FTP
Use of FTP is on the decline across the Internet because many sites are choosing to offer HTTP file download instead. Still, FTP will be a part of many networks for some time. Secure FTP (SFTP), which uses Secure Shell (SSH), is more appropriate, where available on your internal network. There are two modes (active or passive) in which FTP operates; one is easy to pass through a firewall, and the other is not.
Active Mode
Active mode is the default mode for FTP and the harder of the two modes to pass through a firewall. In this mode, the FTP transfer follows these steps:
|
1. |
The client initiates a TCP connection from a random high port to port 21 (FTP Command) on the FTP server.
|
|
2. |
When the client is ready to download, it sends the PORT command over this TCP connection, informing the FTP server to which port it should connect on the client machine. This is always a high port above 1023.
|
|
3. |
The server initiates a connection from port 20 (FTP Data) to the high port specified by the PORT command.
|
|
4. |
File transfer occurs.
|
The problem with this mode is that the server is opening a connection to the client in addition to the client having a connection with the server. Without a firewall that is aware of how activemode FTP works, the perimeter access control rules would have to allow traffic from port 20 inbound to any high port on any machine. It is for this reason that some organizations without FTP-aware firewalls (usually basic stateless ACLs) choose not to allow active mode; the security risks are too great. FTP-aware firewalls watch for the PORT command from the client and dynamically open the connection from the server to the client.
Passive Mode
Passive mode is a more secure option than active mode because all communications are initiated by the client. The following steps occur:
|
1. |
The client initiates a TCP connection from a random high port to port 21 (FTP Command) on the FTP server.
|
|
2. |
When the client is ready to transfer files, it sends the PASV command to the server, indicating that the client wants to enter passive mode. The server responds with an OK followed by a high port number to use for the transfer.
|
|
3. |
The client opens a new TCP connection to the server from a different high port to the high port indicated in the OK reply.
|
|
4. |
File transfer occurs.
|
Most web browsers support passive-mode FTP natively. Use passive mode whenever possible.