RE: Web proxy or Firewall Client (to be or not to be)

  • From: "Lesky Alfonso M." <leskyam@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 22 Feb 2003 15:05:24 -0500

Hi, Thomas

I have read the article you suggested to me, "How the FTP protocol 
Challenges Firewall Security" by Stefaan Pouseele, and I have more 
elements to give you about my problem with FTP access from SecureNAT 
clients. I am sending you a file with the information I have compiled from 
my log and a comparison with the logs in the article I read.

Is there any way to access FTP sites from a SecureNAT client to download 
and upload files without installing the Firewall Client application?

Thanks very much for your time, Tom.
RULES APPLIED TO ANY REQUEST

In the case where the protocol rule "PR A FTP Out" and the site & content rule 
"S&C A Sitios ONAT" are applied to "Any request" or to IP addresses, 
I have access to FTP sites and I can upload and download fine from SecureNAT 
clients. Below are the logs for a client in ACTIVE mode and in PASSIVE mode, 
with a comparison against the logs for SecureNAT clients from Stefaan 
Pouseele's article.

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2003-02-22 07:08:59

ACTIVE, PORT MODE
------------------------------------------------------------------------
My results:
FTP client access active:
#Fields:
c-ip          time      r-ip          r-port  cs-protocol  cs-transport  s-operation  sc-status  rule#1        rule#2             sessionid  connectionid
192.168.60.2  17:15:41  169.158.1.20  21      21           TCP           Connect      0          PR A FTP Out  S&C A Sitios ONAT  2          1
192.168.60.2  17:15:43  -             -       0            TCP           Bind         0          PR A FTP Out  -                  2          2
192.168.60.2  17:15:43  -             6511    0            TCP           Listen       0          -             -                  2          2
192.168.60.2  17:15:44  169.158.1.20  20      0            TCP           Accept       0          PR A FTP Out  -                  2          2
192.168.60.2  17:15:44  -             -       0            TCP           Bind         20000      PR A FTP Out  -                  2          2
192.168.60.2  17:15:49  169.158.1.20  20      0            TCP           Accept       20000      PR A FTP Out  -                  2          2
192.168.60.2  17:15:55  169.158.1.20  21      21           TCP           Connect      20000      PR A FTP Out  S&C A Sitios ONAT  2          1

From Stefaan Pouseele's article
FTP client access active (same field order as above):
172.16.16.2   14:41:0   64.90.59.34   21      21           TCP           Connect      0          SPECIAL       INTERNT            6556       20504
172.16.16.2   14:41:0   64.90.59.34   20      0            TCP           Accept       0          SPECIAL       -                  6556       20505
172.16.16.2   14:41:0   64.90.59.34   20      0            TCP           Accept       20000      SPECIAL       -                  6556       20505
172.16.16.2   14:43:4   64.90.59.34   21      21           TCP           Connect      20000      SPECIAL       INTERNT            6556       20504
------------------------------------------------------------------------

PASSIVE, PASV MODE
------------------------------------------------------------------------
My results:
FTP client access passive:
#Fields:
c-ip          time      r-ip          r-port  cs-protocol  cs-transport  s-operation  sc-status  rule#1        rule#2             sessionid  connectionid
192.168.60.2  17:10:46  169.158.1.20  21      21           TCP           Connect      0          PR A FTP Out  S&C A Sitios ONAT  2          1
192.168.60.2  17:10:48  169.158.1.20  2328    2328         TCP           Connect      0          -             -                  2          2
192.168.60.2  17:10:49  169.158.1.20  2328    2328         TCP           Connect      20000      -             -                  2          2
192.168.60.2  17:11:30  169.158.1.20  21      21           TCP           Connect      20000      PR A FTP Out  S&C A Sitios ONAT  2          1

From Stefaan Pouseele's article
FTP client access passive (same field order as above):
172.16.16.2   14:44:5   64.90.59.34   21      21           TCP           Connect      0          SPECIAL       INTERNT            6557       20506
172.16.16.2   14:44:5   64.90.59.34   61659   61659        TCP           Connect      0          SPECIAL       INTERNT            6557       20507
172.16.16.2   14:45:2   64.90.59.34   61659   61659        TCP           Connect      20000      SPECIAL       INTERNT            6557       20507
172.16.16.2   14:46:2   64.90.59.34   21      21           TCP           Connect      20000      SPECIAL       INTERNT            6557       20506
------------------------------------------------------------------------

RULES APPLIED TO A SPECIFIC GROUP OF USERS

In the case where the protocol rule "PR A FTP Out" is applied to "A specific 
group of users", I receive two different messages depending on the PASV or 
PORT mode used by the SecureNAT client in its browser.

------------------------------------------------------------------------
FROM THE CLIENT SIDE (IE 5.0, 5.01, 6.0 English & Spanish) WITH (PASV MODE) and 
"Enable folder view for FTP sites" not checked, I receive the message:

ISA Server: extended error message :
200 Type set to I.
200 PORT Command successful.
550 Permission denied.

THE "PROXY LOG" REPORTS THE FOLLOWING
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2003-02-22 18:52:05
#Fields: c-ip  cs-username  c-agent  time  r-ip  r-port  cs-protocol  cs-transport  s-operation  sc-status  rule#1  rule#2  sessionid  connectionid
192.168.60.254  anonymous          19:11:44  ftp.onat.gov.cu  -             21  ftp  GET  -     407  -             -
192.168.60.254  anonymous          19:11:45  ftp.onat.gov.cu  -             21  ftp  GET  -     407  -             -
192.168.60.254  anonymous          19:11:45  ftp.onat.gov.cu  -             21  ftp  GET  -     407  -             -
192.168.60.254  anonymous          19:11:46  ftp.onat.gov.cu  -             21  ftp  GET  -     407  -             -
192.168.60.254  anonymous          19:11:47  ftp.onat.gov.cu  -             21  ftp  GET  -     407  -             -
192.168.60.254  anonymous          19:11:47  ftp.onat.gov.cu  -             21  ftp  GET  -     407  -             -
192.168.60.254  ONATCFG\Leskyam    19:11:49  ftp.onat.gov.cu  169.158.1.20  21  ftp  GET  Inet  200  PR A FTP Out  S&C A Sitios ONAT
------------------------------------------------------------------------

FROM THE CLIENT SIDE (IE 5.0, 5.01, 6.0 English & Spanish) WITH (PASV MODE) and 
"Enable folder view for FTP sites" checked, I receive a popup window 
message with the text:

Windows cannot access this folder. Make sure you typed the file name correctly 
and 
that you have permission to access the folder.

Details:
The FTP session was terminated

THE "FIREWALL LOG" REPORTS THE FOLLOWING
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2003-02-22 18:52:05
#Fields: c-ip  cs-username  c-agent  time  r-ip  r-port  cs-protocol  cs-transport  s-operation  sc-status  rule#1  rule#2  sessionid  connectionid
192.168.60.2  -  -  19:36:14  169.158.1.20  21  21  TCP  Connect  13301  -  S&C FTP Server  6  37
192.168.60.2  -  -  19:36:14  169.158.1.20  21  21  TCP  Connect  13301  -  S&C FTP Server  6  38
------------------------------------------------------------------------
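The three firewall-log captures in this message (PORT, PASV, and the failing case) are the kind of records an ISA administrator ends up correlating by eye. The Python below is an added example, not code from the original post or from Stefaan Pouseele's article: a parser for ISA Server 2000 firewall-log records in the field order of the #Fields line above, which groups records by sessionid and reports, per FTP session, whether the data channel was set up in active mode (ISA Binds and Listens on the client's behalf, then Accepts the connection the server opens from port 20) or passive mode (a second outbound Connect to the high port the server named), and whether the control connection itself got through. The log lines inside the block are constructed to mirror the posted records, re-keyed with distinct sessionids (2, 3, 6) so that one file holds all three cases; the labels "active (PORT)", "passive (PASV)" and "control connection failed", and the treatment of a non-zero sc-status on the first control record as a failure, are this example's own conventions rather than ISA's. Two facts worth having alongside the logs: a SecureNAT client sends no user credentials to ISA, so a protocol rule scoped to a user group cannot match its traffic, and the 407 entries in the web proxy log are HTTP "Proxy Authentication Required" challenges, which the browser answered as ONATCFG\Leskyam before the request was allowed with 200.

```python
"""Classify FTP sessions from ISA Server 2000 firewall-log records.

Added example, not code from the original post. The log text below is
constructed to mirror the records posted in the thread, re-keyed with
distinct sessionids so that one file holds all three cases.
"""
from collections import defaultdict

# Field order of the ISA 2000 firewall log as shown in the thread's #Fields line.
FIELDS = [
    "c-ip", "time", "r-ip", "r-port", "cs-protocol", "cs-transport",
    "s-operation", "sc-status", "rule#1", "rule#2", "sessionid", "connectionid",
]

# Constructed sample log (tab-separated, like a real ISA log file).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft(R) Internet Security and Acceleration Server 2000",
    "#Fields: " + "\t".join(FIELDS),
    # sessionid 2: active (PORT) transfer
    "192.168.60.2\t17:15:41\t169.158.1.20\t21\t21\tTCP\tConnect\t0\tPR A FTP Out\tS&C A Sitios ONAT\t2\t1",
    "192.168.60.2\t17:15:43\t-\t-\t0\tTCP\tBind\t0\tPR A FTP Out\t-\t2\t2",
    "192.168.60.2\t17:15:43\t-\t6511\t0\tTCP\tListen\t0\t-\t-\t2\t2",
    "192.168.60.2\t17:15:44\t169.158.1.20\t20\t0\tTCP\tAccept\t0\tPR A FTP Out\t-\t2\t2",
    "192.168.60.2\t17:15:49\t169.158.1.20\t20\t0\tTCP\tAccept\t20000\tPR A FTP Out\t-\t2\t2",
    "192.168.60.2\t17:15:55\t169.158.1.20\t21\t21\tTCP\tConnect\t20000\tPR A FTP Out\tS&C A Sitios ONAT\t2\t1",
    # sessionid 3: passive (PASV) transfer
    "192.168.60.2\t17:10:46\t169.158.1.20\t21\t21\tTCP\tConnect\t0\tPR A FTP Out\tS&C A Sitios ONAT\t3\t1",
    "192.168.60.2\t17:10:48\t169.158.1.20\t2328\t2328\tTCP\tConnect\t0\t-\t-\t3\t2",
    "192.168.60.2\t17:10:49\t169.158.1.20\t2328\t2328\tTCP\tConnect\t20000\t-\t-\t3\t2",
    "192.168.60.2\t17:11:30\t169.158.1.20\t21\t21\tTCP\tConnect\t20000\tPR A FTP Out\tS&C A Sitios ONAT\t3\t1",
    # sessionid 6: control connection logged with sc-status 13301 and no protocol rule
    "192.168.60.2\t19:36:14\t169.158.1.20\t21\t21\tTCP\tConnect\t13301\t-\tS&C FTP Server\t6\t37",
])


def parse_isa_log(text):
    """Return one dict per data record. '#Fields:' sets the column names;
    other '#' lines are header comments and are skipped."""
    fields = FIELDS
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def classify_ftp_sessions(records):
    """Group records by sessionid and describe each FTP session: which rule
    admitted the control connection, whether it succeeded, and how the data
    channel was set up. Labels are this example's own, not ISA's."""
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["sessionid"]].append(rec)

    results = {}
    for sid, recs in by_session.items():
        control = [r for r in recs if r["s-operation"] == "Connect" and r["r-port"] == "21"]
        if not control:
            continue  # no FTP control connection in this session
        first = control[0]  # the open record; the later 20000 record for the same connectionid is not used
        info = {
            "client": first["c-ip"],
            "server": first["r-ip"],
            "protocol_rule": first["rule#1"],
            "control_status": first["sc-status"],
            "mode": "control only",
            "data_port": None,
        }
        if first["sc-status"] != "0":
            # Example convention: a non-zero status on the open record means the
            # control connection did not get through (the thread's 13301 case,
            # where no protocol rule matched the SecureNAT client).
            info["mode"] = "control connection failed"
            results[sid] = info
            continue

        listens = [r for r in recs if r["s-operation"] == "Listen"]
        accepts = [r for r in recs if r["s-operation"] == "Accept"]
        data_connects = [r for r in recs if r["s-operation"] == "Connect" and r["r-port"] not in ("21", "-")]
        if listens or accepts:
            # PORT: ISA binds and listens on the client's behalf, then accepts
            # the inbound data connection the server opens from port 20.
            info["mode"] = "active (PORT)"
            info["data_port"] = listens[0]["r-port"] if listens else None
            info["server_data_port"] = accepts[0]["r-port"] if accepts else None
        elif data_connects:
            # PASV: the client (via ISA) opens a second outbound connection to
            # the high port the server announced; no inbound listener is needed.
            info["mode"] = "passive (PASV)"
            info["data_port"] = data_connects[0]["r-port"]
        results[sid] = info
    return results


if __name__ == "__main__":
    for sid, info in sorted(classify_ftp_sessions(parse_isa_log(SAMPLE_LOG)).items()):
        print(f"session {sid}: {info}")
```

Run it against an exported firewall log (the default ISA 2000 format is tab-separated) by replacing SAMPLE_LOG with the file's contents; sessions whose first control record carries a non-zero sc-status and "-" in rule#1 are the ones to compare against the rule's "applies to" setting.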
