The behavior of FTP

Java Security,Windows code security, Windows Server 2003 Security,Internet Explorer 7 Security and Internet Firewalls questions and answers

(Continued from previous question...)

The behavior of FTP

Or, ``Why do I have to open all ports above 1024 to my FTP server?''

FTP doesn't really look a whole lot like other applications from a networking perspective.

It keeps one listening port, port 21, which users connect to. All it does is let people log on, and establish ANOTHER connection to do actual data transfers. This second connection is usually on some port above 1024.

There are two modes, ``active'' (normal) and ``passive'' mode. This word describes the server's behaviour.

In active mode, the client (5.6.7.8) connects to port 21 on the server (1.2.3.4) and logs on. When file transfers are due, the client allocates a dynamic port above 1024, informs the server about which port it opened, and then the server opens a new connection to that port. This is the ``active'' role of the server: it actively establishes new connections to the client.

In passive mode, the connection to port 21 is the same. When file transfers are due, the SERVER allocates a dynamic port above 1024, informs the client about which port it opened, and then the CLIENT opens a new connection to that port. This is the ``passive'' role of the server: it waits for the client to establish the second (data) connection.

If your firewall doesn't inspect the application data of the FTP command connection, it won't know that it needs to dynamically open new ports above 1024.

On a side note: The traditional behaviour of FTP servers in active mode is to establish the data session FROM port 20, and to the dynamic port on the client. FTP servers are steering away from this behaviour somewhat due to the need to run as ``root'' on unix systems in order to be able to allocate ports below 1024. Running as ``root'' is not good for security, since if there's a bug in the software, the attacker would be able to compromise the entire machine. The same goes for running as ``Administrator'' or ``SYSTEM'' (``LocalSystem'') on NT machines, although the low port problem does not apply on NT.

To sum it up, if your firewall understands FTP, it'll be able to handle the data connections by itself, and you won't have to worry about ports above 1024.

If it does NOT, there are four issues that you need to address:

* Firewalling an FTP server in active mode
You need to let your server open new connections to the outside world on ports 1024 and above * Firewalling an FTP server in passive mode
You need to let the outside world connect to ports 1024 and above on your server. CAUTION!!!! There may be applications running on some of these ports that you do NOT want outside people using. Disallow access to these ports before allowing access to the 1024-65535 port range.
* Firewalling FTP clients in active mode
You need to let the outside world connect to ports 1024 and above on your clients. CAUTION!!!! There may be applications running on some of these ports that you do NOT want outside people using. Disallow access to these ports before allowing access to the 1024-65535 port range.
* Firewalling FTP clients in passive mode
You need to let your clients open new connections to the outside world on ports 1024 and above.

Again, if your firewall understands FTP, none of the four points above apply to you. Let the firewall do the job for you.

(Continued on next question...)

Other Interview Questions

• Is Java secure?
• What are the risks?
• How common are security breaches?
• Who is at risk?
• How can I protect myself?
• What about products that claim to detect malicious applets?
• What about products that claim to block Java applets at a firewall?
• Which is more secure: Java or ActiveX?
• Which version of my browser should I use?
• What about ``hostile applets?''
• I run a Web server. Am I at risk?
• What about JavaScript?
• What’s the difference between code-based security and role-based security? Which one is better?
• How can you work with permissions from your .NET application?
• How can C# app request minimum permissions?
• What’s a code group?
• What’s the difference between authentication and authorization?
• What are the authentication modes in ASP.NET?
• Are the actual permissions for the application defined at run-time or compile-time?
• # What’s the difference between local, global and universal groups?
• # I am trying to create a new universal user group. Why can’t I?
• # What is LSDOU?
• # Why doesn’t LSDOU work under Windows NT?
• # Where are group policies stored?
• # What is GPT and GPC?
• # Where is GPT stored?
• # You change the group policies, and now the computer and user settings are in conflict. Which one has the highest priority?
• # You want to set up remote installation procedure, but do not want the user to gain access over it. What do you do? gponame–>
• # What’s contained in administrative template conf.adm?
• # How can you restrict running certain applications on a machine?
• # You need to automatically install an app, but MSI file is not available. What do you do?
• # What’s the difference between Software Installer and Windows Installer?
• # What can be restricted on Windows Server 2003 that wasn’t there in previous products?
• # How frequently is the client policy refreshed?
• # Where is secedit?
• # You want to create a new group policy but do not wish to inherit.
• # What is "tattooing" the Registry?
• # How do you fight tattooing in NT/2000 installations?
• # How do you fight tattooing in 2003 installations?
• # What does IntelliMirror do?
• # What’s the major difference between FAT and NTFS on a local machine?
• # How do FAT and NTFS differ in approach to user shares?
• # Explan the List Folder Contents permission on the folder in NTFS.
• # I have a file to which the user has access, but he has no folder permission to read it. Can he access it?
• # For a user in several groups, are Allow permissions restrictive or permissive?
• # For a user in several groups, are Deny permissions restrictive or permissive?
• # What hidden shares exist on Windows Server 2003 installation?
• # What’s the difference between standalone and fault-tolerant DFS (Distributed File System) installations?
• # We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box.
• # Where exactly do fault-tolerant DFS shares store information in Active Directory?
• # Can you use Start->Search with DFS shares?
• # What problems can you have with DFS installed?
• # I run Microsoft Cluster Server and cannot install fault-tolerant DFS.
• # Is Kerberos encryption symmetric or asymmetric?
• # How does Windows 2003 Server try to prevent a middle-man attack on encrypted line?
• # What hashing algorithms are used in Windows 2003 Server?
• # What third-party certificate exchange protocols are used by Windows 2003 Server?
• # What’s the number of permitted unsuccessful logons on Administrator account?
• # If hashing is one-way function and Windows Server uses hashing for storing passwords, how is it possible to attack the password lists, specifically the ones using NTLMv1?
• # What’s the difference between guest accounts in Server 2003 and other editions?
• # How many passwords by default are remembered when you check "Enforce Password History Remembered"?
• #1: Default protection from potentially dangerous Active X controls
• #2: Per-zone control of Active X opt-in
• #3: Site and zone locking for Active X controls
• #4: Protection against phishing
• #5: Cross-domain security
• #6: Locked down security zones
• #7: Better SSL/TLS notification and digital certificate info
• #8: Privacy protection features
• #9: Address bars
• #10: International character alert
• What is a network firewall?
• Why would I want a firewall?
• What can a firewall protect against?
• What can't a firewall protect against?
• What about viruses and other malware?
• Will IPSEC make firewalls obsolete?
• Where can I get more information on firewalls on the Internet?
• What are some of the basic design decisions in a firewall?
• What are the basic types of firewalls?
• Network layer firewalls
• Application layer firewalls
• What are proxy servers and how do they work?
• What are some cheap packet screening tools?
• What are some reasonable filtering rules for a kernel-based packet screen?
• What are some reasonable filtering rules for a Cisco?
• What are the critical resources in a firewall?
• What is a DMZ, and why do I want one?
• How might I increase the security and scalability of my DMZ?
• What is a `single point of failure', and how do I avoid having one?
• How can I block all of the bad stuff?
• How can I restrict web access so users can't view sites unrelated to work?
• What is source routed traffic and why is it a threat?
• What are ICMP redirects and redirect bombs?
• What about denial of service?
• What are some common attacks, and how can I protect my system against them?
• Do I really want to allow everything that my users ask for?
• How do I make Web/HTTP work through my firewall?
• How do I make SSL work through the firewall?
• How do I make DNS work with a firewall?
• How do I make FTP work through my firewall?
• How do I make Telnet work through my firewall?
• How do I make Finger and whois work through my firewall?
• How do I make gopher, archie, and other services work through my firewall?
• What are the issues about X11 through a firewall?
• How do I make RealAudio work through my firewall?
• How do I make my web server act as a front-end for a database that lives on my private network?
• But my database has an integrated web server, and I want to use that. Can't I just poke a hole in the firewall and tunnel that port?
• How Do I Make IP Multicast Work With My Firewall?
• What is a port?
• How do I know which application uses what port?
• What are LISTENING ports?
• How do I determine what service the port is for?
• What ports are safe to pass through a firewall?
• The behavior of FTP
• What software uses what FTP mode?
• Is my firewall trying to connect outside?
• The anatomy of a TCP connection
• Glossary of Firewall-Related Terms