CONFIGURING A POLICY FOR INSPECTING OSI LAYERS 5–7
In this demonstration we are going to focus on File Transfer Protocol (FTP). The File Transfer Protocol (FTP) is used between clients and servers. Clients can open FTP connections to servers and perform several different file-oriented operations. The ASA offers an FTP application inspector that must sit between the client and server to work properly.
The FTP inspector offers the following functions:
■ Protocol verification: Drop any FTP sessions that do not adhere to the FTP protocol specification and log the URI of all accessed FTP objects. FTP protocol verification is enabled by default and cannot be disabled.
■ Protocol minimization: Allow only specific FTP commands and functions to be passed on to the protected client or server. For example, any FTP connections that use any request commands other than GET could be dropped.
■ Payload minimization: Allow only specific FTP payloads to be delivered to the protected server. For example, an ASA can filter FTP connections according to filenames, file types, server names, and usernames.
■ Application layer signatures: Identify and drop specific FTP payloads.
In our demonstration we are going to prevent users from issuing unauthorized commands, such as a delete command, once they are connected to the FTP server at 188.8.131.52 in the DMZ. In short, we are going to disallow any delete commands the user may issue once connected to the FTP server.
AN INTERNET USER CONNECTED TO THE FTP SERVER AT 184.108.40.206
The figure below shows a user already connected to the FTP server which is on the DMZ from the Internet.
BEFORE L5-7 INSPECTION, THE USER CAN DELETE FILES ON THE FTP SERVER.
Before we configure FTP L5 to L7 inspection, let us verify that the user can delete files on the FTP server once connected.
FTP INSPECTION APPLIED
The figure below shows the configuration on the ASA firewall with L5-L7 FTP inspection in place.
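The following ASA configuration is an added example of the protocol-minimization policy described above; it is not a copy of the configuration in the figure. The class-map, policy-map and interface names are assumptions. On the wire the FTP delete command is `DELE` (RFC 959), and the ASA FTP inspection class-map matches it with the `dele` keyword; `reset log` tears down the control connection and writes a syslog message, so the denial is both enforced and visible to the SOC.

```cisco
! Layer 7 class: match the FTP DELE request command.
! (Other request commands the inspector can match: appe, cdup, get, help,
!  mkd, put, rmd, rnfr, rnto, site, stou.)
class-map type inspect ftp match-all FTP_DENY_DELETE
 match request-command dele
!
! Layer 7 policy: reset the session and log when the class matches.
policy-map type inspect ftp FTP_INSPECT_POLICY
 parameters
 class FTP_DENY_DELETE
  reset log
!
! Attach the FTP policy to the default Layer 3/4 inspection class.
! "strict" enforces RFC compliance (protocol verification) and is
! required for the application-layer policy map to take effect.
policy-map global_policy
 class inspection_default
  inspect ftp strict FTP_INSPECT_POLICY
!
service-policy global_policy global
```

After applying it, `show service-policy inspect ftp` displays the policy map attached to the inspection class together with packet and drop counters, which is the quickest way to confirm that the DELE attempt in the next figure was actually reset by the inspector rather than rejected by the FTP server itself.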
A USER TRIES TO DELETE A FILE
THE USER IS DENIED THE PERMISSION TO DELETE THE FILE AS SHOWN BELOW.
As you can see from the figure above, we have successfully implemented FTP deep protocol inspection.