The File Transfer Protocol (FTP): Risks and Security Measures
The File Transfer Protocol (FTP) is a standard network protocol used to transfer files from one host to another over a TCP-based network, such as the Internet. FTP is built on a client-server architecture and uses separate control and data connections between the client and server applications.
FTP is commonly used to transfer website files from a local development environment to a remote production server. It can also be used to transfer files between servers, such as backing up files from one server to another. FTP is also used by some software applications to upload updates or patches.
2. The File Transfer Protocol (FTP)
2.1 Sub-constituents of FTP
There are several sub-constituents which make up the File Transfer Protocol:
The User Datagram Protocol (UDP) port 20 for the control connection
The Transmission Control Protocol (TCP) port 21 for the command connection
A dynamically assigned TCP port > 1023 for the data connection
RFC 959 defines the specifications for FTP, however there have been many extensions and updates since then. These include RFC 1579 (firewall-friendly FTP), RFC 2228 (Security Extensions for FTP) and RFC 2428 (FTP Extensions for IPv6 and NATs).
There are two types of mode in FTP i.e., Active and Passive. In active mode, after a control connection is established between client and server, the server starts listening on port 20 for incoming data connections from the client. The client then initiates a new data connection to port 20 on the server machine; this is known as an “outbound” connection from the firewall’s perspective, and so requires no special configuration. In passive mode, after establishing the control connection, both clients & servers exchange information regarding which ports they will use for data connections. Once this handshake is complete, all subsequent data connections will be made from port 20 on the server machine to an arbitrary high numbered port on the client machine; this is known as an “inbound” connection from the firewall’s perspective, & so will require additional configuration if firewalls are employed. As a result of this difference in behavior, active mode FTP can sometimes work when passive mode cannot – particularly when accessing an FTP server through a corporate firewall that allows all outbound traffic but restricts some inbound traffic.
2. 2 Security in FTP
FTP was not designed with security in mind and therefore it suffers from several vulnerabilities:
Passwords are sent in plain text over the network, making them susceptible to eavesdropping attacks
The data channel is not encrypted, so sensitive data can be intercepted
There is no host authentication, so it’s possible to masquerade as another host
Files can be tampered with or corrupted during transit
There are several measures that can be taken to mitigate these risks:
Use FTPS (FTP over SSL/TLS) instead of regular FTP – this encrypts both the control and data channels using SSL/TLS
If FTPS is not available, use SFTP (SSH File Transfer Protocol) – this uses SSH to encrypt both the control and data channels
Only connect to trusted FTP servers – look for signs that the server may not be genuine, such as a different hostname in the control channel than the data channel
Use strong passwords and change them regularly
Restrict access to the FTP server to only those who need it
Monitor FTP server activity for suspicious behavior
3. The FTP Environment
3.1 The FTP 1-1 Protocol
FTP 1-1 is a new protocol developed by Microsoft which aims to address the security shortcomings of the traditional FTP protocol. It uses an encrypted control channel and can optionally use encrypted data channels as well. In addition, it supports host authentication and integrates with Windows Authentication services, so that only users who have been verified by the server can access files. Finally, it can be configured to use port forwarding rules from a firewall, so that it can work through corporate firewalls that block the standard FTP ports.
3. 2 The Internet Information Services (IIS)
Internet Information Services (IIS) is a web server software package provided by Microsoft. It includes an FTP server component which can be used to host FTP sites. IIS supports both FTPS and FTP 1-1, so it can be used to provide a secure FTP service. In addition, IIS provides a graphical user interface (GUI) for managing FTP sites and users, making it easier to set up and administer an FTP server than with other software packages.
FTP is a widely used protocol for transferring files over the Internet. However, it suffers from several security vulnerabilities which can be exploited by attackers. To mitigate these risks, it is recommended to use FTPS or SFTP instead of regular FTP, and to restrict access to trusted users only.
When configuring an FTP server, care should be taken to properly secure it. In particular, consider using FTPS or SFTP instead of regular FTP, and restricting access to only trusted users. By taking these precautions, you can help to ensure that your FTP server is safe and secure.