FTP or File Transfer Protocol is one of the most popular data transfer methods available for various use cases.
FTP has two secure variants, FTPS and SFTP, which differ from plain FTP in some subtle and some not-so-subtle ways. These differences relate to how data is exchanged, the level and type of security applied to the communication, and firewall considerations.
Knowing how these protocols work and the differences among these popular transfer mechanisms can help you choose which one works best for your needs.
FTP is the decades-old File Transfer Protocol originally proposed under RFC 114. This later evolved as RFC 959, which is the standard in use today.
FTP works on two channels to exchange information: one for commands and the other for data. This requires two ports for FTP to work – the command channel and the data channel.
The command channel works on port 21, which accepts connections from clients and handles the passing of commands. The command channel remains open for the whole duration of the FTP session, until the client sends the QUIT command or the server forcibly disconnects due to inactivity or some other reason.
The data channel uses an on-demand temporary port listening on the server (passive mode) or the client (active mode). This channel is responsible for sharing actual data between server and client in the form of directory listings and file transfers.
Unlike the command channel, the data channel remains open only for the duration of file transfer, and as soon as it finishes, the data channel is closed. For concurrent transfer of multiple files or directory listings, multiple data channel ports are required.
FTP is an inherently insecure protocol: both the command and the data channel carry information unencrypted, so anyone able to observe the traffic, for example through a man-in-the-middle attack, can read it.
As discussed earlier, FTP requires an inbound connection on port 21/tcp on the server side for the command channel. In addition, a passive port range must be defined for file transfers and directory listings, and inbound connections to that range must be allowed. How the range is defined varies with the FTP server in use; refer to its documentation for details. On the client side, outbound connections to port 21/tcp must be allowed, along with outbound connections to the passive port range defined on the server.
Authentication in FTP
FTP authentication information is passed over the command channel during initial connection establishment. FTP can use a username and password for authentication, or it can be anonymous to allow anyone to log in and access the server.
Active and Passive FTP Modes
FTP uses either Active or Passive mode for setting up connections.
In active mode, the FTP client connects from a random port to port 21/tcp on the server and sends the PORT command, specifying the client port the server should connect back to. This port will be used for the data channel.
The server then connects from port 20/tcp to the client port earlier specified with PORT command by the client. This data channel is then used for file transfers between server and client.
In passive mode, the client connects from a random port to port 21/tcp on the server and sends the PASV command. The server replies with a random port that should be used for the data channel. The client then opens another random port and connects from it to the port the server announced in the previous step. This data channel connection is then used for file transfers between server and client.
So, in active mode, the initial connection request is initiated by the client while the data channel connection request is initiated by the server.
On the other hand, in passive mode, both initial connection requests and subsequent data channel requests are initiated by the client to the server. This subtle difference sometimes affects how a firewall allows/blocks traditional FTP requests owing to the direction of inbound/outbound connection type.
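The following is an added example, not code from the original article, that decodes the RFC 959 host/port encoding used by the PORT command and the 227 PASV reply and reports, for each mode, which side opens the data connection and therefore which firewall must allow it. The IP addresses in the tests are constructed; the passive branch reuses the control-connection address instead of the one advertised in the 227 reply, as recent versions of Python's ftplib do by default, because a server or man-in-the-middle could otherwise redirect the data connection elsewhere.

```python
import re

HOSTPORT_RE = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode_hostport(text):
    """Decode the 'h1,h2,h3,h4,p1,p2' field RFC 959 uses in PORT and in 227 replies.
    The port is carried as two bytes: port = p1 * 256 + p2."""
    m = HOSTPORT_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % text)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv_reply(reply):
    """Parse a server reply such as '227 Entering Passive Mode (192,0,2,10,195,80)'."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return _decode_hostport(reply)


def parse_port_command(cmd):
    """Parse a client command such as 'PORT 192,0,2,25,156,64'."""
    if not cmd.upper().startswith("PORT "):
        raise ValueError("not a PORT command: %r" % cmd)
    return _decode_hostport(cmd)


def build_port_command(host, port):
    """Build the active-mode PORT command a client sends for a listening port."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % port)
    return "PORT %s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)


def data_channel(mode, client_ip, server_ip, line):
    """Describe the data connection implied by a PORT command (active mode)
    or a 227 reply (passive mode): who initiates it and what must be allowed."""
    if mode == "active":
        host, port = parse_port_command(line)
        return {"initiator": "server", "from": (server_ip, 20), "to": (host, port),
                "firewall": "allow inbound to client port %d/tcp" % port}
    if mode == "passive":
        host, port = parse_pasv_reply(line)
        if host != server_ip:  # ignore a redirect to a third host (defensive)
            host = server_ip
        return {"initiator": "client", "from": (client_ip, "ephemeral"), "to": (host, port),
                "firewall": "allow inbound to server port %d/tcp (passive range)" % port}
    raise ValueError("mode must be 'active' or 'passive'")
```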
Even if you are willing to accept the risks that come with FTP, namely unencrypted data transmission and man-in-the-middle attacks, industry requirements compel you to use a more secure alternative such as FTPS or SFTP, which are comparatively much more secure.
In 1990, with a changing security landscape, Netscape created the Secure Sockets Layer (SSL, now known as TLS) protocol to protect communication over a network. Applying SSL to FTP produced FTPS, or File Transfer Protocol Secure. FTPS (also written FTP/S) commonly runs on port 990/tcp, but it can also be seen on port 21/tcp. Similarly, port 989/tcp is the common data channel port for FTPS. If the command port is 21/tcp, its data port is expected to be 20/tcp.
Like FTP, FTPS uses two channels for communication: a command channel and a data channel. Either the data channel alone can be encrypted with FTPS, or both the command and data channels can be encrypted for more security.
FTPS, like FTP, also uses multiple ports for the command and data channels. Port 21/tcp is used for the initial connection and for transmitting authentication information. Later, different ports are needed to set up a data channel for each file transfer or directory listing request from the client. Thus, like FTP, it needs a range of ports to be allowed in your firewall.
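As an added example, not part of the original article, the function below walks a constructed control-channel transcript of an explicit FTPS session (the AUTH TLS, PBSZ, PROT and CCC commands of RFC 4217) and reports which channels end up encrypted and whether the login credentials were sent before the command channel was protected. The transcripts in the test are constructed; the `implicit` flag is an assumption that models port 990, where TLS is established before any command is exchanged.

```python
def assess_ftps_session(transcript, implicit=False):
    """transcript: list of (client_command, server_reply) pairs in order.
    Returns which channels are protected at the end of the exchange and any
    weaknesses seen along the way."""
    state = {
        "control_tls": implicit,   # command channel encrypted?
        "data_tls": implicit,      # data channel encrypted?
        "cleartext_credentials": False,
        "problems": [],
    }
    for cmd, reply in transcript:
        parts = cmd.split()
        verb = parts[0].upper()
        code = reply[:3]
        if verb == "AUTH" and len(parts) > 1 and parts[1].upper() in ("TLS", "SSL"):
            # 234 means the server accepted; the TLS handshake follows on port 21
            if code == "234":
                state["control_tls"] = True
        elif verb == "PROT" and len(parts) > 1 and code == "200":
            level = parts[1].upper()
            state["data_tls"] = level == "P"      # P = private, C = clear
            if level == "C":
                state["problems"].append("PROT C leaves the data channel unencrypted")
        elif verb == "CCC" and code == "200":
            # Clear Command Channel: command channel reverts to plaintext,
            # data channel keeps whatever PROT level was negotiated
            state["control_tls"] = False
        elif verb == "PASS":
            if not state["control_tls"]:
                state["cleartext_credentials"] = True
                state["problems"].append("PASS sent before the command channel was encrypted")
    if not state["data_tls"]:
        state["problems"].append("file contents and listings will traverse the network in clear")
    return state
```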
Authentication in FTPS
Authentication for FTPS works using a username and password, with a server certificate providing the encryption. When an FTPS client connects to a server, it checks whether the server's certificate is trusted before proceeding with the connection. Certificates can be involved on both sides: the server presents one to the client, and the server can in turn require one from the client.
Unlike FTP and FTPS, SFTP (SSH File Transfer Protocol) is a completely different protocol built on SSH (Secure Shell). SFTP works by default on port 22/tcp, the same as SSH, though it can be configured to use any other free port on the server.
SFTP is a secure FTP protocol that uses SSH underneath to send and receive files. SSH being completely encrypted, SFTP is a robust and secure method to transfer files over a network.
SFTP, unlike FTP and FTPS, uses a single communication channel to transfer commands and data traffic, all of which are passed in encrypted form along with initial authentication.
Authentication in SFTP
Authentication in SFTP can be done via a simple username and password, but unlike FTP, all of the information, including the authentication details, is passed encrypted over the network.
SFTP also supports authentication with an SSH key pair (a private and a public key): the client uses the private key for the specified user, and the server must hold the corresponding public key for authentication to succeed. This is more secure than a username/password combination. The same user can authenticate with either a password or an SSH key if both methods are configured on the SFTP server.
This article summarises the basic features of the popular file transfer protocols FTP, FTPS, and SFTP and highlights the subtle and major differences between them. It covers the ports one needs to allow in a firewall to set up a working FTP/FTPS/SFTP server, while also highlighting the need to switch to the more secure protocols FTPS and SFTP.
When I say FTP here, I'm referring to any of the protocols discussed in this article. This is because FTP is decades old, and even the newer secure versions are often referred to as FTP in day-to-day use instead of by their designated names.