For a protocol with nearly fifty years on the clock, FTP can sometimes be a lot more complicated than most would assume. In particular, there is often a strong misunderstanding of the differences between active and passive FTP sessions, which can lead to confusion around port numbers in use and how the protocol really works.
So what are the differences between active and passive FTP, and what are the advantages and disadvantages of each mode?
Despite its name giving it the air of supremacy or preference, active FTP sessions are very rare in today's networks.
In this mode, port 21 is used to set up the control channel and authenticate the client (the one initiating the connection) against the server (the one receiving the connection).
Once the client has authenticated, it issues a PORT command to the server. This command carries the IP address the client believes is its own and a second port number, typically a dynamic port, on which the server must connect back to the client.
The server then opens this second channel back to the client, known as the data channel, and the file transfer takes place over it.
To summarise, when using FTP in active mode, the client creates the control channel and the server creates the data channel.
Advantages of active FTP:
- Better security and less attack surface on the server side, as only port 21 needs to be open inbound.
- Easier to set up for the server-side administration team.
Disadvantages of active FTP:
- FTP clients are often behind NAT and firewalls, and a mobile device such as a laptop will have an ever-changing external IP address. This means the IP address sent to the server in the PORT command has to be reconfigured each time the external IP address changes.
- Wherever the FTP client is at the time of initiating an FTP session, it needs to ensure that the dynamic data port has been allowed through any firewalls between the server and the client.
The passive mode of FTP was created to move some of the responsibility for firewall configuration away from the client side. In contrast to active FTP, in passive FTP the client initiates both the control and the data channels.
The sequence of actions begins the same way, with the client opening a control channel to the server on port 21 and using it for set up and authentication. However, rather than issuing a PORT command for the server to open a data channel back to it, the client sends the PASV command, which instructs the server to return an IP address and port number to which the client then opens the data channel.
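The two exchanges described above, the PORT command in active mode and the 227 reply to PASV in passive mode, use the same address encoding: four IP octets and two port bytes, where the port is p1 * 256 + p2. The example below is added here and is not code from the original article; it encodes and decodes both messages, records which side opens the data connection, and applies the checks a client or firewall administrator would want on a PASV reply: that the advertised address matches the host the control channel is already talking to (a private address here is the classic sign of a NAT'd server that has not been told its public address) and that the advertised port falls inside the range the server-side firewall has opened. All IP addresses, ports and the firewall range are constructed sample values.

```python
"""
Added worked example: encoding and decoding the address exchange in
active (PORT) and passive (PASV / 227) FTP.  Not part of the original
article; all addresses and ports are constructed sample values.
"""
import ipaddress
import re
from dataclasses import dataclass

# Server reply after a successful PASV (RFC 959 form):
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
PASV_REPLY_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){3}),(\d{1,3}),(\d{1,3})\)")
# Client command in active mode:  PORT h1,h2,h3,h4,p1,p2
PORT_CMD_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){3}),(\d{1,3}),(\d{1,3})$", re.IGNORECASE)


@dataclass(frozen=True)
class DataEndpoint:
    """Where the data channel goes, and which side opens it."""
    mode: str        # "active" or "passive"
    connector: str   # side that initiates the TCP data connection
    ip: str          # address the data connection is made to
    port: int        # port the data connection is made to


def encode_port_command(client_ip: str, data_port: int) -> str:
    """Build the PORT command an active-mode client sends to the server."""
    if not 0 < data_port < 65536:
        raise ValueError(f"port out of range: {data_port}")
    octets = str(ipaddress.IPv4Address(client_ip)).replace(".", ",")
    return f"PORT {octets},{data_port // 256},{data_port % 256}"


def parse_port_command(command: str) -> DataEndpoint:
    """Decode a PORT command: the server must connect back to this address."""
    m = PORT_CMD_RE.match(command.strip())
    if not m:
        raise ValueError(f"not a valid PORT command: {command!r}")
    host, p1, p2 = m.groups()
    return DataEndpoint("active", "server", host.replace(",", "."), int(p1) * 256 + int(p2))


def parse_pasv_reply(reply: str) -> DataEndpoint:
    """Decode a 227 reply: the client must connect to this address."""
    m = PASV_REPLY_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a valid 227 PASV reply: {reply!r}")
    host, p1, p2 = m.groups()
    port = int(p1) * 256 + int(p2)
    if not 0 < port < 65536:
        raise ValueError(f"advertised port out of range: {port}")
    return DataEndpoint("passive", "client", host.replace(",", "."), port)


def check_passive_endpoint(ep: DataEndpoint, control_peer_ip: str,
                           allowed_range: tuple[int, int]) -> list[str]:
    """Sanity checks on a PASV reply; returns a list of problems (empty = fine).

    The advertised address should be the host the control channel is connected
    to, and the advertised port should sit inside the range the server-side
    firewall has opened for passive data connections (constructed here).
    """
    problems = []
    if ep.ip != control_peer_ip:
        if ipaddress.IPv4Address(ep.ip).is_private:
            problems.append(f"server advertised private address {ep.ip}; "
                            f"control channel is to {control_peer_ip} (NAT not configured?)")
        else:
            problems.append(f"server advertised {ep.ip}, control channel is to {control_peer_ip}")
    lo, hi = allowed_range
    if not lo <= ep.port <= hi:
        problems.append(f"advertised port {ep.port} is outside the opened range {lo}-{hi}")
    return problems


def demo() -> dict:
    """Run both exchanges on constructed sample values and return the results."""
    # Active: a client at 203.0.113.10 asks the server to connect back to port 50001.
    port_cmd = encode_port_command("203.0.113.10", 50001)   # PORT 203,0,113,10,195,81
    active = parse_port_command(port_cmd)
    # Passive, correct: server at 198.51.100.20 advertises its own address and port 60010.
    good = parse_pasv_reply("227 Entering Passive Mode (198,51,100,20,234,106).")
    # Passive, misconfigured: the same server, behind NAT, advertises its internal address.
    natted = parse_pasv_reply("227 Entering Passive Mode (10,0,0,5,234,106).")
    firewall_range = (60000, 60100)   # constructed passive port range opened on the server side
    return {
        "port_command": port_cmd,
        "active": active,
        "good": good,
        "good_problems": check_passive_endpoint(good, "198.51.100.20", firewall_range),
        "natted": natted,
        "natted_problems": check_passive_endpoint(natted, "198.51.100.20", firewall_range),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints both decoded endpoints: the active one is connected to by the server, the passive one by the client, and the NAT'd reply is flagged because the address inside the 227 reply does not match the host the control channel was opened to. Real clients usually paper over that mismatch by ignoring the advertised address and reusing the control-channel peer, which is why a NAT misconfiguration on the server often goes unnoticed until a stricter client or firewall is involved.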
Advantages of passive FTP:
- The configuration responsibility is placed on the server side, which is less likely to be changing or mobile.
- No inbound firewall requirements for the client.
Disadvantages of passive FTP:
- On the server side, the administration team needs to allow for the data channel in the firewall by opening a range of dynamic ports.
Between Active and Passive FTP, Which Is More Secure?
This is really a trick question, as neither is any more secure than the other. In both cases, the data transferred between client and server is unencrypted and therefore open to sniffing attacks. For more secure file transfers, we recommend using FTPS or SFTP.
Would you like assistance with your file transfer protocol set up? We have over eleven years' experience with managed file transfer solutions and workflows. If you would like to speak to one of our solution specialists, you can book a call today by clicking here.