Pages

Thursday, 18 July 2013

Active FTP vs Passive FTP

Let's discuss Active vs Passive FTP today, as we all know both are FTP which can be use to upload or download files but they have difference in their working. For a network security engineer (specially for firewall administrator) it's quite important to know this difference in working of Active vs Passive FTP so starting with Active FTP
Active FTP is old concept in which control connection is initiated by client but data connection is initiated by server. as we know two ports are being used by FTP (by default TCP port 20 & 21) one for control connection which is 21 and another for data connection which is 20 and these ports are mapped to server client is supposed to use dynamic port > 1023. let's take one example to understand working of active FTP suppose client "C" want to access server "S" then


step 1 - C from port X (where X>1023) send connection request to S on port 21 (assuming default for FTP) and C send a port to use for data transfer which is generally X+1

step 2 - after processing connection request S port 21 will send ACK to C on port X

step 3 - now S from port 20 initiate a data connection to C on port what he got from C in step 1(X+1)

step 4 - C from port X+1 sends ACK to S on port 20

in active FTP if client is behind firewall then client side firewall may create problem (depends on type and working of firewall) for step 3 as in step 3 connection is initiated by server on a different port so in this case server firewall should be configured to allow communication to S on TCP port 20 & 21 but on client firewall it should be configured to allow communication to C on all TCP port > 1023 which is challenge for us. it will create security risk to our network but if i am going to host a public FTP my objective will be to allow any client to connect even they are behind firewall and i can't force them to allow all TCP port > 1023 on their firewall then what to do, here Passive FTP can help let's see how passive FTP will address this problem i am going to take same example again to explain working of passive FTP (assuming client "C" server "S") here after getting request from client server is suppose to offer a dynamic port instead of fixed port 20 to client for data transfer and start listening on offered port to client then connection should be initiated from client itself let's take a look how it works

step 1 - C from port X (where X>1023) send connection request to S on port 21 (assuming default for FTP) and C send a PASV signal instaed of PORT

step 2 - after processing connection request S port 21 will send ACK to C on port X and because he has received PASV signal in step 1, S will open a dynamic port for data transfer and send this port info as well to C (assuming S send port Y>1023 to C for data transfer).

step 3 - now C from port X+1 initiate a data connection to S on port Y (what he got from S in step 2)

step 4 - S from port Y start data transfer to C on port X+1

so in passive FTP both control and data connections are initiated by client only, no connection initiated by server but here we have risk with server security because now server firewall should be configured to allow communication on all TCP port > 1023 as C will send second request for data connection on dynamic port to S. just to address this security risk to such server which are configured for passive FTP we are recommended to define certain range of port to be offered by server to client instead of giving them freedom use any port and then we need to configure firewall to allow communication for given port range only in this way we will be able to reduce risk but we can't remove it completely.

Summary
Active FTP 
C:X ==> S:21  - Control connection (command) - Client to Server
S:20 ==> C:X+1 - Data Connection   - Server to Client

Passive FTP
     C:X ==> S:21 - Control connection (command) - Client to Server
C:X+1 ==> S:Y - Data connection  - Client to Server

 I hope above Active FTP and Passive FTP discussion is clear & understandable to you :-)

Note - Please send you suggestion if any and acknowledge if you find this blog meaningful to you.

No comments:

Post a comment