Using Proxy-DE to Secure FTP
============================

Author: Dave Edwards
Date written: Nov 18, 2006
Last updated: Nov 24, 2006
(c) Copyright by Dave Edwards, 2006. All rights reserved.

1. Introduction
2. Requirements
3. Method
4. An Example

1. Introduction
---------------

In my ongoing quest to secure TCP/IP communications between clients and servers, FTP (the File Transfer Protocol, RFC 959) has been a problem area. In addition to the control connection used for logging in and entering commands, a separate data connection is used for each file transfer or directory listing, and the port number for each data connection is negotiated between client and server. This makes it difficult to use a single proxy server (such as Proxy-DE, www.geocities.com/proxyde1 ) at each end to provide an encrypted tunnel between the FTP client and server. However, if Passive Mode (PASV) is used, and the server listens on one of a small number of configurable port numbers for the data connections, it is possible to use multiple instances of the proxy to secure all the TCP/IP traffic between the FTP client and server.

First of all, what do we mean by "secure communications", and what context of client/server machines does this method apply to?

A properly secured communication between a client and server provides the following:

(1) Authentication: The client authenticates itself to the server, and vice versa, so that each side knows it is dealing with a trusted party. This is in addition to the FTP username and password the client uses to log in to the server. In the case of a secure tunnel set up via the Proxy-DE program, authentication is done via a "shared secret" (a long password) which the client and server each know, but which is not actually transmitted.

(2) Data confidentiality: All data (commands, responses, user names, log-in passwords, data files, directory listings, etc.) between client and server is encrypted and cannot be read by a third party.
(3) Data integrity: All data between the client and server is protected from being modified by a third party. This includes deletion and insertion of data. Any such attempt is detected by the proxies and causes an error.

The context of this discussion is a client machine running Windows and a remote server machine running Windows. Both machines are assumed to be under your control, since you need to run the required instances of Proxy-DE on each machine. If either machine is behind a firewall and/or NAT (Network Address Translation) router, you also have to be able to configure them to allow the required TCP/IP connections. The firewall and router do not have to be FTP-aware (although most current routers are), since the FTP commands and responses are encrypted by the proxies and not visible to the firewall and router anyway. For the same reason an FTP-aware router cannot open the data ports for you: every port the server-side proxies listen on (not just the one for the control connection) must be explicitly reachable from the client machine.

By the way, another good way of securing all TCP/IP communications between two Windows machines in this context is to use IPSec. IPSec (Internet Protocol Security) is part of Windows 2000 Professional and Windows XP Professional. Once it has been set up on each machine, all TCP/IP traffic between the two machines is secure. IPSec has the advantage that it is transparent to TCP/IP applications, including FTP. However, it is not very easy to set up. For more info, look for IPSec in the Windows Help index.

2. Requirements
---------------

(1) You need an FTP client and server that support Passive Mode (the PASV command in the FTP protocol).

(2) You must be able to configure the FTP server (FTPD) so that it uses only a small number of specific port numbers as its listening port when establishing each data connection. Usually this feature is called a "Passive Mode port range" option in the server documentation.
We require this because, for each possible data connection listening port number that the server may use, we need to set up a pair of instances of Proxy-DE (one running on the client and one on the server), and the port number needs to be known in advance. Ideally the number of port numbers in the range should be small, such as 2 or 3. If only one FTP session is used at a time, you may even be able to use only 1 port number in the range.

In "normal" mode (active or non-passive) FTP, to set up each data connection, the client picks a random port number and listens on it. It tells the server the port number by sending it a PORT command. The server then connects to that port, and the data connection is thus established.

In Passive Mode, the client first sends the PASV command, which tells the server to use Passive Mode. This is done for each data connection. The server then chooses a port number (either random or in the specified range of port numbers), listens on that port, and tells the client the port number as part of the 227 reply to the PASV command. The reply has the form "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)", where h1 to h4 are the four octets of the server's address and the port number is p1*256+p2. The client connects to that port, and the data connection is thus established. The directory listing or file can now be transferred over the data connection. Once the data has been transferred, the data connection is terminated (but the control connection, used for FTP commands and responses, continues).

Most FTP clients support Passive Mode, and use it automatically. A notable exception is the ftp.exe client program in Windows: the ftp.exe command in Windows does not support Passive Mode. Most web browsers include an FTP client that supports Passive Mode. The browser uses it for URLs of the form ftp://somesite.com[:port]. If no port number is specified, 21 is assumed. In the case of Microsoft Internet Explorer, you must tell it to use Passive Mode in Tools / Internet Options / Advanced / "Use Passive FTP". Other FTP clients that support Passive Mode are MUSIC/SP's FTP command (e.g.
as in the MUSIC/SP 6.2 Demo system under Sim390), and WS_FTP LE (e.g. version 5.06).

Most FTP servers also support Passive Mode, and many of them allow you to specify a port range. These include MUSIC/SP's FTPD (you need the upd1.zip update to the 6.2 Demo system), and War-FTPD version 1.82 (the Passive Mode port range is specified via the file nat.conf).

In MUSIC/SP's FTPD as updated by upd1.zip, the port number range is specified by the parameters DPORT1=n,DPORTM=m in the FTPD executor file. For example, DPORT1=15001,DPORTM=3 specifies that the server will use one of the 3 port numbers starting with 15001 as its listening port in Passive Mode. It first tries 15001. If that port is already in use, it tries 15002, etc.

For the Sim390 emulator and the MUSIC/SP Demo system, see www.geocities.com/sim390 and http://webpages.mcgill.ca/staff/group3/dedwar1/web .

3. Method
---------

To secure FTP with Proxy-DE, we need to provide encrypted tunnels for the control connection and for each of the possible data connections. Each tunnel involves a pair of instances of Proxy-DE: one running on the client machine and one on the server machine. The FTP client connects locally (using name localhost = 127.0.0.1) to its proxy. That proxy connects to the server-side proxy, which finally connects locally to the FTP server (again using localhost = 127.0.0.1). The two proxies authenticate each other (via the shared secret) and encrypt all data passing between them, thus making the "tunnel".

                                tunnel
   FTP client ----> Proxy ================> Proxy ----> FTP server
   |______________________|                |______________________|
         Client machine                          Server machine

For this to work, each data connection from the FTP client must also go to localhost, i.e. to the client-side proxy listening on the port number named in the server's 227 reply. Some clients ignore the address in that reply and reuse the address of the control connection (which is 127.0.0.1 here); others connect to the address the server advertises, in which case the server must advertise 127.0.0.1 (it will if it reports the address of its own end of the control connection, since the server-side proxy connects from 127.0.0.1). Either way, confirm with a packet capture on the client machine that every data connection goes to 127.0.0.1 before relying on the setup; a data connection that goes straight to the server's address bypasses the tunnel.

If the FTP server is configured to use Passive Mode listening port numbers 15001 through 15003, for example, we would define 4 tunnels (4 pairs of proxies): 1 for the FTP session's control connection and 3 for the 3 possible port numbers for the data connections.
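The 227 reply from section 2 and the one-tunnel-per-port rule above, as an added example that is not code from this article or from Proxy-DE: a small Python module that parses a PASV reply (RFC 959 format, port = p1*256+p2), builds one, and decides whether a tunnel-aware client may open the data connection through its client-side proxy. The function names, the port range 15001-15002 and the sample replies are this example's own assumptions.

```python
"""Parse the 227 reply to PASV and check the port against the tunnelled range.

Added example, not code from the article or from Proxy-DE. The function
names, the sample replies and the port range are this example's own; the
reply format (six comma-separated numbers, port = p1*256 + p2) is RFC 959.
"""
import re

# RFC 959 fixes the six numbers but not the text around them, so only the
# numeric tuple is matched: "227 Entering Passive Mode (127,0,0,1,58,153)"
# and the terser "227 =127,0,0,1,58,153" both parse.
_PASV_RE = re.compile(
    r"^227\D*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def parse_227(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 PASV reply; raise ValueError otherwise."""
    m = _PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value above 255 in PASV reply: {reply!r}")
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("PASV reply names port 0")
    return ".".join(map(str, nums[:4])), port


def encode_227(host: str, port: int) -> str:
    """Build the reply a server sends for a given IPv4 address and data port."""
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = host.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {host!r}")
    return f"227 Entering Passive Mode ({','.join(octets)},{port // 256},{port % 256})"


def tunnel_endpoint(reply: str, pasv_first: int, pasv_count: int,
                    proxy_host: str = "127.0.0.1") -> dict:
    """Decide where a tunnel-aware client should open its data connection.

    One proxy pair exists per passive port p, and the client-side proxy for
    p listens on proxy_host:p, so the port is used unchanged and only the
    host is replaced. A port outside the configured range has no tunnel,
    which means the server's Passive Mode port range and the proxies
    disagree; refusing is safer than connecting in the clear.
    """
    host, port = parse_227(reply)
    last = pasv_first + pasv_count - 1
    if not pasv_first <= port <= last:
        raise ValueError(
            f"server chose data port {port}, but only {pasv_first}-{last} are tunnelled"
        )
    return {
        "connect_to": (proxy_host, port),
        # A client that honours the advertised host instead of reusing the
        # control connection's address would leave the tunnel if this is False.
        "advertised_host_is_proxy": host == proxy_host,
    }


if __name__ == "__main__":
    # Constructed replies: one in range, one in range but advertising the
    # server's public address, one outside the configured range.
    for sample in ("227 Entering Passive Mode (127,0,0,1,58,153)",
                   "227 Entering Passive Mode (150,99,220,7,58,154)",
                   "227 Entering Passive Mode (127,0,0,1,58,155)"):
        try:
            print(sample, "->", tunnel_endpoint(sample, 15001, 2))
        except ValueError as err:
            print(sample, "-> REFUSED:", err)
```

The `advertised_host_is_proxy` flag is the check from the paragraph above: if it is False and your client follows the advertised address, the data connection would not pass through the client-side proxy.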
If the client-side proxy for the control connection listens on port 2000, for example (this port number is arbitrary), the user of the FTP client program would connect to localhost:2000, instead of connecting directly to port 21 (or whatever) of the server.

Once the proxies are started on each machine, you can minimize their screens and forget about them, until you have to restart Windows. I find it handy to create a text file with the commands needed to start the proxies, so that I can copy and paste the commands when I need to start the proxies.

4. An Example
-------------

The setup will be clearer if we use a concrete example. Suppose the client machine has IP address 200.101.230.25 and the server machine has IP address 150.99.220.7. Assume we have configured the FTP server's Passive Mode port range to be 15001 through 15002, that is, only 2 possible port numbers for the data connections. Also assume the FTP server is configured to listen for connections on port 1421, instead of the usual port 21. The user of the FTP client will connect to localhost:2000 instead of 150.99.220.7:1421.
Then the commands to start the 3 proxies on the client side are:

   proxy 2000 150.99.220.7 3000 -f=c:\mydata\proxy_parm1.txt
   proxy 15001 150.99.220.7 3001 -f=c:\mydata\proxy_parm1.txt
   proxy 15002 150.99.220.7 3002 -f=c:\mydata\proxy_parm1.txt

The commands to start the 3 proxies on the server side are:

   proxy 3000 127.0.0.1 1421 -f=c:\mydata\proxy_parm2.txt
   proxy 3001 127.0.0.1 15001 -f=c:\mydata\proxy_parm2.txt
   proxy 3002 127.0.0.1 15002 -f=c:\mydata\proxy_parm2.txt

Note that the client-side listening port of each data tunnel (15001, 15002) is the same number as the server's Passive Mode port it leads to: the FTP client connects to the port number it receives in the 227 reply, so the client-side proxy must be listening on exactly that number. The ports in between (3000 through 3002) are arbitrary, but they must be reachable on the server machine from the client machine, and they must not collide with the ports FTPD itself listens on (1421, 15001 and 15002 here).

The client-side proxy parameter file (proxy_parm1.txt) is:

   * Client-side parameters for Proxy-DE for securing FTP tunnel
   options minmsglen 256 msglenmult 256 encrtype rc4
   filter accept 127.0.0.1
   filter deny all
   tunnel clientside username mytunid secret tp95-RK0684371*mmv+36

The server-side proxy parameter file (proxy_parm2.txt) is:

   * Server-side parameters for Proxy-DE for securing FTP tunnel
   options minmsglen 256 msglenmult 256 encrtype rc4
   filter accept 200.101.230.25
   filter deny all
   tunnel serverside username mytunid secret tp95-RK0684371*mmv+36

The filter lines restrict who may connect to each proxy: the client-side proxies accept connections only from the local machine (127.0.0.1), and the server-side proxies only from the client machine's address (200.101.230.25). The shared secret (the "secret" value) is the only thing that authenticates the two ends to each other, so it must be long and unguessable, it must be identical in both files, and the files must not be readable by other users of either machine. For added security, these parameter files could be defined as encrypted files in the Windows NTFS file system (the NTFS Encrypting File System, EFS). The encrtype rc4 option selects the RC4 stream cipher; RC4 has since been shown to have keystream biases and is prohibited in TLS (RFC 7465), so prefer a stronger cipher if the proxy offers one.

If you are using MUSIC/SP's FTPD, its executor file could be named $000:myftpd and contains:

   /COM ** FTPD executor for encrypted tunnel.
   /SYS REG=512,TIME=MAX
   /LOAD XMON
   FTPD N($TCP:FTPD.LMOD) TRFLAG=F,
    PUBCOD='$PUB','$PUB','$PUB','$PUB','$PUB',
    ANONOK=F, UPANON=F,F,F,F,F,
    ANONID='anonymous','ANONYMOUS','anonymou','ANONYMOU','ftp',
    AUTOTY=T,AUTOFL='$TCP:FTPD.FILETYPES',
    MTRANS=T,DIRFRM=1,PASVOK=T,OK3RDP=F,BANNER='FTPD - ready',
    DROP=60, PORT=1000,DPORT1=15001,DPORTM=2,
    BS=20480

Note that anonymous FTP logins are not allowed (ANONOK=F), and that DPORT1=15001,DPORTM=2 gives exactly the 2 Passive Mode ports the proxies above are set up for.

Since we want this FTPD to listen on a nonstandard port number 1421, we must add it to file $tcp:inetd.ports (and restart MUSIC/SP):

   ; INETD definitions
   21 stream 0 $tcp:ftpd
   1421 stream 0 $000:myftpd
   80 stream 0 $tcp:httpd

The MUSIC/SP command to connect to the server from the client machine is:

   ftp localhost -l -p2000
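For the setup just shown, the following Python script is an added example (not part of the article or of Proxy-DE) that derives the tunnel pairs from the port numbers and checks the plan for the two mistakes that are easy to make when the range changes: a client-side listening port used twice (for instance a control port chosen inside the passive range), and a server-side proxy listening on a port FTPD itself uses. The "proxy <listen> <host> <port> -f=<file>" command-line shape is taken from the article's example; the Tunnel record, the function names and the collision rules are this example's own assumptions.

```python
"""Plan the Proxy-DE pairs for one FTP setup and check for port collisions.

Added example, not part of the article or of Proxy-DE. The command-line
shape "proxy <listen> <host> <port> -f=<file>" is copied from the article's
example; Tunnel, plan_tunnels, check_plan and proxy_commands are this
example's own names, and the collision rules are what the topology implies,
not a feature of Proxy-DE.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    purpose: str
    client_listen: int   # client machine: port the FTP client connects to
    remote_port: int     # server machine: port the server-side proxy listens on
    server_target: int   # server machine: port FTPD listens on for this tunnel


def plan_tunnels(control_listen: int, server_ctrl_port: int,
                 pasv_first: int, pasv_count: int, remote_base: int) -> list[Tunnel]:
    """One tunnel for the control connection plus one per passive port."""
    plan = [Tunnel("control", control_listen, remote_base, server_ctrl_port)]
    for i in range(pasv_count):
        p = pasv_first + i
        # The FTP client connects to the port number it gets in the 227 reply,
        # so the client-side listener for a data tunnel must be that same
        # number; only the port in the middle (remote_port) is free to choose.
        plan.append(Tunnel(f"data{i + 1}", p, remote_base + 1 + i, p))
    return plan


def check_plan(plan: list[Tunnel]) -> list[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    for t in plan:
        for port in (t.client_listen, t.remote_port, t.server_target):
            if not 1 <= port <= 65535:
                problems.append(f"{t.purpose}: port {port} is not a valid TCP port")
    # Client machine: every client-side proxy needs its own listening port.
    listens = [t.client_listen for t in plan]
    for port in sorted({p for p in listens if listens.count(p) > 1}):
        problems.append(f"client-side listen port {port} is used by more than one tunnel")
    # Server machine: the server-side proxies and FTPD share one TCP port
    # space, so no proxy may listen on a port FTPD uses (control or passive).
    ftpd_ports = {t.server_target for t in plan}
    for t in plan:
        if t.remote_port in ftpd_ports:
            problems.append(f"{t.purpose}: server-side proxy port {t.remote_port} collides with FTPD")
    remotes = [t.remote_port for t in plan]
    for port in sorted({p for p in remotes if remotes.count(p) > 1}):
        problems.append(f"server-side proxy port {port} is used by more than one tunnel")
    return problems


def proxy_commands(plan: list[Tunnel], server_ip: str,
                   client_parm: str, server_parm: str) -> tuple[list[str], list[str]]:
    """Render the start-up command lines for the client and server machines."""
    client = [f"proxy {t.client_listen} {server_ip} {t.remote_port} -f={client_parm}"
              for t in plan]
    server = [f"proxy {t.remote_port} 127.0.0.1 {t.server_target} -f={server_parm}"
              for t in plan]
    return client, server


if __name__ == "__main__":
    # The article's example: control on 2000, FTPD on 1421, passive 15001-15002.
    plan = plan_tunnels(2000, 1421, 15001, 2, 3000)
    for problem in check_plan(plan):
        print("PROBLEM:", problem)
    client_cmds, server_cmds = proxy_commands(
        plan, "150.99.220.7",
        r"c:\mydata\proxy_parm1.txt", r"c:\mydata\proxy_parm2.txt")
    print("\n".join(["client side:"] + client_cmds + ["server side:"] + server_cmds))
```

Run it once with the numbers from your own FTPD configuration; if check_plan reports nothing, the printed lines are the two start-up lists, and a non-empty report means a port has to change before any proxy is started.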