Approach to manage FTP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Approach to manage FTP

L4 Transporter

Based on recent research by Palo Alto there appears to be a greater emphasis needed  on managing FTP.  What approach have you found  most easily to deploy?  The two options I can think of are:

1. Controlling who can do FTP

2. Only allowing FTP access to trusted FTP sites

Any thoughts or ideas appreciated.

Phil

2 REPLIES 2

L6 Presenter

Depends on your situation.

A regular web-browsing client usually doesnt have to be able to use ftp for daily use.

So if your case is to block malware reaching clients then the hole which you allow clients through should be as narrow as possible. And if possible also consider using terminalserver solutions or dedicated (virtual) appliances such as Webconverger - opensource Web Kiosk PC operating system

An easy way to achieve the above (in terms of PA configuration) is a combination of your suggestions.

First of all, not everyone should be allowed for ftp. And those who are will be limited to dedicated sites.

Im not sure if you can use url filtering for this but if you can then a somewhat healthy approach is to only allow sites which belongs to specific categories.

Also dont forget to enable AV scanning in PA for the traffic passing through.

A potential threat is encrypted ftp. There is both SFTP and FTPS. Im not sure if the SSL-termination in PA will help you that much with both of the cases (if any).

L4 Transporter

Besides a few business systems that have FTP needs - we block ftp unless you are a "domain" authenticated IT person. Initially we found a few domain or local system accounts that had a business need to FTP (and those we made accommodations for), but overall it was successful very early on. Provided most everyone in your environment logs into the domain - using AD users and groups within the rules works very slick. We also setup a daily report showing FTP usage, to keep an eye on IT usage and DLP. And we include Threat/AV/URL/Wildfire to the ftp allow rule.


Initially we setup the rule in logging only for a few months to get a handle of who/what/when was happening for FTP.


Cheers,


Mike

  • 1733 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!