiles in general, refer to BIG-IP® Local Traffic Manager: Concepts.
1. On the Main tab, expand Local Traffic, and then click Profiles.
   The Profiles: Services: HTTP screen opens.
2. From the Services menu, choose FTP.
   The Security Profiles: FTP screen opens.
3. Click the Create button.
   The New FTP Profile screen opens.
4. For the Name setting, type a unique name for the profile.
5. For the Parent Profile setting, select the existing FTP profile from which you want the new profile to inherit settings. The default setting is ftp.
6. Select the Custom check box.
   The system lets you edit the individual settings.
7. Clear the Translate Extended check box if you want to disable IPv6 translation.
8. Leave the Data Port setting at the default value, 20.
9. Select the Protocol Security check box to enable FTP security.
10. Click Finished.
    The screen refreshes and displays the new FTP service profile in the list.
The FTP security profile provides the security checks that are applicable to the FTP protocol. In the security profile, you can also specify whether the Protocol Security Module logs violations locally (the default) or to a remote logging server.
1. On the Main tab, expand Protocol Security, point to Security Profiles, then click FTP.
   The Security Profiles: FTP screen opens.
2. Above the FTP Security Profiles area, click the Create button.
   The New FTP Security Profile screen opens.
3. In the Profile Properties area, in the Profile Name field, type a unique name for the profile.
4. Select the Remote Logging check box if you want to enable remote logging for this security profile.
   Note: The Remote Logging check box is available only if you have specified the remote logging server. See Configuring remote logging.
5. In the Defense Configuration area, you can modify the blocking policy settings for each violation. If you do not enable either Alarm or Block for a violation, the system does not perform the corresponding security check.
   - Check Alarm if you want the system to log any requests that trigger the violation.
   - Check Block if you want the system to block requests that trigger the violation.
   - Check both Alarm and Block if you want the system to perform both actions.
   Tip: In the configuration area, point to the Info icon next to each violation for a description of the violation.
6. Click Create.
   The screen refreshes, and you see the new security profile in the list.
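The following is an added illustration, not code from the F5 manual or the Protocol Security Module, of the per-violation Alarm/Block semantics described in step 5: a check with neither flag is skipped entirely, Alarm only records the request, and Block drops it. The violation names and the three checks (anonymous login, command length, PORT to a low data port) are constructed for this example; the policy and the sample FTP control lines are likewise constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not F5 code: violation names and checks are constructed.
# Only the Alarm/Block logic follows the manual (no flag -> no check).

@dataclass
class Policy:
    alarm: bool = False  # log requests that trigger the violation
    block: bool = False  # block requests that trigger the violation

def anonymous_login(cmd: str, arg: str) -> bool:
    return cmd == "USER" and arg.lower() in {"anonymous", "ftp"}

def command_too_long(cmd: str, arg: str, limit: int = 64) -> bool:
    return len(f"{cmd} {arg}".strip()) > limit

def port_below_1024(cmd: str, arg: str) -> bool:
    """PORT h1,h2,h3,h4,p1,p2 names the client data port p1*256 + p2."""
    if cmd != "PORT":
        return False
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        return True  # a malformed PORT argument counts as a violation
    return int(parts[4]) * 256 + int(parts[5]) < 1024

CHECKS = {
    "anonymous_login": anonymous_login,
    "command_too_long": command_too_long,
    "port_below_1024": port_below_1024,
}

# Constructed policy; command_too_long has neither flag, so it is skipped.
POLICY = {
    "anonymous_login": Policy(alarm=True),
    "port_below_1024": Policy(alarm=True, block=True),
}

def inspect_line(line: str, policy: dict[str, Policy]) -> tuple[bool, list[str]]:
    """Return (blocked, names of violations logged) for one control line."""
    cmd, _, arg = line.strip().upper().partition(" ")
    blocked, logged = False, []
    for name, check in CHECKS.items():
        pol = policy.get(name, Policy())
        if not (pol.alarm or pol.block):
            continue  # neither Alarm nor Block: the check is not performed
        if check(cmd, arg):
            logged += [name] if pol.alarm else []
            blocked = blocked or pol.block
    return blocked, logged
```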
When you enable the Protocol Security setting on an FTP service profile, the system automatically assigns the first-listed FTP security profile to the FTP service profile. If you have more than one security profile configured, you can change the associations on the Profiles Assignment screen in the Protocol Security Module. On the Profiles Assignment screen, you can review the current associations, including the FTP service profile, the virtual server that uses the service profile, and the FTP security profile.
1. On the Main tab, expand Protocol Security, and then click Profiles Assignment.
   The Profiles Assignment screen opens.
3. In the FTP Security Profiles Assignment area, for each traffic profile, select the FTP security profile to use from the list in the Assigned Security Profile column.
4. Click Save to retain your changes.
To protect FTP traffic, you need to configure a local traffic virtual server and a default pool for the FTP servers, and associate the FTP service profile that you created. The system automatically associates the FTP security profile with the virtual server. As a result, the FTP security profile is applied to any FTP traffic that the virtual server receives.
Note: For details about virtual servers, refer to BIG-IP® Local Traffic Manager: Concepts.
1. On the Main tab, expand Local Traffic, and then click Virtual Servers.
   The Virtual Servers screen opens.
2. Click the Create button.
   The New Virtual Server screen opens.
3. For the Name setting, type a unique name for the virtual server.
4. For the Destination setting, select the type, and type an address, or an address and mask, as appropriate for your network.
5. For the Service Port setting, either type 21 in the field, or select FTP from the list.
6. Next to Configuration, select Advanced.
   The screen displays additional configuration options.
7. For the FTP Profile setting, select either the system-supplied profile (ftp), or a profile that you created.
8. For the SNAT Pool setting, if your network configuration requires address translation, select Auto Map.
9. In the Resources area, for the Default Pool setting, click the Create button.
   The New Pool screen opens.
10. On the New Pool screen, for the Name setting, type a unique name for the pool.
11. On the New Pool screen, for the New Members setting, you can add members to the pool in two ways:
    - Select New Address to type the address and port of any FTP servers that you want to add. (Note that the system automatically adds them as nodes, too.)
    - Select Node List to choose addresses from a list of servers that already exist in the local traffic configuration.
12. On the New Pool screen, for the Service Port setting, select FTP from the list.
13. Click the Add button to add each node or address to the New Members list.
14. Click Finished to create the pool.
    The screen refreshes, and reopens the New Virtual Server screen. The new pool should be listed in the Default Pool setting.
15. Click Finished to create the virtual server.
    The screen refreshes, and you see the new virtual server in the list.
The system is now ready to scan FTP traffic for vulnerabilities common to that protocol. See Reviewing violations statistics for security profiles for information on reviewing the FTP security attacks that the system detects.
After you finish configuring the system, and traffic is going to the FTP server, the Protocol Security Module provides statistics and transaction information about FTP traffic that triggers any of the FTP security violations. If you enable the Alarm flag for a violation and incoming FTP traffic triggers the violation, the Protocol Security Module logs the request, which you can review on the Statistics screen of the Protocol Security Module. If you enable the Block flag for any of the violations, the Protocol Security Module blocks the request.
Important: The Protocol Security Module stores FTP security violations in system memory rather than on disk. As a result, if you are using a redundant system configuration, the violations data does not replicate to the other unit.
1. On the Main tab, expand Protocol Security, and then click Statistics.
   The Protocol Statistics screen opens, listing FTP, SMTP, and HTTP violations and the number of times each has occurred.
2. For FTP violations that the system has detected, the violation name becomes a hyperlink. Click the link to see details about the requests that caused the violation.
3. On the Statistics screen, in the left column, you can review information regarding the FTP traffic volume.