
Monday, September 23, 2024

Securing Your FTP Server in the DMZ with Cisco ASA Post-9.7: Masking Sensitive Information

Securing an FTP server, especially one located in the DMZ (Demilitarized Zone), is critical because FTP servers can often be targets for reconnaissance during cyberattacks. Information such as software version numbers, system banners, or directory structures can provide attackers with clues about potential vulnerabilities. In older versions of Cisco ASA, masking or hiding this information required a Layer 7 (L7) policy map configuration with regex patterns. However, with Cisco ASA version 9.7 and beyond, we have more efficient and straightforward methods to accomplish this task.

In this blog, we’ll walk through how to secure your FTP server by masking sensitive information using the enhanced features in ASA post-9.7.

### Why Mask FTP Information?

When a user connects to an FTP server, the server usually discloses certain information that can be exploited by attackers, such as:
- FTP software version numbers
- Host operating system details
- Directory structures or file permissions

By masking or hiding this information, you reduce the attack surface and limit the amount of detail an attacker can use for reconnaissance.

### Key Enhancements in Cisco ASA Post-9.7

Cisco ASA version 9.7 introduced significant improvements in the handling of application-level protocols like FTP. These include:
- **Better Layer 7 (L7) inspection capabilities**: Allowing for easier inspection and control over traffic at the application layer.
- **Advanced FTP inspection policies**: These policies now support more sophisticated manipulation of FTP traffic, such as masking sensitive responses from the server.
- **Streamlined configuration**: The process of configuring L7 inspection policies has been simplified, eliminating the need for complex regex matching for common tasks.

### Steps to Mask Sensitive Information on Your FTP Server Using Cisco ASA Post-9.7

#### 1. **Enable FTP Inspection** (If Not Already Done)

Before proceeding with masking, you must ensure that FTP traffic is being inspected by the ASA. If you have not already configured FTP inspection, verify that the following configuration is present, adding it if it is missing:

```
class-map inspection_default
   match default-inspection-traffic
policy-map global_policy
   class inspection_default
      inspect ftp
```

This ensures FTP traffic is inspected by default, allowing the ASA to inspect and modify FTP commands and responses as needed.

#### 2. **Configure FTP Inspection Parameters**

In post-9.7 ASA versions, FTP-specific parameters can be added to the L7 policy map to hide or mask specific information. These parameters can block the disclosure of FTP server responses, software banners, and other sensitive details.

Create a new class map or modify an existing one to include FTP masking parameters.

```
class-map type inspect ftp match-any FTP_INSPECTION_CLASS
   match request-command "USER"
   match request-command "RETR"
   match request-command "STOR"
   match request-command "PWD"

policy-map type inspect ftp FTP_MASKING_POLICY
   parameters
      no-banners
      mask-reply 230
      mask-reply 257
      mask-reply 215
```

In this example:
- **no-banners**: Hides the FTP server’s banner information, which usually includes the FTP software version and operating system details.
- **mask-reply 230**: Masks the "Login successful" message when the user logs in. This prevents the server from leaking details about user privileges or account settings.
- **mask-reply 257**: Masks the response to the `PWD` (Print Working Directory) command, hiding sensitive directory information from the client.
- **mask-reply 215**: Masks the server response that reveals the operating system type.

These responses are common points where FTP servers can inadvertently disclose sensitive information to users.

#### 3. **Apply the FTP Inspection Policy**

Once you have configured the class map and policy map, the final step is to apply this policy to the appropriate interface or globally. Typically, for an FTP server located in the DMZ, you would apply the inspection policy on the interface connected to the DMZ.

```
policy-map global_policy
   class inspection_default
      inspect ftp FTP_MASKING_POLICY
```

This ensures that the FTP inspection policy with masking parameters is applied globally across all FTP traffic going through the ASA firewall.

#### 4. **Monitor and Verify**

After applying the configuration, it’s essential to test and verify that the information masking works as expected. You can connect to the FTP server using various user accounts and monitor the responses to ensure sensitive details like version numbers, operating system details, and directory paths are not being exposed.

You can monitor logs to confirm the policy is being enforced:

```
show logging | include FTP
```

This will provide real-time feedback on the FTP inspection policy and any actions taken by the ASA in response to FTP traffic.

#### 5. **Optional: Fine-Tune the Configuration**

Depending on the specific requirements of your FTP server and environment, you may need to fine-tune the masking policy. For instance, if there are additional FTP commands or responses that you want to mask or block, you can adjust the policy by adding more `mask-reply` lines or modifying the `parameters` section.

For example, to block or mask the output of additional FTP commands such as `LIST` or `SYST`, you could add:

```
match request-command "LIST"
match request-command "SYST"
```


This would further reduce the amount of exposed information during an FTP session.
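For the verification in step 4, the following Python script is an added example (not part of the original post and not an ASA feature) that reads an FTP control-channel transcript, picks out the server replies by code, and flags the replies the masking policy targets (220, 215, 230, 257) when they still carry a version string, an operating-system name, or a server-side path. The two transcripts are constructed samples: one from an unmasked server and one as it might look after masking.

```python
import re

# Reply codes the masking policy targets, and the kind of leak each can carry.
WATCHED_CODES = {"220": "banner", "215": "system", "230": "login", "257": "path"}

VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)?\b")                    # e.g. 3.0.3
OS_RE = re.compile(r"\b(UNIX|Linux|Windows|FreeBSD|Debian|Ubuntu)\b", re.I)
PATH_RE = re.compile(r'"(/[^"]*)"')                                    # 257 "/srv/ftp"
# Constructed transcripts (client lines carry no reply code). Masked values are illustrative.
LEAKY_SESSION = """\
220 (vsFTPd 3.0.3)
USER alice
230 Login successful.
SYST
215 UNIX Type: L8
PWD
257 "/srv/ftp/alice" is the current directory
"""
MASKED_SESSION = """\
220 FTP server ready.
USER alice
230 Login successful.
SYST
215 XXXX Type: L8
PWD
257 "/" is the current directory
"""

def parse_replies(transcript):
    """Return (code, text) for each single-line server reply; client commands and
    'ddd-' continuation lines of multi-line replies are skipped."""
    return [(m.group(1), m.group(2)) for m in
            (re.match(r"^(\d{3}) (.*)$", ln) for ln in transcript.splitlines()) if m]

def find_disclosures(transcript):
    """Flag watched replies that still carry version, OS or server-side path details."""
    findings = []
    for code, text in parse_replies(transcript):
        kind = WATCHED_CODES.get(code)
        if kind in ("banner", "system", "login"):
            if VERSION_RE.search(text):
                findings.append((code, "version string"))
            if OS_RE.search(text):
                findings.append((code, "operating system"))
        elif kind == "path":
            m = PATH_RE.search(text)
            if m and m.group(1).count("/") > 1:      # anything beyond the bare "/"
                findings.append((code, "server-side directory path"))
    return findings
```

Run it against a transcript captured from a test account before and after applying the policy; an empty result for the masked session is the expected outcome.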

### Conclusion

Securing your FTP server in the DMZ is crucial, and masking sensitive information is a key part of reducing the attack surface. With Cisco ASA post-9.7, masking FTP server responses has become more efficient and streamlined, leveraging enhanced Layer 7 inspection capabilities and protocol-specific configurations.

By using the `no-banners` and `mask-reply` features within the FTP inspection policy, you can effectively hide critical information that could otherwise be exploited by attackers during a reconnaissance phase. Always remember to test your configurations in a controlled environment before deploying them in production, and regularly monitor logs to ensure your policies are functioning as expected.

This modern approach to FTP protection ensures that your server remains more secure while maintaining compatibility and performance in your network environment.


Sunday, September 22, 2024

Blocking FTP Directory Access for Non-Admin Users on Cisco ASA (Post-9.7)

In earlier versions of Cisco ASA, blocking users from accessing specific FTP directories relied on somewhat complex setups. This involved leveraging regular expressions (regex) within Layer 7 (L7) class maps, matching specific usernames and directory names, and using inspection policies to reset packets when certain conditions were met. While effective, this method had limitations and complexities, such as needing to handle L7 class maps and policy maps in a way that sometimes felt cumbersome.

With the release of Cisco ASA software version 9.7 and beyond, the architecture for configuring such policies has evolved, offering a more streamlined approach with the Advanced Inspection and Prevention Security Services Module (AIP-SSM) and better support for modern application inspection. Here's how to efficiently block non-admin users from accessing a specific FTP directory, such as `/secret`, using modern ASA capabilities.

### Key Changes in Cisco ASA Post-9.7:

1. **Enhanced Protocol Inspection**: The FTP inspection engine has become more robust, allowing for easier manipulation and control of FTP traffic without relying on complex regex patterns.
2. **Simplified Policy Configuration**: Instead of needing to use L7 class maps with regex, ASA 9.7 and later provide more straightforward methods to block access using predefined and customized protocol inspection rules.
3. **Improved Access Control**: Access control based on usernames and directories can now be done more efficiently through protocol-specific inspection mechanisms.

### Steps to Block FTP Access to the `/secret` Directory for All Users Except “admin” (Post-9.7):

#### 1. **Enable FTP Inspection**:
   FTP inspection must be enabled for any traffic inspection and control over the FTP sessions. This is done by default, but it's important to verify.

   ```
   class-map inspection_default
      match default-inspection-traffic
   policy-map global_policy
      class inspection_default
         ! strict mode enforces RFC-conformant command/reply sequencing
         inspect ftp strict
   service-policy global_policy global
   ```

   The above configuration ensures FTP traffic is being inspected. In this case, using the `strict` FTP inspection mode is recommended for better control.

#### 2. **Configure an FTP Inspection Policy Map**:
   The FTP inspection engine post-9.7 allows you to set rules that can match FTP commands (such as `CWD` or `RETR`), usernames, and directory names.

   - Define a policy that matches any FTP command where the user is trying to access the `/secret` directory.
   - Also, ensure that only the user “admin” can access this directory, while all other users are blocked.

   ```
   class-map type inspect ftp match-all FTP_BLOCK_SECRET
      match request-command "USER"
      match request-command "CWD"
      match regex username_not_admin_not_allowed
      match regex secret_directory

   policy-map type inspect ftp FTP_POLICY
      class FTP_BLOCK_SECRET
         reset
   ```

   In this policy:
   - The `match-all` statement ensures that the class map will only match when both the username and the directory name meet the defined regex conditions.
   - The `reset` action terminates the connection when a non-admin user tries to access the `/secret` directory.

#### 3. **Create Regular Expressions**:
   Since FTP usernames and directory paths can be matched using regex, create the necessary regex patterns to match the conditions. One pattern will match users who are not “admin,” and the other will match the `/secret` directory path.

   ```
   regex username_not_admin_not_allowed "[^admin]"
   regex secret_directory "^/secret"
   ```

   These regex patterns:
   - `[^admin]`: This pattern matches any username that is not “admin.”
   - `^/secret`: This pattern matches the directory `/secret`.

#### 4. **Apply the FTP Inspection Policy**:
   Now, apply the inspection policy to the relevant interface (usually the internal network) where FTP traffic originates.

   ```
   policy-map global_policy
      class inspection_default
         inspect ftp FTP_POLICY
   ```

   This command ensures that the inspection policy is applied globally across all FTP traffic coming through the ASA firewall.

#### 5. **Test and Monitor**:
   Once the configuration is complete, it is critical to test the setup. You can do this by:
   - Trying to access the `/secret` directory with various usernames, including "admin" and non-admin users.
   - Monitoring the firewall logs to ensure that connections are being reset correctly when unauthorized users try to access the directory.

   You can use the following command to monitor live logs and verify that the FTP inspection policy is functioning as expected:

   ```
   show logging | include FTP
   ```
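When testing step 3's patterns, keep in mind that `[^admin]` is a character class: it matches one character that is not a, d, m, i or n, which is not the same as "a username other than admin". The Python model below is an added example (not ASA configuration and not from the original post) that runs the posted pattern and the intended exact-match rule over constructed username/CWD pairs and lists where they disagree; on the ASA the "not admin" negation belongs in the class map's `match not` form against an anchored `^admin$` pattern, rather than in the regex itself.

```python
import re

# The post's pattern, copied as written. As a character class it fires on "alice"
# (contains 'l', 'c', 'e') but never on "dan" or "nina" (letters all drawn from "admin").
POSTED_NOT_ADMIN = re.compile(r"[^admin]")
# Intended rule: match the admin account exactly and negate that in the policy
# (assumption: expressed on the device with "match not username regex").
ADMIN_USER = re.compile(r"^admin$")
SECRET_DIR = re.compile(r"^/secret")   # as posted; also matches "/secretary"

def posted_policy_resets(user, cwd_target):
    """Decision the posted class map encodes: reset when the username matches
    [^admin] anywhere and the CWD argument matches ^/secret."""
    return bool(POSTED_NOT_ADMIN.search(user)) and bool(SECRET_DIR.search(cwd_target))

def intended_policy_resets(user, cwd_target):
    """Decision the post describes: everyone except the exact user 'admin' is
    reset when changing into /secret."""
    return ADMIN_USER.fullmatch(user) is None and bool(SECRET_DIR.search(cwd_target))

# Constructed test sessions: (username, CWD argument).
SESSIONS = [
    ("admin", "/secret"),    # must be allowed
    ("alice", "/secret"),    # must be reset
    ("dan", "/secret"),      # posted pattern misses this user entirely
    ("nina", "/secret"),     # same problem
    ("admin2", "/secret"),   # '2' is outside the class, so the posted pattern fires
    ("alice", "/public"),    # not the protected directory, allowed either way
]

def compare(sessions):
    """Return the sessions where the posted regex and the intended rule disagree."""
    return [(u, d) for u, d in sessions
            if posted_policy_resets(u, d) != intended_policy_resets(u, d)]
```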

### Benefits of the Post-9.7 Method:

- **Simplified Configuration**: The newer method streamlines the process, making it easier to configure access control based on usernames and directory paths.
- **Better Performance**: The enhanced FTP inspection engine performs better, reducing the need for complex regex matching, which can slow down the inspection process.
- **Improved Flexibility**: With the updated protocol inspection capabilities, it’s easier to create more granular access control policies for specific protocols like FTP.

### Conclusion:
Blocking non-admin users from accessing sensitive directories on an FTP server in Cisco ASA post-9.7 is significantly more straightforward than in earlier versions. By leveraging the enhanced FTP inspection engine and modern class-map configurations, you can efficiently match conditions like usernames and directory paths, ensuring that only authorized users can access specific resources. 

This approach not only improves the security of FTP services but also reduces administrative overhead by simplifying the configuration process. Always ensure that the FTP inspection policies are regularly reviewed and tested to maintain effective security.
