File Transfer Protocols: The Classics
FTP, FTPS, SFTP, and SCP are four of the key protocols for transferring files. However, just because a protocol is a classic doesn’t mean you should be using it for every kind of file transfer.
If you’re not sure what protocol you should be using and for what situations, this is the perfect opportunity to learn and pick the one that best serves your organization's security needs.
- FTP is a standard network protocol used to exchange files over a Transmission Control Protocol (TCP) and Internet Protocol (IP) network.
- FTPS is FTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS). This protocol offers secure file transfer and allows you to connect and securely exchange files with trading partners, customers, and users.
- SFTP is also known as FTP over SSH (Secure Shell). SFTP is a secure FTP protocol that sends files over SSH and delivers a higher level of file transfer protection as it uses AES, Triple DES, and other algorithms to encrypt data that flows between systems.
- SCP, or Secure Copy Protocol, allows users to securely transfer files between a local host and a remote host, or between two remote hosts. Secure Shell (SSH) encrypts the data and authenticates systems, protecting data while it is in transit.
What is FTP?
The original file transfer protocol, FTP, is a standard network protocol which is implemented in order to exchange files over a Transmission Control Protocol (TCP) and Internet Protocol (IP) network.
This file transfer method has been around longer than the World Wide Web (WWW) – and it hasn’t changed much since its invention. FTP uses one channel (port 21) for sending authentication commands and receiving acknowledgements. However, it must open another port dynamically in order to transfer data – this is called the data channel.
Disadvantages of Using FTP
First and foremost, FTP lacks the security needed when exchanging sensitive information. Specifically:
- Data is unencrypted and sent in plain text. This includes valuable details such as passwords, usernames and the data contained in files transferred.
- There are no integrity check mechanisms when FTP is used, so data is vulnerable to tampering or corruption while in transit.
- Large files cannot be compressed, so transfer speeds are slow.
- Multiple ports need to be opened for FTP transfers, which can open up security vulnerabilities.
- FTP can’t stand up to the demands of long-distance networks or networks with high latency, with performance suffering from slow transfer speeds or interruptions.
- FTP has not kept up with the more modern, demanding needs of file transfers today, including auto-retry, file integrity, and secure authentication methods.
- FTP lacks automation.
- Compliance requirements cannot be met with FTP.
Overall, as a protocol, FTP wasn’t constructed to deal with the kind of cybersecurity threats we now face and the demands of today’s IT environment.
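The following added example (not part of the original article) shows what the unencrypted control channel on port 21 discloses and how the dynamically opened data-channel port is negotiated, which is why firewalls must allow more than one port. The transcript, host addresses, user name and password are constructed for illustration.

```python
import re

# Constructed control-channel transcript (port 21) as it would appear in a
# packet capture; hosts, user name and password are made up.
SAMPLE_SESSION = """\
C: USER alice
S: 331 Password required
C: PASS s3cret-demo
S: 230 Login successful
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,80)
C: RETR payroll.csv
C: PORT 198,51,100,7,4,1
C: EPSV
S: 229 Entering Extended Passive Mode (|||50211|)
"""

HOSTPORT = re.compile(r"(\d{1,3})" + r",(\d{1,3})" * 5)
EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

def parse_hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 (PORT argument / 227 reply) into (ip, port)."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None  # malformed: each field is a single byte
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def analyze(transcript):
    """Collect what the cleartext control channel discloses to an observer."""
    seen = {"credentials": {}, "data_channels": []}
    for line in transcript.splitlines():
        side, _, msg = line.partition(": ")
        verb, _, arg = msg.partition(" ")
        verb = verb.upper()
        if side == "C" and verb in ("USER", "PASS"):
            seen["credentials"][verb] = arg  # readable by anyone on the path
        elif (side, verb) in (("C", "PORT"), ("S", "227")):
            endpoint = parse_hostport(arg)
            if endpoint:
                mode = "active" if verb == "PORT" else "passive"
                seen["data_channels"].append((mode, *endpoint))
        elif side == "S" and verb == "229":
            m = EPSV.search(arg)
            if m:  # EPSV reuses the control connection's server address
                seen["data_channels"].append(("passive", None, int(m.group(1))))
    return seen
```

Calling `analyze(SAMPLE_SESSION)` returns the login in clear text plus three different data-channel endpoints, each on a port other than 21.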
When Should You Use FTP?
FTP should only be used when you are exchanging or sending files that aren’t sensitive in nature. Other than that, FTP is an outdated protocol that lacks the security options to protect your data and it opens the door for cyberattacks.
While using an open-source FTP tool may be tempting due to its free nature, it is not a worthwhile option. No new FTP security features are added or updated, so your organization can outgrow FTP quickly. When you consider the need to meet compliance regulations, trading partner requirements, general data security standards, and the expectation from the public that their data will be kept safe, FTP is a solution to forget.
What is FTPS?
FTPS, or FTP over Secure Sockets Layer/Transport Layer Security (SSL/TLS), is a secure file transfer protocol that allows you to connect and securely exchange files with trading partners, customers, and users.
To authenticate a connection, FTPS uses a combination of user IDs, passwords, and/or certificates to verify a system’s authenticity. Like basic FTP, FTPS uses two connections: a command channel and a data channel. You can choose to encrypt both connections – or only the data channel. FTPS implements strong algorithms like AES and Triple DES to encrypt critical file transfers.
However, FTPS can be more difficult to connect through firewalls with high levels of security. It uses multiple port numbers for implicit (port 990) and explicit (port 21) connection types, which can open you up to vulnerabilities.
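As an added example (not from the original article), here is an explicit FTPS client built with Python's standard `ftplib`, next to a check that flags weak TLS settings. With `ftplib`, only the command channel is encrypted until `prot_p()` is called, so the sketch calls it before any transfer; the host, user, password and CA file arguments are placeholders supplied by the caller.

```python
import ssl
from ftplib import FTP_TLS

def hardened_context(ca_file=None):
    """TLS settings for FTPS: verify the server and refuse old protocol versions."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def context_weaknesses(ctx):
    """List settings that would let an FTPS session be intercepted or downgraded."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("server certificate not verified")
    if not ctx.check_hostname:
        issues.append("hostname not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("protocol versions below TLS 1.2 allowed")
    return issues

def open_ftps(host, user, password, ca_file=None, timeout=30):
    """Explicit FTPS (AUTH TLS on port 21) with both channels encrypted."""
    ctx = hardened_context(ca_file)
    if context_weaknesses(ctx):
        raise ssl.SSLError("refusing to connect with a weak TLS context")
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, 21)
    ftps.login(user, password)  # ftplib sends AUTH TLS before USER/PASS
    ftps.prot_p()               # PBSZ 0 + PROT P: encrypt the data channel too
    return ftps

def weak_context_for_comparison():
    """The setting to avoid: encryption without authenticating the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx
```

`ftplib` implements explicit FTPS only; implicit FTPS on port 990 needs a different client.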
When Should You Use FTPS?
FTPS is your best option for secure file transfer in the following examples:
- Your trading partner requires third party verified SSL certificates to establish trust. SSL certificates have Certificate Authorities (CA), whereas SSH keys do not.
- You have a requirement for Extended Binary Coded Decimal Interchange Code (EBCDIC) or American Standard Code for Information Interchange (ASCII) data transfers.
- You have internal traffic and are transferring large files.
What is SFTP?
SFTP, also known as FTP over SSH (Secure Shell), is a secure FTP protocol that sends files over SSH and provides organizations with a higher level of file transfer protection. SFTP implements AES, Triple DES, and other algorithms to encrypt data that flows between systems.
SFTP offers several ways to authenticate a connection – with a user ID and password, SSH keys, or a combination of a password and SSH keys. This provides organizations with a high level of protection for file transfers shared between their systems, trading partners, employees, and the cloud.
SFTP is simple to implement and is more friendly to today’s client-side firewalls since it only requires a single port (port 22) to be open for sending controls and for sending or receiving data files.
When Should You Use SFTP?
If you need a free or otherwise inexpensive way to send and receive secure file transfers to a handful of trading partners, an SFTP server and client tool might be a good fit for you. You can achieve basic needs like authenticating your users, transferring unlimited files per server connection, and controlling your port usage.
Additionally, SFTP is your best option for transferring files securely if:
- Your trading partner requires SSH Public Key authentication
- Your trading partner or firewall teams prefer a single port to be leveraged
- You need to comply with federal regulations