
FTP is dead, now will someone tell developers!

Today’s post is all about FTP, or rather about why FTP shouldn’t be around anymore. FTP, which stands for file transfer protocol, was created almost 40 years ago when networks looked completely different. At that time networks were small. FTP was a great way to move files between hosts. It worked great for the 70’s, 80’s, and even part of the 90’s for most people.

In the 90’s two major changes happened that basically killed FTP:

  1. Firewalls were making their way onto corporate network perimeters. With the web introduced in 1990 it wasn’t long before companies were becoming ‘connected’. With this new form of communication came new security risks, and of course new security measures. Firewalls were the cure-all security solution of the 90’s.
  2. NAT was being used so that corporate computers with private IP addresses could still reach the Internet. NAT was configured on network devices such as routers, proxies, or even firewalls.

To illustrate why FTP is no longer a sensible choice, it’s time to look at how FTP works on a basic level. There are two modes for transferring data via FTP: PORT (active) and Passive. In both modes the control connection (commands and replies) and the data connection (file contents and directory listings) are separate TCP connections; what differs is which side opens the data connection.

PORT (Active) mode FTP

Here is a sample of PORT (Active) mode communication initialization:

  1. FTP client connects to a server.
    1. The source port for the client is a random number over 1023; this port will be used for commands on the client side.
    2. The destination port on the server is 21; this port will be used for commands on the server side.
  2. The server replies to the FTP client on the client control port.
  3. The client sends a PORT command naming its own IP address and the data port it is listening on (traditionally the client control port plus 1), and the server acknowledges it.
  4. When a transfer is requested, the server initiates the data connection to the client’s data port.
    1. Server data source port is 20
    2. Client data port is the one announced in the PORT command

Here is a sample of the above:

***note: For this example I chose 1024 for the RANDOM client control port, which in turn caused the client data port to be 1025

[Diagram: PORT (Active) mode FTP sample]

As you can see above, the client side of FTP communications in PORT mode has a random port assigned. Also notice that the FTP server initiates the data connection, even though it was the client that initiated the control connection.

This is what causes many problems with getting FTP through firewalls. The client-side firewall sees an unsolicited inbound connection from the server to a random port over 1023 on the client, and a typical perimeter firewall only allows inbound connections to a few well-known ports, if any. So in Active mode the server usually cannot deliver the data at all.

NAT will also have problems in the above scenario because the IP and port the client puts in its PORT command are its private IP and port, not the public IP and port the server can actually reach. Unless the NAT device has an FTP application-layer gateway that rewrites the PORT command (and opens the matching hole), the server’s data connection goes to an unroutable address.

The point is: If you have an old application that is using PORT mode, get rid of that application!

Passive mode FTP

Passive mode overcomes some of the limitations of Active mode. Here is a sample of Passive mode communication initialization:

  1. FTP client connects to a server.
    1. The source port for the client is a random number over 1023; this port will be used for commands on the client side.
    2. The destination port on the server is 21; this port will be used for commands on the server side.
  2. The server replies to the FTP client on the client control port.
  3. The client sends a PASV command, and the server answers with its own IP address and a data port it is listening on (a random number chosen by the server).
  4. When a transfer is requested, the client initiates the data connection to the server’s data port.
    1. Client data port is a random number over 1023 (traditionally the client control port plus 1)
    2. Server data port is the one announced in the server’s reply

Here is a sample of the above:

***note: For this example I chose 1024 for the RANDOM client control port, which in turn caused the client data port to be 1025

***note: For this example I chose 2048 for the RANDOM server data port.

[Diagram: Passive mode FTP sample]

As you can see above, the client side of FTP communications in Passive mode also has a random port assigned, and the server’s data port is random as well. Also notice that the FTP client initiates the data connection, which is the opposite of how Active mode sessions work.

With Passive mode the FTP administrator can set a range of ports for the server to choose from for data connections. These ports can in turn be allowed through the firewall by the Network Administrator. This overcomes the issues caused by firewalls that cause Active mode to fail.

From a network security perspective this is not a good solution. It means opening more inbound ports on the server’s firewall, a rather large number of ports actually. Keep in mind, too, that plain FTP sends the username, password and file contents in cleartext on both connections.

It’s also a pain to troubleshoot FTP issues. Many times you will be working with applications that only support Active FTP. Or maybe you’ll have a client that supports Passive FTP but the firewall on either end is still unable to make a proper connection, or the server sits behind NAT and advertises its private address in the PASV reply.

The point is: If you have an old application that is using FTP (Active or Passive), get rid of that application!
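The two exchanges above, written out as control-channel transcripts and run through a small analysis script. This is an added example, not code from the original post: the transcripts, the addresses (documentation ranges 198.51.100.7 and 203.0.113.5 standing in for public hosts, 192.168.1.10 for the client behind NAT) and the function names are all constructed for illustration. The only protocol detail it relies on is the `h1,h2,h3,h4,p1,p2` encoding that the PORT command and the 227 reply share, with port = p1 × 256 + p2.

```python
"""Parse an FTP control-channel transcript and work out, for each data
connection, which side opens it, to which address and port, and whether
NAT will break it. Added example; the transcripts are constructed to
match the post's walk-through (client data port 1025, server passive
port 2048) and are not captures from a real server."""
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command and the 227 reply (RFC 959)
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from text containing 'h1,h2,h3,h4,p1,p2'; port = p1*256 + p2."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(str(x) for x in fields[:4]), fields[4] * 256 + fields[5]


def format_hostport(ip, port):
    """Inverse of parse_hostport: ('192.168.1.10', 1025) -> '192,168,1,10,4,1'."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port >> 8, port & 0xFF)


def is_rfc1918(ip):
    """True for 10/8, 172.16/12 and 192.168/16, the ranges that live behind NAT.
    Checked by hand rather than via ipaddress.is_private, which also flags the
    documentation ranges (203.0.113.0/24 etc.) used as 'public' hosts below."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def analyze_session(lines, client_public_ip, server_public_ip):
    """lines: [(sender, text)] with sender 'C' (client) or 'S' (server).

    Returns one dict per data connection. 'nat_problem' is set when the
    address advertised for the data connection is an RFC 1918 address while
    the advertising host is actually reached over a public one, i.e. the
    peer would dial an unroutable address unless a NAT device with an FTP
    ALG rewrote the command or reply on the way through."""
    findings = []
    for sender, text in lines:
        if sender == "C" and text.upper().startswith("PORT "):
            ip, port = parse_hostport(text)           # client tells server where to connect
            findings.append({
                "mode": "active", "opened_by": "server",
                "from": (server_public_ip, 20), "to": (ip, port),
                "nat_problem": is_rfc1918(ip) and not is_rfc1918(client_public_ip),
            })
        elif sender == "S" and text.startswith("227"):
            ip, port = parse_hostport(text)           # server tells client where to connect
            findings.append({
                "mode": "passive", "opened_by": "client",
                "from": (client_public_ip, "ephemeral"), "to": (ip, port),
                "nat_problem": is_rfc1918(ip) and not is_rfc1918(server_public_ip),
            })
    return findings


def firewall_requirement(finding):
    """The inbound hole the receiving side's firewall must carry for this transfer."""
    ip, port = finding["to"]
    if finding["mode"] == "active":
        return "client-side firewall: allow inbound TCP from %s:20 to %s:%d" % (finding["from"][0], ip, port)
    return "server-side firewall: allow inbound TCP to %s:%d (and the rest of the passive range)" % (ip, port)


# Constructed transcripts; addresses are documentation ranges, not real hosts.
CLIENT_PUBLIC_IP = "198.51.100.7"   # what the server sees the client as (public side of the NAT)
SERVER_PUBLIC_IP = "203.0.113.5"

ACTIVE = [
    ("C", "USER alice"),
    ("S", "331 Password required for alice"),
    ("C", "PASS hunter2"),                       # credentials cross the wire in cleartext
    ("S", "230 User alice logged in"),
    ("C", "PORT 192,168,1,10,4,1"),              # "connect to 192.168.1.10:1025", a private address
    ("S", "200 PORT command successful"),
    ("C", "RETR report.csv"),
    ("S", "150 Opening data connection"),        # server now dials out from port 20
    ("S", "226 Transfer complete"),
]

PASSIVE = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (203,0,113,5,8,0)."),   # "connect to 203.0.113.5:2048"
    ("C", "RETR report.csv"),                    # client dials out from an ephemeral port
    ("S", "150 Opening data connection"),
    ("S", "226 Transfer complete"),
]

if __name__ == "__main__":
    for name, transcript in (("active", ACTIVE), ("passive", PASSIVE)):
        for f in analyze_session(transcript, CLIENT_PUBLIC_IP, SERVER_PUBLIC_IP):
            print(name, f["opened_by"], "connects to %s:%s" % f["to"],
                  "NAT PROBLEM" if f["nat_problem"] else "ok")
            print("   ", firewall_requirement(f))
```

Run as-is, the active transcript is flagged because the client advertised 192.168.1.10 while the server actually sees it as 198.51.100.7; the passive transcript is fine, but the rule it prints is the hole in the server's firewall that the paragraph above complains about. The same parser works on the server's own log lines or on a text export from a packet capture, which is where this kind of check is usually needed.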

Alternative to FTP

Here we are 15 years after FTP should have been dead and developers are still using it. Recently I asked a developer why he was using FTP. His simple answer: FTP is simple to use/implement and it’s what I’ve always done. (I really hate the “it’s always been that way” answer).

There is a good alternative to FTP: SFTP. SFTP stands for SSH File Transfer Protocol (not “secure file transfer protocol” as some might think, and not to be confused with FTPS, which is the old FTP wrapped in TLS and keeps all of the data-connection problems described above). SSH stands for Secure Shell, and the SSH connection provides authentication and encryption for the file transfer. Even if you don’t think any data being transmitted needs to be secured, it’s a good idea to always use secure communications.

SFTP is not simply FTP with security bolted on. Let me repeat: SFTP is NOT a new implementation of the older FTP specification. Instead SFTP is a separate protocol, run as a subsystem over an SSH connection, that has all of the capabilities of the older FTP specification. The interactive sftp client even offers the same familiar commands (cd, ls, get, put), so for developers there is very little that needs to be done differently to use SFTP instead of FTP.

Also, there are no longer separate control and data connections. Everything travels over the single SSH connection, so the server has only one port to expose, typically 22, the same as other SSH services. No more mucking around with random server ports or having to troubleshoot passive connections!

I won’t go any more into why SFTP is a good replacement for FTP. If you want more info on SFTP I would recommend going to the OpenSSH website or RTFM (the sftp(1) manual page) on the OpenBSD website.

One final plea: Developers, please STOP using FTP. It’s dead, or at least should have been dead 15 years ago!!!

Categories: Networking
  1. Juliano
    June 20, 2011 at 14:05

    I agree! Thanks for making me know I’m not alone having problems with this jurassic protocol.

  2. December 3, 2013 at 12:47

    I really wish more people were familiar with the fact that FTP is dead and it has no place in modern (or even not so modern) development workflows. To developers who are not familiar with this – see Git, SVN, etc.
