Approach to manage FTP

Reply
Highlighted
L4 Transporter

Approach to manage FTP

Based on recent research by Palo Alto there appears to be a greater emphasis needed  on managing FTP.  What approach have you found  most easily to deploy?  The two options I can think of are:

1. Controlling who can do FTP

2. Only allowing FTP access to trusted FTP sites

Any thoughts or ideas appreciated.

Phil

Highlighted
L6 Presenter

Re: Approach to manage FTP

Depends on your situation.

A regular web-browsing client usually doesnt have to be able to use ftp for daily use.

So if your case is to block malware reaching clients then the hole which you allow clients through should be as narrow as possible. And if possible also consider using terminalserver solutions or dedicated (virtual) appliances such as Webconverger - opensource Web Kiosk PC operating system

An easy way to achieve the above (in terms of PA configuration) is a combination of your suggestions.

First of all, not everyone should be allowed for ftp. And those who are will be limited to dedicated sites.

Im not sure if you can use url filtering for this but if you can then a somewhat healthy approach is to only allow sites which belongs to specific categories.

Also dont forget to enable AV scanning in PA for the traffic passing through.

A potential threat is encrypted ftp. There is both SFTP and FTPS. Im not sure if the SSL-termination in PA will help you that much with both of the cases (if any).

Highlighted
L4 Transporter

Re: Approach to manage FTP

Besides a few business systems that have FTP needs - we block ftp unless you are a "domain" authenticated IT person. Initially we found a few domain or local system accounts that had a business need to FTP (and those we made accommodations for), but overall it was successful very early on. Provided most everyone in your environment logs into the domain - using AD users and groups within the rules works very slick. We also setup a daily report showing FTP usage, to keep an eye on IT usage and DLP. And we include Threat/AV/URL/Wildfire to the ftp allow rule.


Initially we setup the rule in logging only for a few months to get a handle of who/what/when was happening for FTP.


Cheers,


Mike

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!