The Internet Protocol Journal - Volume 2, No. 3

One Byte at a Time

One Byte at a Time: Is Your FTP Active or Passive?
by Thomas M. Thomas, NetCerts

What many people don't know is that the File Transfer Protocol (FTP) has two modes of operation that dramatically affect how it behaves and, as a result, the security of your network. The mode determines whether the FTP server or the FTP client initiates the TCP data connections that carry directory listings and file contents between server and client. (Commands and replies always travel on a separate control connection, which the client opens to port 21 on the server.) FTP supports two modes of operation, as follows:

  • The first FTP mode of operation is known as normal, though it is more often referred to as active. This mode of operation is typically the default in classic FTP clients.
  • The second FTP mode of operation is known as passive. In active (normal) FTP, the client opens a control connection to port 21 on the server, and whenever the client requests data, the server opens a new TCP connection from its port 20 back to a port on the client. In passive FTP, the client opens the data connection as well, to a port number supplied by the server.

Active FTP Operation

The active mode of operation is less secure than the passive mode, or at least much harder to secure on the client's side. Because the server opens the data connection back to the client, a firewall in front of the client must permit an inbound TCP connection from server port 20 to an unprivileged client port that it cannot know in advance; it must either leave the whole range above 1023 open or inspect the control channel for "PORT" commands and open each announced port on demand. The steps of this mode of operation are discussed below and are shown in Figure 1.

  • The client opens a control connection from a randomly chosen unprivileged port (greater than 1023) to port 21 on the server.
  • The server answers with a greeting reply (220), and the client and server then exchange commands and replies (login, working directory, and so on) on this control connection.
  • When the user requests a directory listing or initiates the sending or receiving of a file, the client software first sends a "PORT" command that carries the client's IP address and a port number > 1023 on which the client is now listening and which it wishes the server to use for the data connection. The server acknowledges the command (200).
  • The client then sends the transfer command (for example LIST, RETR, or STOR), and the server opens a data connection from its port 20 to the client's address and port, as provided to it in the "PORT" command.
  • The client accepts the connection and data flows. At the end of the transfer the server closes the data connection and reports completion (226) on the control connection.

Figure 1: Active-Mode FTP Connection


Passive FTP Operation

This mode of operation is considered more secure because every connection, control and data alike, is initiated by the client. A firewall in front of the client then needs to allow only outbound connections, and a firewall in front of the server needs to admit inbound connections only to the server's own address, on port 21 and on whatever range of ports the server hands out for data. This is the arrangement RFC 1579 [3] recommends for clients behind firewalls. The reason it is called passive is that the server performs a "passive open": it listens on a port and waits for the client to connect, instead of connecting out itself. The steps of this mode of operation are discussed below and are shown in Figure 2.

  • In passive FTP, the client opens a control connection to port 21 on the server and, before each transfer, requests passive mode through the use of the "PASV" command.
  • The server agrees to this mode, selects a random unprivileged port number (>1023), and starts listening on it. It supplies its IP address and this port number to the client in the 227 reply, "Entering Passive Mode (h1,h2,h3,h4,p1,p2)", where the port is p1 × 256 + p2.
  • The client receives this information, opens a data connection from one of its own unprivileged ports to the server-assigned port, and then sends the transfer command (LIST, RETR, or STOR) on the control connection.
  • The server accepts the connection and data flows. On completion it closes the data connection and reports success (226) on the control connection.
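The two exchanges described above, put into working code as an added example (this is not code from the article or from any FTP implementation): it encodes and parses the "PORT" command and the 227 "PASV" reply, derives from each which side listens and what a firewall must therefore admit, and produces the control-channel transcript for one LIST in each mode. The addresses and ports, the transcript's login lines, and the check that a "PORT" address matches the control-connection peer are assumptions made for this example, not something the article or RFC 959 prescribes.

```python
"""Active vs. passive FTP data-connection setup (RFC 959), as the
control-channel lines each side sends.  Added example, not code from the
article; every address and port below is a constructed test value."""
import re


def encode_hostport(ip, port):
    """Encode an IPv4 address and port as the h1,h2,h3,h4,p1,p2 form that
    both the PORT command and the 227 PASV reply use (port = p1*256 + p2)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %r" % port)
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(field):
    """Inverse of encode_hostport; rejects malformed or out-of-range fields
    instead of trusting whatever the peer put on the wire."""
    parts = field.split(",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("bad h1,h2,h3,h4,p1,p2 field: %r" % field)
    n = [int(p) for p in parts]
    port = n[4] * 256 + n[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(str(x) for x in n[:4]), port


def build_port_command(client_ip, client_port):      # client -> server (active)
    return "PORT %s\r\n" % encode_hostport(client_ip, client_port)


def parse_port_command(line):
    m = re.fullmatch(r"PORT ([0-9,]+)\r\n", line)
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return decode_hostport(m.group(1))


def build_pasv_reply(server_ip, server_port):        # server -> client (passive)
    return "227 Entering Passive Mode (%s).\r\n" % encode_hostport(server_ip, server_port)


def parse_pasv_reply(line):
    # RFC 1123 (sec. 4.1.2.6) tells clients not to depend on the exact reply
    # text or the parentheses, only on the 227 code and the six numbers.
    m = re.search(r"\d{1,3}(?:,\d{1,3}){5}", line)
    if not line.startswith("227 ") or not m:
        raise ValueError("not a PASV reply: %r" % line)
    return decode_hostport(m.group(0))


def data_connection_plan(mode, client_ip, server_ip, control_line):
    """Which side listens and which side connects for the data connection,
    given the control-channel line that announced the port.  The firewall
    rule each side needs follows directly from this."""
    if mode == "active":
        ip, port = parse_port_command(control_line)
        # Hardening assumption added for this example: the address in PORT
        # should equal the control-connection peer; the protocol itself does
        # not require the two to match.
        if ip != client_ip:
            raise ValueError("PORT address %s is not the control peer %s" % (ip, client_ip))
        return {"listens": ("client", ip, port),
                "connects_from": ("server", server_ip, 20),
                "firewall_must_allow": "inbound to client port %d from server port 20" % port}
    if mode == "passive":
        ip, port = parse_pasv_reply(control_line)
        return {"listens": ("server", ip, port),
                "connects_from": ("client", client_ip, None),
                "firewall_must_allow": "inbound to server port %d from the client" % port}
    raise ValueError("unknown mode %r" % mode)


def transcript(mode, client_ip, client_port, server_ip, server_port):
    """Control-channel lines each side sends to perform one LIST in the given
    mode (constructed exchange; the reply codes are RFC 959's), plus the plan."""
    lines = [("S", "220 Service ready for new user.\r\n"),
             ("C", "USER anonymous\r\n"),
             ("S", "331 User name okay, need password.\r\n"),
             ("C", "PASS guest@example.org\r\n"),
             ("S", "230 User logged in, proceed.\r\n")]
    if mode == "active":
        announce = build_port_command(client_ip, client_port)
        lines += [("C", announce), ("S", "200 Command okay.\r\n")]
    else:
        announce = build_pasv_reply(server_ip, server_port)
        lines += [("C", "PASV\r\n"), ("S", announce)]
    plan = data_connection_plan(mode, client_ip, server_ip, announce)
    lines += [("C", "LIST\r\n"),
              ("S", "150 File status okay; about to open data connection.\r\n"),
              ("S", "226 Closing data connection.\r\n")]
    return lines, plan


if __name__ == "__main__":
    for mode in ("active", "passive"):
        lines, plan = transcript(mode, "192.0.2.10", 1025, "198.51.100.7", 50000)
        print("==", mode, "==")
        for side, text in lines:
            print(side, text.rstrip())
        print("data connection:", plan["firewall_must_allow"])
```

Running the file prints both transcripts; the only lines that differ between the two modes are the "PORT"/"PASV" pair, yet the direction of the data connection, and so the firewall rule needed, reverses. The parsers reject anything other than six decimal fields of at most 255, since a server or client that accepts these values unchecked is taking an address and port straight from the peer.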

Figure 2: Passive-Mode FTP Connection


References

  1. Douglas E. Comer, Internetworking With TCP/IP, Volume 1: Principles, Protocols, Architecture, Third Edition, Prentice Hall, 1995, ISBN 0-13-216987-8.
  2. R. Braden, Ed., "Requirements for Internet Hosts - Application and Support," RFC 1123, October 1989.
  3. S. Bellovin, "Firewall-Friendly FTP," RFC 1579, February 1994.
  4. P. Deutsch, A. Emtage, A. Marine, "How to Use Anonymous FTP," RFC 1635, May 1994.

THOMAS M. THOMAS II has recently founded his own company, NetCerts (www.netcerts.com), to assist network engineers working toward their Cisco Certifications. Before starting NetCerts, Tom worked as a Course Developer at Cisco Systems for the Worldwide Training division, where he was part of a team developing a new course on Multilayer Switching. He also wrote the book OSPF Network Design Solutions for Cisco Press. Tom has also worked as a senior network engineer and group leader of the Advanced Systems Solutions Engineering Team for MCI's Managed Network Services. In this capacity, he developed network maintenance Standard Operating Procedures and performed various in-house training duties. Before joining MCI, Tom worked as a technical team leader at AT&T Solutions, where he provided technical support and network management for Cisco routers over ATM and Frame Relay and configured various networking protocols. E-mail: tothomas@netcerts.com