Many companies and organizations rely on some method to move files across different sites or between clients and users. FTP (File Transfer Protocol) has been used by many organizations over the years and is still very standard in order to download and upload files between systems.
Back when security wasn’t very mainstream this was a very popular choice. However, now it should be strictly avoided even if you are performing FTP via your internal network. I would recommend using SFTP (Secure File Transfer Protocol) not to be confused with FTPS (FTP over SSL which is known as FTP-ES, FTP-SSL and FTP Secure). SFTP is not FTP over SSH it uses SSH and SSL/TLS to secure the connection and encrypt using Public/Private Key authentication.
FTP Security Issue
It has come to my attention that people simply do not understand the risks involved with FTP. Here is an example below of a program used to sniff and capture the data going between 2 systems. Notice in red the username and password are sent in plaintext and are clearly seen via the capturing tool.
Imagine if this was a piece of malware sending your credentials or users credentials to another location for intelligence and further attacks. You could be losing very sensitive information or having other files you do not want uploaded to your server.
SFTP Security Encrypted
Again here I am capturing the packets again but this time I am connecting via SFTP. Notice the difference no usernames or passwords are sent in plaintext the entire communication is encrypted and we cannot make out the information here.
Summary
Use SFTP and move away from FTP. Even though FTPS versions of implicit and explicit exist they are still not as secure and supported as SFTP. Not only will you be better protected against attacks you can be assured that your files and accounts are being protected during the transaction and connection process. If you are still using an FTP server I strongly recommend creating a migration plan. Microsoft Windows Server does not include an SFTP server in their operating systems but there are many highly stable third party products that can perform the task.
Addendum (11/20/2014) – Why SFTP is more secure than FTPS or FTP/S
- Only 1 connection is established via SFTP, both efficient and secure.
- SFTP uses SSH for the protocol
- SFTP has security built into the protocol although FTPS or FTPES can support this security features they require configuration to be made. If you don’t set these settings up correctly you may not be as secure. So although you may have all the settings correct the 3rd party may not. Instead of trying to verify if the data being transferred is secured you might as well use SFTP as it is less configuration steps required and is secure by design.
- Also, generally SFTP only uses port 22. FTP/S can use many different ports such as 21/990
- On the efficiency scale my SFTP connections transfer data with less overhead than my FTP connections.