Mikael Olsson wrote:
> 
> Graham Wheeler wrote:
> >
> > For `dumb' firewalls (i.e. simple packet filtering systems), allowing
> > passive mode only is more secure. For `smart' firewalls (i.e.
> > application proxy or SPFs) either can be supported, but active has the
> > advantage that once the PORT command has been inspected, all the details
> > of the expected connection attempt are known (client and server
> > addresses and ports) - and the necessary incoming `hole' can be opened
> > up for a short period while waiting for the connection attempt.
> 
> .... but you still don't know if the port that the inside client
> requested is safe or not. It could be a bogus request from a java
> applet, and no firewall in the world would be able to tell the
> difference :)
> 
> For the client side, passive FTP always provides better security.

Unless it is a rogue client.

> For clients, active mode has no "advantages" the way I see it,
> only drawbacks. And big ones at that.

Unless it is a rogue client.

Anyway, I (mostly) agree - I was talking purely about the packet
filtering `holes' that have to be opened, not about what happens once
the connection through that hole has been established. For active mode,
the details of the hole are known, so the hole can be precisely
specified, while for passive mode, although there is undoubtedly a
security advantage of having the client connect, the packet filtering
hole on the firewall has to allow a whole range of ports on the client
side.

Put another way - with passive mode, you are more open to exploits from
the inside, while with active mode you are more vulnerable to exploits
from the outside.

It should of course also be noted that someone could easily set up a
rogue FTP server and exploit clients that use either mode. To help
reduce the risk of this, a good firewall will also check the flow of
data over the data connection - it should be unidirectional and
correspond to whether the client is doing an upload or a
download/directory listing.

gram
-- 
Dr Graham Wheeler                        E-mail: [EMAIL PROTECTED]
Director, Research and Development       WWW:    http://www.cequrux.com
CEQURUX Technologies                     Phone:  +27(21)423-6065
Firewalls/VPN Specialists                Fax:    +27(21)424-3656
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
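To make the two kinds of `hole' in the exchange above concrete, here is a small stateful inspector for an FTP control channel. It is an added example written for this page, not code from the post, from CEQURUX, or from any product mentioned in the thread. It parses the client's PORT command and the server's 227 (passive) response, and when the transfer command (RETR, STOR, LIST, ...) arrives it records the pinhole a packet filter would have to open and the direction the data should flow on it: in active mode every endpoint is known, in passive mode the client's source port can only be given as a range. It also rejects a PORT or 227 that names a third-party host, which is the one sanity check a proxy can make; as the reply notes, it cannot tell a genuine request from a rogue client's. The addresses 10.0.0.5 and 192.0.2.10, the 1024-65535 ephemeral range, the server data port of 20 (the RFC 959 default, not guaranteed) and the sample control-channel lines are all constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

# How a data connection gets negotiated on the control channel (RFC 959).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
XFER_RE = re.compile(r"^(RETR|STOR|STOU|APPE|LIST|NLST)\b", re.I)

# Which way bytes must flow on the data connection for each command.
DOWNLOAD_CMDS = {"RETR", "LIST", "NLST"}   # server -> client
UPLOAD_CMDS = {"STOR", "STOU", "APPE"}     # client -> server


@dataclass(frozen=True)
class Hole:
    mode: str                              # "active" or "passive"
    src_ip: str                            # side that opens the data connection
    src_port: Union[int, Tuple[int, int]]  # exact port, or an (lo, hi) range
    dst_ip: str
    dst_port: int
    direction: str                         # "download" or "upload"


def decode_hostport(groups) -> Tuple[str, int]:
    """Turn the h1,h2,h3,h4,p1,p2 tuple of PORT / 227 into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in host-port")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpInspector:
    """Tracks one control connection and emits the pinhole for each transfer."""

    def __init__(self, client_ip: str, server_ip: str,
                 server_data_port: int = 20,               # RFC 959 default (assumed)
                 client_ephemeral: Tuple[int, int] = (1024, 65535)):  # assumed range
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.server_data_port = server_data_port
        self.client_ephemeral = client_ephemeral
        self.pending: Optional[Tuple[str, str, int]] = None  # (mode, ip, port)
        self.holes: List[Hole] = []

    def client_line(self, line: str) -> Optional[Hole]:
        m = PORT_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            # The client must ask for a connection back to itself on an
            # unprivileged port.  This rejects obviously bogus requests only;
            # it cannot tell a genuine client from a rogue one.
            if ip != self.client_ip:
                raise ValueError(f"PORT names third-party host {ip}")
            if port < 1024:
                raise ValueError(f"PORT asks for privileged port {port}")
            self.pending = ("active", ip, port)
            return None
        m = XFER_RE.match(line)
        if m:
            return self._open_hole(m.group(1).upper())
        return None

    def server_line(self, line: str) -> None:
        m = PASV_RE.match(line)
        if m:
            ip, port = decode_hostport(m.groups())
            # A server redirecting the client to some other host is refused.
            if ip != self.server_ip:
                raise ValueError(f"227 points client at third-party host {ip}")
            self.pending = ("passive", ip, port)

    def _open_hole(self, cmd: str) -> Hole:
        if self.pending is None:
            raise ValueError(f"{cmd} without a preceding PORT/PASV")
        mode, ip, port = self.pending
        self.pending = None
        direction = "download" if cmd in DOWNLOAD_CMDS else "upload"
        if mode == "active":
            # All four endpoint values are known: server data port -> client's port.
            hole = Hole(mode, self.server_ip, self.server_data_port, ip, port, direction)
        else:
            # Only the destination is known; the client's source port may be
            # anything in its ephemeral range, so the rule has to cover it all.
            hole = Hole(mode, self.client_ip, self.client_ephemeral, ip, port, direction)
        self.holes.append(hole)
        return hole


def as_rule(h: Hole) -> str:
    """Render a hole as a one-line filter rule for reading."""
    src = f"{h.src_ip}:{h.src_port}" if isinstance(h.src_port, int) \
        else f"{h.src_ip}:{h.src_port[0]}-{h.src_port[1]}"
    return f"allow tcp {src} -> {h.dst_ip}:{h.dst_port} ({h.mode}, data {h.direction})"


if __name__ == "__main__":
    insp = FtpInspector("10.0.0.5", "192.0.2.10")   # constructed addresses
    insp.client_line("PORT 10,0,0,5,4,1")            # active: client port 1025
    print(as_rule(insp.client_line("RETR file.bin")))
    insp.client_line("PASV")
    insp.server_line("227 Entering Passive Mode (192,0,2,10,195,80).")  # port 50000
    print(as_rule(insp.client_line("STOR upload.txt")))
```

Feeding a real session through this shows the trade-off the reply describes: the active-mode rule is a single exact 4-tuple that can be torn down once the connection arrives, while the passive-mode rule has to admit a whole range of client source ports toward the server's chosen port.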