ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.


Sunday, October 01, 2006

Secure FTP through ISA 2004

At first I thought they were joking... FTPS... I'd never heard of it. You can't secure FTP without an application-filtering firewall like ISA... that's right, an FTP application filter. But twice recently something called FTPS has come to my attention, and finally I had a situation where a client needed to access an FTPS server but couldn't.

ISA 2004 has an FTP Application Filter that inspects FTP traffic as it passes through. It also dynamically opens the high port required for the data connection. There is an excellent article by Stefaan Pouseele called How the FTP Protocol Challenges Firewall Security over on the website. In it Stefaan explains why FTP is insecure by design, how ISA can secure FTP for you, and all of the details in between. It is an excellent article.

FTPS creates an interesting challenge though. FTPS was developed in an attempt to secure FTP transmission. It's FTP with SSL-encrypted information running inside. The owners of an FTPS site assume that you are using a simple packet-filtering 'el cheapo' firewall and can't secure your own network, so FTPS proposes to do this for you using SSL. But if you are using a quality application-filtering firewall with an FTP filter like ISA 2004, you'll run into a problem: the FTP application filter can't see into the SSL-encrypted packets and will therefore deny them.
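As an added illustration (not code from the original post or from ISA itself), here is a small Python model of what the FTP application filter has to do and why the SSL layer defeats it: it reads the control channel to learn the high data port announced by PORT or PASV, and once the client's AUTH TLS request is accepted the remaining bytes are ciphertext, so no data port can be learned and the session cannot be opened up. Both captures below are constructed, with documentation-range addresses.

```python
import re

# Constructed control-channel captures, as an application filter sees them on
# TCP/21: client commands have no prefix, server replies start with a 3-digit code.
PLAIN_FTP = (
    b"220 ftp.example.test ready\r\n"
    b"USER demo\r\n331 Password required\r\nPASS secret\r\n230 Logged in\r\n"
    b"PORT 192,0,2,50,4,1\r\n200 PORT command successful\r\n"      # active mode
    b"LIST\r\n150 Here comes the listing\r\n226 Done\r\n"
    b"PASV\r\n227 Entering Passive Mode (192,0,2,10,195,88)\r\n"   # passive mode
    b"RETR report.pdf\r\n150 Opening data connection\r\n226 Transfer complete\r\n"
)
FTPS = (
    b"220 ftp.example.test ready\r\n"
    b"AUTH TLS\r\n234 Proceed with negotiation\r\n"
    b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\x8f\x2b\x9c"     # TLS handshake
    b"\x11\x40\x07\xd2\x5e\x19\xaa\x03\x7c\xe0\x91\x66\x24\x0b"     # (opaque bytes)
)

PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_REPLY = re.compile(rb"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _endpoint(m):
    """Decode the h1,h2,h3,h4,p1,p2 form into (ip, port) with port = p1*256 + p2."""
    ip = ".".join(m.group(i).decode() for i in range(1, 5))
    return ip, int(m.group(5)) * 256 + int(m.group(6))

def inspect_control_channel(capture: bytes) -> dict:
    """Walk the control channel line by line, as the FTP filter must, collecting
    every data endpoint it can learn. Once an AUTH request gets a 234 reply the
    rest is TLS ciphertext and the walk stops: PORT/PASV can no longer be read."""
    endpoints, auth_pending, tls = [], False, False
    for line in capture.split(b"\r\n"):
        if line.upper().startswith(b"AUTH "):
            auth_pending = True
        elif auth_pending and line.startswith(b"234"):
            tls = True
            break
        elif (m := PORT_CMD.match(line)) or (m := PASV_REPLY.match(line)):
            endpoints.append(_endpoint(m))
    return {"data_endpoints": endpoints, "tls_negotiated": tls}

def filter_verdict(capture: bytes) -> str:
    """Open the announced high port(s) just-in-time, or deny if nothing was learned."""
    seen = inspect_control_channel(capture)
    if seen["tls_negotiated"]:
        return "deny: control channel is encrypted, data port unknown"
    ports = ", ".join(f"{ip}:{port}" for ip, port in seen["data_endpoints"])
    return f"allow: open data port(s) {ports}" if ports else "allow: control only"
```

Running `filter_verdict` over each capture shows the plain session yields two data endpoints the filter can open on demand, while the FTPS session yields none.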

Solution 1: Disable the FTP Application Filter. This will work IF FTPS is the only kind of FTP site you will ever need to connect to, because if you disable the FTP filter, all "normal" FTP traffic will be denied.

Solution 2: Create a new Access Rule for FTP for traffic going from your network to the FTPS destination that does not use the FTP filter.

Here's what your rule should look like:

Action: Allow
Protocols: Selected Protocols, FTP. Highlight FTP, press Edit, uncheck the FTP Access Filter
From: your Internal Network
To: New, Address Range, enter the IP address of the FTPS server you need to reach
Users: SBS Internet Users, or a user group of your choice

FTPS will now work to that destination for all but SecureNAT clients, so make sure you've got the Firewall Client installed on all of your workstations.


At 12:16 AM, Blogger Diana said...

WOW! I found this when I was googling today on how to configure a client to access an FTPS site. Great! -Diana

At 4:44 PM, Anonymous Anonymous said...

That would be great but you can't deselect the check-box.

At 6:37 PM, Blogger Amy - Harbor Computer Services said...

That check box is not normally grayed out. You can uncheck the box.

At 1:13 AM, Blogger marktaylor said...

Hi friend,
It's really nice information on secure FTP. It provides complete information on how secure FTP works to transfer files.
