TRILENT FTP PROXY

APPLICATION NOTE

Why would I need the Trilent™ FTP Proxy? When would I use one? What are the network configurations that require or benefit from the use of it? This section addresses such questions by describing its application environment, the Internet. What follows is a short bird's eye view of the Internet as it is today, and the role the Trilent FTP Proxy plays in the big picture.


Example Network

The majority of networks connected to the Internet look like the picture below. These are small, single-subnet networks connected to the Internet at a single point called a gateway.


[Figure: Example Network]


The gateway may have different physical forms (a dedicated computer, a router, a DSL modem, etc.). The feature common to all gateways is that they have at least two interfaces. One interface is connected to the internal network (we will call it the inside interface), while the other (the outside interface) is connected to the Internet, typically through an Internet Service Provider (ISP). The Trilent FTP Proxy is usually installed on the gateway computer.


Network Addresses

The IP (Internet Protocol) is the "language" of the Internet. Every computer (interface) on an IP network is identified by a unique IP address which facilitates the routing of information. An IP address looks like this: 172.16.94.97. Each of the dot-separated numbers can range from 0 to 255, for a total of over 4 billion possible addresses. In our example network, each of the four computers on the inside network has an IP address. The gateway host has two addresses, one for each interface.

The growth of the Internet has created an IP address shortage because there are only so many unique addresses. This is a big problem. The solution to this problem is found in the common use of RFC1918 addresses. These are three ranges of private IP addresses originally set aside for testing purposes, namely, 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. The routers on the Internet are prohibited from forwarding information to any of these addresses, which makes them unreachable from the Internet and therefore "invisible."

How does the use of private IP addresses help relieve the address shortage? Consider our example network. All computers on the internal network, including the inside interface of the gateway host, have been assigned private addresses. Only the outside interface of the gateway, connected to the outside world, has a "real" (i.e. publicly known and globally unique) IP address. The whole network now uses only a single "real", or public, IP address. The private IP addresses of the internal computers are invisible from the Internet. They can be reused in another network without causing problems such as addressing ambiguity.

The inside computers can still communicate with the Internet through the gateway, provided that it can translate between private and public IP addresses. For each connection (exchange of information) the gateway must transparently substitute internal private IP addresses with its own public address. To the outside world it appears that all connections originate from the gateway host. The two technologies used to perform this substitution are Network Address Translation (NAT) and the use of Application Proxies. Both will be described in this document.


Firewalls

The isolation of the inside network resulting from the use of private addresses gives it a measure of security. In the real world this security proved inadequate. Non-compliant routers can forward to private addresses, and the address "spoofing" technique (substituting false addresses for correct ones) can be used to confuse computers. For example, a malicious outside connection can masquerade as an innocent one originating from the inside network, and therefore be trusted.

Enter firewalls. A firewall is a program installed on the gateway host. It analyzes and filters the information traffic flowing between the inside network and the outside world. The function of the firewall is to block all traffic deemed harmful from entering the inside network. The "block/no block" decision is based on a set of criteria or rules defining what constitutes harmful traffic.

A simple rule for our example network would be to block all connections from private IP addresses (e.g. 168.0.0.7) arriving on the outside interface (i.e. from the Internet). In an ideal world, this would never happen. Remember - routers are prohibited from forwarding to/from such addresses. However, non-compliant routers and address spoofing make it possible.

Creating firewall filtering rules is a whole science, but obviously the more the firewall knows about the nature of the connection the better filtering job it can do. More about that later.
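The two mechanisms described above, the private-address filtering rule on the outside interface and the connection table a translating gateway must keep, as an added example that is not part of the original note and not Trilent code. The public address 198.51.100.1 and the sample packets are constructed for illustration.

```python
import ipaddress
import itertools

# The three RFC1918 ranges named in the text
RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls inside one of the private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918_NETS)


def should_block(src_ip, iface):
    """The example-network rule: a private source address arriving on the
    outside interface can only be spoofed or leaked by a non-compliant
    router, so it is dropped. The same address on the inside is normal."""
    return iface == "outside" and is_rfc1918(src_ip)


class NatGateway:
    """Minimal connection-tracking translator: every new outbound flow from
    an inside host gets its own port on the single public address, and the
    table is consulted in reverse to hand replies back to the right host.
    The table grows with the number of flows, which is the scaling cost
    the text mentions."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.table = {}    # (inside_ip, inside_port) -> public_port
        self.reverse = {}  # public_port -> (inside_ip, inside_port)

    def outbound(self, src_ip, src_port):
        """Translate an inside source to (public_ip, public_port)."""
        key = (src_ip, src_port)
        if key not in self.table:
            port = next(self._ports)
            self.table[key] = port
            self.reverse[port] = key
        return self.public_ip, self.table[key]

    def inbound(self, dst_port):
        """Map a reply on a public port back to the inside host, or None
        when no inside host opened that connection (so it is dropped)."""
        return self.reverse.get(dst_port)
```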


Network Address Translation (NAT)

As its name implies, Network Address Translation (NAT) is a technology in which the gateway substitutes internal private IP addresses with its own public address. This substitution is performed on every connection to and from the Internet. The great advantage of NAT is its transparency to users and easy configuration, the primary reasons for its widespread popularity. For example, Microsoft ICS (Internet Connection Sharing) for Windows is based on NAT technology.

The generic nature of NAT makes building truly secure firewalls difficult. Since all types of connections are indiscriminately translated, their variety makes it difficult to develop effective filtering rules to detect and block all harmful traffic.

Another drawback of NAT is that it does not scale well. While it is not immediately obvious, the address translator (also known as a circuit-level proxy) must keep track of all its connections so it can return information from a server to the specific client that requested it. As the network size grows, this database of connections quickly becomes unwieldy.


Application Proxies

In this model, the firewall blocks all traffic with the exception of a few, well-defined holes in its wall. Each hole allows a single application to access the Internet. The gateway must still translate private IP addresses to/from its public address. This is done separately for each application by an application-specific program called a proxy.

The most popular Internet application is the World Wide Web (the Web). The firewall is configured to specifically pass Web traffic, while the application proxy, in this case the Web proxy, is responsible for address translation for Web connections. The Apache Server is an example of a popular Web proxy for Windows.

FTP (File Transfer Protocol) is another popular application. Another hole in the firewall would accept FTP traffic, and an FTP proxy would translate addresses. The Trilent FTP Proxy was developed for this purpose.

Application proxies contribute to the security of firewalls. Application-level proxies "understand" the nature of the connections their respective applications require. For example, the Trilent FTP Proxy uses the FTP protocol to pass files. During its operation, this proxy enforces file transfer protocol rules on the traffic sequence. This has the effect of blocking unwanted non-FTP traffic, which is unlikely to follow these rules, from accessing the protected network.

Some proxy servers support proxying at the transport layer. They are called circuit-level proxies or transparent proxies, as they do not require configuration. These proxies operate on the same principle as the NAT described above, and share its strengths and weaknesses.

There are also intelligent circuit-level proxies, based on the SOCKS protocol. These proxies are transparent to the user, but require support for SOCKS to be built into client applications for proxying to work. SOCKS proxies are beyond the scope of this document.


Reverse Proxying

Application proxies are mainly used to allow multiple computers on a private network to access the Internet through a single shared Internet connection. That implementation has been described in the previous sections of this document for our example network.

Proxy servers are increasingly being used for inbound connections as well. When an application proxy handles a connection coming into the private network from the Internet, the process is called reverse proxying.

Reverse proxying is used to make servers on a private, firewall-protected network accessible from the Internet. This allows users located beyond the firewall to transfer files to and from the network. The arrangement is shown here:

[Figure: Reverse Proxy]


The reverse proxy forwards client connections to a single server (e.g. the internal FTP server on the diagram above). This differentiates the reverse-proxy mode from the normal proxy operation where servers are selected by clients. Unlike the regular application-level proxy, the reverse proxy is completely transparent to users. To FTP clients on the Internet it appears that the FTP server is installed directly on the gateway computer.

Then why not install the server on the gateway and get rid of the proxy altogether? There may be many valid reasons. For example, the server and the gateway may run different operating systems. The proxy also makes it easy to change or replace servers and to provide server backup.

The most serious drawback of the setup presented here is weak security. If the internal FTP server is ever compromised, the intruder has complete access to the private network. Therefore, only application-level proxies provide suitable security for reverse proxying. Transparent (or circuit-level) proxies that indiscriminately translate all connections are too risky.

The reverse proxy is most useful in providing temporary or limited access to the private network for a selected group of users (such as a company's sales force). It is not suitable for commissioning high-volume public servers. Such servers should be installed on a separate sub-network protected by additional firewalls. The details are beyond the scope of this document.


File Transfer Protocol

The File Transfer Protocol (FTP) is a primary Internet standard for file transfer. It is commonly used to exchange files between computers on the Internet while transparently handling the translation problems that occur when different types of computers communicate.

One of the oldest protocols still in use today, FTP was first developed in 1971. The current specification (RFC-959) dates back to 1985, almost 20 years ago. This longevity is a testimony to the protocol's robustness and utility.

The most common use of FTP is to download files from Internet servers. FTP also allows uploading files to a server and updating (i.e. deleting, renaming, moving, or copying) files on a server. Internet users use FTP all the time, sometimes without realizing it.

Users connect to FTP servers using FTP client programs installed on their computers. These ubiquitous programs present a uniform command-oriented or graphical user interface for accessing and transferring files. An FTP server usually requires the user to supply a user name and password for authentication. Some public FTP servers accept "anonymous" as the user name and require no password.

A great advantage of these command-oriented FTP clients is their ability to support scripting. A batch of commands can be written into a script and executed automatically. For example, several files constituting an entire Web site can be uploaded to a server via FTP with a single mouse click.

Today, most Web browsers can also connect to FTP servers using URLs (Uniform Resource Locators). This allows users to view FTP sites and manipulate server files via FTP through a familiar interface similar to that used for Web pages. An FTP URL takes the following form (username, password, and port are optional):
ftp://<username>:<password>@<ftpserver>:<port>

While Web browsers use the FTP protocol to talk to FTP servers directly, their proxy support is limited to CERN-type proxies. A CERN-type proxy avoids the complexities of proxying the FTP protocol by talking to the Web browser via HTTP (Hyper Text Transfer Protocol) while talking to the FTP server via FTP. The operation is shown here:

[Figure: CERN Proxy]

The CERN-type proxy thus behaves like a Web proxy on the client side and like an FTP proxy on the server side. Both Netscape Navigator and Microsoft Internet Explorer support CERN-type proxying. (Note: The current version of the Trilent FTP Proxy is strictly an FTP-to-FTP proxy. Several excellent CERN-type proxies are available on the market.)

Disadvantages of the FTP protocol are:

Passwords and file contents are sent in clear text over the Internet, allowing unwanted eavesdropping.

It is hard to filter FTP traffic using a firewall, since the data connection is made to an arbitrary port on the client computer. (Note: The firewall-friendly Trilent FTP Proxy eliminates this disadvantage through the use of passive data connections.)

It is possible to tell a server to send data to an arbitrary port on a third computer. (Note: The Trilent FTP Proxy disallows such requests, if so configured.)

Despite these disadvantages, FTP is and will likely remain one of the most popular protocols on the Internet.
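The two proxy-side protections named in the notes above, rejecting PORT commands that point at a third computer and rewriting the server's passive-mode reply so the client connects back to the gateway, as an added example that is not part of the original note and not Trilent code. The function names, the proxy address 198.51.100.1 and the sample commands are constructed for illustration; the h1,h2,h3,h4,p1,p2 encoding is the one RFC 959 defines for PORT and the 227 reply.

```python
import re

# RFC 959 address form: four octets and two port bytes, comma separated
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if malformed."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]


def format_hostport(ip, port):
    """Encode (ip, port) back into the h1,h2,h3,h4,p1,p2 form."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def check_port_command(line, control_peer_ip):
    """Policy for a client PORT command seen by the proxy: the data address
    must be the address the control connection came from. Anything else
    would make the server open a data connection to a third computer."""
    if not line.upper().startswith("PORT "):
        return "not_port"
    hp = parse_hostport(line[5:])
    if hp is None:
        return "reject_malformed"
    ip, _port = hp
    if ip != control_peer_ip:
        return "reject_third_party"
    return "accept"


def rewrite_pasv_reply(reply, proxy_ip, proxy_port):
    """Replace the server's (private) address in a 227 reply with the
    proxy's public address and a port the proxy listens on, so the client's
    passive data connection terminates at the gateway."""
    if not reply.startswith("227"):
        return reply
    return _HOSTPORT.sub(format_hostport(proxy_ip, proxy_port), reply, count=1)
```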



© 2003-2008 TRILENT LLC. All rights reserved.