Re: Solaris home directories & Firewall test server??

From: Jonathan G. Lampe (jonathan@stdnet.com)
Date: 06/13/02


Date: Wed, 12 Jun 2002 17:49:25 -0500
To: stephen@acgroup.ucsc.edu, focus-sun@securityfocus.com
From: "Jonathan G. Lampe" <jonathan@stdnet.com>


> > 3-) What kind of security risks would we face by using/allowing passive
> > FTP?
>
>What is passive FTP?

Remember that FTP requires separate "control" and "data" connections...and
then think of two flavors of FTP transfers: active and passive.

In ACTIVE mode, the FTP client initiates a "control" connection to the
server on port 21. The FTP server then initiates a "data" connection from
port 20 back to the client on a temporary high port listening on the client.

In PASSIVE mode, the FTP client also initiates a "control" connection to
the server on port 21. However, in passive mode, the FTP client initiates
the "data" connection back to the server from some high port to a temporary
high port on the server.

PASSIVE mode has also been called "firewall friendly" because it allows the
FTP client to initiate both the control and data connections. (It can be
kind of dangerous to let a server connect to arbitrary high ports on the
Internet, which is usually what you have to do if you want to make ACTIVE mode
work.)

PASSIVE mode, however, does suffer one drawback - the client needs to be
able to connect to the server on a RANGE of ports. (Good FTP servers
always allow you to specify this range of ports to mitigate your risk.)

If you use a modern firewall, it can generally interpret (intercept) FTP
commands and open DYNAMIC ports for use with both passive FTP and often
active FTP. This mitigates almost all of the risk of FTP's high ports.

However, both your control channel and your data pass IN THE CLEAR using
normal FTP, so if your connections pass over any kind of untrusted network,
you probably want to look into FTPS (FTP over SSL) or tunneling your
traffic (w/ IPSec, SSH, etc.).

- Jonathan Lampe, GCIA, GSNA
- jonathan@stdnet.com
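To make the two flavours concrete, here is an added example (not part of Jonathan's post) that decodes the `h1,h2,h3,h4,p1,p2` address encoding shared by the client's `PORT` command and the server's `227` passive reply, and answers the question a firewall has to answer for each: who connects to whom, on which port, and does that port fall inside the server's configured passive range. The sample dialogue, addresses and the range 50000-50100 are all constructed for the illustration.

```python
import re
from ipaddress import IPv4Address

# Constructed sample FTP dialogue lines (not captured from a real session).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80)"
PORT_CMD = "PORT 198,51,100,7,234,17"
SERVER_IP = "192.0.2.10"
CLIENT_IP = "198.51.100.7"
PASSIVE_RANGE = (50000, 50100)  # assumed server-side configured range


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and 227 replies.
    The port is p1*256 + p2; all six fields must be 0..255."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range")
    host = str(IPv4Address(".".join(map(str, fields[:4]))))
    return host, fields[4] * 256 + fields[5]


def data_connection_for_pasv(reply, server_ip, passive_range):
    """Passive mode: the CLIENT opens the data connection to the server.
    Returns (dst_host, dst_port, allowed), where allowed is True only if the
    advertised endpoint is the server itself on a port inside its passive range,
    i.e. the one hole a firewall in front of the server needs to permit."""
    host, port = parse_hostport(reply)
    lo, hi = passive_range
    return host, port, (host == server_ip and lo <= port <= hi)


def data_connection_for_port(cmd, client_ip):
    """Active mode: the SERVER opens the data connection from port 20.
    Returns (dst_host, dst_port, allowed), where allowed is True only if the
    destination is the requesting client on a temporary high port, the only
    destination an active transfer legitimately needs."""
    host, port = parse_hostport(cmd)
    return host, port, (host == client_ip and port > 1023)


if __name__ == "__main__":
    print("PASV ->", data_connection_for_pasv(PASV_REPLY, SERVER_IP, PASSIVE_RANGE))
    print("PORT ->", data_connection_for_port(PORT_CMD, CLIENT_IP))
```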
