topic Re: FTP over HTTP in General Topics

FTP over HTTP

MGoodnow — Wed, 07 Sep 2011 19:38:37 GMT

Hello,

I need to block FTP communication - however, I do not want to block downloads that come through a browser - which can utilizes FTP over HTTP. Would this configuration theoretically work? Curious if anyone has made that work - before I get into testing mode.

Rule1 - any/any - FTP Application - HTTP Service/Port80 - ALLOW

Rule2 - any/any - FTP Application - Any Services - DENY

Would rule 1 allow a user to download a software update that utilizes ftp over port 80 - and rule 2 deny the user from using a FTP application for uploading or downloading straight port 21?

Thanks!

Mike

Re: FTP over HTTP

camkim_MDEA — Wed, 07 Sep 2011 22:20:24 GMT

I'd like to see an example of anyone using ftp over port 80. That would rather seem odd.

Since you would allow FTP downloads, wouldn't it be easier to create rule disallow FTP PUT?

Re: FTP over HTTP

MGoodnow — Wed, 07 Sep 2011 22:29:17 GMT

If the "ftp" application was broken out into a sub "ftp-get" and "ftp-put" - I would go that route. A group of customers requested that back at the New England user forum. Not sure if that is something the app team is still looking into.

Re: FTP over HTTP

migration — Thu, 08 Sep 2011 09:49:35 GMT

The web browser is an ftp client and for this reason doesn't tunnel ftp over http but simply use port 21.

You also have to consider that if you are using ftp-passive mode the server destination port could change from 21 during file transfer.

Otherwise, you have to use ftp-active mode (bad thing, bacause you need to open > 1023 ports to you local net from Internet).

Unfortunately, you can configure http-get and http-put parameters but I didn'f find ftp-put in custom applications.

Re: FTP over HTTP

jleung — Thu, 08 Sep 2011 15:26:56 GMT

Hi,

You can allow ftp and put service as "application-default" which should help you to allow ftp traffic only. For FTP using browser as the client it is actually running the standard ftp at the background.

For FTP put and and get, we do have a custom vulnerability sig shared in devcenter that you can use. You can enable vul profile and put the "ftp put" as "block" action.

Re: FTP over HTTP

MGoodnow — Thu, 15 Sep 2011 18:23:08 GMT

I found that when I deny "ftp" - that you can no longer download from hp.com. It shows in the logs as "web-browsing". This was my thought earlier that is does some type of ftp over port 80. The log never shows a ftp connection only 80. When I allow "ftp" again - then you can download - and it still stays on port 80.

I had tried to enter in the custom signatures - but received an error upon commit. Had to remove them.

Re: FTP over HTTP

jleung — Sat, 17 Sep 2011 15:38:58 GMT

Hi,

I just tried to download some drivers from hp.com, and I saw three logs:

1. web-browsing- which is normal as it is the traffic before I click download from the website

2. ftp control connection running over standard port 21

3. ftp data connection running in high port range

I am not sure why you are not seeing the ftp log. Are you using log at session end or log at session start (you can check it when you click option of a policy). If you are using log at session end you should see things similar to me.

Re: FTP over HTTP

MGoodnow — Thu, 22 Sep 2011 14:01:54 GMT

Hello,

Thank you very much for taking the time to confirm that. Yes, after running a packet capture was also able to see that it does indeed switch over to a ftp url. I am logging at session end. Looking into why there was no entry for anything after "web-browsing". Will open a case with support if I finding nothing. Possible it could of been timing in the logs - but after a minute or two, never saw the new ftp entry. However, logging aside - glad to know that the communication is ftp and will work on some type of whitlisting approach. Thanks!

Cheers,

Mike

Re: FTP over HTTP

jleung — Thu, 22 Sep 2011 14:04:15 GMT

Hi,

Glad to know that.

Jones