New Security Enhancement to NetWare FTP Server

  • 3183151
  • 21-Nov-2006
  • 26-Apr-2012

Environment

Novell NetWare 6.5
Novell NetWare 6.5 SP6
NetWare FTP Server (NWFTPD.NLM)

Situation

Before discussing the new security feature, a brief discussion of the existing security feature is in order:
For a few years, the NetWare FTP Server has had the ability to encrypt its connections through SSL to protect commands, user names, passwords, and file contents from passing over the wire in clear text. This treatment must be requested by the FTP client. An FTP server cannot force the client to request this. However, an FTP Server can conceivably do the next best thing: deny the client the ability to use insecure connections.
When the encryption feature was introduced, a parameter was made available in FTPSERV.CFG which controls whether the FTP Server allows both normal and encrypted FTP connections, or just encrypted connections. This was a simple NO/YES setting, defaulting to NO for support of both types.
SECURE_CONNECTIONS_ONLY=NO/YES
When set to YES, if an FTP client attempts to use a control connection without encrypting it, an error will be generated and the connection aborted. This is effective at curtailing clear text FTP commands. In most cases, the client would get an error and the connection would be aborted before the client had a chance to issue a password.
However, besides control connections (for commands), FTP makes use of data connections, for directory lists and file transfers. The SECURE_CONNECTIONS_ONLY=YES setting was initially designed only to abort insecure control connections. Insecure data connections could still occur, if the client requested them.
This allows FTP clients to continue using insecure data transfers, when the FTP Server administrator may wish to prevent that.

Resolution

Beginning in NetWare 6.5 SP6, the FTP Server (NWFTPD.NLM) has been modified to understand an additional value for the above-mentioned parameter. Besides NO or YES, it may be set as follows:
SECURE_CONNECTIONS_ONLY=STRICT
Set this way, the FTP Server will return errors and abort connections for all unencrypted connections, regardless of whether they are control or data connections.
This enhancement is also available in NWFTPD13.EXE.
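The following audit script is an added example, not Novell code: it reads the text of an FTPSERV.CFG file and reports which connection types the SECURE_CONNECTIONS_ONLY value still allows in clear text, following the NO/YES/STRICT behaviour described above. The function name, the sample configurations, and the parsing rules ('#' comments, case-insensitive names and values, optional spaces around '=') are assumptions.

```python
# Added example: audit FTPSERV.CFG text for SECURE_CONNECTIONS_ONLY.
# Assumptions (not from the article): '#' starts a comment, names and values
# are case-insensitive, and the last occurrence of the parameter is reported.
PARAM = "SECURE_CONNECTIONS_ONLY"

# value -> (clear-text control allowed, clear-text data allowed), per the article
EXPOSURE = {
    "NO": (True, True),
    "YES": (False, True),
    "STRICT": (False, False),
}

def audit_ftpserv_cfg(text):
    """Return (value, findings) for one FTPSERV.CFG body."""
    value, seen = "NO", 0          # article: the parameter defaults to NO
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        name, _, val = line.partition("=")
        if name.strip().upper() == PARAM:
            value, seen = val.strip().upper(), seen + 1
    findings = []
    if seen == 0:
        findings.append("parameter not set; default NO applies")
    if seen > 1:
        findings.append("parameter set %d times; confirm which one the server uses" % seen)
    if value not in EXPOSURE:
        findings.append("unrecognized value %r; server behaviour unknown" % value)
        return value, findings
    control, data = EXPOSURE[value]
    if control:
        findings.append("clear-text control connections allowed")
    if data:
        findings.append("clear-text data connections allowed")
    if value == "STRICT":
        findings.append("requires NetWare 6.5 SP6 or NWFTPD13.EXE; verify NWFTPD.NLM version")
    return value, findings

# Constructed sample configurations (not taken from a real server).
SAMPLES = {
    "legacy": "# FTP settings\nSECURE_CONNECTIONS_ONLY=YES\n",
    "hardened": "secure_connections_only = strict  # SP6\n",
    "unset": "# SECURE_CONNECTIONS_ONLY=STRICT\n",
}

if __name__ == "__main__":
    for label, cfg in SAMPLES.items():
        print(label, *audit_ftpserv_cfg(cfg), sep=" | ")
```

A YES result with the data-connection finding is the gap this document describes. A STRICT result is only meaningful once the server runs a build that understands the value.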

Status

Security Alert