Posted on November 25, 2020
by Heath Kath
The Classics: FTP, FTPS, & SFTP
FTP, FTPS, and SFTP are three of the key protocols for transferring files. However, just because a protocol is a classic doesn’t mean you should be using it for every kind of file transfer.
If you’re not sure what protocol you should be using and for what situations, this is the perfect opportunity to learn and pick the one that best serves your organization's security needs.
What is FTP?
The original file transfer protocol, FTP, is a standard network protocol used to exchange files over a Transmission Control Protocol (TCP) and Internet Protocol (IP) network.
This file transfer method has been around longer than the World Wide Web (WWW) – and it hasn’t changed much since its invention. FTP uses one channel (port 21) for sending authentication commands and receiving acknowledgements. However, it must open another port dynamically in order to transfer data – this is called the data channel.
With FTP, user credentials are sent as plain text and files are not encrypted when they are transferred. With both channels unencrypted, data is left vulnerable to being intercepted and taken advantage of.
Besides lacking encryption, FTP is also missing features like automation and does not meet compliance requirements. FTP users also often report problems like connection errors and inconsistent functionality.
Overall, as a protocol, FTP wasn’t constructed to deal with the kind of cybersecurity threats we now face and the demands of today’s IT environment.
When Should You Use FTP?
FTP should only be used when you are exchanging or sending files that aren’t sensitive in nature. Other than that, FTP is an outdated protocol that lacks the security options to protect your data and it opens the door for cyberattacks.
While using an open-source FTP tool may be tempting due to its free nature, it is not a worthwhile option. No new FTP security features are added or updated, so your organization can outgrow FTP quickly. When you consider the need to meet compliance regulations, trading partner requirements, general data security standards, and the expectation from the public that their data will be kept safe, FTP is a solution to forget.
What is FTPS?
FTPS, or FTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS), is a secure file transfer protocol that allows you to connect and securely exchange files with trading partners, customers, and users.
To authenticate a connection, FTPS uses a combination of user IDs, passwords, and/or certificates to verify a system’s authenticity. Like basic FTP, FTPS uses two connections: a command channel and a data channel. You can choose to encrypt both connections – or only the data channel. FTPS implements strong algorithms like AES and Triple DES to encrypt critical file transfers.
However, FTPS can be more difficult to connect through firewalls with high levels of security. It uses multiple port numbers for implicit (port 990) and explicit (port 21) connection types, which can open you up to vulnerabilities.
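The plain-text credentials described under "What is FTP?" and the per-channel encryption choice described above can both be checked from a record of the commands a client sent on port 21, such as a server's command log. The following Python sketch is an added example, not part of the original article; the function name, finding strings, and sample sessions are constructed for illustration, and it assumes every logged command was accepted by the server.

```python
# Added example: audit an FTP/FTPS client command sequence (port 21).
# Assumption: every command was accepted by the server; replies are not checked.
TRANSFER_CMDS = {"RETR", "STOR", "STOU", "APPE", "LIST", "NLST", "MLSD"}

def audit_ftp_session(commands):
    """Return sorted findings for one control-channel command sequence."""
    tls_negotiated = False      # AUTH TLS seen (explicit FTPS)
    control_encrypted = False   # commands currently travel inside TLS
    data_private = False        # PROT P in force for the data channel
    findings = set()
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip().upper()
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            tls_negotiated = control_encrypted = True
            data_private = False    # RFC 4217: data protection starts as Clear
        elif verb in ("USER", "PASS") and not control_encrypted:
            findings.add("credentials sent in clear text")
        elif verb == "PROT":
            # PROT P only protects the data channel once TLS was negotiated
            data_private = tls_negotiated and arg == "P"
        elif verb == "CCC" and control_encrypted:
            control_encrypted = False
            findings.add("command channel returned to clear text (CCC)")
        elif verb in TRANSFER_CMDS and not data_private:
            findings.add("data channel not encrypted")
    return sorted(findings)

# Constructed sample sessions (user name, password and file names are made up).
LOGIN = ["USER alice", "PASS example-password"]
SESSIONS = {
    "plain FTP": LOGIN + ["PASV", "RETR report.csv", "QUIT"],
    "explicit FTPS, both channels":
        ["AUTH TLS"] + LOGIN + ["PBSZ 0", "PROT P", "PASV", "STOR report.csv"],
    "explicit FTPS, clear data":
        ["AUTH TLS"] + LOGIN + ["PBSZ 0", "PROT C", "PASV", "LIST"],
    "explicit FTPS, data only":
        ["AUTH TLS"] + LOGIN + ["PBSZ 0", "PROT P", "CCC", "PASV", "RETR report.csv"],
}

if __name__ == "__main__":
    for name, cmds in SESSIONS.items():
        print(f"{name}: {audit_ftp_session(cmds) or 'no findings'}")
```

An empty result means the login and every transfer in the session were protected; implicit FTPS on port 990 is outside what this sketch models.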
When Should You Use FTPS?
FTPS is your best option for secure file transfer in the following examples:
- Your trading partner requires third party verified SSL certificates to establish trust. SSL certificates have Certificate Authorities (CA), whereas SSH keys do not.
- You have a requirement for Extended Binary Coded Decimal Interchange Code (EBCDIC) or American Standard Code for Information Interchange (ASCII) data transfers.
- You have internal traffic and are transferring large files.
What is SFTP?
SFTP, also known as FTP over SSH (Secure Shell), is a secure FTP protocol that sends files over SSH and provides organizations with a higher level of file transfer protection. SFTP implements AES, Triple DES, and other algorithms to encrypt data that flows between systems.
SFTP offers several ways to authenticate a connection – with a user ID and password, SSH keys, or a combination of a password and SSH keys. This provides organizations with a high level of protection for file transfers shared between their systems, trading partners, employees, and the cloud.
SFTP is simple to implement and is more friendly to today’s client-side firewalls since it only requires a single port (port 22) to be open for sending controls and for sending or receiving data files.
When Should You Use SFTP?
If you need a free or otherwise inexpensive way to send and receive secure file transfers to a handful of trading partners, an SFTP server and client tool might be a good fit for you. You can achieve basic needs like authenticating your users, transferring unlimited files per server connection, and controlling your port usage.
Additionally, SFTP is your best option for transferring files securely if:
- Your trading partner requires SSH Public Key authentication
- Your trading partner or firewall teams prefer a single port to be leveraged
- You need to comply with federal regulations