Thursday, 18 July 2013

Active FTP vs Passive FTP

Let's discuss Active vs Passive FTP today. As we all know, both are FTP and both can be used to upload or download files, but they differ in how they work. For a network security engineer (especially a firewall administrator) it's quite important to know this difference in the working of Active vs Passive FTP, so let's start with Active FTP.
Active FTP is the older mode: the control connection is initiated by the client, but the data connection is initiated by the server. As we know, FTP uses two ports (by default TCP ports 20 and 21): port 21 for the control connection and port 20 for the data connection. These ports belong to the server; the client is supposed to use a dynamic port > 1023. Let's take an example to understand how active FTP works. Suppose client "C" wants to access server "S", then


step 1 - C from port X (where X > 1023) sends a connection request to S on port 21 (assuming the default FTP port) and tells S which port to use for data transfer, which is generally X+1

step 2 - after processing the connection request, S from port 21 sends an ACK to C on port X

step 3 - now S from port 20 initiates a data connection to C on the port it got from C in step 1 (X+1)

step 4 - C from port X+1 sends an ACK to S on port 20

In active FTP, if the client is behind a firewall, the client-side firewall may cause a problem for step 3 (depending on the type and working of the firewall), because in step 3 the connection is initiated by the server on a different port. The server firewall only has to allow communication to S on TCP ports 20 and 21, but the client firewall would have to allow inbound communication to C on all TCP ports > 1023, which is a challenge for us: it creates a security risk for our network. If I am going to host a public FTP server, my objective is to allow any client to connect even if they are behind a firewall, and I can't force them to allow all TCP ports > 1023 on their firewall. So what to do? Here Passive FTP can help. Let's see how passive FTP addresses this problem, taking the same example again (client "C", server "S"). Here, after getting the request from the client, the server is supposed to offer a dynamic port instead of the fixed port 20 for data transfer and start listening on the offered port; the data connection is then initiated by the client itself. Let's take a look at how it works.

step 1 - C from port X (where X > 1023) sends a connection request to S on port 21 (assuming the default FTP port) and sends a PASV command instead of PORT

step 2 - after processing the connection request, S from port 21 sends an ACK to C on port X, and because it received PASV in step 1, S opens a dynamic port for data transfer and sends this port information to C as well (assuming S sends port Y > 1023 to C for data transfer)

step 3 - now C from port X+1 initiates a data connection to S on port Y (the port it got from S in step 2)

step 4 - S from port Y starts the data transfer to C on port X+1

So in passive FTP both the control and data connections are initiated by the client only; no connection is initiated by the server. But here we have a risk on the server side, because now the server firewall must allow communication on all TCP ports > 1023, as C will send its second request, for the data connection, to a dynamic port on S. To address this security risk on servers configured for passive FTP, we are recommended to define a certain range of ports to be offered by the server to clients, instead of giving it the freedom to use any port, and then configure the firewall to allow communication for that port range only. In this way we are able to reduce the risk, but we can't remove it completely.
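As an added example (not part of the original post), here is a small Python helper that decodes the port information carried in the active-mode PORT command and in the passive-mode 227 reply, and checks a PASV offer against the passive port range you opened on the server firewall. The sample messages and the 50000-50100 range are constructed for illustration.

```python
import re

# FTP carries the data-connection endpoint as six decimal numbers:
# four address octets followed by the port split into high and low bytes
# (port = p1 * 256 + p2). The client sends PORT h1,h2,h3,h4,p1,p2 in
# active mode; the server answers PASV with "227 ... (h1,h2,h3,h4,p1,p2)".
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= v <= 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_port_command(line):
    """Active mode: the client tells the server where to connect from port 20."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    return _decode(m.groups())


def parse_pasv_reply(line):
    """Passive mode: the server tells the client which port it is listening on."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply")
    return _decode(m.groups())


def pasv_port_allowed(port, low, high):
    """True if the offered passive port lies inside the range the firewall permits."""
    return low <= port <= high


# Constructed sample messages (not captured from a real session)
if __name__ == "__main__":
    ip, port = parse_port_command("PORT 192,168,1,10,4,1")
    print("active: server port 20 will connect to", ip, port)   # 192.168.1.10 1025
    ip, port = parse_pasv_reply("227 Entering Passive Mode (203,0,113,5,195,81).")
    print("passive: client will connect to", ip, port)         # 203.0.113.5 50001
    print("offer inside 50000-50100:", pasv_port_allowed(port, 50000, 50100))
```

A firewall administrator can run the same check on the 227 replies seen in the server log to confirm that the FTP daemon never offers a port outside the range the firewall opens.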

Summary

Active FTP
C:X   ==> S:21  - Control connection (command) - Client to Server
S:20  ==> C:X+1 - Data connection              - Server to Client

Passive FTP
C:X   ==> S:21  - Control connection (command) - Client to Server
C:X+1 ==> S:Y   - Data connection              - Client to Server

I hope the above discussion of Active FTP and Passive FTP is clear and understandable to you :-)

Note - Please send your suggestions, if any, and let me know if you find this blog meaningful to you.

Monday, 15 July 2013

Forward Proxy vs Reverse Proxy

Today we are going to discuss two well-known categories of proxy: the forward proxy and the reverse proxy. First of all, what is a proxy? In computer networking the term proxy is used for a node or application which acts on behalf of a client or a server. It's neither the original source nor the original destination; instead it's an intermediate which acts on behalf of either the client (source) or the server (destination). Based on its placement and working, it can be categorized as a forward proxy or a reverse proxy.

Forward Proxy - This type of proxy is generally placed on the side closer to a client or a group of clients and helps to hide the source identity. For example, if I want to allow my LAN to access internet resources but I don't want to reveal their identity to outsiders, then a forward proxy is helpful to me. In a forward proxy implementation, all LAN users generate their requests for internet or external resources with their own identity, addressed to the server hosted on the internet or outside your network. This packet is processed by the proxy, and depending on your configuration the proxy performs filtering and authentication. If the packet is allowed, the proxy forwards it to the destination server hosted on the internet or outside, with the proxy's own identity as the source. Once the packet is delivered, the server generates the response and delivers it to the proxy, because the server assumes the proxy is its client; the server (or any other node beyond the proxy) gets no idea about the internal client in the LAN. The proxy then forwards this response to the original client in the LAN.

We have one more concept in this category, the Open Proxy. An open proxy is again a forward proxy, but one which is accessible to any internet user to place web service or any other internet service requests anonymously; any internet user can use an open proxy to hide their own identity. It is generally used by attackers to make tracking difficult (not impossible, but difficult), as it hides the source identity.

Reverse Proxy - This type of proxy is generally placed on the side closer to a server or a group of servers and helps to hide the server's identity. For example, if I have a server or multiple servers hosted in my DMZ and I want to allow secure access to these servers for internet users or outsiders, but I don't want to share my servers' details with them, then a reverse proxy is helpful to me. In a reverse proxy implementation I have to advertise that all my services are hosted on the proxy's IP, but actually they are hosted on an internal server, or maybe multiple internal servers. Because I am advertising the proxy's IP for my services, all external or internet users' requests are destined to the proxy. The proxy accepts those requests on behalf of the server(s) and, depending on your configuration, performs filtering and authentication (we may configure different filtering and authentication for different servers). If the packet is allowed, it is forwarded to the appropriate server; the server processes it and generates a response, which is forwarded to the proxy. The proxy then removes the server's identity and forwards the packet to the client with its own identity. This complete process is hidden from the client: for all external or internet clients the proxy acts as the final server. The client assumes that all these responses are coming from the proxy itself and gets no idea about the internal servers hosted in the DMZ, so for all external and internet users the proxy is acting as the server.

I hope I have made Forward and Reverse Proxy understandable to you; if not, please let me know your valuable suggestions to make it clearer. :-)

Sunday, 14 July 2013

NAT vs Proxy

Hello friends, let's have some discussion on NAT and Proxy today. In this article I am going to highlight some differences between NAT and Proxy, especially from a security point of view. As we all know, these two terms can be defined as follows:

NAT - Network Address Translation, which can be used to translate the source/destination address and source/destination port as per our need.

Proxy - A node which works on behalf of a server/client.

Now let's compare these two from a security point of view, starting with NAT. NAT can be used to mask your original address/port from outsiders with the help of translation, but it creates a direct circuit (communication path) between client and server. If a client requests a session through NAT, the packet is processed by the NAT enforcement node, only the address/port in the header is translated as per your configuration, and the packet is forwarded to the server with all other header information intact (and vice versa for the reply packet). So outsiders will not be able to see the original address/port, but the rest of the header information will be visible. On the other hand, a proxy can be used to mask your original address along with a few more security options like authentication, and in the case of a proxy there is no direct circuit between client and server. That's why a proxy can be referred to as a Circuit Level Gateway as well: it breaks your circuit and maintains two circuits, one between client and proxy and the other between proxy and server. If a client requests a session through a proxy, the request packet is processed by the proxy itself; it pretends to be the server toward the client, takes only the payload of the client packet (excluding the complete header), and crafts a new packet for the server with new header information, pretending to be the client toward the server (and vice versa for the reply packet). So outsiders will not be able to see any header information including your original address/port; they see the proxy's headers instead.
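As an added illustration (not from the original post), the following Python model compares what the server still sees of the client's own header after NAT and after a proxy. The Packet fields are a simplified IP/TCP header chosen for this example; the addresses, TTL and window values are constructed, and the point is that OS-dependent fields such as TTL and window size survive NAT but not a proxy.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """Simplified header plus payload; field names are an assumption for this model."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ttl: int        # IP time-to-live, chosen by the client's operating system
    window: int     # TCP window size, also operating-system dependent
    payload: bytes


def nat_translate(pkt, public_ip, public_port):
    """NAT: only the source address/port is rewritten; every other field passes untouched."""
    return replace(pkt, src_ip=public_ip, src_port=public_port)


def proxy_relay(pkt, proxy_ip, proxy_port, proxy_ttl=64, proxy_window=65535):
    """Proxy: a brand-new packet built from the proxy's own header; only the payload is copied."""
    return Packet(proxy_ip, proxy_port, pkt.dst_ip, pkt.dst_port,
                  proxy_ttl, proxy_window, pkt.payload)


def leaked_fields(original, forwarded):
    """Header fields the server still sees with the client's original values."""
    fields = ("src_ip", "src_port", "ttl", "window")
    return [f for f in fields if getattr(original, f) == getattr(forwarded, f)]


# Constructed client packet: Windows-like TTL 128 and window 8192
CLIENT_PKT = Packet("10.0.0.5", 40000, "203.0.113.7", 80, ttl=128, window=8192,
                    payload=b"GET / HTTP/1.1\r\nHost: example\r\n\r\n")

if __name__ == "__main__":
    via_nat = nat_translate(CLIENT_PKT, "198.51.100.1", 50001)
    via_proxy = proxy_relay(CLIENT_PKT, "198.51.100.2", 50002)
    print("client values still visible after NAT:  ", leaked_fields(CLIENT_PKT, via_nat))
    print("client values still visible after proxy:", leaked_fields(CLIENT_PKT, via_proxy))
```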

In summary, a proxy is more secure than NAT as it hides the complete header, and it may provide authentication and caching too, but NAT is faster than a proxy when it comes to performance.

I hope this helps you understand the security differences between these two widely used options in today's computer networks. :-)

Friday, 12 July 2013

Protocol vs Service

Just think: HTTP, FTP, SMTP, PPP, SLIP, SNMP, etc. Should these be treated as Protocols or Services? Or which one is a protocol and which one is a service? In computer networking it sometimes becomes a challenge to identify protocols and services, and it's not wise to memorize a list, so let's discuss some points which can help us differentiate protocols and services. As we know, we can define these two terms as follows:

Protocol - Set of rules
Service - Serving something

From the above definitions it's quite simple: all services should be treated as protocols, as without following rules it's not possible to deliver a service, but the reverse is not true; not all protocols are services. To make this simpler we can take the OSI and DoD/TCP models as reference: anything which goes above the Transport layer should be a service, and below the transport layer it should be a protocol. In short we can say "when a protocol gets mapped to a port number it becomes a service, else it should be treated as a protocol". As we know, port numbers belong to the transport layer; anything going above transport uses a port number, whether a TCP port or a UDP port, and below transport we don't have ports. Let's get back to our original question and check whether this rule helps us identify them correctly:
HTTP, FTP, SMTP and SNMP - all these use a certain port, so they should be categorized as Services, whereas PPP and SLIP should be categorized as Protocols, as they work without a port.

I hope this helps you understand protocol vs service in computer networking. :-)