FTP Security

Please accept my apologies if this question has been asked and answered 
in another thread.  If it has, my search failed to turn it up.

D-Link makes a NAS product (DNS-323) which allows for the use of an FTP 
server.  I desire to use this built-in functionality; however, after 
enabling it and making all of the security adjustments (i.e. creating 
groups/users with permissions, establishing passwords, etc.) I am 
concerned that a Shields Up scan of my IP shows the port that this 
server is assigned as being OPEN. :(

Is there any way to enable this FTP server functionality without having 
the assigned port exposed as open?  Is there any way to stealth the 
assigned port?  If not, is the most secure way to run the FTP server to 
have a randomly assigned port and users with strong passwords?

Given that Mr. Gibson has pointed out, much to his dismay, the 
increasing prevalence of these types of devices, maybe there should be a 
discussion on Security Now about how to properly secure these types of 
devices.

Any guidance will be much appreciated.

-- 
Dustin H. Allen, MBA, JD (candidate)


0
Dustin
7/17/2008 2:26:52 AM
grc.techtalk 27358 articles. 1 followers. Follow

17 Replies
552 Views

Similar Articles

[PageSpeed] 46

In Steve Gibson's grc.techtalk - Dustin H. Allen wrote:

> D-Link makes a NAS product (DNS-323) which allows for the use of
> an FTP server.  I desire to use this built-in functionality;
> however, after enabling it and making all of the security
> adjustments (i.e. creating groups/users with permissions,
> establishing passwords, etc.) I am concerned that a Shields Up
> scan of my IP shows the port that this server is assigned as being
> OPEN. 
>


Where does NAS live?

Your network has zones... 
eg. 

untrusted  |  semi-trusted (DMZ) |  trusted

     border/access         sub-network/edge


Your NAS should be either in trusted or semi-trusted(DMZ)

If in DMZ... border must not allow any untrusted traffic to NAS
If in trusted.... then only sub-network traffic allowed to NAS



-- 
OpenPGP: id=18795161E22D3905; preference=signencrypt;
            url=http://guysalias.fateback.com/pgpkeys.txt
0
Guy
7/17/2008 2:48:08 AM
On Wed, 16 Jul 2008 22:26:52 -0400, "Dustin H. Allen"
<allendustin@hotmail.com> wrote:

>Is there any way to enable this FTP server functionality without having 
>the assigned port exposed as open?

Be aware "OPEN" means there's a server responding on that port.  No
kidding.  Stealth and running a server is an oxymoron.

BUT...

There are techniques to filter so it's, say, only open to certain IPs.
There's also a technique to use a secret "knock" of the port to open
it.  I'm not counting these things because I doubt your NAS could do
them by itself without additional equipment.

Hope that clarifies.

Bill
-- 
Expert Opinions $5   I Shut-Up $10
0
Bill_MI
7/17/2008 3:14:07 AM
"Dustin H. Allen" <allendustin@hotmail.com> wrote:

/ ... /

> Is there any way to enable this FTP server functionality without having the
> assigned port exposed as open?  Is there any way to stealth the assigned port?

/ ... /

The *purpose* of a server is to respond to TCP connection requests.

Otherwise, the TCP/IP 3-way handshake cannot be established.

You can use a software firewall if you're concerned about the integrity
of your passwords and configure it to only allow the IP addresses of
who you want to connect to your server. A rules-based firewall like
the one I use (Kerio 2.1.5) simplifies this security metric.

-- 
xperience



0
xperience
7/17/2008 5:47:30 AM
Guy wrote:
> Where does NAS live?

The NAS is hooked up just like any PC.  This is the first I've heard of 
zones (I'm admitting my ignorance here).  Actually, I have heard of the 
DMZ and I know a little about it.  DMZ is disabled in my router, so I 
know it's not there.  By equating "trusted" with "sub-network/edge" 
(which your diagram seems to do), it seems that in order for a device to 
be placed in the "trusted" category it would need to connect to the 
internet without being behind the NAT router.  Correct me if I'm wrong, 
but if that is the case, my NAS is not set up that way.  It is set up 
just like any PC within my network, behind the router.


> Your network has zones... 
> eg. 
> 
> untrusted  |  semi-trusted (DMZ) |  trusted
> 
>      border/access         sub-network/edge
> 
> 
> Your NAS should be either in trusted or semi-trusted(DMZ)
> 
> If in DMZ... border must not allow any untrusted traffic to NAS
> If in trusted.... then only sub-network traffic allowed to NAS

The last part of what you said, "then only sub-network traffic allowed 
to NAS" causes concern to me.  I can FTP (with proper username and 
password) into the NAS from a remote location.  I'm not sure if you are 
labeling that kind of access "sub-network" traffic.

-- 
Dustin H. Allen, MBA, JD (candidate)


0
Dustin
7/17/2008 12:31:45 PM
"Dustin H. Allen" <allendustin@hotmail.com> wrote in message 
news:g5mala$21o9$1@news.grc.com...
> Please accept my apologies if this question has been asked and answered in 
> another thread.  If it has, my search failed to turn it up.
>
> D-Link makes a NAS product (DNS-323) which allows for the use of an FTP 
> server.  I desire to use this built-in functionality; however, after 
> enabling it and making all of the security adjustments (i.e. creating 
> groups/users with permissions, establishing passwords, etc.) I am 
> concerned that a Shields Up scan of my IP shows the port that this server 
> is assigned as being OPEN. :(
>
> Is there any way to enable this FTP server functionality without having 
> the assigned port exposed as open?  Is there any way to stealth the 
> assigned port?  If not, is the most secure way to run the FTP server to 
> have a randomly assigned port and users with strong passwords?

It sounds like you want FTP for the LAN only, correct?  You don't want 
anyone accessing the NAS from the Internet?

I'm surprised the NAS doesn't have instructions on how to do this.  Does the 
vendor have a support forum or a technical support email address?  I would 
try them first.  They should best know how to address this issue.  If they 
don't, shame on them.  Another approach would be to download some user 
manual PDF's for other NAS'es to see if the issue is addressed in one of 
them.

-- 
Robert


0
Robert
7/17/2008 1:15:08 PM
Robert Wycoff wrote:
> It sounds like you want FTP for the LAN only, correct?  You don't want 
> anyone accessing the NAS from the Internet?
I apologize for not being very clear.  I do want to be able to access 
the FTP server from the internet.

> I'm surprised the NAS doesn't have instructions on how to do this.  Does the 
> vendor have a support forum or a technical support email address?  I would 
> try them first.  They should best know how to address this issue.  If they 
> don't, shame on them.  Another approach would be to download some user 
> manual PDF's for other NAS'es to see if the issue is addressed in one of 
> them.

I will try the above mentioned suggestion and check D-Link's website for 
help.  However, since I knew very little about setting up the FTP server 
in the first place, I followed the directions and do not remember them 
addressing the security aspects or various setup options.

-- 
Dustin H. Allen, MBA, JD (candidate)


0
Dustin
7/17/2008 1:22:14 PM
"Dustin H. Allen" <allendustin@hotmail.com> wrote in message
news:g5nh25$1ah$1@news.grc.com...
> Robert Wycoff wrote:
>> It sounds like you want FTP for the LAN only, correct?  You don't want
>> anyone accessing the NAS from the Internet?
> I apologize for not being very clear.  I do want to be able to access the
> FTP server from the internet.

Any time you install a server and make it available to access from the
Internet, the port has to be open for someone to connect to it.  It's the
same for a web server (port 80).

Just because ShieldsUp! finds port 21 open, doesn't mean you are in
"danger" if you follow FTP security best practices.

http://www.google.com/search?hl=en&q=ftp+server+security+best+practices

eg:

http://msdn.microsoft.com/en-us/library/aa924420.aspx

-- 
Robert



0
Robert
7/17/2008 3:08:06 PM
Dustin H. Allen wrote:
> Please accept my apologies if this question has been asked and answered 
> in another thread.  If it has, my search failed to turn it up.
> 
> D-Link makes a NAS product (DNS-323) which allows for the use of an FTP 
> server.  I desire to use this built-in functionality; however, after 
> enabling it and making all of the security adjustments (i.e. creating 
> groups/users with permissions, establishing passwords, etc.) I am 
> concerned that a Shields Up scan of my IP shows the port that this 
> server is assigned as being OPEN. :(
> 
> Is there any way to enable this FTP server functionality without having 
> the assigned port exposed as open?  Is there any way to stealth the 
> assigned port?  If not, is the most secure way to run the FTP server to 
> have a randomly assigned port and users with strong passwords?
> 
> Given that Mr. Gibson has pointed out, much to his dismay, the 
> increasing prevalence of these types of devices, maybe there should be a 
> discussion on Security Now about how to properly secure these types of 
> devices.
> 
> Any guidance will be much appreciated.
> 
A Secure FTP (SFTP) is much better. Your passwords and all your data are 
sent in the clear so having encrypted FTP is much better so your 
password isn't in the clear. I think the security implications of this 
are obvious.

Cygwin can do it, or a Linux box because you need to do it over SSH. I 
could be wrong but there might be SSH for Winders and SFTP could be done 
with that.

Paul
0
Paul
7/17/2008 5:05:46 PM
In Steve Gibson's grc.techtalk - Dustin H. Allen wrote:

> Guy wrote:
>> Where does NAS live?
> 
> The NAS is hooked up just like any PC.  This is the first I've
> heard of zones (I'm admitting my ignorance here).  Actually, I
> have heard of the DMZ and I know a little about it.  DMZ is
> disabled in my router, so I know it's not there.  By equating
> "trusted" with "sub-network/edge" (which your diagram seems to
> do), it seems that in order for a device to be placed in the
> "trusted" category it would need to connect to the internet
> without being behind the NAT router.  Correct me if I'm wrong, but
> if that is the case, my NAS is not set up that way.  It is set up 
> just like any PC within my network, behind the router.
> 
> 


Diagram is left to right; Internet on left, workstations on right.

It is generic, could be for enterprise or soho.

Here is a better picture:
<http://guysalias.fateback.com/misc/junk/net-diagram.jpg>




>> Your network has zones... 
>> eg. 
>> 
>> untrusted  |  semi-trusted (DMZ) |  trusted
>> 
>>       border/access         sub-network/edge
>> 
>> 
>> Your NAS should be either in trusted or semi-trusted(DMZ)
>> 
>> If in DMZ... border must not allow any untrusted traffic to NAS
>> If in trusted.... then only sub-network traffic allowed to NAS
> 
> The last part of what you said, "then only sub-network traffic
> allowed to NAS" causes concern to me.  I can FTP (with proper
> username and password) into the NAS from a remote location.  I'm
> not sure if you are labeling that kind of access "sub-network"
> traffic. 
> 


OK...

If you want/need remote (public) access you must:

 o have some port open to public
 o guard traffic to NAS at border
    (since it is public it is in semi-trusted zone)
 o use some RAS/VPN to protect NAS data and login information
    (FTP service on that NAS device is not encrypted)


-- 
OpenPGP: id=18795161E22D3905; preference=signencrypt;
            url=http://guysalias.fateback.com/pgpkeys.txt
0
Guy
7/17/2008 6:18:43 PM
"Dustin H. Allen" <allendustin@hotmail.com> wrote:
> Robert Wycoff wrote:
>> It sounds like you want FTP for the LAN only, correct?  You don't want anyone 
>> accessing the NAS from the Internet?
> I apologize for not being very clear.  I do want to be able to access the FTP 
> server from the internet.
>
>> I'm surprised the NAS doesn't have instructions on how to do this.  Does the 
>> vendor have a support forum or a technical support email address?  I would try 
>> them first.  They should best know how to address this issue.  If they don't, 
>> shame on them.  Another approach would be to download some user manual PDF's for 
>> other NAS'es to see if the issue is addressed in one of them.

> I will try the above mentioned suggestion and check D-Link's website for help. 
> However, since I knew very little about setting up the FTP server in the first 
> place, I followed the directions and do not remember them addressing the security 
> aspects or various setup options.

Who do you want connecting to your server?

-- 
xperience 


0
xperience
7/17/2008 6:47:36 PM
xperience wrote:
> Who do you want connecting to your server?
I would like to restrict access to a small group of users, but I am 
concerned that unwanted users will try to maliciously gain access.

-- 
Dustin H. Allen, MBA, JD (candidate)


0
Dustin
7/17/2008 7:00:40 PM
"Dustin H. Allen" <allendustin@hotmail.com> wrote:
> xperience wrote:
>> Who do you want connecting to your server?
> I would like to restrict access to a small group of users, but I am concerned that 
> unwanted users will try to maliciously gain access.

Ok, but are those users from the Internet or from a local area network
(LAN) that you have set up in your home/office, using several different
computers?

It sounds like they're from the Internet ... different parts of the city, state
country or world, etc. Is that correct?

-- 
xperience

 


0
xperience
7/17/2008 8:38:25 PM
xperience wrote:
> Ok, but are those users from the Internet or from a local area network
> (LAN) that you have set up in your home/office, using several different
> computers?
> 
> It sounds like they're from the Internet ... different parts of the city, state
> country or world, etc. Is that correct?

Yes.  The users are connecting to the NAS via the internet, not just the 
local area network.  To be clear, users are accessing the NAS using both 
(some coming in from the internet and some accessing it via the LAN). 
Sorry that I haven't been clear in explaining what I'm trying to do. 
I've been a little exhausted these last few days.  Thank you for having 
the patience to try to help me.

-- 
Dustin H. Allen, MBA, JD (candidate)


0
Dustin
7/17/2008 9:12:52 PM
"Dustin H. Allen" <allendustin@hotmail.com> wrote:

/ ... /

> Yes.  The users are connecting to the NAS via the internet, not just the local area 
> network.  To be clear, users are accessing the NAS using both (some coming in from 
> the internet and some accessing it via the LAN). Sorry that I haven't been clear in 
> explaining what I'm trying to do. I've been a little exhausted these last few days. 
> Thank you for having the patience to try to help me.

No problem. I've been very stressed out recently as I found out that
I have sleep apnea. It's really nasty.

Anyhow, if you are using XP or Win2K, just use a software firewall
like Kerio 2.1.5 to set up rules for who you want to let connect.
Kerio 2.1.5 plus a strong password for FTP is unhackable and your
server will show up as stealthed to any unwanted incoming traffic.
Even if they know your password, they'll get nowhere!

-- 
xperience 


0
xperience
7/18/2008 6:10:31 AM
xperience wrote:
> No problem. I've been very stressed out recently as I found out that
> I have sleep apnea. It's really nasty.

Doesn't sound like fun.

> Anyhow, if you are using XP or Win2K, just use a software firewall
> like Kerio 2.1.5 to set up rules for who you want to let connect.
> Kerio 2.1.5 plus a strong password for FTP is unhackable and your
> server will show up as stealthed to any unwanted incoming traffic.
> Even if they know your password, they'll get nowhere!

Part of the issue is that the NAS is a self contained unit (see D-Link 
DNS-323).  As such, I cannot run a software firewall on it.  I am 
confined within the constraints of the firmware.  Is is enough to merely 
use strong passwords?

-- 
Dustin H. Allen, MBA, JD (candidate)


0
Dustin
7/18/2008 9:57:51 AM
"Dustin H. Allen" <allendustin@hotmail.com>  wrote:
> xperience wrote:
>> No problem. I've been very stressed out recently as I found out that
>> I have sleep apnea. It's really nasty.

> Doesn't sound like fun.

It sure isn't.

>> Anyhow, if you are using XP or Win2K, just use a software firewall
>> like Kerio 2.1.5 to set up rules for who you want to let connect.
>> Kerio 2.1.5 plus a strong password for FTP is unhackable and your
>> server will show up as stealthed to any unwanted incoming traffic.
>> Even if they know your password, they'll get nowhere!

> Part of the issue is that the NAS is a self contained unit (see D-Link DNS-323). 
> As such, I cannot run a software firewall on it.  I am confined within the 
> constraints of the firmware.  Is is enough to merely use strong passwords?

If you can use unicode characters I would think so ... ex:  �?Cz-19
or something similar.

You might also be able to use a second software based FTP server
on your computer [software firewall it] then map it out to the hardware
based NAS.

-- 
xperience






0
xperience
7/18/2008 2:07:16 PM
xperience wrote:
> If you can use unicode characters I would think so ... ex:  �?Cz-19
> or something similar.
> 
> You might also be able to use a second software based FTP server
> on your computer [software firewall it] then map it out to the hardware
> based NAS.
> 
Again use SFTP due to cleartext.

Paul
0
Paul
7/18/2008 7:11:49 PM
Reply: