Is there any risk to a network if it allows FTP access to third party websites?
I was not able to access my website via FTP on my college's network. (The college has a Cyberoam-firewalled network.) It would fail at the point where the directory listing would otherwise show up. I later found out the college blocks the FTP ports by default. I went to the IT guys and asked them to unblock the FTP ports (21 and 22) to my website. They denied it, reasoning that doing so might raise security concerns.
So, is there really any risk to the network if it allows FTP access to third party websites? Can a network be compromised remotely via FTP? Are there any loopholes?
FTP is an ugly protocol because it uses dynamic ports, which needs either a wide open firewall or specific configuration within the FTP clients. Also, it sends login information in the clear by default, and the encrypted version, FTPS, produces even more problems with firewalls. These things together make firewall admins hate the protocol, and they would rather deny requests to allow it for security reasons.
Apart from that, your request for ports 21 and 22 was wrong: while port 21 is the FTP control connection, port 22 is for SSH and has nothing to do with FTP. But there is SFTP, which is file transfer on top of SSH and is totally different from FTPS, which is FTP with SSL enabled.
But port 21 is not enough to get FTP through. With FTP active mode you must also allow any connections from the server's port 20 back to the client, and with FTP passive mode you must allow connections from any port on the client to any port on the server. The firewall might have an FTP proxy or helper to work around this and to get more restrictive policies, but its usage is limited and it usually does not work with FTPS, so that passwords are transferred in plain text.
Maybe you can see from this description why the FTP protocol is considered insecure and hated by firewall administrators. I would suggest that you move instead to SSH/SFTP (needs only port 22) or that you use WebDAV (works with the default HTTP/HTTPS ports).
BTW, if you have security questions you might get better answers at security.stackexchange.com.
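The answer above describes the two data-channel modes in words; the following added example (not code from the original thread) makes the negotiation concrete. It parses the passive-mode `227` reply and the active-mode `PORT` command exactly as an FTP client or a firewall's FTP helper has to, derives the dynamically chosen data port, and prints the stateless firewall rule each transfer would need. The IP addresses and the exchange at the bottom are constructed sample data, and the `control_peer` check (ignoring an announced address that differs from the control connection's peer) is one client-side hardening some clients apply, not something the answer itself mentions.

```python
"""FTP data-channel negotiation: why port 21 alone is never enough.

Added illustration for the thread above; not from the original post.
Addresses are from documentation ranges (RFC 5737) and the exchange is
constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class DataChannel:
    """Who must open the second TCP connection, and to where."""
    mode: str        # "passive" or "active"
    opened_by: str   # "client" or "server"
    host: str        # address the data connection goes to
    port: int        # port the data connection goes to (chosen at run time)


# h1,h2,h3,h4,p1,p2 tuple used by both the 227 reply and the PORT command.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode(fields: Sequence[str]):
    """Turn the six comma-separated bytes into (host, port); port = p1*256 + p2."""
    vals = [int(v) for v in fields]
    if any(v > 255 for v in vals):
        raise ValueError("byte out of range in h1,h2,h3,h4,p1,p2")
    h1, h2, h3, h4, p1, p2 = vals
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return f"{h1}.{h2}.{h3}.{h4}", port


def parse_pasv(reply: str, control_peer: Optional[str] = None) -> DataChannel:
    """Passive mode: the 227 reply names where the *server* is listening.

    The client then opens an outbound connection to that host:port, so the
    firewall must allow client -> server on a port it cannot know in advance.
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    m = _HOSTPORT.search(reply)
    if m is None:
        raise ValueError("227 reply carries no h1,h2,h3,h4,p1,p2 tuple")
    host, port = _decode(m.groups())
    # Hardening assumed here (not from the thread): a server behind NAT, or a
    # spoofed reply, can announce a different address than the one we dialled.
    # Reusing the control connection's peer avoids being steered elsewhere.
    if control_peer is not None and host != control_peer:
        host = control_peer
    return DataChannel("passive", "client", host, port)


def build_port(client_ip: str, client_port: int) -> str:
    """Active mode: the client announces its own listening socket via PORT."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {client_ip!r}")
    if not 0 < client_port < 65536:
        raise ValueError(f"port out of range: {client_port}")
    return f"PORT {','.join(octets)},{client_port // 256},{client_port % 256}"


def parse_port(cmd: str) -> DataChannel:
    """Active mode seen from the server/firewall side: server connects back,
    from its port 20, to the client address and port named in PORT."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {cmd!r}")
    m = _HOSTPORT.fullmatch(cmd[5:].strip())
    if m is None:
        raise ValueError("PORT carries no h1,h2,h3,h4,p1,p2 tuple")
    host, port = _decode(m.groups())
    return DataChannel("active", "server", host, port)


def firewall_rule(ch: DataChannel) -> str:
    """The stateless rule a perimeter firewall would need for this one transfer."""
    if ch.mode == "passive":
        return f"allow tcp from client any-port to {ch.host}:{ch.port} (outbound, dynamic)"
    return f"allow tcp from server port 20 to {ch.host}:{ch.port} (inbound, dynamic)"


if __name__ == "__main__":
    # Constructed exchange: client 198.51.100.7 talking to server 192.0.2.10.
    pasv = parse_pasv("227 Entering Passive Mode (192,0,2,10,195,80).", control_peer="192.0.2.10")
    print("passive:", pasv, "->", firewall_rule(pasv))
    cmd = build_port("198.51.100.7", 59938)
    active = parse_port(cmd)
    print("active: ", cmd, "->", firewall_rule(active))
```

Both rules name a port that only exists after the control channel has been read, which is exactly the work a Cyberoam-style FTP helper does by inspecting port 21 traffic; once that traffic is TLS-wrapped (FTPS) the helper is blind and the admin is left with either a wide port range or a deny, which is why the answer steers towards SFTP on a single port.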
It's likely that they do not want to spend the time considering all of the possible security issues, so your request was denied. Network admins are under a lot of pressure to maintain a secure network against unknown threats.
You should look into using a server or service that allows you to connect in via port 80 or 443, but will then forward your traffic to 21 or 22.