
Is FTP malware threatening network port security?

According to research by Palo Alto Networks, malware is increasingly targeting "old" ports like FTP because nobody is watching them. What's the best way for organizations to monitor such non-standard ports?


I'm not sure what you mean by "old" ports, but if you're saying that malware is increasingly targeting "old" protocols, then I agree -- to a point. To be clear, a protocol is a standardized method that computers use to exchange information. File Transfer Protocol (FTP) and HTTP are two of the most commonly known protocols. Protocols use various ports to send information. If an enterprise network were a highway, ports would be the different lanes; only certain lanes take data where it needs to go.

The Palo Alto Networks research seems to indicate that FTP has been successfully used as a vehicle for malware on ports other than TCP ports 20 and 21, the ports FTP typically uses. This is certainly feasible, as many enterprises leave some of their high-numbered network ports open (and hence unsecured) for testing and management purposes. So an attacker may be able to sneak into a network that isn't properly secured by using FTP on non-standard ports. If proper security monitoring isn't implemented, the malicious traffic could be easily mistaken for standard FTP traffic.

However, a properly configured firewall should be able to defeat such intrusions by triggering an alert when any kind of non-standard FTP traffic is observed. For instance, alerting on certain unencrypted FTP commands like USER, PASS, LIST and RETR is a best practice worth considering. Similarly, consider alerting on common FTP return codes, including 331 (username OK, need password) and 125 (data connection already open; transfer starting). If this hasn't been done before in your organization, begin by monitoring FTP traffic for a period of time, map all traffic (and port use) to legitimate business uses, and then block FTP to ports that it doesn't normally use. This will ensure FTP malware can't sneak in through a "backdoor" port in the network.

This was first published in November 2013
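The following is an added example, not part of the original answer or of any Palo Alto Networks tooling. It implements the two-phase approach the answer describes: first baseline which server ports actually carry FTP control-channel traffic (identified by the cleartext commands USER, PASS, LIST, RETR and the reply codes 331 and 125), then alert on any such traffic to a port outside an allowlist. The input format (one dict per TCP segment with src, sport, dst, dport and payload) and the sample segments are constructed for this example; the "which end is the server" rule is an assumption that commands travel client-to-server and numeric replies server-to-client, which holds for the FTP control channel.

```python
"""Detect FTP control-channel traffic on non-standard server ports.

Added example; the segment format and sample data below are constructed.
"""
import re
from collections import Counter, defaultdict

STANDARD_FTP_PORTS = {20, 21}

# Cleartext FTP commands and reply codes named in the answer as alert-worthy.
WATCHED_COMMANDS = {"USER", "PASS", "LIST", "RETR"}
WATCHED_REPLIES = {"331", "125"}

# FTP commands are 3-4 letters, optional argument, CRLF terminated.
CMD_RE = re.compile(rb"^([A-Za-z]{3,4})(?: [^\r\n]*)?\r\n")
# FTP replies start with a 3-digit code followed by space (or '-' for multi-line).
REPLY_RE = re.compile(rb"^(\d{3})[ -][^\r\n]*\r\n")


def classify_payload(payload):
    """Return ("command", "USER"), ("reply", "331") or None for a TCP payload."""
    m = CMD_RE.match(payload)
    if m:
        return ("command", m.group(1).upper().decode("ascii"))
    m = REPLY_RE.match(payload)
    if m:
        return ("reply", m.group(1).decode("ascii"))
    return None


def is_watched(kind, token):
    """True if the token is one of the FTP commands/replies we alert on."""
    if kind == "command":
        return token in WATCHED_COMMANDS
    return token in WATCHED_REPLIES


def ftp_flows(segments):
    """Group watched FTP tokens by (client, server, server_port).

    Assumption: commands go client->server, so the server port is dport;
    numeric replies go server->client, so the server port is sport.
    """
    flows = defaultdict(Counter)
    for seg in segments:
        hit = classify_payload(seg["payload"])
        if hit is None or not is_watched(*hit):
            continue
        kind, token = hit
        if kind == "command":
            key = (seg["src"], seg["dst"], seg["dport"])
        else:
            key = (seg["dst"], seg["src"], seg["sport"])
        flows[key][token] += 1
    return flows


def baseline_ports(segments):
    """Phase 1: count FTP flows per server port to map port use to business needs."""
    return Counter(port for (_, _, port) in ftp_flows(segments))


def alerts(segments, allowed_ports=STANDARD_FTP_PORTS):
    """Phase 2: one alert per FTP flow whose server port is not allowlisted."""
    out = []
    for (client, server, port), tokens in sorted(ftp_flows(segments).items()):
        if port not in allowed_ports:
            out.append({"client": client, "server": server,
                        "port": port, "tokens": dict(tokens)})
    return out


# Constructed sample: a legitimate session on 21, a hidden FTP session on 8443,
# and an HTTP request on 8443 that must not be mistaken for FTP.
SAMPLE_SEGMENTS = [
    {"src": "10.0.0.5", "sport": 50123, "dst": "10.0.0.20", "dport": 21,
     "payload": b"USER backup\r\n"},
    {"src": "10.0.0.20", "sport": 21, "dst": "10.0.0.5", "dport": 50123,
     "payload": b"331 Password required for backup.\r\n"},
    {"src": "10.0.0.5", "sport": 50123, "dst": "10.0.0.20", "dport": 21,
     "payload": b"PASS hunter2\r\n"},
    {"src": "10.0.0.7", "sport": 50200, "dst": "203.0.113.9", "dport": 8443,
     "payload": b"USER anonymous\r\n"},
    {"src": "203.0.113.9", "sport": 8443, "dst": "10.0.0.7", "dport": 50200,
     "payload": b"331 Please specify the password.\r\n"},
    {"src": "10.0.0.7", "sport": 50200, "dst": "203.0.113.9", "dport": 8443,
     "payload": b"retr update.exe\r\n"},
    {"src": "203.0.113.9", "sport": 8443, "dst": "10.0.0.7", "dport": 50200,
     "payload": b"125 Data connection already open; Transfer starting.\r\n"},
    {"src": "10.0.0.8", "sport": 50300, "dst": "203.0.113.10", "dport": 8443,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
]

if __name__ == "__main__":
    print("FTP flows per server port:", dict(baseline_ports(SAMPLE_SEGMENTS)))
    for alert in alerts(SAMPLE_SEGMENTS):
        print("ALERT: FTP on non-standard port", alert)
```

Run the baseline first over a capture window, review `baseline_ports()` against known business uses, then feed the approved ports to `alerts()` as `allowed_ports`; anything left is a candidate for a firewall block. Matching on commands alone is noisy (HTTP's `GET` parses as a four-letter command too), which is why the allowlist of FTP-specific tokens does the real filtering.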
