class-map FTP
 match port tcp eq ftp
2. Create an inspection policy map to tune the FTP inspection engine.
Example: mask the FTP server banner; mask the SYST reply (system information); disallow the DELE and RMD commands; deny download of .doc files.
regex TXT ".*\.txt"
regex ZIP ".*\.zip"
regex DOC ".*\.doc"
class-map type inspect ftp match-all DENIED_COMMANDS
 match request-command dele rmd
policy-map type inspect ftp FTP_INSPECT
 parameters
  mask-banner
  mask-syst-reply
 match filename regex DOC
  reset
 class DENIED_COMMANDS
  reset log
Two things to keep in mind here. ASA regexes are matched as substrings, so ".*\.doc" also matches names such as test.docx or test.doc.bak; check a pattern against a sample filename on the box with test regex test.docx ".*\.doc" before relying on it (only DOC is referenced in this policy; TXT and ZIP are defined but unused). The filename match uses a bare reset, so a blocked transfer produces no 303005 class-match syslog, only the 507003 inspection-engine teardown; add log to it if you want the match itself recorded.
3. Create the Layer 3/4 policy map
policy-map policy_inside
 class FTP
  inspect ftp strict FTP_INSPECT
The strict keyword additionally requires each FTP command to be acknowledged before the next one is accepted and checks that the PORT/PASV negotiation is well-formed, which can break clients that pipeline commands or embed FTP commands in HTTP requests.
4. Apply the policy map using a service policy (global or at interface level)
service-policy policy_inside interface inside
5. Verification:
FTP session without traffic inspection (baseline):
root@bt:~# ftp 192.168.223.129
Connected to 192.168.223.129.
220-FileZilla Server version 0.9.41 beta
220-written by Tim Kosse (Tim.Kosse@gmx.de)
220 Please visit http://sourceforge.net/projects/filezilla/
Name (192.168.223.129:root): test
331 Password required for test
Password:
230 Logged on
Remote system type is UNIX.
ftp> ls
200 Port command successful
150 Opening data channel for directory list.
-r--r--r-- 1 ftp ftp 22 Mar 03 21:45 configurations.zip
-r--r--r-- 1 ftp ftp 10752 Feb 02 13:38 test.doc
-r--r--r-- 1 ftp ftp 22 Mar 03 21:45 example1.txt
-r--r--r-- 1 ftp ftp 22 Mar 03 21:45 example2.txt
226 Transfer OK
ftp>
Mask the FTP banner and the SYST reply:
root@bt:~# ftp 192.168.223.129
Connected to 192.168.223.129.
220-************************************
220-***************************************
220 *******************************************************
Name (192.168.223.129:root): test
331 Password required for test
Password:
230 Logged on
Remote system type is XXXXXXXXXXXXXXXXXXXXXXXXXX.
ftp>
Deny DELE and RMD commands (the control connection is reset and the class match is logged because of reset log):
ftp> dele example1.txt
421 Service not available, remote server has closed connection
%ASA-5-303005: Strict FTP inspection matched Class 21: DENIED_COMMANDS in policy-map FTP_INSPECT, Reset connection from inside:10.1.1.2/55339 to outside:192.168.223.129/21
%ASA-4-507003: tcp flow from inside:10.1.1.2/55339 to outside:192.168.223.129/21 terminated by inspection engine, reason - inspector reset unconditionally.
%ASA-6-302014: Teardown TCP connection 44 for outside:192.168.223.129/21 to inside:10.1.1.2/55339 duration 0:00:11 bytes 256 Flow closed by inspection
Deny download of .doc files (no 303005 message this time, since the filename match uses reset without log; the active-mode data connection from server port 20 is built and then torn down together with the control channel):
ftp> get test.doc
local: test.doc remote: test.doc
200 Port command successful
421 Service not available, remote server has closed connection
%ASA-6-302013: Built outbound TCP connection 46 for outside:192.168.223.129/20 (192.168.223.129/20) to inside:10.1.1.2/56273 (10.1.1.2/56273)
%ASA-6-302014: Teardown TCP connection 46 for outside:192.168.223.129/20 to inside:10.1.1.2/56273 duration 0:00:00 bytes 187 TCP FINs
%ASA-4-507003: tcp flow from inside:10.1.1.2/55340 to outside:192.168.223.129/21 terminated by inspection engine, reason - inspector reset unconditionally.
%ASA-6-302014: Teardown TCP connection 45 for outside:192.168.223.129/21 to inside:10.1.1.2/55340 duration 0:00:38 bytes 428 Flow closed by inspection
%ASA-6-302014: Teardown TCP connection 47 for outside:192.168.223.129/0 to inside:10.1.1.2/40729 duration 0:00:00 bytes 0 Parent flow is closed
Any other command still works, for example downloading a .txt file or uploading:
ftp> get example2.txt
local: example2.txt remote: example2.txt
200 Port command successful
150 Opening data channel for file transfer.
226 Transfer OK
363 bytes received in 0.00 secs (747.9 kB/s)
ftp>
ftp> put example3.txt
local: example3.txt remote: example3.txt
200 Port command successful
150 Opening data channel for file transfer.
226 Transfer OK
443 bytes sent in 0.00 secs (16022.9 kB/s)
ftp>
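The three syslog IDs seen above (303005 class match, 507003 inspection-engine teardown, 302014 connection teardown) are what a SOC will actually see of this policy, and they arrive as separate lines per flow. The script below is an added example, not part of the original post or of Cisco's tooling: it parses those message formats and correlates them per control connection, so a blocked DELE (303005 + 507003) and a blocked .doc download (507003 only, because the filename match has no log keyword) are both reported as inspection resets, while a normally closed session is not. The sample log lines are constructed to mirror the ASA output shown above (plus one clean session and one extra client); field names such as matched_class and inspector_reason are this script's own.

```python
"""Correlate Cisco ASA FTP-inspection syslog events per control connection.

Added example (not from the original post). Parses %ASA-x-303005, 507003 and
302014 messages and groups them by flow so inspection resets can be counted
per client, whether or not the matching policy action carried the log keyword.
"""
import re
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Constructed sample log lines, modelled on the ASA output shown in the post.
SAMPLE_LOGS = """\
%ASA-5-303005: Strict FTP inspection matched Class 21: DENIED_COMMANDS in policy-map FTP_INSPECT, Reset connection from inside:10.1.1.2/55339 to outside:192.168.223.129/21
%ASA-4-507003: tcp flow from inside:10.1.1.2/55339 to outside:192.168.223.129/21 terminated by inspection engine, reason - inspector reset unconditionally.
%ASA-6-302014: Teardown TCP connection 44 for outside:192.168.223.129/21 to inside:10.1.1.2/55339 duration 0:00:11 bytes 256 Flow closed by inspection
%ASA-4-507003: tcp flow from inside:10.1.1.2/55340 to outside:192.168.223.129/21 terminated by inspection engine, reason - inspector reset unconditionally.
%ASA-6-302014: Teardown TCP connection 45 for outside:192.168.223.129/21 to inside:10.1.1.2/55340 duration 0:00:38 bytes 428 Flow closed by inspection
%ASA-6-302014: Teardown TCP connection 48 for outside:192.168.223.129/21 to inside:10.1.1.2/55341 duration 0:01:02 bytes 1337 TCP FINs
%ASA-5-303005: Strict FTP inspection matched Class 21: DENIED_COMMANDS in policy-map FTP_INSPECT, Reset connection from inside:10.1.1.9/41000 to outside:192.168.223.129/21
"""

# interface:ip/port endpoint; {p} is a prefix so both endpoints get distinct group names
ENDPOINT = r"(?P<{p}if>\w+):(?P<{p}ip>[\d.]+)/(?P<{p}port>\d+)"

RE_303005 = re.compile(
    r"%ASA-\d-303005: Strict FTP inspection matched Class \d+: (?P<cls>\S+) "
    r"in policy-map (?P<pmap>\S+), Reset connection from "
    + ENDPOINT.format(p="a") + " to " + ENDPOINT.format(p="b"))
RE_507003 = re.compile(
    r"%ASA-\d-507003: tcp flow from " + ENDPOINT.format(p="a") + " to "
    + ENDPOINT.format(p="b")
    + r" terminated by inspection engine, reason - (?P<reason>.+?)\.?$")
RE_302014 = re.compile(
    r"%ASA-\d-302014: Teardown TCP connection (?P<conn>\d+) for "
    + ENDPOINT.format(p="a") + " to " + ENDPOINT.format(p="b")
    + r" duration (?P<dur>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$")


def flow_key(ev: dict) -> Tuple[str, str]:
    """Direction-agnostic key: 303005/507003 say 'from client to server',
    302014 says 'for server to client', so sort the two endpoints."""
    a = f"{ev['aip']}/{ev['aport']}"
    b = f"{ev['bip']}/{ev['bport']}"
    return tuple(sorted((a, b)))


def parse_line(line: str) -> Optional[dict]:
    """Return a normalised event dict for the three message IDs, else None."""
    for msg_id, rx in (("303005", RE_303005), ("507003", RE_507003), ("302014", RE_302014)):
        m = rx.search(line)
        if m:
            ev = m.groupdict()
            ev["msg_id"] = msg_id
            ev["flow"] = flow_key(ev)
            return ev
    return None


def correlate(log_text: str) -> Dict[Tuple[str, str], dict]:
    """Group events by control connection and merge their fields."""
    flows: Dict[Tuple[str, str], dict] = defaultdict(lambda: {
        "client": None, "matched_class": None, "policy_map": None,
        "inspector_reason": None, "teardown_reason": None, "bytes": None})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        f = flows[ev["flow"]]
        if ev["msg_id"] == "303005":
            f["client"] = ev["aip"]          # the 'from' side issued the command
            f["matched_class"] = ev["cls"]
            f["policy_map"] = ev["pmap"]
        elif ev["msg_id"] == "507003":
            f["client"] = ev["aip"]
            f["inspector_reason"] = ev["reason"]
        else:                                 # 302014
            f["teardown_reason"] = ev["reason"]
            f["bytes"] = int(ev["bytes"])
    return dict(flows)


def terminated_by_inspection(f: dict) -> bool:
    """True if any of the three signals says the inspection engine killed the flow."""
    return (f["matched_class"] is not None
            or f["inspector_reason"] is not None
            or f["teardown_reason"] == "Flow closed by inspection")


def resets_per_client(log_text: str) -> Dict[str, int]:
    """Count inspection-reset control connections per client IP."""
    counts: Dict[str, int] = defaultdict(int)
    for f in correlate(log_text).values():
        if terminated_by_inspection(f) and f["client"]:
            counts[f["client"]] += 1
    return dict(counts)


def find_flow(flows: Dict[Tuple[str, str], dict], client_port: str) -> dict:
    """Look a flow up by the client's ephemeral port (convenience helper)."""
    for key, f in flows.items():
        if any(ep.endswith("/" + client_port) for ep in key):
            return f
    raise KeyError(client_port)


if __name__ == "__main__":
    flows = correlate(SAMPLE_LOGS)
    for key, f in sorted(flows.items()):
        verdict = "inspection-reset" if terminated_by_inspection(f) else "normal"
        print(key, verdict, f["matched_class"] or "-", f["bytes"])
    print(resets_per_client(SAMPLE_LOGS))
```

Run against real syslog export, a client with many inspection resets and no matched class is the signature of the unlogged filename match; that is the operational reason to prefer reset log over a bare reset in the policy.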