Re: Nbar & FTP

From: Bob Sinclair (bsin@cox.net)
Date: Tue May 31 2005 - 17:03:29 GMT-3


Hi Tim,

NBAR does in fact look into the packets exchanged on the control port and
discovers the ports negotiated for passive FTP. This does not mean it cannot
handle active FTP, which it does just fine.

Here is some "scripture" from Richard Deal:

"NBAR can inspect traffic from Layers 3 through 7. This inspection can look
for the following types of information:
  a. TCP and UDP port numbers in the transport-layer segment header
  b. Dynamic TCP and UDP port numbers assigned for additional connections for
     an application, such as FTP (similar to the inspection process that CBAC
     uses when examining applications that open additional connections)
  c. Subport information, which is information contained in the application
     layer data, such as application data types
  d. Layer 3 IP protocols (other than TCP and UDP)"
    Page 445

As regards the lab, the answer always has to be to read the task and any
related tasks very carefully. If ambiguity persists, run it by the proctor.
But remember that NBAR only works on traffic transiting a router, not traffic
generated by it.

HTH,

Bob Sinclair
CCIE #10427, CCSI 30427, CISSP
www.netmasterclass.net
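To make Bob's point concrete (this is an added illustration, not code from the thread or from Cisco): a purely port-based ACL only ever sees tcp/21 and tcp/20, whereas a stateful classifier such as NBAR or CBAC reads the PASV reply and PORT command on the control channel and learns the dynamically negotiated data endpoints. The control-session lines and the flow table below are constructed; the IP addresses are documentation ranges, and the function names are this example's own.

```python
"""
Constructed example: learn FTP data-channel endpoints from the control
channel (the way a stateful inspector does) and compare the result with
what a static port-based ACL can match.
"""
import re
from typing import List, Set, Tuple

# Constructed control-channel exchange on tcp/21. It negotiates one passive
# data connection (server's 227 reply) and one active one (client's PORT).
CONTROL_SESSION = [
    ("client", "USER anonymous"),
    ("server", "331 Please specify the password."),
    ("client", "PASS guest@example.com"),
    ("server", "230 Login successful."),
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,0,2,10,195,80)."),
    ("client", "RETR file1.bin"),
    ("server", "150 Opening BINARY mode data connection."),
    ("client", "PORT 198,51,100,7,4,1"),
    ("server", "200 PORT command successful."),
    ("client", "STOR upload.bin"),
]

# h1,h2,h3,h4,p1,p2 encoding used by both PASV replies and PORT commands.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def decode_hostport(groups) -> Tuple[str, int]:
    """Turn the six comma-separated fields into (ip, port); port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def learn_data_endpoints(session) -> Set[Tuple[str, int]]:
    """Endpoints announced on the control channel: server side for PASV,
    client side for PORT. A data connection to/from one of these is FTP."""
    endpoints = set()
    for who, line in session:
        m = PASV_RE.search(line) if who == "server" else PORT_RE.match(line)
        if m:
            endpoints.add(decode_hostport(m.groups()))
    return endpoints


def static_acl_is_ftp(src_port: int, dst_port: int) -> bool:
    """What 'eq ftp' / 'eq ftp-data' in an ACL can see: fixed ports 21 and 20."""
    return 21 in (src_port, dst_port) or 20 in (src_port, dst_port)


def stateful_is_ftp(src_ip, src_port, dst_ip, dst_port, learned) -> bool:
    """Control channel plus any data connection whose endpoint was negotiated."""
    return (static_acl_is_ftp(src_port, dst_port)
            or (dst_ip, dst_port) in learned
            or (src_ip, src_port) in learned)


# Constructed flows transiting the router: (src_ip, src_port, dst_ip, dst_port).
FLOWS = [
    ("198.51.100.7", 40001, "192.0.2.10", 21),     # control channel
    ("198.51.100.7", 40002, "192.0.2.10", 50000),  # passive data (195*256+80)
    ("192.0.2.10", 20, "198.51.100.7", 1025),      # active data (4*256+1)
    ("198.51.100.7", 40003, "192.0.2.10", 443),    # unrelated HTTPS
]


def classify(flows=FLOWS, session=CONTROL_SESSION) -> List[Tuple[bool, bool]]:
    """For each flow: (matched by static ACL, matched by stateful classifier)."""
    learned = learn_data_endpoints(session)
    return [(static_acl_is_ftp(sp, dp), stateful_is_ftp(si, sp, di, dp, learned))
            for si, sp, di, dp in flows]


if __name__ == "__main__":
    for flow, (acl, stateful) in zip(FLOWS, classify()):
        print(f"{flow}: static ACL={acl} stateful={stateful}")
```

The passive data flow to 192.0.2.10:50000 is the one a static ACL misses and a control-channel-aware classifier catches; the active flow from source port 20 is caught either way, which is why the thread's concern applies to passive mode only. Note the usual caveat this mirrors: the classifier only learns ports from control-channel packets it actually sees transiting the router.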

  ----- Original Message -----
  From: ccie2be
  To: 'Bob Sinclair' ; 'simon hart' ; ccielab@groupstudy.com
  Sent: Tuesday, May 31, 2005 3:35 PM
  Subject: RE: Nbar & FTP

  Hi Bob,

  I don't doubt what you say but I can't understand how that is either.

  Correct me if I'm mistaken, but for nbar to match passive FTP, wouldn't it
  have to have the ability to see inside the packets exchanged on the control
  port - port 21 to see what ports were negotiated for the data transfer?

  I know this intelligence is built into CBAC but I thought Nbar was static in
  nature and did its matching based on pre-defined acl's (port maps) or
  something like that.

  I would think that Nbar would work fine for active FTP given that in that
  mode all ports are known - port 20 and port 21. But, from your remarks, it
  sounds like Nbar won't match active FTP.

  Is that true?

  Now, in the lab, if we need to do anything with FTP traffic, filter it,
  shape it, police it, reserve bandwidth for it, or prioritize it, but the lab
  doesn't explicitly mention if this is passive or active FTP, how would you
  suggest we identify FTP traffic?

   TIA, Tim

  -----Original Message-----
  From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
  Bob Sinclair
  Sent: Monday, May 30, 2005 10:57 PM
  To: simon hart; ccielab@groupstudy.com
  Subject: Re: Rate Limiting FTP

  Simon,

  NBAR can be used to identify passive FTP traffic. I was able to lab this up
  with a 3620 running 12.2(15)T9. Matched protocol FTP and got hits on a
  policy-map for passive-mode ftp upload.

  HTH,

  Bob Sinclair
  CCIE #10427, CCSI 30427, CISSP
  www.netmasterclass.net

    ----- Original Message -----
    From: simon hart
    To: ccielab@groupstudy.com
    Sent: Monday, May 30, 2005 5:04 PM
    Subject: Rate Limiting FTP

    All,

    If one is asked to rate limit FTP then how is this achieved if the FTP
    sessions are Passive?

    My understanding is that with passive FTP random ports will be created for
    the source and destination ports. These ports are communicated via the FTP
    control session on port 21.

    Now if I classify my traffic using an acl, and I use the key word FTP, then
    it is only matching the control traffic on port 21. If I choose the
    ftp-data option then I shall be using port 20, but that is for Active
    sessions and I am keen to rate limit passive sessions.

    If I use Nbar, my understanding is that nbar will only match on the control
    channel, is this correct? If that is the case then there is no way to match
    and thus rate limit a passive FTP data channel using either of these
    methods.

    Any help appreciated

    Simon

    _______________________________________________________________________
    Subscription information may be found at:
    http://www.groupstudy.com/list/CCIELab.html




This archive was generated by hypermail 2.1.4 : Fri Jun 03 2005 - 10:12:04 GMT-3