The FTP ALG also allows restrictions to be placed on the FTP control channel which can improve
the security of FTP connections. These are:
• Maximum line length in control channel
Creating very large control channel commands can be used as a form of attack against a
server by causing buffer overruns This restriction combats this threat. The default value is 256
If very long file or directory names on the server are used then this limit may need to be
raised. The shorter the limit, the better the security.
• Maximum number of commands per second
To prevent automated attacks against FTP server, restricting the frequency of commands can
be useful. The default limit is 20 commands per second.
• Allow 8-bit strings in control channel
The option determines if 8-bit characters are allowed in the control channel. Allowing 8-bit
characters enables support for filenames containing international characters. For example,
accented or umlauted characters.
Filetype Checking
The FTP ALG offers the same filetype verification for downloaded files that is found in the HTTP
ALG. This consists of two separate options:
• MIME Type Verification
When enabled, NetDefendOS checks that a download's stated filetype matches the file's
contents. Mismatches result in the download being dropped.
• Allow/Block Selected Types
If selected in blocking mode, specified filetypes are dropped when downloaded. If selected in
allow mode, only the specified filetypes are allowed as downloads.
NetDefendOS also performs a check to make sure the filetype matches the contents of the
file. New filetypes can be added to the predefined list of types.
The above two options for filetype checking are the same as those available in the HTTP ALG and
are more fully described in Section 6.2.2, “The HTTP ALG”.
Anti-Virus Scanning
The NetDefendOS Anti-Virus subsystem can be enabled to scan all FTP downloads searching for
malicious code. Suspect files can be de dropped or just logged.
This feature is common to a number of ALGs and is described fully in Section 6.5, “Anti-Virus
Scanning”.
FTP ALG with ZoneDefense
ZoneDefense is a feature that allows NetDefendOS to block hosts and networks by sending
management commands to certain types of external network switches. Used together with the
FTP ALG, ZoneDefense can be configured to protect a network from the spread of malware such
as viruses. This is relevant in two scenarios:
Chapter 6: Security Mechanisms
439
To Next Page
Loading...
