I am attempting to set up a file transfer with a bank using Robo-FTP with FTP-SSL. I am unable to connect to the bank. The bank says our firewall has to be set up not to inspect FTP packets (from them?) and the TCP/IP data port range 6540 - 6590 needs to be open. Our network security folks are reluctant to create such a firewall rule or make any firewall changes for that matter.
I'm an applications programmer, not a security expert. How difficult is it to create such a rule and would it create a vulnerability that we should resist?
A firewall must not be able to inspect the packets; if it can read the traffic, it will be a successful man-in-the-middle attacker. ;)
Please read:
[link]
which describes the problem quite well. At least the bank seems to use a fixed port range and uses passive mode for the ftp-data connection.
If the bank runs the ftp server you need to allow tcp connections to port 990 (ftps command) and to the port range they told you (passive mode, ftp-data). So you need rules looking somewhat like this:

from   to     proto   port        action
-----------------------------------------------
you    bank   tcp     990         allow (stateful)
you    bank   tcp     6540-6590   allow (stateful)
you    bank   all     all         reject
Complete stateful handling of the data connection will never work, because you have an encrypted connection, so the firewall can't identify the destination port of the data connection.
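The rule table above and the passive-mode reply it depends on, as an added example that is not from the thread: a small Python model of the outbound policy, plus the decoder for the 227 PASV reply that an FTP-aware firewall would normally read off the clear-text control channel to open the data port on the fly, and cannot read once the channel is inside TLS. The bank address 192.0.2.10 is a constructed placeholder.

```python
import re

# Values from the thread; the host IP is a constructed placeholder
# (TEST-NET-1), not a real bank address.
BANK_HOST = "192.0.2.10"
CONTROL_PORT = 990              # implicit FTPS command channel
DATA_PORTS = range(6540, 6591)  # passive-mode data ports, 6540-6590 inclusive

def policy_allows(dst_ip: str, proto: str, dport: int) -> bool:
    """Mirror of the three-line rule table: outbound from us to the bank,
    tcp/990 or tcp/6540-6590 is allowed, anything else to the bank is
    rejected. Replies ride on the stateful entry and need no rule of their own."""
    if dst_ip != BANK_HOST:
        return False            # the table only covers traffic to the bank
    if proto != "tcp":
        return False
    return dport == CONTROL_PORT or dport in DATA_PORTS

_PASV = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply: str):
    """Decode a 227 reply into (ip, port). Port is p1*256 + p2.
    A plain-FTP firewall helper parses exactly this to track the data
    connection; under FTPS only the client ever sees it."""
    m = _PASV.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_connection_will_pass(reply: str) -> bool:
    """Client-side pre-check: the announced data endpoint must be the bank
    host itself and a port inside the agreed range; otherwise the rule
    table above will reject the data connection and the transfer hangs."""
    ip, port = parse_pasv(reply)
    return ip == BANK_HOST and policy_allows(ip, "tcp", port)

if __name__ == "__main__":
    # Constructed replies: 25*256+140 = 6540 (first allowed port),
    # 25*256+191 = 6591 (one past the range).
    print(data_connection_will_pass("227 Entering Passive Mode (192,0,2,10,25,140)"))
    print(data_connection_will_pass("227 Entering Passive Mode (192,0,2,10,25,191)"))
```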
Well, as long as the bank allows only passive mode I don't see a very big problem.
Well, it is tcp, therefore the direction of the connection is easy to determine. But as with standard ftp you have two connections (ftp-command and ftp-data).
The bank has the secure server. Robo-FTP is a client that allows just about any configuration to be used. Passive mode is used here. Thanks for the Wikipedia link. When it came to the certificate I got from VeriSign, I had to use OpenSSL to create files with different extensions to import/export.