Cisco Support Community

New Member

FTP Passive mode is more secure than Active mode!? How?


I do understand the operation of FTP Active vs Passive mode when I read about it in books,

but the reason why Passive mode is more secure, I do not exactly get!

I would appreciate it if someone could help me understand this point.

VIP Gold

You need not deal with incoming TCP streams.

VIP Purple


It always depends on which aspect of security you are talking about. They are no different in security when it comes to confidentiality and integrity of the transmission. Both are not cryptographically protected. With that, if your data has to be protected, you should avoid FTP.

The main difference in security is about what you have to allow on your firewall. With passive FTP your clients only initiate outbound connections. With active mode, the data-channel is an inbound connection through your firewall. For sure, that is handled through stateful inspection and only the right traffic is allowed to come in. Still, having inbound connections from an untrusted network directly to your user-systems is considered less secure than only having outbound connections.

For optimum security, there should always be an FTP-proxy in a DMZ.

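The firewall difference described in the reply above, shown as the control-channel parsing a stateful FTP inspection has to do in each mode. This is an added example, not part of the original thread; the function names are hypothetical and the session lines and addresses are constructed sample values.

```python
import re
from typing import NamedTuple, Optional

class DataChannel(NamedTuple):
    mode: str          # "active" or "passive"
    initiator: str     # side that opens the data connection
    listener: str      # "ip:port" the other side is listening on
    client_side: str   # what the client's firewall has to permit

# h1,h2,h3,h4,p1,p2 as carried by PORT and by the 227 reply
_TUPLE = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def _endpoint(text: str) -> str:
    m = _TUPLE.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {text!r}")
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"value above 255 in {text!r}")
    host = ".".join(str(n) for n in nums[:4])
    return f"{host}:{nums[4] * 256 + nums[5]}"   # port = p1*256 + p2

def data_channel(control_line: str) -> Optional[DataChannel]:
    """Classify a control-channel line that negotiates the data channel."""
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        # Active: client announces its listener, server connects in to it.
        return DataChannel("active", "server", _endpoint(line), "inbound pinhole to client")
    if line.startswith("227 "):
        # Passive: server announces its listener, client connects out to it.
        return DataChannel("passive", "client", _endpoint(line), "outbound only")
    return None  # not a data-channel negotiation

# Constructed sample control-channel lines (documentation addresses).
SESSION = [
    "USER anonymous",
    "PORT 192,168,1,10,19,137",
    "227 Entering Passive Mode (203,0,113,5,195,80)",
]

if __name__ == "__main__":
    for line in SESSION:
        dc = data_channel(line)
        if dc:
            print(f"{dc.mode:7} {dc.initiator} -> {dc.listener}  [{dc.client_side}]")
```

With the PORT line the client-side firewall must open a temporary inbound path to 192.168.1.10:5001; with the 227 reply the client only makes another outbound connection.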