The Summary View

Understanding the Summary View

The Summary View provides the administrator with a one page overview of the server’s configuration and any potential security issues that may be present.

The server scans the current Cerberus configuration at startup, and every time a configuration change is made, to look for any potential security issues that might result from the current system configuration. System warnings and messages are displayed in the System Messages list and each protocol type is given an overall security status indicator.

The Cerberus FTP Server 9.0 Desktop Summary View

The possible statuses for each protocol type are:

  • Secure – All listeners currently active for this protocol type are configured to accept only encrypted connections.
  • Not Secure – Some or all listeners currently active for this protocol type are configured to allow unencrypted connections.
  • Disabled – There are no listeners currently active on the server for this protocol.

Common System Messages

There are generally two types of system messages displayed in the System Messages list – general messages and security messages.

Anytime a protocol is listed as Not Secure there will be a system security message detailing the reason. Common system messages, their explanation and resolution, if applicable, are detailed below.

  • FTP Listener X can allow unencrypted control or data connections

    Background: Plain FTP has no encryption, so usernames, passwords and file contents cross the network in the clear. Two secure variants address this: implicit FTPS and explicit FTPES. Implicit FTPS works much like HTTPS: it runs on a separate port from normal FTP and the TLS handshake happens before any FTP command is exchanged, so listeners of this type are always encrypted and considered secure. Explicit FTPES instead starts as an ordinary unencrypted FTP connection and is “upgraded” to an encrypted one through special FTP commands (the client issues AUTH TLS for the control channel, then PBSZ and PROT P for the data channel). Because the upgrade is initiated by the client, a client can simply never request it and carry on as plain FTP. Unless the server is configured to refuse such sessions, the listener therefore allows unencrypted connections, which is the security issue this message reports.

    Resolution: There are two ways to resolve this while still allowing FTP access. The first is to remove all FTP listeners and enable only FTPS listeners; FTPS listeners accept only encrypted communications and are considered secure.

    The second, if you also want to allow explicit FTPES connections, is to make the FTP listener require encryption before a session may proceed. Go to the Interfaces page of the Server Manager and, for each FTP interface, select both the Require Secure Control and the Require Secure Data options. The first ensures the control connection (logins and commands) is encrypted before the session continues; the second ensures directory listings and file transfers are encrypted as well. Select both: a listener with only one of them set can still carry unencrypted traffic and remains Not Secure.

    For more detailed information, please take a look at our information page describing the different forms of FTP and secure FTP.

  • HTTP Listener X only accepts unencrypted connections

    Background: HTTP connections are never encrypted, so credentials and file contents are visible to anyone able to observe the traffic. System administrators are encouraged to disable HTTP listeners in favor of secure HTTPS listeners.

    Resolution: Either disable every HTTP listener on the system, or set the redirect to HTTPS flag on the HTTP listener so that any connection is immediately redirected to HTTPS before credentials or data are exchanged. HTTPS listeners do not trigger a security issue. Disabling the listener is the stronger option: with a redirect in place, the client's first request still travels over the network in the clear before it is sent to HTTPS.

  • HIPAA Non-compliance: One or more listeners allows non-encrypted traffic

    Background: HIPAA requires all data to be encrypted before being sent over a network. You have an active listener that allows data to be transmitted without encryption.

    An FTP listener without the Require Secure Control and Require Secure Data settings will trigger this warning. An HTTP listener that is not configured to redirect to HTTPS will also result in a warning. Allowing SSH SFTP to use no encryption (configured from the Advanced section on the Security page of the Server Manager) will also result in a warning.

    Resolution: To resolve this issue the system administrator must disable any HTTP listeners in the system (or set them to redirect to HTTPS), configure FTP listeners to require both secure control and secure data connections, and make sure the Advanced section of the Security page does not allow SSH SFTP connections to use no encryption.
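The status rules and messages above are easy to get wrong by hand when a server has many listeners, so the following added example (written for this page, not Cerberus code) applies them to a constructed listener table and reports what the Summary View would show. The `Listener` fields and the global settings (`deny_fxp`, `deny_reserved_ports`, `remote_admin_password`, `sftp_no_encryption_allowed`) are assumed names chosen to mirror the options named in the text; they are not the server's real configuration schema.

```python
"""Added example (not Cerberus code): a small audit that applies the
Summary View rules to a constructed listener table.

Field and setting names are assumptions mirroring the options named on
this page, not the server's real configuration schema.
"""
from dataclasses import dataclass


@dataclass
class Listener:
    name: str
    kind: str                             # "ftp", "ftps", "http", "https" or "sftp"
    active: bool = True
    require_secure_control: bool = False  # FTP listeners only
    require_secure_data: bool = False     # FTP listeners only
    redirect_to_https: bool = False       # HTTP listeners only


# How the Summary View groups listener kinds into protocol types.
PROTOCOL_OF = {"ftp": "FTP", "ftps": "FTP",
               "http": "HTTP", "https": "HTTP",
               "sftp": "SFTP"}


def allows_plaintext(lsn, sftp_no_encryption_allowed=False):
    """True if a session on this listener may run without encryption."""
    if lsn.kind == "ftp":
        # An explicit-FTPES listener is only safe when BOTH the control and
        # the data connections are forced to be encrypted.
        return not (lsn.require_secure_control and lsn.require_secure_data)
    if lsn.kind == "http":
        return not lsn.redirect_to_https
    if lsn.kind == "sftp":
        # SSH always encrypts unless the server allows "no encryption".
        return sftp_no_encryption_allowed
    return False  # ftps and https are encrypted before any command is sent


def protocol_status(listeners, sftp_no_encryption_allowed=False):
    """Secure / Not Secure / Disabled per protocol type, as on the Summary View."""
    status = {}
    for proto in ("FTP", "HTTP", "SFTP"):
        active = [l for l in listeners if l.active and PROTOCOL_OF[l.kind] == proto]
        if not active:
            status[proto] = "Disabled"
        elif any(allows_plaintext(l, sftp_no_encryption_allowed) for l in active):
            status[proto] = "Not Secure"
        else:
            status[proto] = "Secure"
    return status


def system_messages(listeners, sftp_no_encryption_allowed=False,
                    deny_fxp=True, deny_reserved_ports=True,
                    remote_admin_password=""):
    """The security messages listed on this page, derived from the configuration."""
    msgs = []
    active = [l for l in listeners if l.active]
    for lsn in active:
        if lsn.kind == "ftp" and allows_plaintext(lsn):
            msgs.append(f"FTP Listener {lsn.name} can allow unencrypted control or data connections")
        if lsn.kind == "http" and allows_plaintext(lsn):
            msgs.append(f"HTTP Listener {lsn.name} only accepts unencrypted connections")
    if any(allows_plaintext(l, sftp_no_encryption_allowed) for l in active):
        msgs.append("HIPAA Non-compliance: One or more listeners allows non-encrypted traffic")
    if not deny_fxp:
        msgs.append("FXP is enabled and could leave the server vulnerable to an FTP bounce attack")
    if not deny_reserved_ports:
        msgs.append("Server is configured to allow FTP data connection to reserved ports")
    if not remote_admin_password:
        msgs.append("You should set a Remote Access password")
    return msgs


# Constructed configurations: a weak set of listeners and the same set hardened.
WEAK = [Listener("1", "ftp"), Listener("2", "http"), Listener("3", "sftp")]
HARDENED = [Listener("1", "ftp", require_secure_control=True, require_secure_data=True),
            Listener("2", "http", redirect_to_https=True),
            Listener("3", "sftp")]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        hardened = label == "hardened"
        print(label, protocol_status(cfg))
        for m in system_messages(cfg, deny_fxp=hardened, deny_reserved_ports=hardened,
                                 remote_admin_password="set" if hardened else ""):
            print("  -", m)
```

Note that setting only Require Secure Control on an FTP listener still leaves the FTP protocol Not Secure in this model, since unencrypted data connections remain possible; both options are needed.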

  • FXP is enabled and could leave the server vulnerable to an FTP bounce attack

    Background: The FTP bounce attack abuses the PORT command. A client uses PORT to tell the server where to open the data connection, and nothing in the protocol restricts that address to the client's own. An attacker can therefore point PORT at a third-party host and port and use the server as a middle man: the connection appears to come from the FTP server and can reach hosts and ports that are not directly reachable from the attacker, for example to port-scan an internal network. FXP (server-to-server transfer) legitimately relies on PORT naming a different host, so allowing FXP means allowing exactly this behaviour.

    Resolution: Go to the Advanced page of the Server Manager and check the option to Deny FXP Transfers.

  • Server is configured to allow FTP data connection to reserved ports

    Background: You will receive this warning if you have configured Cerberus to allow FTP data connections to ports less than 1025. Ports 1 through 1024 are intended for system services, so those ports are called reserved ports. FTP should normally not be allowed to establish data connections within that port range, since a PORT command naming a reserved port would make the server connect to a system service rather than to a client's data socket.

    Resolution: Go to the Advanced page of the Server Manager and check the option to Deny Reserved Ports.
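The three FTP items above (the FTPES upgrade that Require Secure Control and Require Secure Data enforce, Deny FXP Transfers against the bounce attack, and Deny Reserved Ports) all come down to what the server does with a handful of control-channel commands. The following added example (written for this page, not Cerberus's implementation) models an FTP control channel with those three policies as switches, so the client/server exchange for the weak and the hardened configuration can be compared side by side. Reply codes follow RFC 959 / RFC 4217 conventions but the reply wording is the model's own; no real TLS is performed, AUTH TLS only sets a flag where a real server would wrap the socket; the addresses and the passive endpoint are constructed.

```python
"""Added example (not Cerberus code): a model of an FTP control channel
enforcing Require Secure Control / Require Secure Data, Deny FXP and
Deny Reserved Ports.  Reply texts are this model's own wording; no real
TLS handshake takes place.
"""


class FtpSession:
    def __init__(self, peer_ip, require_secure_control=False,
                 require_secure_data=False, deny_fxp=True,
                 deny_reserved_ports=True):
        self.peer_ip = peer_ip              # address of the control connection
        self.require_secure_control = require_secure_control
        self.require_secure_data = require_secure_data
        self.deny_fxp = deny_fxp
        self.deny_reserved_ports = deny_reserved_ports
        self.control_tls = False            # set by AUTH TLS
        self.data_private = False           # set by PROT P
        self.logged_in = False

    def handle(self, line):
        """Process one command line and return the server reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()

        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            self.control_tls = True         # a real server wraps the socket here
            return "234 AUTH TLS OK; control channel now encrypted"
        if verb == "PBSZ":
            return "200 PBSZ=0" if self.control_tls else "503 Issue AUTH TLS first"
        if verb == "PROT":
            if not self.control_tls:
                return "503 Issue AUTH TLS first"
            self.data_private = arg.upper() == "P"
            return f"200 Protection level set to {arg.upper()}"

        if verb in ("USER", "PASS"):
            # Require Secure Control: no credentials over a plaintext channel.
            if self.require_secure_control and not self.control_tls:
                return "530 Encrypted control connection required; issue AUTH TLS first"
            if verb == "USER":
                return "331 Password required"
            self.logged_in = True
            return "230 Logged in"

        if not self.logged_in:
            return "530 Please log in"
        if verb == "PASV":
            if self.require_secure_data and not self.data_private:
                return "522 Data connections must be encrypted; issue PROT P first"
            return "227 Entering Passive Mode (198,51,100,10,195,80)"  # constructed endpoint
        if verb == "PORT":
            return self._port(arg)
        return "502 Command not implemented in this model"

    def _port(self, arg):
        """PORT h1,h2,h3,h4,p1,p2: validate where the server is being told to connect."""
        parts = arg.split(",")
        if len(parts) != 6 or not all(p.isdigit() and int(p) < 256 for p in parts):
            return "501 Syntax error in PORT argument"
        host = ".".join(parts[:4])
        port = int(parts[4]) * 256 + int(parts[5])
        if self.require_secure_data and not self.data_private:
            return "522 Data connections must be encrypted; issue PROT P first"
        # Deny FXP: the data endpoint must be the client we are already talking to.
        # Connecting anywhere else is exactly what a bounce attack needs.
        if self.deny_fxp and host != self.peer_ip:
            return f"500 PORT to {host} refused; address must match the control connection"
        # Deny Reserved Ports: never open data connections to system service ports.
        if self.deny_reserved_ports and port < 1025:
            return f"500 PORT to reserved port {port} refused"
        return f"200 PORT accepted ({host}:{port})"


def run(session, commands):
    """Drive a session with a list of commands; return (command, reply) pairs."""
    return [(cmd, session.handle(cmd)) for cmd in commands]


if __name__ == "__main__":
    lax = FtpSession("203.0.113.5")                       # neither Require Secure option set
    strict = FtpSession("203.0.113.5", require_secure_control=True, require_secure_data=True)
    script = ["USER alice", "AUTH TLS", "USER alice", "PASS s3cret", "PASV",
              "PBSZ 0", "PROT P", "PASV",
              "PORT 198,51,100,7,0,25",   # bounce attempt: third-party host, port 25
              "PORT 203,0,113,5,4,1"]     # legitimate: client's own address, port 1025
    for name, session in (("lax", lax), ("strict", strict)):
        print(f"--- {name} ---")
        for cmd, reply in run(session, script):
            print(f"C: {cmd}\nS: {reply}")
```

Running it shows the difference the settings make: the lax session accepts `USER`/`PASS` and `PASV` before any `AUTH TLS`, while the strict one answers 530 to the login and 522 to the data request until the client has upgraded both channels. The bounce attempt is refused in both sessions only because Deny FXP is on; with `deny_fxp=False` and `deny_reserved_ports=False` the same `PORT` line is accepted and the server would connect to the third party.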

  • You should set a Remote Access password

    Background: Web administration and SOAP API remote access use the admin password to control or deny access to the server; this warning is shown while no such password has been set.

    Resolution: Go to the Remote page of the Server Manager and set an admin password.