Solved

Passive ftp with SSL over NAT

Posted on 2011-09-08
Last Modified: 2012-05-12
I currently use the SLift Pro ftp product (google with keywords "SLift privylink") without SSL enabled (but the files are sort of hashed/encrypted at one end & when transferred over, they are unhashed/decrypted). However, our customer (the remote end with whom we have data interchange) now wants SSL to be enabled, as Internet file transfer needs better security than the current method, & this is the challenge facing me now.

SLIFT Pro's data transfer mechanism is implemented based on the FTP protocol. When SSL is not enabled/used, firewall configuration between server and clients is quite straightforward (& is currently working in our environment) as most firewall products can support the FTP protocol without any issue. Server and client hosts can use private IP addresses with NAT enabled at both ends' firewalls/routers. NAT will translate IP address information in FTP protocol communication messages from public to private, or private to public, automatically and do the necessary port forwarding actions in context.

But when SSL is enabled to protect the data/messages, the message content will become unknown to the firewall servers/network routers. For this reason, NAT will not be possible anymore as firewalls/network routers will not be able to translate the IP address information in the 'encrypted' data packets. When this issue happens, the server will request a connected client to establish a new connection to server's private IP address for data transfer. Subsequently, client will follow the incorrect instruction (as not modified by NAT) to attempt to make a connection to server's private IP address.

Customer does not agree to replace SSL with an SSH tunnel (i.e. ftp over SSH tunnel/VPN).

I'm setting up a test network at my end to do a more rigorous test. Any suggestions on how I can approach this troubleshooting? Checking the firewall console for denied access? Any way to check for NAT not being successfully translated?

Can I run netstat or some sort of tool to sniff (both client & server are Windows 2003)?

Question by:sunhux
8 Comments
 
Assisted Solution

by:shahravish
shahravish earned 100 total points
I have done a similar deployment for a few clients in the past. I can't recall exactly, but there is a way (either implicit/explicit) which allows you to define a set of ports that the protocol will use to respond.
Basically you define those ports for NATing purposes in your firewall. I used the globalscape ftp server, which allowed me to set a range of ports that would be used, hence made it easier.
 
Accepted Solution

by:AlexPace
AlexPace earned 400 total points
If you agree to use Passive Mode for the data channel, the FTP server software will allow you to set a port range to use in the PASV response. Alternatively, if you decide to use Active Mode, the client could commit to always using a certain port or ports when he sends the PORT command. However, it is more likely that the FTP Server software will allow you to specify a passive range than it is that the other guy's client will allow him to specify an active mode port.

Also, some FTP servers (ex: Robo-FTP Server) allow you to specify an external IP address in addition to the port range for the PASV response. This comes in handy if your FTPS connection encrypts both the control channel and the data channel. With an FTPS connection you can encrypt both channels, only the control channel, or only the data channel. If you only encrypt the data channel your firewall will still see the PASV or PORT commands come across the control channel and be able to open the necessary ports on the fly... you can even connect with both encrypted and then clear the control channel after you authenticate so the credentials are sent over SSL (TLS) but the remainder of the session is over an unprotected control channel.
 

Author Comment

by:sunhux

So can we say in summary, setting the ftp server to use passive mode
is the way to go?  Active ftp would be more complicated?

Any 'port forwarding' on the firewall (at client or server end?) needed?
Assisted Solution

by:AlexPace
AlexPace earned 400 total points
As the person responsible for the server, the choice to require passive mode makes sense because it allows you to know exactly which ports you need to tweak on your firewall.  Active Mode relies on the client to tell the server which port to use and then the server makes an outgoing connection to the client.  Half the time this is blocked by the client's firewall anyway so it might be a lower support load for you if you just say "we only support passive mode on ports 50000-50100" and be done with it.  This is not an unreasonable position for an FTP Server admin to take.  

The primary drawback of only supporting passive mode is that the DOS command line FTP client is ONLY able to do Active Mode.  This probably doesn't apply to your situation because the DOS client can't do FTPS either, only plain unencrypted FTP.

Author Comment

by:sunhux

Yes, we have already set the ftp server such that "we only support passive mode on ports 7001-7005", & our Slift ftp client has the option to turn on "passive" too.

On Monday, we'll test it out on our test environment (which has just been set up last Fri evening): if it doesn't work, can I paste the firewall logs here for your analysis on what we can do next?
 

Author Comment

by:sunhux

Can't get hold of firewall logs : same NAT issue.

Is there any Windows freeware that could do address translation/forwarding (not port forwarding) so that if this client PC is trying to access a certain IP address, it will be forwarded to another address?
 

Author Comment

by:sunhux
http://geekswithblogs.net/Lance/archive/2005/08/23/50912.aspx
Refer to the link above; it seems like the Ftp software that I have only supports option 1 in the Solution section & that did not work (possibly because the software did not allow us to specify the public address).
 

Author Closing Comment

by:sunhux
I'll try another thread