Anyone using Standard-Mode FTP Proxy?

For Web Proxy, standard mode provides multiple technical benefits, so I assumed that standard mode FTP proxy would be preferable to transparent-mode FTP proxy.   My testing has challenged that assumption.

My favorite test site has been to open a web page to ftp://ftp.astaro.com, because it is also accessible as an http page.

When I enable ftp proxy mode = Both, and then configure my proxy script to direct "ftp://" traffic to Utmaddress:2121, I most often get a hang condition - nothing displays, and no error message.

In the FTP Proxy log, I see a connect event from my IP address.   The logging is a disappointment because it has no information about what was done in the connection, just session open and session close entries with my source IP address but without any target URL or address data.   Nothing is logged in the web filter log (which is expected).

By comparison, if I use transparent ftp proxy, my proxy script routes it to the web filter proxy port of 8080, the target URL is captured in the web filter log, and the page displays.

One caveat:   For FTP sites, Chrome does not pass NTLM information to UTM successfully, so the connection can be blocked for lack of credentials.   Sophos Support thinks it is Google's fault.  Since Chrome is probably our most-used browser, I have a web filtering exception to bypass authentication  for ftp sites.

So my questions are:

  • Can Standard Mode FTP proxy work in a web browser to connect to an anonymous FTP site?
  • Is there additional logging information captured somewhere other than the FTP proxy log?

I have an open support ticket, but wondered if I would get a quicker and better answer here.



  • Here is my understanding of how UTM will behave in different configurations and client actions.   Understanding how a defense technology works seems essential to choosing and implementing a security policy.

    FTP using standard port 21

        Client Config        Target          Processed By
        No Proxy             ftp://host:21   Transparent FTP Proxy
        Proxy to UTM:8080    ftp://host:21   Standard Web Proxy
        Proxy to UTM:2121    ftp://host:21   Non-Transparent FTP Proxy

    FTP using non-standard port, such as 9999:

        Client Config        Target            Processed By
        No Proxy             ftp://host:9999   Firewall Rules
        Proxy to UTM:8080    ftp://host:9999   Standard Web Proxy
        Proxy to UTM:2121    ftp://host:9999   Non-Transparent FTP Proxy

    General Notes:

    FTP proxy provides extraordinarily poor logging.   I indicated earlier that my tests using ftp in a web browser produced a log with source IP but nothing about target host, IP, or action performed.

    FTP proxy has the advantage that one can easily implement a whitelist-only configuration, so that users can only ftp to specifically listed internet destinations.   For Web Proxy, this can probably be configured using regular expressions to configure allow and block rules in the Filter Action.    This assumption requires testing, but we can agree that if it works it is certainly more difficult to configure correctly, and more flexible in how it can be applied.

    For non-standard ports, FTP proxy is presumed to allow all ports by default, since there is no configuration related to this possibility.   Web Proxy will block non-standard ports unless they are authorized on the Filtering Options... Misc... tab.

    When traffic is processed by firewall rules, the firewall considers IP addresses and ports, but I don't believe there is any attempt to interpret traffic by protocol.   So it cannot actually filter on "FTP" protocol, it can only filter based on whether traffic is allowed or blocked to port 21 or 9999.

    What if I want User-Based Policy Rules for FTP?

    Web Proxy implements user-based filtering and logging, but as I indicated earlier, Chrome does not pass the NTLM information needed for UTM to apply FTP user filtering on a transparent basis.

    FTP Proxy does not seem to implement any user-based filtering or logging.

    Firewall Rules can filter on "user network" objects, but my understanding is that they represent the current IP address of a user on a VPN Client connection.  As such, they could be used anywhere an IP address can be used (such as a Source IP filter list for Web Proxy or FTP Proxy), but they are not applicable to non-VPN connections, they will not provide user identity in the FTP logs, and the user must identify himself to Web Proxy by another method.

    Conclusions

    Based on all of the above, I conclude that Standard Web Proxy is the best of the available options, which can be enforced by using firewall rules to block port 21 and 2121, and disabling both Transparent and Non-Transparent FTP Proxies.

    But can I use a non-browser with Standard Web Proxy?

    The Microsoft FTP client knows nothing about proxies and has no proxy configuration options.  So probably not.

    I reviewed configuration options for two FTP client applications, WinSCP and FTP Voyager.  Both of these products provided options to support multiple proxy technologies, including HTTP.   So if you have the right client application, the answer is yes.

    Follow-Up:

    This is really two questions for the community:   Do I have my facts straight, and do you agree with my conclusions?
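The original post describes a proxy script that sends "ftp://" URLs either to UTM:2121 (non-transparent FTP proxy, which hung) or to UTM:8080 (web filter, which logged the target URL and displayed the page), and the post above concludes that the 8080 route is the one to standardise on. The proxy.pac below is an added example, not code from the thread or from Sophos, that implements that routing with a single switch between the two choices. The hostname utm.example.internal, the internal domain .corp.example, and the helper re-implementations are assumptions for illustration; browsers supply isPlainHostName and dnsDomainIs natively when evaluating a PAC file.

```javascript
// Added example (not from the thread or from Sophos): a proxy.pac that routes
// ftp:// URLs to the UTM the way the post describes.  Hostname and internal
// domain are assumptions for illustration.

var UTM_HOST = "utm.example.internal";           // assumed UTM hostname
var WEB_PROXY = "PROXY " + UTM_HOST + ":8080";   // Standard Web Proxy port
var FTP_PROXY = "PROXY " + UTM_HOST + ":2121";   // Non-Transparent FTP Proxy port

// true  -> ftp:// goes to the FTP proxy on 2121 (the route that hung in testing)
// false -> ftp:// goes to the web filter on 8080 (target URL appears in the web filter log)
var FTP_VIA_FTP_PROXY = false;

// Browsers implement these PAC helpers natively; these copies only make the
// file self-contained so it can also be exercised under Node for testing.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

// Scheme of a URL, lower-cased; "" if the string has no scheme at all.
function schemeOf(url) {
  var i = url.indexOf(":");
  return i < 0 ? "" : url.substring(0, i).toLowerCase();
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Internal destinations (assumed domain) never traverse the UTM proxies.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }

  if (schemeOf(url) === "ftp") {
    // Via the web proxy the browser sends "GET ftp://host/path HTTP/1.1" to
    // port 8080 and the web filter retrieves the listing on the client's behalf.
    return FTP_VIA_FTP_PROXY ? FTP_PROXY : WEB_PROXY;
  }

  // http, https and anything else: always the Standard Web Proxy.  There is
  // deliberately no DIRECT fallback, so a client that cannot reach the proxy
  // fails closed instead of bypassing policy.
  return WEB_PROXY;
}
```

This only steers clients that honour the PAC file; the enforcement the post relies on is the separate firewall rule blocking outbound 21 and 2121 from client networks, and the Chrome NTLM caveat from the original post still applies to ftp:// requests arriving on 8080.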

  • "But can I use a non-browser with Standard Web Proxy?

    "The Microsoft FTP client knows nothing about proxies and has no proxy configuration options.  So probably not."

    Try FileZilla, Doug.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I was working through the corporate control issues when I asked that, and have since looked more closely at what good ftp clients can do.   The good ones support multiple proxy methods, but none seem to be able to use the system settings, as they cannot be expected to parse proxy.pac files.

    The tough policy nut is blocking ftp login prompts, since these are unencrypted.

