Mikael Olsson wrote:
>
> Graham Wheeler wrote:
> >
> > Mikael Olsson wrote:
> > >
> > > For the client side, passive FTP always provides better security.
> >
> > Unless it is a rogue client.
> >
> > [snip]
> >
> > Put another way - with passive mode, you are more open to exploits from
> > the inside, while with active mode you are more vulnerable to exploits
> > from the outside.
>
> Considering that inside users (processes, if you like) can always
> connect out through some means or another,

| sed s/always/mostly/

I know of sites where firewalls are protecting web servers and databases
which are accessible from outside and from inside - but other than that,
no traffic is allowed out through the firewall (i.e. only incoming HTTP
is allowed). Another example might be a file repository that people on
the outside can upload to, but that should not allow anything out.
[Please note, Mike, I'm not suggesting that active FTP is better in the
latter case - although it might be, depending on the situation - just
that there are situations in which firewalls are deployed in which the
only allowed traffic is incoming].

> I'd rather have my
> firewall concentrate on keeping external Bad Guys out, rather than
> attempting to concentrate on the futile task of keeping internal Bad
> Guys inside.
>
> ... but that's just my point of view, I guess ;)

Shared by most people in most situations, but there are (always)
exceptions. I was noting what the risks were; people can make their own
decisions based on these risks, and on their situation and requirements,
to decide which way they want to configure their FTP access.

gram
--
Dr Graham Wheeler E-mail: [EMAIL PROTECTED]
Director, Research and Development WWW: http://www.cequrux.com
CEQURUX Technologies Phone: +27(21)423-6065
Firewalls/VPN Specialists Fax: +27(21)424-3656