
Securing FTP Traffic

Overview: Securing FTP traffic using default values


This implementation describes how to secure FTP traffic the easy way--by using default values. When you use an FTP security profile, the BIG-IP® system inspects FTP traffic for network vulnerabilities. A default FTP security profile is included in the system that you can use. To activate security checks for FTP traffic, you enable protocol security in an FTP service profile, and associate the service profile with a virtual server.

You can use the default configuration to protect against the following FTP security risks:
• Port scanning exploits
• Anonymous FTP requests
• Command line length exceeds the defined length
• Potentially dangerous FTP commands
• Traffic that fails FTP protocol compliance checks
• Brute force attacks (due to excessive FTP login attempts)
• File stealing exploits
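
The following Python code is an added illustration of what several of the checks listed above look for on the FTP control channel; it is not F5 code and does not reproduce how the BIG-IP system implements them. The length limit, login-attempt limit, command deny-list, the reading of the port scanning check as a PORT command that names an address other than the client's, and the sample session are all assumptions made for the example.

```python
import re

# Assumed limits and deny-list for illustration; not BIG-IP's defaults.
MAX_LINE_LEN = 255
MAX_LOGIN_ATTEMPTS = 3
DANGEROUS = {"SITE", "DELE", "RMD"}
ANON_USERS = {"anonymous", "ftp"}
VERB_RE = re.compile(r"[A-Za-z]{3,4}")  # simplified: FTP verbs are 3-4 letters

def inspect_session(client_ip, lines):
    """Return (line_no, violation) pairs for one client's control-channel lines."""
    findings, logins = [], 0
    for n, line in enumerate(lines, 1):
        if len(line) > MAX_LINE_LEN:
            findings.append((n, "command line too long"))
            continue
        verb, _, arg = line.strip().partition(" ")
        if not VERB_RE.fullmatch(verb):
            findings.append((n, "protocol compliance"))
            continue
        verb = verb.upper()
        if verb == "USER" and arg.lower() in ANON_USERS:
            findings.append((n, "anonymous login"))
        elif verb == "PASS":
            logins += 1
            if logins > MAX_LOGIN_ATTEMPTS:
                findings.append((n, "excessive login attempts"))
        elif verb == "PORT":
            # PORT h1,h2,h3,h4,p1,p2: the data address should be the client's own.
            parts = arg.split(",")
            ok = len(parts) == 6 and all(p.isascii() and p.isdigit() and int(p) < 256 for p in parts)
            if not ok:
                findings.append((n, "protocol compliance"))
            elif ".".join(parts[:4]) != client_ip:
                findings.append((n, "PORT to third-party address"))
        elif verb in DANGEROUS:
            findings.append((n, "dangerous command"))
    return findings

# Constructed sample session from client 192.0.2.10 (not captured traffic).
SAMPLE = [
    "USER anonymous", "PASS guest@example.com",
    "PORT 192,0,2,10,4,1", "PORT 198,51,100,7,0,22",
    "SITE EXEC ls", "RETR " + "A" * 300, "\x00\x01garbage",
]

if __name__ == "__main__":
    for line_no, violation in inspect_session("192.0.2.10", SAMPLE):
        print(line_no, violation)
```
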

Task summary

Creating an FTP service profile with security enabled
Enabling protocol security for an FTP virtual server
Reviewing violation statistics for security profiles

Creating an FTP service profile with security enabled

The easiest method for initiating FTP protocol security for your FTP virtual server traffic is to use the system default settings. You do this by enabling protocol security for the system-supplied FTP service profile, and then associating that service profile with a virtual server.
1. On the Main tab, click Local Traffic > Profiles > Services > FTP.
The FTP profile list screen opens.
2. In the Name column, click ftp.
The Properties screen for the system-supplied FTP profile opens.
3. In the Settings area, clear the Translate Extended check box if you want to disable IPv6 translation.
4. Retain the Data Port setting default value of 20.
5. Select the Protocol Security check box to enable FTP security checks.
6. Click Update.
You now have a security-enabled service profile that you can associate with a virtual server so that FTP protocol checks are performed on the traffic that the FTP virtual server receives.

Enabling protocol security for an FTP virtual server

When you enable protocol security for an FTP virtual server, the system scans any incoming FTP traffic for vulnerabilities before the traffic reaches the FTP servers.
1. On the Main tab, click Local Traffic > Virtual Servers.
The Virtual Server List screen opens.
2. Click the Create button.
The New Virtual Server screen opens.
3. In the Name field, type a unique name for the virtual server.
4. In the Destination Address field, type the IP address in CIDR format.
The supported format is address/prefix, where the prefix length is in bits. For example, an IPv4 address/prefix is 10.0.0.1 or 10.0.0.0/24, and an IPv6 address/prefix is ffe1::0020/64 or 2001:ed8:77b5:2:10:10:100:
