How Deep Inspection Firewalls can Interfere with FTP Uploads and Downloads

Deep inspection firewalls, also known as deep packet inspection (DPI) firewalls, analyze the content of network traffic beyond basic header information, inspecting the payload of packets to enforce security policies, detect anomalies, and filter out malicious data. While this provides enhanced security, deep inspection can interfere with FTP uploads and downloads due to the unique characteristics of the FTP protocol.

Here’s how DPI firewalls can interfere with FTP:

1. FTP’s Use of Multiple Connections (Control and Data Channels):

  • Control Connection: FTP uses a control connection on port 21 to send commands (e.g., file transfers, authentication, directory listing).
  • Data Connection: FTP uses a separate data connection for transferring actual files, which can be dynamically established on a different port.
    • In Active Mode, the server initiates the data connection to the client on a dynamically chosen port.
    • In Passive Mode, the client initiates the data connection to the server on a dynamically chosen port provided by the server in response to a “PASV” command.

Since FTP opens these two separate connections, DPI firewalls can interfere in several ways:

2. Difficulty with Dynamic Port Allocation:

  • Deep inspection firewalls often have rules about which ports are allowed for certain types of traffic.
  • FTP’s dynamic port selection for the data connection (especially in Passive Mode, where the server selects a port above 1024) can confuse firewalls. If the firewall doesn’t properly recognize the dynamic port, it may block the data connection, preventing files from being uploaded or downloaded.
  • Firewalls need to track and inspect the control connection to understand which port will be used for the data connection. However, if the firewall struggles to parse the FTP commands or dynamically adjust to new ports, it can result in blocked or failed transfers.

3. Interference with Plaintext Protocols:

  • FTP, by default, transmits commands, file names, and data in plain text (unencrypted). DPI firewalls inspect this traffic for security threats, such as malware in files or malicious commands.
  • During uploads and downloads, the firewall may block or delay file transfers if it detects something suspicious (e.g., non-compliant file types, suspicious patterns, or oversized files) in the traffic, even if the traffic is legitimate.
  • Even benign file transfers may be slowed down or dropped if they contain patterns (like certain file signatures or code) that match firewall security policies.

4. Active vs. Passive FTP Mode Complications:

  • Active Mode: In active mode, the firewall may block the incoming data connection initiated by the FTP server back to the client (due to security concerns about unsolicited inbound connections). Since the firewall inspects and blocks these connections, active mode transfers often fail unless the firewall is specifically configured to allow FTP’s active data connections.
  • Passive Mode: In passive mode, the client initiates the data connection, but it does so using the dynamic port given by the server. DPI firewalls may block or interfere with the dynamically chosen port, which they might not recognize as part of the FTP session.

5. FTPS Encryption Obfuscating Traffic:

  • When FTP is secured using TLS/SSL (FTPS), it encrypts both the control and data channels. While this improves security, it also prevents the DPI firewall from inspecting the contents of the FTP session.
  • Since DPI firewalls rely on inspecting the actual packet content to make decisions, encryption prevents them from reading the FTP commands and replies (such as the “PASV” command and the port numbers exchanged on the control channel), so the firewall may block or mismanage the traffic.
  • To mitigate this, special configurations (such as allowing FTP over TLS traffic or bypassing DPI for certain trusted connections) may be needed.
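
The control-channel tracking described in sections 2 and 5, as an added example that is not part of the original article: a minimal Python sketch of what an FTP helper has to parse to learn the data port, and why it learns nothing once the session switches to TLS. The function names, the "C"/"S" sender labels, and the sample sessions are assumptions made for illustration; the addresses are constructed documentation values.

```python
import re

# Control-channel messages that announce a data port (RFC 959, RFC 2428).
HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_CMD = re.compile(r"^PORT " + HP + r"\s*$", re.I)      # client, active mode
PASV_REPLY = re.compile(r"^227 .*?" + HP)                   # server, passive mode
EPSV_REPLY = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")    # server, extended passive


def host_port(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port); None if any field exceeds 255."""
    nums = [int(g) for g in groups]
    if max(nums) > 255:
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def expected_data_connections(client_ip, server_ip, lines):
    """Return (mode, initiator_ip, listener_ip, listener_port) tuples that a
    helper could learn from the (sender, line) pairs of one control connection."""
    expected, encrypted = [], False
    for sender, line in lines:
        if encrypted:
            continue  # after TLS starts, the helper sees only ciphertext
        if sender == "S" and line.startswith("234"):
            encrypted = True  # server accepted AUTH TLS (RFC 4217)
        elif sender == "C" and (m := PORT_CMD.match(line)):
            if hp := host_port(m.groups()):
                expected.append(("active", server_ip, *hp))
        elif sender == "S" and (m := PASV_REPLY.match(line)):
            if hp := host_port(m.groups()):
                expected.append(("passive", client_ip, *hp))
        elif sender == "S" and (m := EPSV_REPLY.match(line)) and int(m.group(1)) <= 65535:
            expected.append(("passive", client_ip, server_ip, int(m.group(1))))
    return expected


# Constructed sessions (documentation addresses, not captured traffic).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
PLAIN = [("C", "PASV"),
         ("S", "227 Entering Passive Mode (198,51,100,5,195,80)"),
         ("C", "PORT 192,0,2,10,19,137"),
         ("S", "200 PORT command successful")]
FTPS = [("C", "AUTH TLS"), ("S", "234 AUTH TLS successful")] + PLAIN

if __name__ == "__main__":
    print(expected_data_connections(CLIENT, SERVER, PLAIN))
    print(expected_data_connections(CLIENT, SERVER, FTPS))  # []
```

For the plain session the helper learns one passive and one active data endpoint; for the FTPS session the list is empty, so the firewall has no port to open dynamically.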

6. Inspection-Induced Latency:

  • Deep packet inspection is a computationally intensive process. As the firewall analyzes both control and data channels, it can introduce latency or slow down the transfer, especially with large files or in high-traffic environments. In extreme cases, the file transfer may time out or get interrupted due to delays caused by firewall inspection.

7. File-Type Filtering:

  • Some DPI firewalls enforce policies that block certain file types (e.g., executable files like “.exe”, or potentially malicious documents like “.docm”). If the firewall inspects the FTP traffic and determines that the file type violates security policy, the transfer may be blocked or filtered, regardless of whether the transfer is legitimate.

In Summary:

  1. Dynamic Ports: Firewalls may block dynamic data ports, especially in Passive Mode, leading to failed transfers.
  2. Blocking Active Mode: Firewalls often block incoming connections, interfering with Active FTP transfers.
  3. Inspection of Plaintext Traffic: Firewalls may block or delay FTP commands and file transfers if they detect suspicious content.
  4. FTPS Encryption: DPI firewalls can’t inspect encrypted traffic, leading to potential blocking or interference if the control and data channels are encrypted.
  5. Latency and Timeouts: Deep inspection can slow down file transfers, potentially causing timeouts or interrupted sessions.
  6. File-Type Blocking: Firewalls may block certain file types or sizes, disrupting legitimate transfers.

Mitigating Interference:

  • Configure the firewall to handle dynamic ports used by FTP (especially for Passive Mode).
  • Use FTP over TLS (FTPS) and configure the firewall to allow encrypted FTP traffic through without deep inspection.
  • Enable specific FTP inspection modules on the firewall (some firewalls have built-in FTP helpers to manage dynamic port assignments).
  • Use SFTP (Secure File Transfer Protocol) as an alternative to FTP. Since SFTP operates over a single encrypted connection via SSH (port 22), it avoids many of the issues that arise with FTP’s multiple connections and unencrypted data.