Understanding Key Differences Between FTP, FTPS And SFTP | JSCAPE (2024)

Words By Van Glass


FTP, FTPS, and SFTP differ in data exchange, security, and firewall considerations. FTP uses separate command and data channels, is unencrypted, and often faces firewall issues. FTPS adds SSL/TLS encryption to FTP, enhancing security while keeping similar data exchange and firewall needs. SFTP, based on SSH, encrypts both data and commands in a single connection, simplifying firewall configurations by requiring only port 22.


Three common protocols still used in file transfer today are FTP, FTPS, and SFTP. While the acronyms for these protocols are similar, there are some key differences among them, in particular, how data is exchanged, the level of security provided, and firewall considerations. Learning these key differences can help you choose a secure file transfer protocol or troubleshoot common connection issues.

FTP

FTP (file transfer protocol) is a network protocol that has been around for decades. It was first proposed in RFC 114 over 40 years ago and eventually evolved into RFC 959, the standard FTP clients and servers follow today.

Data Exchange

The FTP protocol exchanges data using two separate channels known as the command channel and the data channel.

The command channel typically runs on server port 21 and is responsible for accepting client connections and handling the exchange of simple commands between an FTP client and server. The USER and PASS commands used for authenticating an FTP user are examples of commands that are exchanged on the command channel. The command channel remains open until the client sends the QUIT command to disconnect or the server forcibly disconnects the client due to inactivity or other reasons.

The data channel runs using on-demand temporary ports listening on the server (passive mode) or on the client (active mode) and is responsible for exchanging data in the form of directory listings and file transfers. The LIST, STOR, and RETR commands used for getting a server directory listing, uploading a file, and downloading a file are examples of commands (sent using the command channel) that open a data channel. Unlike the command channel, which remains open during the entire FTP session, the data channel is closed once the transfer of data is complete. In order to handle concurrent file transfers or directory listings, a range of data channel ports must be used.

Security

When using FTP, both the command and data channels are unencrypted. Any data sent over these channels can be intercepted and read. One common exploit that takes advantage of this particular vulnerability is the man-in-the-middle attack using ARP poisoning and a packet sniffer.

Interested in experiencing enhanced security firsthand? JSCAPE is known for this:

  • Not impacted by the high-profile MFT security incidents in 2023; no confirmed attacks in 2023
  • Quarterly internal penetration testing and annual third-party audits to proactively identify any vulnerabilities

Get a free trial and discover how our solutions make secure file transfer easier and more efficient for your business.

Firewall

Server - Allow inbound connections on port 21. Define the passive port range (e.g., 2000-2500) for file transfers and directory listings and allow inbound connections on the passive port range. Consult your server documentation for instructions on how to set a passive port range.

Client - Allow outbound connections to port 21 and the passive port range defined by the server.

Many firewall issues encountered when using FTP are caused by a poor understanding of FTP's two modes: active and passive. The settings you must make on your server-side firewall or client-side firewall will largely depend on which mode you choose. To avoid these issues, we suggest you take time for a deeper discussion on active and passive FTP.
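When a passive-mode transfer hangs, the server's reply to PASV shows which data port the client is about to connect to. The following is an added example, not code from the original article or from JSCAPE: it decodes a 227 reply (format per RFC 959, which the article does not show) and checks the advertised port against the 2000-2500 range used above. The function names and sample replies are assumptions made for illustration.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv(reply):
    """Decode a 227 reply into (host, port); port = p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in: {reply!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def check_pasv(reply, control_host, port_range=(2000, 2500)):
    """Return problems that would keep the data connection from opening."""
    host, port = parse_pasv(reply)
    low, high = port_range
    problems = []
    if not low <= port <= high:
        # The firewall only allows the configured passive range.
        problems.append(f"port {port} outside passive range {low}-{high}")
    if host != control_host:
        # Typical when the server sits behind NAT and advertises its internal address.
        problems.append(f"advertised host {host} is not control host {control_host}")
    return problems

# Constructed sample replies (documentation and private addresses).
GOOD_REPLY = "227 Entering Passive Mode (192,0,2,10,8,52)"
BAD_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"

if __name__ == "__main__":
    for reply in (GOOD_REPLY, BAD_REPLY):
        print(parse_pasv(reply), check_pasv(reply, "192.0.2.10"))
```
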

FTPS

When the FTP protocol was initially drafted, security was not a concern. Since then, many things have changed, and sending data over any public network without encryption is considered very risky and, in some cases, prohibited. For instance, PCI-DSS and HIPAA contain provisions that require data transfers to be protected by encryption.

In order to address this issue, a set of security extensions to create a more secure FTP protocol was proposed in RFC 2228 to protect data as it travels over the network using secure sockets layer (SSL) and now transport layer security (TLS). This encryption can be done manually, but is time-consuming and error-prone, so organizations use FTPS servers/FTPS clients to provide data security.

Data Exchange

See FTP

Security

Secure variants of FTP include FTPS Implicit SSL and FTPS Explicit SSL. Both use SSL/TLS encryption.

FTPS Implicit SSL (Implicit FTPS)

In implicit SSL mode, a required SSL session is established between client and server before any file sharing occurs. As its name suggests, the use of SSL is implied, and any attempt to make an FTPS connection without using SSL will be refused by the server. FTPS implicit SSL services generally run on port 990. Although still in use today, FTPS Implicit SSL is considered by many to be obsolete in favor of FTPS Explicit SSL.

FTPS Explicit SSL (Explicit FTPS)

In explicit SSL mode, the client and server negotiate the level of protection used. This is very useful because the server can support unencrypted FTP and encrypted FTPS sessions on a single port. In an explicit SSL session, the client establishes an unencrypted FTP service connection. Prior to sending user credentials, the client requests that the server switch the command channel to an SSL encrypted channel by sending the AUTH TLS or AUTH SSL command. Upon successfully setting up the SSL channel, the client sends user credentials to the FTP server.

The SSL channel automatically encrypts these credentials and any other commands sent to the server during the FTP session. Similar to the way in which the command channel may be protected, the level of protection used on the data channel is negotiated between the client and server using the PROT command.
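Because explicit FTPS shares a port with plain FTP, a session is only protected if the commands arrive in the right order. The following is an added example, not code from the original article or from JSCAPE: it audits a client-side command log and reports credentials sent before AUTH TLS was accepted and transfers started without PROT P. The log format, function name and transcripts are constructed for illustration; the reply codes (234 for AUTH, 200 for PROT) and the PBSZ command come from the FTP security RFCs rather than from the article.

```python
# Added example. "C:" = client command, "S:" = server reply (constructed log format).
DATA_COMMANDS = {"LIST", "NLST", "STOR", "RETR"}

def audit_session(transcript):
    """Return findings for one FTP command-channel transcript."""
    findings = []
    tls_active = False    # True once AUTH TLS/SSL was accepted with reply 234
    data_private = False  # True once PROT P was accepted with reply 200
    pending = None        # last client command still waiting for its reply
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            verb, _, arg = text.partition(" ")
            verb, arg = verb.upper(), arg.strip().upper()
            pending = (verb, arg)
            if verb in ("USER", "PASS") and not tls_active:
                findings.append(f"{verb} sent in cleartext (no AUTH TLS yet)")
            elif verb in DATA_COMMANDS and not data_private:
                findings.append(f"{verb} data channel unprotected (no PROT P)")
        elif side == "S" and pending:
            (verb, arg), code = pending, text[:3]
            if verb == "AUTH" and arg in ("TLS", "SSL") and code == "234":
                tls_active = True
            elif verb == "PROT" and code == "200":
                data_private = arg == "P"
            pending = None
    return findings

# Constructed transcripts: plain FTP, then explicit FTPS with PBSZ/PROT.
PLAIN_FTP = """
C: USER alice
S: 331 Password required
C: PASS example-password
S: 230 Logged in
C: RETR report.csv
"""
EXPLICIT_FTPS = """
C: AUTH TLS
S: 234 Proceed with negotiation
C: USER alice
S: 331 Password required
C: PASS example-password
S: 230 Logged in
C: PBSZ 0
S: 200 PBSZ=0
C: PROT P
S: 200 Protection level set to Private
C: RETR report.csv
"""
```

Calling audit_session(PLAIN_FTP) returns three findings and audit_session(EXPLICIT_FTPS) returns an empty list.
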

Firewall

Server - Allow inbound connections on port 21 and/or 990. Define the passive port range (e.g., 2000-2500) for file transfers and directory listings and allow inbound connections on the passive port range. Consult your server documentation for instructions on how to set a passive port range.

Client - Allow outbound connections to port 21 and the passive port range defined by the server.

SFTP

SSH file transfer protocol (SFTP) is often confused with FTPS even though these protocols have nothing in common except their ability to securely transfer files. SFTP is based on the SSH (Secure Shell) protocol, which is best known for providing secure access to shell accounts on remote servers.


Data Exchange

Unlike FTP/S, SFTP does not use separate command and data connections. Both data and commands are transferred in specially formatted packets via a single connection.

Security

All data sent between the client and server is encrypted using an agreed-upon encryption cipher. SFTP sessions can also be further protected through the use of public and private keys, which offer an alternative form of authentication known as public key authentication. This can be used as an alternative to or in conjunction with the traditional form of authentication of usernames and passwords.

Firewall

Server - Allow inbound connections on port 22.

Client - Allow outbound connections to port 22.

Get Your Free Trial

Would you like to try this yourself? JSCAPE MFT Server is platform-agnostic and can be installed on Microsoft Windows, Linux, Mac OS X and Solaris, and can handle any file transfer protocol and multiple different protocols from a single server. Additionally, JSCAPE functionality enables you to handle any file type, including batch files and XML. Get started with your trial of JSCAPE MFT Server now.
