2010-05-11 23:46:42
The document defines Security Extensions to the FTP protocol. These extensions provide strong authentication, integrity, and confidentiality on both the control and data channels with the introduction of new optional commands, replies, and file transfer encodings.
A widely implemented security extension to the FTP protocol is the use of the SSL (Secure Sockets Layer) version 3.0 or TLS (Transport Layer Security) version 1.0 protocol. It is documented in the Internet-Draft Securing FTP with TLS. The SSL/TLS protocol runs above the transport layer (TCP/IP), but below the application layer protocol. Therefore, it is relatively easy to implement for securing all sorts of application protocols such as HTTP, Telnet, POP3, IMAP4, SMTP and FTP.
In actual FTP client and server implementations there exist at least two distinct mechanisms by which the SSL security extension is initiated: explicit (active) and implicit (passive) security.
You can think of implicit security as "always on" and explicit security as "turn on". The following nice drawing, taken from the GlobalScape Inc. website, contrasts implicit and explicit SSL connections:
When using FTP over SSL/TLS, in short FTPS, the control connection is encrypted and therefore unreadable for entities other than the FTP client and the FTP server. As a consequence, NAT/PAT devices and firewalls can no longer monitor the negotiation of the data connection and do smart things with that information. This places some serious limitations on the practical use of the FTPS protocol through all sorts of firewalls and Network Address Translators.
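As an added illustration of this point (not part of the original article), the following Python sketch emulates what a stateful FTP application filter must do with PORT commands and 227 replies to open the data connection, and shows that once the control channel is wrapped in TLS it has nothing to work from. The addresses, messages and the stand-in TLS record are constructed.

```python
import re
from typing import Optional

# Constructed sample control-channel messages, as an FTP application filter on a
# firewall/NAT device sees them on a plaintext TCP/21 session (addresses made up).
CLIENT, SERVER = "192.0.2.10", "198.51.100.7"
PLAINTEXT_SESSION = [
    ("client", b"PORT 192,0,2,10,19,137\r\n"),
    ("server", b"227 Entering Passive Mode (198,51,100,7,195,80)\r\n"),
    ("client", b"PORT 203,0,113,5,4,1\r\n"),  # address is not the client's own
]
# Constructed stand-in for a TLS record on the control channel after AUTH TLS:
# the filter now sees ciphertext instead of "PORT ..." / "227 ..." text.
TLS_RECORD = b"\x17\x03\x01\x00\x10" + bytes(range(0xF0, 0x100))

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text: str) -> Optional[tuple[str, int]]:
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT and the 227 reply."""
    m = _HOSTPORT.search(text)
    if not m or max(int(x) for x in m.groups()) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_channel_rule(sender: str, payload: bytes) -> tuple[Optional[dict], str]:
    """Return the one-shot rule the filter would open for the data connection
    (or None) plus the reason; mirrors what a stateful FTP filter must do."""
    try:
        line = payload.decode("ascii").strip()
    except UnicodeDecodeError:
        return None, "opaque payload (encrypted control channel): no rule can be derived"
    if sender == "client" and line.upper().startswith("PORT "):
        hp = parse_hostport(line)
        # Only accept an ephemeral port on the client that sent the command.
        if hp is None or hp[0] != CLIENT or hp[1] < 1024:
            return None, f"PORT rejected: {hp}"
        return {"dir": "inbound", "src": SERVER, "dst": hp[0], "dport": hp[1]}, "PORT mode"
    if sender == "server" and line.startswith("227"):
        hp = parse_hostport(line)
        # Only accept an ephemeral port on the server that sent the reply.
        if hp is None or hp[0] != SERVER or hp[1] < 1024:
            return None, f"227 rejected: {hp}"
        return {"dir": "outbound", "src": CLIENT, "dst": hp[0], "dport": hp[1]}, "PASV mode"
    return None, "not a data-channel negotiation"

if __name__ == "__main__":
    for who, msg in PLAINTEXT_SESSION + [("client", TLS_RECORD)]:
        print(who, data_channel_rule(who, msg))
```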
Note: a good discussion about some of the issues with running FTP, secured with SSL/TLS, through firewalls can be found in the Internet-Draft . Keep in mind that an Internet-Draft is "work in progress".
It must be clear that the FTP Application Filter on the ISA server cannot help you in this situation. Therefore, you will have a hard time supporting FTPS through ISA for SecureNAT clients. In fact, many firewalls will have trouble fully supporting the FTPS protocol (PORT and PASV mode) in a secure way. However, with the ISA server you should be able to fully support FTPS if the Firewall client is installed on the client machine. In that case you must follow the configuration steps outlined for FTP client access to an FTP server on an alternate port number and for server publishing an FTP server on an alternate port number.
For FTPS client access, the custom FTP protocol definition I refer to (see section 4.3. Firewall client) should be slightly adapted. For the mode Implicit Security the primary connection should be TCP port 990 Outbound. If you also have to support the mode Explicit Security then some more work has to be done. Because Explicit Security uses the standard FTP Control port TCP port 21, you need to first disable the FTP Application Filter. Otherwise, the FTP Application Filter would interfere with the FTPS Control connection. Next, in the custom FTP protocol definition use as primary connection TCP port 21 Outbound. As a consequence, SecureNAT clients will no longer be able to access FTP servers.
6 Conclusion
The FTP protocol is a somewhat messy protocol that definitely wasn’t designed with firewall security in mind. FTP clients can use one of the two modes: PORT and PASV mode. While PORT mode has been around for a longer time, PASV mode is more popular because it doesn’t require a new inbound connection to be made to the FTP client from the FTP server. Modern firewalls and NAT devices have components that are able to handle the connection request details contained in the PORT and PASV commands to improve on the security issues related to the FTP protocol.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! – Stefaan.