Daily Archives: October 31, 2013

Secured FTP – SFTP Vs. FTPS

I do work using various protocols such as FTP, SFTP, FTPS etc. as my application does interact with other application using these protocols for various integration needs. Recently i came to an interesting topic while looking for various protocols for evaluation purpose. All the various file transfer protocol namely FTP, SFTP and FTPS come into evaluation and it sparked a debate as to which one should be included for secured FTP, SFTP or FTPS. To answer this i had to do a bit of research on the internet and i don’t have to do anything of my own in my post. I just had to plagiarize various content in the internet as written by awesome authors. The reference for these have been given in my reference section below my post.

While doing the research i managed to pull out some important points in some structured manner which i would like to present below:

FTP protocol – takes roots in year 1980

Disadvantages

  • Lack of the uniform format for directory listing (this problem has been partially solved by introducing MLST command, but it’s not supported by some servers).
  • Presence of the secondary connection (DATA connection).
  • Standard FTP doesn’t provide security requirements as required in modern day application integration and this is the main reason for looking for other options to transfer data in a much secured fashion.
  • Even though the protocol is simple, it still isn’t very firewall friendly, because of the need to open two ports per session and the need in one of the more efficient permutations, to open one of the ports inbound.

The two mainstream protocols available for Secure FTP transfers are named

  • SFTP (SSH File Transfer Protocol – FTP over SSH) – Ideally SFTP doesn’t have anything to do with FTP or FTPS. It’s called as FTP over SSH as the FTP standard is there for a long time and it’s a popular one for file transfer. So some people do refer SFTP as FTP over SSH.
  • FTPS (FTP over SSL/TLS)

Advantages (Both)

  • Offer a high level of protection since they implement strong algorithms such as AES and Triple DES to encrypt any data transferred. To be more precise they use a combination of an asymmetric algorithm (RSA, DSA), a symmetric algorithm (DES/3DES, AES, Twhofish and so on), and a key-exchange algorithm.
  • Support a wide variety of functionality with a broad command set for transferring and working with files.

Notable differences between SFTP and FTPS is how connections are authenticated and managed.

SFTP (SSH File Transfer Protocol – FTP over SSH)

In General:

  • A connection gets authenticated using different techniques.  For a basic authentication it just requires a user id and password to connect to the SFTP server. The important difference with respect to standard FTP is that in this case any user ids and passwords supplied over the SFTP connection will be encrypted.
  • SSH keys and fingerprinting can also be used to authenticate SFTP connections in addition to, or instead of, passwords; whereas FTPS does not support this.
  • With respect to implementation, SFTP is a clear winner as opposed to FTPS, as it is more firewall friendly. It requires only a single port number 22 to be opened through the firewall. This port will be used for all SFTP communications, including the initial authentication, any commands issued, as well as any data transferred.

Pros:

  • Has good standards background that strictly defines most (if not all) aspects of operations
  • Has only one connection (no need for DATA connection)
  • The connection is always secured
  • The directory listing is uniform and machine-readable
  • The protocol includes operations for permission and attribute manipulation, file locking, and more functionality

Cons:

  • The communication is binary and can’t be logged “as is” for human reading
  • SSH keys are harder to manage and validate
  • The standards define certain things as optional or recommended, which leads to certain compatibility problems between different software titles from different vendors
  • No server-to-server copy and recursive directory removal operations

FTPS (FTP over SSL/TLS)

In General:

  • With FTPS, a connection is authenticated using a user id, password and through certificate(s).  Like SFTP, the users and passwords for FTPS connections will also be encrypted. When a FTPS client connects to a FTPS server, the client verifies if the server’s certificate is trusted. The certificate is considered trusted if either the certificate was signed off by a known certificate authority (CA), like Verisign, or if the certificate was self-signed (by your partner) and you have a copy of their public certificate in your trusted key store.
  • FTPS can be very difficult to patch through a tightly secured firewall since FTPS uses multiple port numbers. The initial port number (default of 21) is used for authentication and passing any commands.  However, every time a file transfer request (get, put) or directory listing request is made, another port number needs to be opened.  You and your trading partners will therefore have to open a range of ports in your firewalls to allow for FTPS connections, which can be a security risk for your network.

Pros:

  • Widely known and used
  • The communication can be read and understood by humans
  • Provides services for server-to-server file transfer
  • SSL/TLS has good authentication mechanisms (X.509 certificate features)
  • FTP and SSL/TLS support is built into many Internet communication frameworks

Cons:

  • Doesn’t have a uniform directory listing format
  • Requires a secondary DATA channel, which makes it hard to use behind the firewalls
  • Doesn’t define a standard for file name character sets (encodings)
  • Not all FTP servers support SSL/TLS
  • Doesn’t have a standard way to get and change file and directory attributes

Summary/Conclusion

In summary, SFTP and FTPS are both very secure with strong authentication options.  In general, SFTP is technologically superior to FTPS. Since SFTP is much easier to port through firewalls, and FTPS due to this reason (needs a range of opts to be opened) puts additional security treats to the network, I believe SFTP is the clear winner in case you need a secure FTP for your application integration needs.

In our protocol evaluation, considering the above points, I feel we can go with SFTP for secured file transfer and can omit FTPS. FTPS is omitted not because it is not suitable, but because it does the same things as SFTP and is superior in many ways as opposed to FTPS.

Reference

http://blog.goanywheremft.com/2011/10/20/sftp-ftps-secure-ftp-transfers/

http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329/FTPS-vs-SFTP-What-to-Choose.htm

https://www.eldos.com/sbb/articles/4672.php?page=all

Page Visitors: 2249