
View Full Version : ftp-ssl conflict



wndavis@acm.org
08-20-08, 07:04 AM
I am attempting to set up a file transfer with a bank using Robo-FTP
with ftp-ssl. I am unable to connect to the bank. The bank says our
firewall has to be set up not to inspect FTP packets (from them?) and
TCP/IP data port ranges 6540 - 6590 need to be open. Our network
security folks are reluctant to create such a firewall rule or make
any firewall changes for that matter.

I'm an applications programmer, not a security expert. How difficult
is it to create such a rule and would it create a vulnerability that
we should resist?

Your help on this would be greatly appreciated.

Ansgar -59cobalt- Wiechers
08-20-08, 07:22 AM
wndavis@acm.org wrote:
> I am attempting to set up a file transfer with a bank using Robo-FTP
> with ftp-ssl. I am unable to connect to the bank. The bank says our
> firewall has to be set up not to inspect FTP packets (from them?) and
> TCP/IP data port ranges 6540 - 6590 need to be open. Our network
> security folks are reluctant to create such a firewall rule or make
> any firewall changes for that matter.
>
> I'm an applications programmer, not a security expert. How difficult
> is it to create such a rule and would it create a vulnerability that
> we should resist?

Why not use SSH instead of FTPS? It's *much* less of a hassle,
particularly when it comes to traversing firewalls.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Wolfgang Kueter
08-20-08, 09:01 AM
wndavis wrote:

> I am attempting to set up a file transfer with a bank using Robo-FTP with
> ftp-ssl. I am unable to connect to the bank.

Are you running the FTP server, or the bank?

> The bank says our
> firewall has to be set up not to inspect FTP packets (from them?) and
> TCP/IP data port ranges 6540 - 6590 need to be open.

A firewall must not be able to inspect the packets; if it can read the
traffic, it will be a successful man-in-the-middle attacker. ;)

Please read:

http://en.wikipedia.org/wiki/FTPS

which describes the problem quite well. At least the bank seems to use a
fixed port range and uses passive mode for the ftp-data connection.


If the bank runs the FTP server you need to allow TCP connections to port
990 (FTPS command channel) and to the port range they told you (passive
mode, ftp-data).
So you need rules looking somewhat like this:

from    to      proto   port            action
-----------------------------------------------
you     bank    tcp     990             allow (stateful)
you     bank    tcp     6540-6590       allow (stateful)
you     bank    all     all             reject

Complete stateful handling of the data connection will never work,
because you have an encrypted connection, so the firewall can't identify
the destination port of the data connection.

> Our network
> security folks are reluctant to create such a firewall rule or make any
> firewall changes for that matter.

Well, as long as the bank allows only passive mode, I don't see a very big
problem.

> I'm an applications programmer, not a security expert. How difficult is
> it to create such a rule and would it create a vulnerability that we
> should resist?

Well, it is TCP, therefore the direction of the connection is easy to
determine. But as with standard FTP you have two connections (ftp-command and
ftp-data).

Wolfgang
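
The rule table above, written out as a concrete Linux iptables ruleset. This
is an added example, not code from the thread or from Robo-FTP: it implements
the "you -> bank tcp/990 allow (stateful), you -> bank tcp/6540-6590 allow
(stateful), everything else reject" policy for a passive-mode FTPS client.
The chain name FTPS_BANK, the addresses 203.0.113.10 (bank) and 192.0.2.25
(client host), and the FTPS_APPLY / IPT variables are my own placeholders;
nothing in the thread names them.

```shell
#!/bin/sh
# Added example, not code from the thread. Linux iptables rules for a
# passive-mode FTPS *client* behind a stateful firewall, following the
# from/to/proto/port table in Wolfgang's post:
#   control channel : tcp/990        (implicit FTPS, as the bank appears to use)
#   data channel    : tcp/6540-6590  (the static passive range the bank gave)
#   anything else to the bank : rejected
# The control channel is TLS-encrypted, so no FTP ALG / conntrack helper can
# read the PASV reply and open the data port on the fly; the range has to be
# opened statically, outbound only, to the bank's address only.
#
# Assumed placeholders (none of these come from the thread):
#   BANK_IP   the bank's FTPS server   (203.0.113.10 is a documentation address)
#   CLIENT_IP the Robo-FTP host        (192.0.2.25, likewise)
#   IPT       the iptables binary; IPT=echo prints the rules instead of applying

BANK_IP="${BANK_IP:-203.0.113.10}"
CLIENT_IP="${CLIENT_IP:-192.0.2.25}"
IPT="${IPT:-iptables}"

# Build the ruleset in a dedicated chain so it can be reviewed, counted and
# flushed as one unit. Usage: ftps_egress_rules <bank_ip> <client_ip>
ftps_egress_rules() {
    bank="$1"
    client="$2"

    # Create the chain, or flush it if it already exists (idempotent re-runs).
    "$IPT" -N FTPS_BANK 2>/dev/null || "$IPT" -F FTPS_BANK

    # Stateful part: replies to connections the client opened are allowed back.
    "$IPT" -A FTPS_BANK -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Control channel: implicit FTPS on tcp/990, new connections outbound only.
    "$IPT" -A FTPS_BANK -p tcp -s "$client" -d "$bank" --dport 990 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Passive data channel: the bank's static range, new connections outbound
    # only. This is the rule the FTP helper would normally add dynamically;
    # it cannot here, because it cannot see inside the TLS session.
    "$IPT" -A FTPS_BANK -p tcp -s "$client" -d "$bank" --dport 6540:6590 \
        -m conntrack --ctstate NEW -j ACCEPT

    # Everything else towards the bank: log it (useful when troubleshooting
    # the "unable to connect" case) and reject it.
    "$IPT" -A FTPS_BANK -d "$bank" -j LOG --log-prefix "FTPS_BANK reject: "
    "$IPT" -A FTPS_BANK -d "$bank" -j REJECT

    # Hook the chain into OUTPUT exactly once. On a gateway box in front of
    # the client host, hook it into FORWARD instead.
    "$IPT" -C OUTPUT -d "$bank" -j FTPS_BANK 2>/dev/null || \
        "$IPT" -I OUTPUT -d "$bank" -j FTPS_BANK
}

# Dry-run helper for review: how many emitted rules match a pattern, e.g.
# count_rules 203.0.113.10 192.0.2.25 '-j ACCEPT'  ->  3
count_rules() {
    ( IPT=echo; ftps_egress_rules "$1" "$2" ) | grep -c -- "$3"
}

# Only touch the live firewall when explicitly asked to.
if [ "${FTPS_APPLY:-0}" = "1" ]; then
    ftps_egress_rules "$BANK_IP" "$CLIENT_IP"
fi
```

Run it as `FTPS_APPLY=1 BANK_IP=<bank> CLIENT_IP=<host> sh ftps-bank.sh` on the
client host (or on its gateway, with the chain hooked into FORWARD), and
`IPT=echo sh ftps-bank.sh` or `count_rules` to print and review the rules
first. Two caveats: if the bank's server does explicit FTPS (AUTH TLS on
port 21) instead of implicit FTPS on 990, change the control port; and on an
appliance firewall the equivalent of the bank's "do not inspect FTP packets"
is switching off its FTP ALG / application inspection for this flow, because
the ALG cannot parse an encrypted PASV reply and therefore cannot do its job
for this session. From a risk standpoint the rule is narrow: outbound only,
to one address, 52 ports, so it is not the kind of hole a firewall team
normally needs to resist.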

Todd H.
08-20-08, 04:01 PM
wndavis@acm.org writes:

> I am attempting to setup a file transfer with a bank using Robo-FTP
> with ftp-ssl.

For whatever it's worth, when most security types see FTP and "bank" in
the same sentence, sphincters pucker.

> I am unable to connect to the bank. The bank says our firewall has
> to be set up not to inspect FTP packets (from them?) and TCP/IP data
> port ranges 6540 - 6590 need to be open. Our network security folks
> are reluctant to create such a firewall rule or make any firewall
> changes for that matter.

Good for them!

> I'm an applications programmer, not a security expert. How difficult
> is it to create such a rule and would it create a vulnerability that
> we should resist?
>
> Your help on this would be greatly appreciated.

Can the bank be talked out of using FTP? You could implement an SSH
server, do this with scp, one simple port (preferably on a
non-standard high numbered one to avoid log traffic from script
kiddies), and yer done.

FTP sucks in all sorts of ways. I shudder to think it's some bank's
preferred mode of transport.

--
Todd H.
http://www.toddh.net/

BillD
08-20-08, 07:12 PM
On Aug 20, 5:01 pm, comph...@toddh.net (Todd H.) wrote:
> wnda...@acm.org writes:
> > I am attempting to set up a file transfer with a bank using Robo-FTP
> > with ftp-ssl.
>
> For whatever it's worth, when most security types see FTP and "bank" in
> the same sentence, sphincters pucker.
>
> > I am unable to connect to the bank. The bank says our firewall has
> > to be set up not to inspect FTP packets (from them?) and TCP/IP data
> > port ranges 6540 - 6590 need to be open. Our network security folks
> > are reluctant to create such a firewall rule or make any firewall
> > changes for that matter.
>
> Good for them!
>
> > I'm an applications programmer, not a security expert. How difficult
> > is it to create such a rule and would it create a vulnerability that
> > we should resist?
>
> > Your help on this would be greatly appreciated.
>
> Can the bank be talked out of using FTP? You could implement an SSH
> server, do this with scp, one simple port (preferably on a
> non-standard high numbered one to avoid log traffic from script
> kiddies), and yer done.
>
> FTP sucks in all sorts of ways. I shudder to think it's some bank's
> preferred mode of transport.
>
> --
> Todd H.
> http://www.toddh.net/

Did you miss the SSL? I'm not using plain old FTP. We have a
certificate issued by Verisign.

BillD
08-20-08, 07:19 PM
On Aug 20, 10:01 am, Wolfgang Kueter <wolfg...@shconnect.de> wrote:
> wndavis wrote:
> > I am attempting to set up a file transfer with a bank using Robo-FTP with
> > ftp-ssl. I am unable to connect to the bank.
>
> Are you running the FTP server, or the bank?
>
> > The bank says our
> > firewall has to be set up not to inspect FTP packets (from them?) and
> > TCP/IP data port ranges 6540 - 6590 need to be open.
>
> A firewall must not be able to inspect the packets; if it can read the
> traffic, it will be a successful man-in-the-middle attacker. ;)
>
> Please read:
>
> http://en.wikipedia.org/wiki/FTPS
>
> which describes the problem quite well. At least the bank seems to use a
> fixed port range and uses passive mode for the ftp-data connection.
>
> If the bank runs the FTP server you need to allow TCP connections to port
> 990 (FTPS command channel) and to the port range they told you (passive
> mode, ftp-data).
> So you need rules looking somewhat like this:
>
> from    to      proto   port            action
> -----------------------------------------------
> you     bank    tcp     990             allow (stateful)
> you     bank    tcp     6540-6590       allow (stateful)
> you     bank    all     all             reject
>
> Complete stateful handling of the data connection will never work,
> because you have an encrypted connection, so the firewall can't identify
> the destination port of the data connection.
>
> > Our network
> > security folks are reluctant to create such a firewall rule or make any
> > firewall changes for that matter.
>
> Well, as long as the bank allows only passive mode, I don't see a very big
> problem.
>
> > I'm an applications programmer, not a security expert. How difficult is
> > it to create such a rule and would it create a vulnerability that we
> > should resist?
>
> Well, it is TCP, therefore the direction of the connection is easy to
> determine. But as with standard FTP you have two connections (ftp-command and
> ftp-data).
>
> Wolfgang

The bank has the secure server. Robo-FTP is a client that allows just
about any configuration to be used.
Passive mode is used here.
Thanks for the Wikipedia link. When it came to the certificate I got
from Verisign, I had to use OpenSSL to create files with different
extensions to import/export.

BillD
08-20-08, 07:22 PM
On Aug 20, 8:22 am, Ansgar -59cobalt- Wiechers
<usenet-2...@planetcobalt.net> wrote:
> wnda...@acm.org wrote:
> > I am attempting to set up a file transfer with a bank using Robo-FTP
> > with ftp-ssl. I am unable to connect to the bank. The bank says our
> > firewall has to be set up not to inspect FTP packets (from them?) and
> > TCP/IP data port ranges 6540 - 6590 need to be open. Our network
> > security folks are reluctant to create such a firewall rule or make
> > any firewall changes for that matter.
>
> > I'm an applications programmer, not a security expert. How difficult
> > is it to create such a rule and would it create a vulnerability that
> > we should resist?
>
> Why not use SSH instead of FTPS? It's *much* less of a hassle,
> particularly when it comes to traversing firewalls.
>
> cu
> 59cobalt
> --
> "If a software developer ever believes a rootkit is a necessary part of
> their architecture they should go back and re-architect their solution."
> --Mark Russinovich

We are using SSH with another bank.
Thanks for the tip; maybe we can use SSH where there's a choice.

Todd H.
08-20-08, 11:43 PM
BillD <wndavis@acm.org> writes:

> On Aug 20, 5:01 pm, comph...@toddh.net (Todd H.) wrote:
>> wnda...@acm.org writes:
>> > I am attempting to set up a file transfer with a bank using Robo-FTP
>> > with ftp-ssl.
>>
>> For whatever it's worth, when most security types see FTP and "bank" in
>> the same sentence, sphincters pucker.
>>
>> > I am unable to connect to the bank. The bank says our firewall has
>> > to be set up not to inspect FTP packets (from them?) and TCP/IP data
>> > port ranges 6540 - 6590 need to be open. Our network security folks
>> > are reluctant to create such a firewall rule or make any firewall
>> > changes for that matter.
>>
>> Good for them!
>>
>> > I'm an applications programmer, not a security expert. How difficult
>> > is it to create such a rule and would it create a vulnerability that
>> > we should resist?
>>
>> > Your help on this would be greatly appreciated.
>>
>> Can the bank be talked out of using FTP? You could implement an SSH
>> server, do this with scp, one simple port (preferably on a
>> non-standard high numbered one to avoid log traffic from script
>> kiddies), and yer done.
>>
>> FTP sucks in all sorts of ways. I shudder to think it's some bank's
>> preferred mode of transport.
>>
>> --
>> Todd H.
>> http://www.toddh.net/
>
> Did you miss the SSL? I'm not using plain old FTP. We have a
> certificate issued by Verisign.

The SSL helps, but FTP is still enough of a pain in the ass with port
usage that it's still a red-headed stepchild vs. scp.

Sorry to hear about the money lost to Verisign. :-\ ssh is free.

--
Todd H.
http://www.toddh.net/