Device Manager Guide, Cisco ACE 4700 Series Application Control Engine Appliance
OL-26645-02
Chapter 12 Configuring Traffic Policies
Configuring Rules and Actions for Policy Maps
Setting Policy Map Rules and Actions for Layer 7 FTP Command Inspection
File Transfer Protocol (FTP) inspection examines FTP control sessions for addresses embedded in messages that require translation, for the dynamic opening of data ports, and for stateful tracking of the request and response sequence. Each FTP command must be acknowledged by the server before the ACE allows the client to send a new command. Command filtering allows you to configure the ACE to deny specific commands. When the ACE denies a command, it closes the connection.
The FTP command inspection process, as performed by the ACE:
• Prepares a dynamic secondary data connection. The data channels are allocated in response to a file upload, a file download, or a directory listing event and must be negotiated in advance on the control channel. The port is negotiated through the PORT command (active mode) or the PASV command and its 227 reply (passive mode).
• Tracks the FTP command-response sequence. The ACE performs the command checks listed below. If you specify the FTP Strict field in a Layer 3 and Layer 4 policy map, the ACE tracks each FTP command and response sequence for the anomalous activity outlined below. The FTP Strict parameter is used in conjunction with a Layer 7 FTP policy map (nested within the Layer 3 and Layer 4 policy map) to deny specific FTP commands or to mask the server reply to the SYST command.
Note The use of the FTP Strict parameter may affect FTP clients that do not comply with the RFC standards.
– Truncated command—Checks the number of commas in the PORT command and in the PASV reply (227) against a fixed value of five (the address and port are encoded as h1,h2,h3,h4,p1,p2). If the count is not five, the ACE assumes that the command is truncated, issues a warning message, and closes the TCP connection.
– Incorrect command—Checks that the FTP command ends with the <CR><LF> characters, as required by RFC 959. If the FTP command does not end with those characters, the ACE closes the connection.
– Size of RETR and STOR commands—Checks the size of the RETR and STOR commands against a fixed constant of 256. If the size is greater, the ACE logs an error message and closes the connection.
– Command spoofing—Verifies that the PORT command is always sent from the client. If a PORT command is sent from the server, the ACE denies the TCP connection.
– Reply spoofing—Verifies that the PASV reply (227) is always sent from the server. If a 227 reply is sent from the client, the ACE denies the TCP connection. This denial closes a security hole in which the user sends a forged “227 xxxxx a1, a2, a3, a4, p1, p2” reply from the client side.
– Invalid port negotiation—Checks that the negotiated dynamic port (p1 * 256 + p2) is greater than 1024; the ACE treats port numbers of 1024 and below as reserved for well-known services. If the negotiated port falls in that range, the ACE closes the TCP connection.
– Command pipelining—Checks the number of characters present after the port numbers in the PORT command and in the PASV reply against a constant value of 8. If the number of characters is greater than 8, the ACE closes the TCP connection.
• Translates embedded IP addresses in conjunction with NAT. FTP command inspection rewrites the IP address carried within the application payload (the PORT command and the 227 reply) so that it matches the translated address the peer expects. Refer to RFC 959 for background details.
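As an added example (not from the Cisco guide and not ACE code), the following Python script applies the FTP Strict checks listed above to individual control-channel lines and shows the NAT rewrite of the address embedded in a PORT command or 227 reply. It assumes the limits named on this page (five commas, a 256-byte RETR/STOR limit, at most 8 trailing characters, negotiated port greater than 1024), the RFC 959 encoding p1 * 256 + p2 for the port, and a caller-supplied direction label (client or server) standing in for the ACE's knowledge of which side sent the line. Whether the ACE counts the RETR/STOR length with or without the trailing CRLF is not stated on the page, so the example measures the command without it; the sample session and addresses are constructed.

```python
import re

# Limits taken from the FTP Strict description on this page.
PORT_COMMA_COUNT = 5      # h1,h2,h3,h4,p1,p2 contains exactly five commas
RETR_STOR_MAX_LEN = 256   # RETR/STOR command length limit
MAX_TRAILING_CHARS = 8    # characters allowed after p2 in PORT / 227
MIN_DYNAMIC_PORT = 1025   # negotiated port must be greater than 1024

CLIENT = "client"   # direction labels are an assumption of this example,
SERVER = "server"   # supplied by whoever feeds lines into the inspector

# h1,h2,h3,h4,p1,p2 tuple as written in PORT commands and 227 replies (RFC 959)
_HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return ((ip, port), trailing_text) for the first h1..p2 tuple in text,
    or None if no well-formed tuple is present. port = p1 * 256 + p2."""
    m = _HOSTPORT_RE.search(text)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return (ip, nums[4] * 256 + nums[5]), text[m.end():]


def _check_hostport(line, label):
    """Truncation, port-range and pipelining checks shared by PORT and 227."""
    commas = line.count(",")
    if commas != PORT_COMMA_COUNT:
        return "close", f"truncated {label}: expected {PORT_COMMA_COUNT} commas, found {commas}"
    parsed = parse_hostport(line)
    if parsed is None:
        return "close", f"{label}: address tuple is not parsable"
    (ip, port), trailing = parsed
    if port < MIN_DYNAMIC_PORT:
        return "close", f"invalid port negotiation: {port} is not greater than 1024"
    if len(trailing) > MAX_TRAILING_CHARS:
        return "close", f"command pipelining: {len(trailing)} characters after the port numbers"
    return "allow", f"{label} ok ({ip}:{port})"


def inspect_ftp_line(raw, direction):
    """Apply the FTP Strict checks to one raw control-channel line (bytes,
    line ending included) sent by `direction` (CLIENT or SERVER).
    Returns (verdict, reason), verdict being "allow" or "close"."""
    # Incorrect command: RFC 959 requires <CR><LF> termination.
    if not raw.endswith(b"\r\n"):
        return "close", "incorrect command: line does not end with <CR><LF>"
    line = raw[:-2].decode("ascii", errors="replace")
    verb = line.split(" ", 1)[0].upper()

    # Size of RETR and STOR commands (length without CRLF; counting convention assumed).
    if verb in ("RETR", "STOR") and len(line) > RETR_STOR_MAX_LEN:
        return "close", f"{verb} command exceeds {RETR_STOR_MAX_LEN} bytes"

    # Command spoofing: PORT may only come from the client.
    if verb == "PORT":
        if direction != CLIENT:
            return "close", "command spoofing: PORT from server"
        return _check_hostport(line, "PORT")

    # Reply spoofing: the 227 PASV reply may only come from the server.
    if verb == "227":
        if direction != SERVER:
            return "close", "reply spoofing: 227 from client"
        return _check_hostport(line, "PASV reply")

    return "allow", "no strict check applies"


def translate_hostport(line, old_ip, new_ip):
    """NAT helper: rewrite the embedded h1,h2,h3,h4 of a PORT command or 227
    reply from old_ip to new_ip, keeping p1,p2. Other lines are returned unchanged."""
    parsed = parse_hostport(line)
    if parsed is None or parsed[0][0] != old_ip:
        return line
    m = _HOSTPORT_RE.search(line)
    rewritten = new_ip.replace(".", ",") + "," + m.group(5) + "," + m.group(6)
    return line[:m.start()] + rewritten + line[m.end():]


# Constructed sample exchange: (raw line, sender). Addresses are documentation ranges.
SAMPLE_SESSION = [
    (b"USER anonymous\r\n", CLIENT),
    (b"PORT 10,0,0,5,4,1\r\n", CLIENT),                                  # port 1025: allowed
    (b"227 Entering Passive Mode (192,168,1,20,195,80).\r\n", SERVER),   # port 50000: allowed
    (b"PORT 10,0,0,5,4,1\r\n", SERVER),                                  # spoofed PORT
    (b"227 Entering Passive Mode (192,168,1,20,195,80).\r\n", CLIENT),   # spoofed reply
    (b"PORT 10,0,0,5,4\r\n", CLIENT),                                    # truncated
    (b"PORT 10,0,0,5,0,21\r\n", CLIENT),                                 # port 21: reserved
    (b"PORT 10,0,0,5,4,1 RETR x.txt\r\n", CLIENT),                       # pipelined command
    (b"RETR " + b"A" * 300 + b"\r\n", CLIENT),                           # oversized RETR
    (b"QUIT\n", CLIENT),                                                 # missing CRLF
]


def inspect_session(session=SAMPLE_SESSION):
    """Return the (verdict, reason) pair for every line of a session."""
    return [inspect_ftp_line(raw, who) for raw, who in session]


if __name__ == "__main__":
    for (raw, who), (verdict, reason) in zip(SAMPLE_SESSION, inspect_session()):
        print(f"{who:6} {verdict:5} {reason}   <- {raw!r}")
    print(translate_hostport("PORT 10,0,0,5,4,1", "10.0.0.5", "203.0.113.9"))
```

The direction check is what makes the spoofing rules work: the same byte sequence is accepted from one side and closed from the other, so an inspector that only pattern-matches payloads without tracking which endpoint sent them cannot implement these two checks. The port-range rule is applied to the decoded value p1 * 256 + p2, not to the octets as written, since "0,21" and "4,1" look alike in the text but decode to 21 and 1025.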