Company Computer Routes All Connectivity Through FTP-ALG

Chris J Beausoleil

Occasional Visitor
I am having a very difficult time posting. I am unable to post because I am getting errors. Something is obstructing my attempts; please be patient.

Summary: A household member uses a Company Computer and works from home. The computer is part of the company domain, it has a policy that disables the user any administrative privilege, and it had been configured to route all connectivity through the FTP-ALG port.

19 Oct 2020 I found that a company computer was routing all traffic (not ping) through ftp-alg. I couldn't find any info and none of my searches returned anything about ftp-alg. Recently I found information related:

This post was made a month after I made my finding:

here, user juched wrote "I have been turning off all ALG items for a few months now due to security issues"

An aside: I don't know why I never found this before as my search term was exactly the same "site:snbforums.com ftp-alg" and I search every so often.

Backstory
=======

A user in the household uses a company Windows Surface computer. The company is large with one or two IT workers in each office. The company uses TeamViewer and FortiClient. We use an Asus RT-AC68U.

Neither TeamViewer nor FortiClient required ftp-alg (port 2021):

Forticlient requirements
Fortigate open ports
Teamviewer port requirements

I have been trying to post all day. I am unable to post to this forum and unable to start conversations. I don't know what is interfering. This post is unfinished.

will continue if and when able.

The FTP-ALG port bugged me and on my firmware there is no disable option so I changed the FTP-ALG port (default is 2021) number and found the company computer lost all internet connectivity for the browser and many other apps like windows store; windows reported it had no internet connection but I was able to ping 8.8.8.8.
 

I'm not sure what your question is here? Are you asking why the enterprise laptop is sending all traffic to TCP 2021 somewhere? My initial guess would be that the company uses a hosted proxy solution that happens to use TCP 2021. What are you trying to do here? You should not be trying to manipulate traffic flows for the enterprise device. Let the enterprise deal with that. If you don't like that flow on your network, get the enterprise device off your network then.
 
When I posted the above in July I was being blocked; I was unable to complete my posts, which is why the messages are broken. I tried for 2 or three days to post but every day I was blocked.

All browser traffic for the company computer was being routed through ftp-alg port. I could find very little information on ftp-alg in my google searches. At the time I had no idea the traffic was being routed through ftp-alg and didn't know it could even be done I just thought the work computer was using ports 80 and 443 for web browser data transfer.

When I changed the port number of the ftp-alg port all traffic to the browser and I think some other components of the machine were blocked. When the IT guy was queried, had he configured the computer to pass all traffic through ftp-alg (port 2021) he gave no reasonable comment, however immediately, port 2021 was no longer being exploited for browser (and whatever else) traffic. Also I think that the IT guy left his position and went to something else.

You should not be trying to manipulate traffic flows for the enterprise device.

I was not trying to manipulate traffic for the enterprise device. It was an accidental discovery.

What are you trying to do here?

I was maintaining my network as responsibly as I am able with my limited not-in-the-club knowledge with which club members have been so blessed; some do their best some are just well dressed. :)

I did not know that browser traffic was coming through the ftp-alg port and my wife had not been told her work computer was configured so. I had my router set up with security in mind. The discovery that all browser traffic (and who knows what else) was transmitting through the ftp-alg port was accidental and realized only when I changed the ftp-alg port and saw that all the internet connectivity had been stopped. Ping and some other tools were able to connect to the internet, but all browser traffic was broken when the ftp-alg port was changed.

The company did not need to run traffic through ftp-alg and this is verified by the fact that when discovered the activity immediately stopped with no loss in the company computer's communicative functionality. All necessary resources to my knowledge (port 80, 443) were available for effecting proper communication between our home network and the remote workplace environment. The apps used for remote, and vpn etc had all the necessary resources to work properly.

So my question was why would someone push web browser traffic into a home network via the ftp-alg port when it seems it was unnecessary. Has anyone ever heard of this? Is this common? Do all company IT workers sneak traffic into home networks through ftp-alg? Is this a security concern? I read that ftp-alg could be a security concern. I had no idea it was possible to run all browser traffic (and who knows what else) through ftp-alg port 2021 and certainly didn't expect anyone to do it when ports 80 and 443 are available. Furthermore, I hadn't at the time found any information on the net about browser traffic being routed through ftp-alg (port 2021). I thought that was just for FTP file transfer stuff.

This seems an important if not interesting situation that deserved attention. I mean, I haven't seen any tutorials that show how to pass traffic through a router firewall by using ftp-alg port 2021. So maybe it is inside information? Like so many other things? :)

If you don't like that flow on your network, get the enterprise device off your network then.

I read somewhere about online etiquette; how easy it is to abuse or misuse tone. "get the enterprise device off your network then"? The work computer? During Covid lockdown?
 
It is difficult to follow what you're describing, probably because you're missing certain pieces of information and making incorrect assumptions.

I think your main mistake is thinking that port 2021 is some sort of reserved port that must only ever be used for "ftp-alg". It's not. Port 2021 is an arbitrary port that Asus chose to use for FTP servers. They could have chosen almost any other number, it makes no difference. From what you've said it sounds like your company happens to have chosen this same number for their purposes. That's just an unfortunate coincidence.

What is more unclear is what your company is using port 2021 for. It could be a VPN port, but you haven't said anything about VPNs. It might just be a proxy port for web traffic. That is common practice for a work computer.

The solution, which I think you have found yourself, is to simply change the router's FTP-ALG port to something else so there is no conflict.
 
It is difficult to follow what you're describing
And it was very difficult trying to post it. I was blocked from posting to the forum for two or three days. I just opened an account and this was the second or so post. As I wrote the post using the browser logged into the site, every so often all the text I was typing into the browser environment was being deleted. I finally gave up trying to use the browser and I used text editor.:) After three days of trying to post I had to leave it. :)

probably because you're missing certain pieces of information

By missing certain pieces of information do you mean a) information about ftp-alg or b) that I was missing certain pieces of information from my post, i.e., I didn't provide enough information about my situation?

regarding a) I web searched in several sessions of an hour or more noise filtering the internet and found very little helpful information regarding ftp-alg or the security issues related to the employment of ftp-alg. Recently my search results have changed and I have found a bit more information.

regarding b) I don't know which information I should have provided.

you're making incorrect assumptions
I don't think I am making assumptions. Please don't bump it in that direction, thank you. My concern and interest regarding this situation has always been centered around security: by passing all connectivity through "ftp-alg" ftp port does this create opportunity to exploit ALG's abilities for example NAT slipstreaming:

More on nat-slipstreaming

...ALG (application level gateway), and is the primary component within the NAT that facilitates the NAT Slipstreaming attack...

... that risk is especially great when it comes to unmanaged devices, as those don't have inherent security capabilities, and often offer interfaces for controlling them and accessing their data with little-to-no authentication, within the internal network. Exposing these interfaces directly to the Internet is a serious security risk. Examples include:

An office printer that can be controlled through its default printing protocol, or through its internal web server. An industrial controller that uses an unauthenticated protocol for monitoring and controlling its function. An IP camera that has an internal web server displaying its feed, which can commonly be accessed with default credentials.

Using the new variant of the NAT Slipstreaming attack to access these types of interfaces from the Internet, can result in attacks that range from a nuisance to a sophisticated ransomware threat. https://www.armis.com/research/nat-slipstreaming-v20/
Also see

I think your main mistake is thinking that port 2021 is some sort of reserved port that must only ever be used for "ftp-alg"

No. That supposition never entered my thinking. I wasn't coming from that direction. I was interested in the security.

From what you've said it sounds like your company happens to have chosen this same number for their purposes. That's just an unfortunate coincidence.
It's not my company.

You said earlier that I was making incorrect assumptions. If I am able, I avoid unhealthy assumption. I tried communicating with the IT department about this and there was no returned interest. I wrote nothing to lead any reader to conclude the corporation chose port 2021 "for their purposes" and that it is part of company IT infrastructure policy. "That's just an unfortunate coincidence." Maybe, maybe not. It supports the company saying it that way, but I am not convinced, and why agree and suppose the company's IT policy when I don't have that information? Proxy for web traffic? Maybe. But I still wonder about pushing all a computer's web traffic through ftp.

It could be a VPN port, but you haven't said anything about VPNs.
I did. I listed applications the company used for VPN and secure remote correspondence. In my first post I listed the VPN apps:

The company uses TeamViewer and FortiClient...

Neither TeamViewer nor FortiClient required ftp-alg (port 2021):

Forticlient requirements
Fortigate open ports
Teamviewer port requirements

I have thoughts about why company IT pushed data through 2021 which on my asus router is the ftp-alg port; the IT guy asked my wife what kind of router we had and so he knew it was an asus.

Is it a security concern that the company computer was pushing web traffic through ftp? If it is, maybe ftp-alg should have a disable button in case the router owner has limited resources or doesn't know how to access the router via ssh and command line interface.

Thank you.
 
Sorry, I forgot about Fortigate being a VPN as I read those links 5 months ago.

By missing certain pieces of information do you mean a) information about ftp-alg or b) that I was missing certain pieces of information from my post, i.e., I didn't provide enough information about my situation?
Neither. I meant that you don't know all the technical details of how the computer is communicating with the company. You've asked the "IT guy" for this but you haven't received any useful explanation.

My concern and interest regarding this situation has always been centered around security:
Then I was misunderstanding your original post. I thought you were asking why things stopped working when you changed the FTP-ALG port.

by passing all connectivity through "ftp-alg" ftp port does this create opportunity to exploit ALG's abilities for example NAT slipstreaming:
NAT slipstreaming doesn't require the user to be sending data through the FTP-ALG port.

I wrote nothing to lead any reader to conclude the corporation chose port 2021 "for their purposes" and that it is part of company IT infrastructure policy.
I thought this was the whole crux of your initial post (with port 2021 being the router's FTP-ALG port): "The computer is part of the company domain, it has a policy that disables the user any administrative privilege, and it had been configured to route all connectivity through the FTP-ALG port."

Is it a security concern that the company computer was pushing web traffic through ftp? If it is, maybe ftp-alg should have a disable button in case the router owner has limited resources or doesn't know how to access the router via ssh and command line interface.
AFAICT they are not pushing anything (web or otherwise) "through ftp", although they do appear to be using port 2021 for "something" but we don't know what. In any case changing the router's FTP-ALG port to something other than 2021 shouldn't break anything. The fact that it does is the confusing part.
 
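Added example, not part of any post in this thread: one way to see what a LAN device is really sending to port 2021 is to tally the router's connection-tracking table by destination port and list the remote peers on that port. It assumes a saved copy of `/proc/net/nf_conntrack` in the usual Linux layout; the sample lines, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in /proc/net/nf_conntrack layout. 192.168.1.50 stands in
# for the work laptop, 198.51.100.7 for the router's WAN address.
SAMPLE = """\
# constructed snapshot
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=51514 dport=2021 src=203.0.113.10 dst=198.51.100.7 sport=2021 dport=51514 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431812 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=51520 dport=2021 src=203.0.113.10 dst=198.51.100.7 sport=2021 dport=51520 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 98 TIME_WAIT src=192.168.1.50 dst=203.0.113.10 sport=51498 dport=2021 src=203.0.113.10 dst=198.51.100.7 sport=2021 dport=51498 [ASSURED] mark=0 use=2
ipv4     2 udp      17 25 src=192.168.1.50 dst=192.168.1.1 sport=53001 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=53001 mark=0 use=2
ipv4     2 icmp     1 29 src=192.168.1.50 dst=8.8.8.8 type=8 code=0 id=1 src=8.8.8.8 dst=198.51.100.7 type=0 code=0 id=1 mark=0 use=2
ipv4     2 tcp      6 431000 ESTABLISHED src=192.168.1.23 dst=203.0.113.80 sport=40000 dport=443 src=203.0.113.80 dst=198.51.100.7 sport=443 dport=40000 [ASSURED] mark=0 use=2
"""

def original_tuple(line):
    """Return (proto, src, dst, dport) for the original direction, or None."""
    fields = line.split()
    if len(fields) < 4 or fields[0] not in ("ipv4", "ipv6"):
        return None                      # header, comment or truncated line
    first = {}
    for key, value in re.findall(r"(\w+)=(\S+)", line):
        first.setdefault(key, value)     # first occurrence = original direction
    if "src" not in first or "dst" not in first:
        return None
    # ICMP entries carry type/code/id instead of ports, so dport is None there.
    dport = int(first["dport"]) if "dport" in first else None
    return fields[2], first["src"], first["dst"], dport

def ports_used_by(text, host):
    """Count flows opened by `host`, keyed by (protocol, destination port)."""
    tally = Counter()
    for entry in map(original_tuple, text.splitlines()):
        if entry and entry[1] == host:
            tally[(entry[0], entry[3])] += 1
    return tally

def peers_on_port(text, host, port):
    """Remote addresses `host` talks to on `port`; one peer suggests a proxy or gateway."""
    return sorted({e[2] for e in map(original_tuple, text.splitlines())
                   if e and e[1] == host and e[3] == port})

if __name__ == "__main__":
    for (proto, dport), n in ports_used_by(SAMPLE, "192.168.1.50").most_common():
        print(f"{proto:5} dport={dport} flows={n}")
    print("peers on 2021:", peers_on_port(SAMPLE, "192.168.1.50", 2021))
```

Run against a real snapshot taken before and after changing the router's FTP-ALG port, the two tallies show whether the laptop's port-2021 flows disappear or are merely no longer completing.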
FTP-ALG port to something other than 2021 shouldn't break anything. The fact that it does is the confusing part.
Yes. I am thinking the same thing. Really though, dead stop; when I change the port number everything on the laptop lost all communication, boom jjjjooost like dat; ping and a few

Thank you for all the time you put into this post. I really appreciate the way you communicate. That NAT slipstreaming sure is interesting though eh?
 
