  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 802

Passive ftp with SSL over NAT

I currently use the SLift Pro FTP product (Google with keywords "SLift privylink") without SSL enabled (the files are sort of hashed/encrypted at one end and, when transferred over, unhashed/decrypted). However, our customer (the remote end with whom we have data interchange) now wants SSL to be enabled, as Internet file transfer needs better security than the current method, and this is the challenge facing me now.

SLIFT Pro's data transfer mechanism is based on the FTP protocol. When SSL is not enabled, firewall configuration between server and clients is quite straightforward (and is currently working in our environment), as most firewall products support the FTP protocol without any issue. Server and client hosts can use private IP addresses with NAT enabled at both ends' firewalls/routers. NAT automatically translates the IP address information in FTP protocol messages from public to private, or private to public, and does the necessary port forwarding in context.

But when SSL is enabled to protect the data/messages, the message content becomes opaque to the firewalls/network routers. For this reason, NAT is no longer possible, as the firewalls/network routers cannot translate the IP address information inside the encrypted packets. When this happens, the server will ask a connected client to establish a new connection to the server's private IP address for data transfer, and the client will follow that incorrect instruction (not modified by NAT) and attempt to connect to the server's private IP address.

The customer does not agree to replace SSL with an SSH tunnel (i.e. FTP over an SSH tunnel/VPN).
 
I'm setting up a test network at my end to do a more rigorous test. Any suggestions on how I can approach this troubleshooting? Checking the firewall console for denied access? Any way to check for NAT not being successfully translated?

Can I run netstat or some sort of tool to sniff (both client & server are Windows 2003)?

Asked by: sunhux
3 Solutions
 
shahravish commented:
I have done a similar deploy for a few clients in the past. I can't recall exactly, but there is a way (either implicit/explicit) which allows you to define a set of ports that the protocol will use to respond.
Basically you define those ports for NATing purposes in your firewall. I used Globalscape FTP server, which allowed me to set a range of ports that would be used, hence made it easier.
 
AlexPace commented:
If you agree to use Passive Mode for the data channel, the FTP server software will allow you to set a port range to use in the PASV response.  Alternatively, if you decide to use Active Mode, the client could commit to always using a certain port or ports when he sends the PORT command.  However, it is more likely that the FTP Server software will allow you to specify a passive range than it is that the other guy's client will allow him to specify an active mode port.

Also, some FTP servers (ex: Robo-FTP Server) allow you to specify an external IP address in addition to the port range for the PASV response.  This comes in handy if your FTPS connection encrypts both the control channel and the data channel. With an FTPS connection you can encrypt both channels, only the control channel, or only the data channel.  If you only encrypt the data channel your firewall will still see the PASV or PORT commands come across the control channel and be able to open the necessary ports on the fly... you can even connect with both encrypted and then clear the control channel after you authenticate so the credentials are sent over SSL (TLS) but the remainder of the session is over an unprotected control channel.
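As an added example (not code from this thread or from the SLift product), the following Python parses a 227 PASV reply and reports the two symptoms described above: the server advertising an RFC 1918 address because NAT could not rewrite the encrypted control channel, or a data port outside the range forwarded on the server-side firewall. This is the kind of check the asker wanted for confirming whether NAT translation happened; the addresses and port range are constructed.

```python
import ipaddress
import re

# Matches the host/port tuple in an RFC 959 PASV reply, e.g.
# "227 Entering Passive Mode (203,0,113,10,27,89)".
_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# RFC 1918 ranges: a PASV reply naming one of these from across the
# Internet means the server handed out its un-NATed private address.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def parse_pasv(reply):
    """Return (ip, port) from a 227 PASV reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose_pasv(reply, expected_public_ip, port_range):
    """List the reasons this PASV reply would fail for a client behind NAT.

    expected_public_ip: the address the client connected to (server's public IP).
    port_range: (low, high) passive range forwarded on the server-side firewall.
    """
    ip, port = parse_pasv(reply)
    issues = []
    if is_rfc1918(ip):
        issues.append("PASV advertises private address %s: NAT did not rewrite "
                      "the (encrypted) control channel" % ip)
    elif ip != expected_public_ip:
        issues.append("PASV advertises %s but the control connection went to %s"
                      % (ip, expected_public_ip))
    low, high = port_range
    if not low <= port <= high:
        issues.append("PASV port %d is outside the forwarded range %d-%d"
                      % (port, low, high))
    return issues


# Constructed sample replies (not captured from the asker's environment).
GOOD = "227 Entering Passive Mode (203,0,113,10,27,89)"         # port 7001
LEAKED = "227 Entering Passive Mode (192,168,1,10,27,89)"       # private IP
OUT_OF_RANGE = "227 Entering Passive Mode (203,0,113,10,195,88)"  # port 50008

if __name__ == "__main__":
    for r in (GOOD, LEAKED, OUT_OF_RANGE):
        print(r, "->", diagnose_pasv(r, "203.0.113.10", (7001, 7005)) or "OK")
```

Against a live server, the reply string can be obtained after `login()` with `ftplib.FTP_TLS(...).sendcmd("PASV")`, which reads the control channel inside the TLS session where a sniffer cannot.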
 
sunhux (Author) commented:

So can we say, in summary, that setting the FTP server to use passive mode is the way to go? Active FTP would be more complicated?

Is any 'port forwarding' on the firewall (at the client or server end?) needed?
AlexPace commented:
As the person responsible for the server, the choice to require passive mode makes sense because it allows you to know exactly which ports you need to tweak on your firewall.  Active Mode relies on the client to tell the server which port to use and then the server makes an outgoing connection to the client.  Half the time this is blocked by the client's firewall anyway so it might be a lower support load for you if you just say "we only support passive mode on ports 50000-50100" and be done with it.  This is not an unreasonable position for an FTP Server admin to take.  

The primary drawback of only supporting passive mode is that the DOS command line FTP client is ONLY able to do Active Mode.  This probably doesn't apply to your situation because the DOS client can't do FTPS either, only plain unencrypted FTP.
 
sunhux (Author) commented:

Yes, we have already set the FTP server such that "we only support passive mode on ports 7001-7005", and our SLift FTP client has the option to turn on "passive" too.

On Monday, we'll test it out on our test environment (which was just set up last Friday evening): if it doesn't work, can I paste the firewall logs here for your analysis on what we can do next?
 
sunhux (Author) commented:

Can't get hold of firewall logs: same NAT issue.

Is there any Windows freeware that could do address translation/forwarding (not port forwarding), so that if this client PC is trying to access a certain IP address, it will be forwarded to another address?
 
sunhux (Author) commented:

http://geekswithblogs.net/Lance/archive/2005/08/23/50912.aspx
Referring to the link above, it seems the FTP software I have only supports option 1 in the Solution section, and that did not work (possibly because the software did not allow us to specify the public address).
 
sunhux (Author) commented:
I'll try another thread.
