SSL/TLS Inspection for FTPS Connections

[Dave365]

Hello,

Anyone achieved SSL/TLS Inspection on a securing gateway for FTPS connections (FTP over SSL/TLS, not SFTP)? is this possible?

There are various protections in IPS blade regarding FTP, but since most file transfers in production environments are encrypted, those protections do not work without a way for the gateway to observe the data decrypted.

I tried to add a rule in HTTPS inspection policy including the server's certificate/private key, but the connection cannot be established at all. Without inspecting the connection, file transfers work fine.

It would be great if HTTPs inspection also works for FTPS.

Regards,
Dave

[wyndfx]

Currently it's not possible to do inspection on FTPS connections.

[jflemingeds]

Does it really have to be ftp over tls? I take it sftp (over ssh) or the likes isn't an option?

[Dave365]

Thanks for the info.

For this specific case it has to be FTPS. We don't have an option.

However, in case of SFTP the IPS still cannot see the traffic decrypted right?

Do you consider SFTP more secure than FTPS? The problem with SFTP is that because it works over SSH, in case the service is not configured correctly (or in case there is a vulnerability), the client can get command-line access on the Operating System itself.

Any thoughts?

Thanks,

[jflemingeds]

Thanks for the info.

For this specific case it has to be FTPS. We don't have an option.

However, in case of SFTP the IPS still cannot see the traffic decrypted right?

Do you consider SFTP more secure than FTPS? The problem with SFTP is that because it works over SSH, in case the service is not configured correctly (or in case there is a vulnerability), the client can get command-line access on the Operating System itself.

Any thoughts?

Thanks,

I would would say either is just as secure and either can be misconfigured and have very bad things happen.

This is a pretty good dock explaining how to setup a sftp jail.

https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

That is very close to how check point runs their sftp servers from the looks of it. I'll also point out checkpoint doesn't run ftp over ssl servers ( that i know of at least).

If you wanted to go a step further don't allow any ssh login on port 22 except for sftp-server users and then start admin ssh on a different port and make with the firewalling.

[Dave365]

Good points.

Thanks for the feedback everyone.