Secure FTP Proxy

FTP is one of the oldest and simplest ways to transfer files within your network. Although newer alternatives to FTP may offer greater convenience and/or security, there are still times, when working with specific applications or devices, when FTP may be the solution of choice.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for FTP users, requiring network administrators to choose between two equally unacceptable alternatives: prevent FTP from passing through the firewall, accepting the resulting loss of ability to transfer files to/from the devices beyond, or allow FTP to pass through the firewall, accepting the associated security risks.

FTP is especially difficult for firewalls due to its use of separate control and data connections. While control connections are always directed at a well-known port, data connections use dynamically assigned ports, making it difficult to configure the firewall to allow only the needed ports. Making matters worse, the direction in which the data connection is initiated depends on whether the requested transfer mode is active or passive, making it difficult to implement a policy that prevents connections from being initiated from less secure network zones to more secure network zones.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for FTP traffic, enabling FTP client applications to extend their reach beyond firewalls, while mitigating the associated security risks. All FTP control connection traffic is carefully inspected by the ZoneRanger, and data connections are matched with known outstanding transfer requests, before being allowed to pass.
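The matching of data connections to control-channel requests described above can be sketched as follows. This is an added example, not ZoneRanger code: the class and function names are hypothetical, the addresses are constructed, and the rule that an announced address must belong to the control connection's own peer is an assumed policy.

```python
import re

# Six comma-separated decimal fields h1,h2,h3,h4,p1,p2 (RFC 959 PORT / 227 reply).
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Return (ip, port) from an RFC 959 host-port string, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    f = [int(x) for x in m.groups()]
    if any(v > 255 for v in f):
        return None
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]

class DataConnTracker:
    """Tracks one control session and the single data connection it may open."""
    def __init__(self, client_ip, server_ip):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.expected = None  # (initiator_ip, dst_ip, dst_port)

    def on_client_line(self, line):
        # Active mode: the client announces where the server should connect.
        if line.upper().startswith("PORT "):
            hp = parse_hostport(line[5:])
            # Assumed policy: the announced address must be the client itself.
            ok = hp is not None and hp[0] == self.client_ip
            self.expected = (self.server_ip, *hp) if ok else None
            return ok
        return True

    def on_server_line(self, line):
        # Passive mode: the server announces where the client should connect.
        if line.startswith("227"):
            hp = parse_hostport(line[3:])
            ok = hp is not None and hp[0] == self.server_ip
            self.expected = (self.client_ip, *hp) if ok else None
            return ok
        return True

    def allow_data_conn(self, src_ip, dst_ip, dst_port):
        """Permit a data connection only if it matches; the entry is one-shot."""
        ok = self.expected == (src_ip, dst_ip, dst_port)
        if ok:
            self.expected = None
        return ok
```

Because the expected endpoint is cleared on first use, a second connection to the same dynamically assigned port is refused until the control channel negotiates a new transfer.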

The ZoneRanger FTP proxy feature supports all FTP protocol transactions defined in RFC 959, including:

  • Get File Request (from devices in a firewall-partitioned zone)
  • Put File Request (to devices in a firewall-partitioned zone)
  • List Directory Request
  • Delete File Request
  • Rename File Request

In addition to supporting active and passive mode file transfers, the ZoneRanger FTP proxy feature also includes an optional active-to-passive conversion feature, which allows an FTP client’s active mode transfer requests to be presented to servers as passive mode requests, so that clients that only support active mode are able to exchange files with servers that only support passive mode.

FTP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP