FTP (File Transfer Protocol) is a standard network protocol for transferring files between a client and a server over a TCP/IP network such as the Internet.
At the end of the article you will find a small test that will allow you to assess the knowledge acquired from this reading.
FTP lets you move files from one host to another and also manage files on the server. Note that plain FTP provides no confidentiality: user names, passwords and file contents cross the network in cleartext, so on untrusted networks it should be replaced by FTPS (FTP over TLS) or SFTP (file transfer over SSH). What follows about connection modes concerns how the data connection is set up, which is the same in FTP and FTPS.
In FTP, there are two connection modes: Active FTP and Passive FTP.
Active FTP
In active FTP, the connection is initiated from the client to a command port on the server. When the client requests a file transfer, the server initiates the data connection back to the client.
The flow of information in Active FTP occurs as follows:
- The client connects from a random port (N) to port 21 on the server (the FTP control port) and sends a PORT command. This command tells the server the client's IP address and the port on which the client is listening for the data connection (conventionally N+1).
- On receiving this command, the server connects from its data port (port 20 by default) to the address and port specified by the client, and the data transfer begins.
Advantages of Active FTP
- Easier server-side configuration: the server only needs to accept inbound connections on a single port (21); the data connection is outbound from port 20.
Disadvantages of Active FTP
- Firewall problems: Clients behind a firewall or NAT often have problems with Active FTP, because the firewall sees the data connection initiated by the server as unsolicited inbound traffic and blocks it (unless an FTP-aware helper rewrites the PORT command and opens the port on the fly).
- Security risks: The client must accept inbound connections from the server, and the PORT command lets the client name any address and port. A server that connects wherever it is told can be abused as a relay to reach third-party hosts (the classic FTP bounce attack), so servers should only connect back to the address of the peer on the control connection.
In short, Active FTP is useful and easy to configure from the server side. However, it may have problems with client firewalls and present certain security risks.
For these reasons, many organizations choose to use Passive FTP, which, although it may be more difficult to configure on the server, has fewer issues with firewalls and provides better control over data connections.
Active FTP is generally used in the following scenarios:
Servers with strict firewall restrictions: If the FTP server is behind a firewall with strict policies on inbound connections, Active FTP can be a viable option since the only inbound port it needs is 21 (outbound connections from port 20 must still be allowed).
Fewer listening ports on the server: In Active FTP the server only has to listen on port 21 rather than keep a whole range of passive data ports open. Each transfer still uses one TCP data connection in both modes, so the saving is in port management more than in raw resources.
Network control: Because the server initiates the data connection from a known source port (20), administrators can write precise outbound firewall rules for data transfers.
Passive FTP
Passive FTP was designed to overcome the problems of firewalls and routers in the Active FTP data connection. Unlike Active FTP, in Passive FTP it is the client who initiates both connections (the command connection and the data connection) with the server.
The information flow in Passive FTP is as follows:
- The client connects from a random port (N) to port 21 on the server (the FTP control port) and sends the PASV command. This asks the server to enter passive mode, i.e. to listen for the data connection itself and tell the client where.
- The server replies on the control connection (port 21 to the client's port N) with a 227 "Entering Passive Mode" message carrying its IP address and a non-privileged port (greater than 1023) on which it is listening for the data connection.
- The client then opens a second connection from another random port to the address and port given by the server. Once this connection is established, the data transfer begins.
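The two exchanges above, as an added worked example (not code from the original article): a small Python module that encodes and parses the PORT command used in Active FTP and the 227 reply used in Passive FTP, and applies the address checks a careful server and client perform on them, including the case of a server behind NAT that is discussed later under the passive scenarios. All IP addresses and ports in it are constructed sample values; the bounce check and the NAT fallback are simplified versions of what real servers and clients do.

```python
"""PORT / PASV negotiation for Active and Passive FTP (added illustration,
not code from the original article). Addresses and ports are constructed samples."""
import ipaddress
import re
from ftplib import FTP

# RFC 959 carries an IPv4 address and a 16-bit port as six decimal bytes:
# h1,h2,h3,h4,p1,p2 where port = p1 * 256 + p2.
_SIX_BYTES = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_six_bytes(text: str) -> tuple[str, int]:
    """Pull the h1,h2,h3,h4,p1,p2 tuple out of a PORT command or a 227 reply."""
    m = _SIX_BYTES.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte value out of range")
    return ".".join(str(n) for n in nums[:4]), (nums[4] << 8) | nums[5]


def _encode_six_bytes(ip: str, port: int) -> str:
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ",".join(octets + [str(port >> 8), str(port & 0xFF)])


def build_port_command(ip: str, port: int) -> str:
    """Active FTP, client side: announce the address and port the client is
    listening on for the data connection (conventionally the control port + 1)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return "PORT " + _encode_six_bytes(ip, port)


def server_accepts_port(port_cmd: str, control_peer_ip: str) -> bool:
    """Active FTP, server side: decide whether to connect back to the address in
    a PORT command. Only the peer of the control connection is acceptable, and
    only on a non-privileged port; connecting wherever the client says would let
    the server be used as a relay against third parties (the FTP bounce attack)."""
    if not port_cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command")
    ip, port = _decode_six_bytes(port_cmd)
    return ip == control_peer_ip and port > 1023


def build_pasv_reply(ip: str, port: int) -> str:
    """Passive FTP, server side: the 227 reply announcing the listening data port."""
    if not 1023 < port < 65536:
        raise ValueError("passive data port must be non-privileged")
    return "227 Entering Passive Mode (%s)" % _encode_six_bytes(ip, port)


def client_data_target(pasv_reply: str, control_server_ip: str,
                       trust_advertised_ip: bool = False) -> tuple[str, int]:
    """Passive FTP, client side: work out where to open the data connection.
    A server behind NAT that has not been told its public address advertises
    its private one, which the client cannot reach. Unless told to trust the
    advertised address, reuse the address the control connection actually
    reached; current curl and Python ftplib releases do the same by default."""
    if not pasv_reply.startswith("227"):
        raise ValueError("expected a 227 reply, got %r" % pasv_reply)
    ip, port = _decode_six_bytes(pasv_reply)
    if port <= 1023:
        raise ValueError("server offered a privileged data port")
    if not trust_advertised_ip:
        ip = control_server_ip
    return ip, port


def ftp_client_for_mode(passive: bool) -> FTP:
    """Where the choice is made in a real client: ftplib uses passive mode by
    default and set_pasv(False) makes it send PORT instead. The object is left
    unconnected so the example runs offline; connect()/login() would follow."""
    ftp = FTP()
    ftp.set_pasv(passive)
    return ftp


if __name__ == "__main__":
    # Active mode: client listening on 192.0.2.10:1026 (N = 1025, N + 1 = 1026)
    cmd = build_port_command("192.0.2.10", 1026)
    print(cmd, "accepted:", server_accepts_port(cmd, "192.0.2.10"))
    # A bounce attempt: the PORT names another host's SMTP port; must be refused
    print("bounce accepted:", server_accepts_port("PORT 198,51,100,25,0,25", "192.0.2.10"))
    # Passive mode: server behind NAT advertises 10.0.0.5, client reached 203.0.113.7
    reply = build_pasv_reply("10.0.0.5", 50000)
    print(reply, "->", client_data_target(reply, "203.0.113.7"))
```

Run it directly to see the three cases printed; the functions are also importable so the same checks can be dropped into a test or a packet-inspection script. The two hard rules worth remembering are the ones encoded here: a server only dials back to the control connection's peer, and a client does not blindly trust the address a 227 reply advertises.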
Advantages of Passive FTP
- Overcoming problems with firewalls and routers: Firewalls and routers typically allow client-initiated connections, so Passive FTP generally does not have the firewall issues that occur with Active FTP.
- Enhanced security: Because the client initiates all connections, the client never has to accept inbound connections and the server never connects out to a client-supplied address.
Disadvantages of Passive FTP
- More complex server configuration: In Passive FTP, the server must accept inbound connections on a range of unprivileged ports for data connections. That range has to be configured on the server and opened on its firewall, and if the server sits behind NAT the address it advertises in the 227 reply must be its public one.
- Increased load on the server: The server has to allocate and track a listening socket per transfer in addition to the control connections, which is more state to manage.
In conclusion, Passive FTP provides a solution to the firewall problems that often occur with Active FTP, and can also provide improved security. However, it can be more difficult to configure on the server and may require more server resources.
Passive FTP is generally used in the following scenarios:
Clients behind a firewall: Passive FTP is useful when the client is behind a firewall that does not allow incoming connections. In Passive FTP, it is the client who initiates all connections, so firewalls usually allow these connections.
NAT (Network Address Translation): If the client is behind NAT, it may have problems with Active FTP because the NAT may not know how to handle the data connection initiated by the server. Passive FTP avoids this problem because all connections are outbound from the client. (If it is the server that sits behind NAT, its passive replies must advertise the public address and the NAT must forward the passive port range.)
Security: Some organizations prefer Passive FTP for security reasons. Since all connections are initiated by the client, there is less exposure on the client side and no server-initiated connection to a client-supplied address.
Large-scale data transmission: Passive FTP scales well to many simultaneous transfers, since each one gets its own data port from the passive range and none of them depend on the server being able to reach back into client networks.
Configuration examples on a Cisco device
Configuration for Active FTP
In this case the router acts as the FTP client (for example when you copy an image or configuration with copy ftp: ...). You define the interface whose address the router uses as the source of its FTP connections, and the username and password it presents. The 0 in the password command means the password is entered in cleartext; it is stored that way in the configuration unless service password-encryption is enabled.
Router(config)# ip ftp source-interface FastEthernet 0/0
Router(config)# ip ftp username myusername
Router(config)# ip ftp password 0 mypassword
Passive FTP Configuration
The 'ip ftp passive' command configures the router to use Passive FTP instead of Active FTP. The username and password for FTP connections can be configured in the same way as Active FTP.
Router(config)# ip ftp passive
Configuration examples on a MikroTik device
Configuration for Active FTP
The fetch tool makes the MikroTik router act as an FTP client: with mode=ftp it downloads src-path from the server at address (add upload=yes to send a file instead). The parameters are given on a single command line; the default mode is Active FTP. Note that the password appears in the command and therefore in the terminal history.
[admin@MikroTik] > /tool fetch mode=ftp address=192.168.88.1 src-path=myfile.txt user=myusername password=mypassword port=21
Passive FTP Configuration
By adding the passive=yes parameter, the fetch command will use Passive FTP instead of Active FTP.
[admin@MikroTik] > /tool fetch mode=ftp address=192.168.88.1 src-path=myfile.txt user=myusername password=mypassword port=21 passive=yes
Comparative table of Active FTP and Passive FTP connection modes
| | Active FTP | Passive FTP |
|---|---|---|
| Advantages | 1. Easier configuration on the server side: only one inbound port (21) needs to be opened. 2. Fewer listening ports on the server: only port 21, no passive port range. 3. Greater network control: the server initiates data connections from a known port (20). | 1. Fewer issues with client-side firewalls and NAT, because the client initiates all connections. 2. Better security posture: the server never connects out to a client-supplied address. 3. Scales to many simultaneous transfers, each on its own passive data port. |
| Disadvantages | 1. Problems with client-side firewalls and NAT, which may block the data connection initiated by the server. 2. Security risks: the server initiates the data connection to whatever address the client names (FTP bounce). | 1. More complex server configuration: a range of passive ports must be allocated and opened, and the public address advertised if the server is behind NAT. 2. Higher demand on server resources: a listening socket per transfer to allocate and track. |