Amer Networks E5Web GUI User Manual
Page 389

File Transfer Protocol (FTP) is a TCP/IP-based protocol for exchanging files between a client and a
server. The client initiates the connection by connecting to the FTP server. Normally the client
needs to authenticate itself by providing a predefined login and password. After granting access,
the server will provide the client with a file/directory listing from which it can download/upload
files (depending on access rights). The FTP ALG is used to manage FTP connections through the
Clavister Security Gateway.
FTP Connections
FTP uses two communication channels, one for control commands and one for the actual files
being transferred. When an FTP session is opened, the FTP client establishes a TCP connection
(the control channel) to port 21 (by default) on the FTP server. What happens after this point
depends on the FTP mode being used.
FTP Connection Modes
FTP operates in two modes: active and passive. These determine the role of the server when
opening data channels between client and server.
• Active Mode
In active mode, the FTP client sends a command to the FTP server indicating what IP address
and port the server should connect to. The FTP server establishes the data channel back to
the FTP client using the received address information.
• Passive Mode
In passive mode, the data channel is opened by the FTP client to the FTP server, just like the
command channel. This is the mode most often recommended as the default for FTP clients,
though some guidance recommends the opposite.
A Discussion of FTP Security Issues
Both active and passive modes of FTP operation present problems for Clavister Security
Gateways. Consider a scenario where an FTP client on the internal network connects through the
security gateway to an FTP server on the Internet. The IP rule is then configured to allow network
traffic from the FTP client to port 21 on the FTP server.
When active mode is used, cOS Core does not know that the FTP server will establish a new
connection back to the FTP client. Therefore, the incoming connection for the data channel will
be dropped. As the port number used for the data channel is dynamic, the only way to solve this
is to allow traffic from all ports on the FTP server to all ports on the FTP client. Obviously, this is
not a good solution.
When passive mode is used, the security gateway does not need to allow connections from the
FTP server. On the other hand, cOS Core still does not know what port the FTP client will try to
use for the data channel. This means that it has to allow traffic from all ports on the FTP client to
all ports on the FTP server. Although this is not as insecure as in the active mode case, it still
presents a potential security threat. Furthermore, not all FTP clients are capable of using passive
mode.
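The two connection modes and the dynamic-port problem described above can be made concrete by inspecting the FTP command channel, which is what an FTP ALG does instead of opening "all ports to all ports". The following Python example is added here for illustration and is not code from the manual or from cOS Core: it parses the client's PORT command (active mode) and the server's 227 reply (passive mode) from a constructed sample session, computes the single data-channel endpoint that a gateway would need to permit, and rejects a PORT command whose address does not match the client that sent it (that consistency check is a hardening choice assumed here, not something this page describes). IPv4 only; the extended EPRT/EPSV commands are not handled.

```python
import re
from dataclasses import dataclass

# Constructed sample session (not captured from a real server). The client is on
# the internal network, the server on the Internet, with the gateway in between.
CLIENT_IP = "10.0.0.5"
SERVER_IP = "203.0.113.10"

SAMPLE_CONTROL_CHANNEL = [
    ("client", "USER alice\r\n"),
    ("server", "331 Password required\r\n"),
    ("client", "PASS secret\r\n"),
    ("server", "230 Login successful\r\n"),
    # Active mode: client tells the server to connect back to 10.0.0.5:50000
    ("client", "PORT 10,0,0,5,195,80\r\n"),
    ("server", "200 PORT command successful\r\n"),
    # Passive mode: server tells the client to connect to 203.0.113.10:50210
    ("client", "PASV\r\n"),
    ("server", "227 Entering Passive Mode (203,0,113,10,196,34)\r\n"),
    # Address in PORT does not belong to the client: a sane ALG refuses to open it
    ("client", "PORT 192,0,2,99,0,25\r\n"),
]


@dataclass(frozen=True)
class DataChannel:
    """The one data connection the gateway needs to allow for this transfer."""
    mode: str      # "active" (server connects to client) or "passive" (client to server)
    src_ip: str    # endpoint that will initiate the data connection
    dst_ip: str    # endpoint that will accept it
    dst_port: int  # dynamic port learned from the command channel


# h1,h2,h3,h4,p1,p2 as used by PORT and the 227 reply; port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from a PORT/227 line, or None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    if any(v > 255 for v in h):
        return None
    return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]


def expected_data_channel(sender, line, client_ip, server_ip):
    """Inspect one command-channel line; return the DataChannel it announces,
    None if the line announces nothing, or raise ValueError if it is unsafe."""
    line = line.rstrip("\r\n")
    if sender == "client" and line.upper().startswith("PORT "):
        parsed = parse_hostport(line)
        if parsed is None:
            raise ValueError(f"malformed PORT: {line!r}")
        ip, port = parsed
        if ip != client_ip:
            raise ValueError(f"PORT address {ip} does not match client {client_ip}")
        if port < 1024:
            raise ValueError(f"PORT asks for privileged port {port}")
        return DataChannel("active", server_ip, client_ip, port)
    if sender == "server" and line.startswith("227 "):
        parsed = parse_hostport(line)
        if parsed is None:
            raise ValueError(f"malformed 227 reply: {line!r}")
        ip, port = parsed
        if ip != server_ip:
            raise ValueError(f"227 address {ip} does not match server {server_ip}")
        if port < 1024:
            raise ValueError(f"227 reply asks for privileged port {port}")
        return DataChannel("passive", client_ip, server_ip, port)
    return None


def pinholes_for_session(lines, client_ip, server_ip):
    """Walk the reassembled command channel and collect the exact data channels
    to allow, plus the reasons for anything refused."""
    allowed, rejected = [], []
    for sender, line in lines:
        try:
            channel = expected_data_channel(sender, line, client_ip, server_ip)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if channel is not None:
            allowed.append(channel)
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = pinholes_for_session(SAMPLE_CONTROL_CHANNEL, CLIENT_IP, SERVER_IP)
    for ch in ok:
        print(f"allow {ch.mode}: {ch.src_ip} -> {ch.dst_ip}:{ch.dst_port}")
    for reason in bad:
        print(f"reject: {reason}")
```

Run as-is, the script reports one active-mode pinhole (server to client port 50000), one passive-mode pinhole (client to server port 50210) and one rejected PORT command. The point the passage makes is visible in the output: with the command channel parsed, the rule needed is a single source, destination and port per transfer rather than "all ports on the FTP client to all ports on the FTP server".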
The cOS Core ALG Solution
The cOS Core FTP ALG deals with these issues by fully reassembling the TCP stream of the FTP
command channel and examining its contents. By doing this, cOS Core knows what port to
open for the data channel. Furthermore, the FTP ALG also provides functionality to filter out
Chapter 6: Security Mechanisms