FTP, FTPS and SFTP are the most widely used file transfer protocols in the industry today. All three differ in how they exchange data, what security they provide and what they demand of firewalls. Let's discuss how they differ so it is easier for you to select the right protocol based on your requirements.


 

File Transfer Protocol (FTP)

FTP works in a client-server architecture. One computer acts as the server that stores data and another acts as the client that sends files to, or requests files from, the server. FTP typically uses TCP port 21 for the control connection, and the FTP server listens for client connections on that port.

FTP exchanges data using two separate channels:

  • Command Channel: The command channel carries commands and their replies (e.g. USER, PASS, PASV, PORT) over port 21 on the server side. It stays open until the client sends QUIT or the server forcibly disconnects, for example after a period of inactivity.
  • Data Channel: The data channel carries the actual payloads: directory listings (LIST) and file contents (STOR for uploads, RETR for downloads). Who connects to whom depends on the mode. In active mode the client announces an address and port with the PORT command and the server connects out to it, normally from port 20. In passive mode the client sends PASV, the server picks a port from its configured (usually high, random) range and the client connects in to that port. Unlike the command channel, the data channel is closed once the transfer completes, and a new one is opened for each listing or transfer.

  

FTP is an unencrypted protocol: credentials, commands and file contents all cross the network in clear text and can be read or altered by anyone on the path. The port requirements are a second problem. Passive mode requires the server to accept inbound connections on a whole range of data ports, and active mode requires the client to accept inbound connections from the server, neither of which sits well with a default-deny firewall or NAT.
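The passive and active exchanges above come down to one encoding, h1,h2,h3,h4,p1,p2, which the client reads out of a 227 reply and writes into a PORT command. The following is an added example, not code from the original article or from any FTP implementation, that decodes and encodes that form with the checks a practitioner wants: a client should only connect to the data address the control connection already points at (a 227 reply naming some other host is redirecting the transfer), and a server should only connect back to the client that issued the PORT command (otherwise it can be used as a proxy to reach arbitrary hosts, the classic FTP bounce attack). The addresses and replies are constructed for the example.

```python
import ipaddress
import re

# RFC 959 encodes an IPv4 address and a 16-bit port as six decimal fields:
# h1,h2,h3,h4,p1,p2 where port = p1 * 256 + p2. PASV replies (server -> client)
# and PORT commands (client -> server) both use this encoding.
_SIX_FIELDS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_host_port(text: str, control_peer: str, what: str) -> tuple:
    """Decode h1..p2 from `text` and check the host against the control peer.

    The address check matters on both sides: a client that blindly follows a
    PASV reply can be redirected to a third host, and a server that blindly
    honours a PORT command can be made to connect to arbitrary hosts.
    """
    m = _SIX_FIELDS.search(text)
    if m is None:
        raise ValueError(f"malformed {what}: {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {what}: {text!r}")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port < 1024:
        raise ValueError(f"{what} names privileged port {port}; refusing")
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer):
        raise ValueError(f"{what} host {host} does not match control peer {control_peer}")
    return host, port


def parse_pasv_reply(reply: str, control_peer: str) -> tuple:
    """Client side: parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.

    `control_peer` is the IP address the control connection is talking to.
    Returns the (host, port) the client should connect to for the data channel.
    """
    if not reply.startswith("227"):
        raise ValueError(f"expected a 227 reply, got {reply!r}")
    return _decode_host_port(reply, control_peer, "PASV reply")


def parse_port_command(line: str, control_peer: str) -> tuple:
    """Server side: parse 'PORT h1,h2,h3,h4,p1,p2' sent by the client.

    `control_peer` is the client's IP address as seen on the control
    connection. Returns the (host, port) the server may connect to from port 20.
    """
    if not line.upper().startswith("PORT "):
        raise ValueError(f"expected a PORT command, got {line!r}")
    return _decode_host_port(line, control_peer, "PORT command")


def build_port_command(host: str, port: int) -> str:
    """Client side: encode the address the client is listening on for active mode."""
    if not 1024 <= port <= 65535:
        raise ValueError(f"port {port} outside the acceptable range")
    octets = str(ipaddress.IPv4Address(host)).split(".")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


if __name__ == "__main__":
    # Constructed sample exchange: the control connection goes to 192.168.1.10:21.
    print(parse_pasv_reply("227 Entering Passive Mode (192,168,1,10,195,80).", "192.168.1.10"))
    print(build_port_command("10.0.0.5", 50000))
    try:
        # A client at 10.0.0.5 asks the server to open a data connection to 10.0.0.6:25.
        parse_port_command("PORT 10,0,0,6,0,25", "10.0.0.5")
    except ValueError as exc:
        print("rejected:", exc)
```

The same host-matching check is what a stateful firewall helper performs when it reads PASV and PORT exchanges to open data ports on demand, which is why that helper stops working the moment the control channel is encrypted, as it is under FTPS.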

 

File Transfer Protocol over SSL (FTPS)

FTPS is an extension to FTP that adds support for Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL); in practice only TLS should be used today, since every SSL version is deprecated. FTPS allows the encryption of both the control and data channel connections, either together or independently. There are two FTPS methods:

  • Implicit FTPS: This is the simpler technique: a TLS socket is used in place of a plain socket at all points, and the TLS handshake begins as soon as the TCP connection is established. Because the handshake starts immediately upon connection, it is not possible to offer plain FTP and implicit FTPS on the same port, so a separate port is used, usually port 990 for the FTPS control channel and port 989 for the FTPS data channel. Implicit FTPS was never standardised in an RFC and is best regarded as a legacy arrangement.
  • Explicit FTPS: Defined in RFC 4217, this technique starts as an ordinary FTP session on port 21. The client explicitly requests security by sending AUTH TLS (or the older AUTH SSL); the server replies 234 and both sides perform the TLS handshake on the existing control connection. The client then sends PBSZ 0 and PROT P to request that data connections be protected as well. Without PROT P the data channel stays in clear text (protection level C) even though the control channel is encrypted, a mistake that is easy to make because logins still succeed. If a client does not request security, the FTPS server can either allow the client to continue in unsecured mode or refuse/limit the connection.

 

The primary difference between the two techniques is that with the explicit method an FTPS-aware client can invoke security with an FTPS-aware server without breaking overall FTP functionality for clients that do not speak FTPS, whereas with the implicit method every client of the server must know that TLS is to be used on the session, so the server is incompatible with clients that are not FTPS-aware. The flip side of that flexibility is downgrade risk: on an explicit server that still permits plain FTP, an attacker who can tamper with the control connection can block or alter the AUTH TLS exchange and leave a careless client talking in clear text. A server that needs confidentiality should refuse USER and PASS until AUTH has completed, and a client should treat a failed AUTH as fatal rather than falling back.
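The explicit negotiation is a fixed sequence of commands, and the security of the session depends on the client refusing to continue when any step is declined. The following is an added example, not code from the original article or from any FTPS product, that drives the RFC 4217 sequence (AUTH TLS, PBSZ 0, PROT P, then USER/PASS) against a stubbed server. The stub, the reply text and the credentials are constructed for the example; a real client would wrap the control socket in TLS where the comment says so. The second scripted server stands in for a plain FTP server, or for an attacker who has stripped the TLS upgrade from the conversation, and shows that no password leaves the client in that case.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class DowngradeRefused(Exception):
    """The server would not upgrade to TLS; the client stops before sending credentials."""


@dataclass
class SessionState:
    tls_active: bool = False        # control channel upgraded by AUTH TLS
    data_protected: bool = False    # PROT P accepted, data channels will be TLS
    logged_in: bool = False
    transcript: List[str] = field(default_factory=list)


def explicit_ftps_login(server: Callable[[str], str], user: str, password: str,
                        state: Optional[SessionState] = None) -> SessionState:
    """Drive the RFC 4217 explicit FTPS login against `server`.

    `server` is a callable that takes one command line and returns the
    server's reply line (a socket in real life; a stub here). The order is
    the whole point: AUTH TLS, then PBSZ 0 and PROT P, and only then
    USER/PASS. Any refusal to upgrade is fatal, because a client that quietly
    falls back to plain FTP can be downgraded by whoever controls the path.
    """
    st = state if state is not None else SessionState()

    def cmd(line: str) -> str:
        reply = server(line)
        st.transcript.append(f"C: {line}")
        st.transcript.append(f"S: {reply}")
        return reply

    if not cmd("AUTH TLS").startswith("234"):
        raise DowngradeRefused("server declined AUTH TLS; credentials were not sent")
    st.tls_active = True  # a real client wraps the control socket in TLS here
    if not cmd("PBSZ 0").startswith("200"):
        raise DowngradeRefused("server rejected PBSZ 0")
    if not cmd("PROT P").startswith("200"):
        raise DowngradeRefused("server refused PROT P; data channel would be clear text")
    st.data_protected = True
    if not cmd(f"USER {user}").startswith("331"):
        raise RuntimeError(f"unexpected reply to USER: {st.transcript[-1]}")
    if not cmd(f"PASS {password}").startswith("230"):
        raise RuntimeError(f"login failed: {st.transcript[-1]}")
    st.logged_in = True
    return st


def scripted_server(replies: Dict[str, str]) -> Callable[[str], str]:
    """Fake FTP(S) server for this example: answers by command verb, 502 otherwise."""
    def respond(line: str) -> str:
        verb = line.split(" ", 1)[0].upper()
        return replies.get(verb, "502 Command not implemented")
    return respond


# Constructed reply scripts. TLS_SERVER behaves like a server that implements
# RFC 4217; PLAIN_SERVER is what a plain FTP server, or an attacker stripping
# the TLS upgrade from the conversation, looks like to the client.
TLS_SERVER = scripted_server({
    "AUTH": "234 AUTH TLS successful",
    "PBSZ": "200 PBSZ=0",
    "PROT": "200 Protection level set to P",
    "USER": "331 Please specify the password",
    "PASS": "230 Login successful",
})
PLAIN_SERVER = scripted_server({
    "USER": "331 Please specify the password",
    "PASS": "230 Login successful",
})


if __name__ == "__main__":
    ok = explicit_ftps_login(TLS_SERVER, "alice", "s3cret")
    print("\n".join(ok.transcript))
    attempt = SessionState()
    try:
        explicit_ftps_login(PLAIN_SERVER, "alice", "s3cret", attempt)
    except DowngradeRefused as exc:
        print("aborted:", exc)
    print("\n".join(attempt.transcript))  # AUTH TLS and the 502 only, no PASS
```

With Python's standard library the equivalent is ftplib.FTP_TLS: its login() performs the AUTH step for you, but the data channel stays in clear text until you call prot_p(), exactly the PROT C trap described above.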

 

SSH File Transfer Protocol (SFTP)

SFTP is not FTP run over SSH, but a distinct protocol designed from the ground up to provide secure file access, file transfer and file management over any reliable data stream. In practice it runs as a subsystem of SSH, so it uses SSH's port (normally TCP 22) and inherits SSH's host authentication, user authentication and encryption. There is no separate command channel or data channel. Both commands and data are carried as specially formatted binary packets over a single SSH connection, and everything in that connection is encrypted.

  • For basic authentication you may use a username and password, but for stronger authentication you can use SSH keys (a public/private key pair), and the server can be configured to accept keys only.
  • Though an SFTP client looks and behaves much like an FTP client, you cannot use a traditional FTP client to transfer files via SFTP: the two protocols share nothing on the wire, so you must use an SFTP client.

 

A major functional benefit of SFTP over FTP and FTPS is that, beyond plain file transfer, it offers standardised file management operations: permission and attribute manipulation (which FTP provides only through non-standard SITE commands), symbolic links, and in later protocol versions byte-range locking.
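To make concrete what "specially formatted binary packets" means, here is an added example, not code from the original article or from any SSH implementation, that frames and parses SFTP packets in the version 3 layout that OpenSSH and most other implementations speak: a uint32 length, a one-byte type and a payload built from big-endian integers and length-prefixed strings. The decoder treats every length field as attacker-controlled, which is the habit to have when writing a parser for any binary protocol; the 256 KiB cap mirrors the limit OpenSSH's sftp-server applies. The request id, filename and byte streams are constructed for the example.

```python
import struct
from typing import List, Tuple

# Packet type numbers from the SFTP protocol (draft-ietf-secsh-filexfer, version 3).
SSH_FXP_INIT = 1
SSH_FXP_VERSION = 2
SSH_FXP_OPEN = 3
SSH_FXP_CLOSE = 4
SSH_FXP_READ = 5
SSH_FXP_STATUS = 101
SSH_FXP_HANDLE = 102
SSH_FXP_DATA = 103

SSH_FXF_READ = 0x00000001  # pflags bit for SSH_FXP_OPEN

# Upper bound on a single packet. A length field from the peer must never drive
# an allocation or a slice on its own; OpenSSH's sftp-server caps packets at 256 KiB.
MAX_PACKET_LEN = 256 * 1024


def encode_string(data: bytes) -> bytes:
    """SFTP 'string' type: uint32 big-endian length followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def encode_packet(ptype: int, payload: bytes = b"") -> bytes:
    """Frame one packet: uint32 length (counting the type byte), byte type, payload."""
    body = struct.pack("!B", ptype) + payload
    return struct.pack("!I", len(body)) + body


def encode_init(version: int = 3) -> bytes:
    """SSH_FXP_INIT carries only the client's protocol version."""
    return encode_packet(SSH_FXP_INIT, struct.pack("!I", version))


def encode_open(request_id: int, filename: str, pflags: int = SSH_FXF_READ) -> bytes:
    """SSH_FXP_OPEN: uint32 id, string filename, uint32 pflags, ATTRS (flags=0: none)."""
    payload = (struct.pack("!I", request_id)
               + encode_string(filename.encode("utf-8"))
               + struct.pack("!I", pflags)
               + struct.pack("!I", 0))
    return encode_packet(SSH_FXP_OPEN, payload)


def read_string(buf: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one length-prefixed string, refusing lengths that run past the buffer."""
    if len(buf) - offset < 4:
        raise ValueError("truncated string length")
    (length,) = struct.unpack_from("!I", buf, offset)
    offset += 4
    if length > len(buf) - offset:
        raise ValueError(f"string length {length} exceeds remaining {len(buf) - offset} bytes")
    return buf[offset:offset + length], offset + length


def parse_open(payload: bytes) -> Tuple[int, str, int]:
    """Inverse of encode_open, returning (request_id, filename, pflags)."""
    if len(payload) < 4:
        raise ValueError("truncated SSH_FXP_OPEN")
    (request_id,) = struct.unpack_from("!I", payload, 0)
    name, offset = read_string(payload, 4)
    if len(payload) - offset < 4:
        raise ValueError("missing pflags")
    (pflags,) = struct.unpack_from("!I", payload, offset)
    return request_id, name.decode("utf-8"), pflags


def decode_packets(stream: bytes) -> List[Tuple[int, bytes]]:
    """Split a byte stream into (type, payload) pairs, rejecting malformed frames."""
    packets = []
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated packet header")
        (length,) = struct.unpack_from("!I", stream, offset)
        if length < 1 or length > MAX_PACKET_LEN:
            raise ValueError(f"implausible packet length {length}")
        if length > len(stream) - offset - 4:
            raise ValueError("truncated packet body")
        ptype = stream[offset + 4]
        packets.append((ptype, stream[offset + 5:offset + 4 + length]))
        offset += 4 + length
    return packets


if __name__ == "__main__":
    # Constructed client-side stream: an INIT followed by an OPEN for reading.
    stream = encode_init() + encode_open(7, "/etc/motd")
    print(stream.hex())  # framed binary, not the line-oriented text FTP and FTPS use
    for ptype, payload in decode_packets(stream):
        print(ptype, payload.hex())
```

This framing is what travels inside the SSH channel; on the wire even these bytes are wrapped in SSH's encryption and integrity protection, which is why an SFTP session is opaque to a network sniffer and to the firewall helpers that inspect FTP.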

 

 

Comparison of FTP, FTPS and SFTP

Security
  • FTP: Unencrypted information exchange in both the command and data channels. Communication is human-readable on the wire.
  • FTPS: Both the command and data channels can be encrypted with TLS, via either implicit or explicit FTPS. The underlying commands are the same human-readable FTP text, but on the wire they are protected by TLS, provided the data channel is actually upgraded with PROT P.
  • SFTP: All information exchanged between client and server travels inside an encrypted SSH session. Communication is not human-readable, as the protocol uses a binary packet format.

Firewall Ports for Server
  • FTP: Allow inbound connections on port 21, plus inbound connections to the server's passive data port range (or outbound connections from port 20 for active mode).
  • FTPS: Allow inbound connections on port 21 (explicit) and/or 990 (implicit), plus the passive data port range; port 989 is the implicit-mode equivalent of port 20 and matters only for active-mode transfers. Because the control channel is encrypted, firewall helpers that read PASV and PORT exchanges to open data ports dynamically no longer work, so the passive range must be opened statically.
  • SFTP: Allow inbound connections on port 22.

Firewall Ports for Client
  • FTP: Allow outbound connections to port 21 and to the passive port range defined by the server.
  • FTPS: Allow outbound connections to port 21 and/or 990 and to the passive port range defined by the server.
  • SFTP: Allow outbound connections to port 22.

  

Choosing which protocol to use for file transfer depends entirely on your requirements and on how secure the file sharing method needs to be; plain FTP is only defensible for anonymous downloads of public data. A practical approach is to use a managed file transfer server that supports all three options, so it is easy to adjust as your needs change.