Use of FTP is on the decline across the Internet because many sites are choosing to offer HTTP file download instead. Still, FTP will be a part of many networks for some time. Secure FTP (SFTP), which uses Secure Shell (SSH), is the more appropriate choice where it is available on your internal network. FTP operates in one of two modes, active or passive; one is easy to pass through a firewall, and the other is not.

Active Mode

Active mode is the default mode for FTP and the harder of the two modes to pass through a firewall. In this mode, the FTP transfer follows these steps:


The client initiates a TCP connection from a random high port to port 21 (FTP Command) on the FTP server.


When the client is ready to download, it sends the PORT command over this TCP connection, informing the FTP server to which port it should connect on the client machine. This is always a high port above 1023.


The server initiates a connection from port 20 (FTP Data) to the high port specified by the PORT command.


File transfer occurs.

The problem with this mode is that the server opens a connection to the client in addition to the connection the client already has with the server. Without a firewall that is aware of how active-mode FTP works, the perimeter access control rules would have to allow traffic from port 20 inbound to any high port on any machine. It is for this reason that some organizations without FTP-aware firewalls (usually basic stateless ACLs) choose not to allow active mode; the security risks are too great. FTP-aware firewalls watch for the PORT command from the client and dynamically open the connection from the server to the client.

Passive Mode

Passive mode is a more secure option than active mode because all communications are initiated by the client. The following steps occur:


The client initiates a TCP connection from a random high port to port 21 (FTP Command) on the FTP server.


When the client is ready to transfer files, it sends the PASV command to the server, indicating that the client wants to enter passive mode. The server responds with an OK followed by a high port number to use for the transfer.


The client opens a new TCP connection to the server from a different high port to the high port indicated in the OK reply.


File transfer occurs.

Most web browsers support passive-mode FTP natively. Use passive mode whenever possible.
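As an added example (not code from the book), the following shows what an FTP-aware firewall has to do in the two modes just described: parse the client's PORT command or the server's 227 reply to PASV, derive the dynamic data-channel endpoint, and open one specific pinhole instead of the blanket "port 20 inbound to any high port" rule. The function names, the DataRule type and the sample session lines are constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional
# RFC 959 writes an endpoint as six decimal numbers h1,h2,h3,h4,p1,p2 with
# port = p1*256 + p2.  The client sends PORT (active mode); the server's 227
# reply to PASV carries the same encoding (passive mode).
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

@dataclass(frozen=True)
class DataRule:
    mode: str                # "active" or "passive"
    opener: str              # side that opens the data connection
    src_port: Optional[int]  # 20 in active mode; an unknown client high port in passive
    dst: str                 # "host:port" the opener connects to

def _decode(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def _check(host, port, expected_host, what):
    # Open a pinhole only to the peer that actually spoke on the command
    # channel, and only to a port above 1023 (the data port is always a high
    # port); a PORT/PASV endpoint naming any other host or port is refused.
    if host != expected_host or port <= 1023:
        raise ValueError(f"refusing {what} to {host}:{port}")

def rule_for_port(line, client_ip):
    """Active mode: client sent PORT, so the server will connect from port 20."""
    m = _PORT_RE.match(line)
    if not m: raise ValueError("not a PORT command")
    host, port = _decode(m.groups())
    _check(host, port, client_ip, "PORT")
    return DataRule("active", "server", 20, f"{host}:{port}")

def rule_for_pasv_reply(line, server_ip):
    """Passive mode: server answered PASV, so the client will connect to it."""
    m = _PASV_RE.match(line)
    if not m: raise ValueError("not a 227 reply")
    host, port = _decode(m.groups())
    _check(host, port, server_ip, "PASV")
    return DataRule("passive", "client", None, f"{host}:{port}")

if __name__ == "__main__":
    # Constructed sample exchange: client 192.0.2.10, server 198.51.100.5.
    print(rule_for_port("PORT 192,0,2,10,4,1", "192.0.2.10"))
    print(rule_for_pasv_reply("227 Entering Passive Mode (198,51,100,5,195,80).", "198.51.100.5"))
```

The two rules returned are the only data-channel connections a firewall tracking this session needs to permit; a stateless ACL has no way to learn them and must instead allow the whole high-port range.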

Network Security Architectures
ISBN: 158705115X
Year: 2006
Pages: 249
Authors: Sean Convery