You all know that FTP is File Transfer Protocol. Basically, FTP is a group of rules that governs how computers would transfer your files between systems over the internet. It is quite common to see companies using FTP to upload files on other end, or websites using FTP for uploading and downloading files from webservers.
It works by simultaneously opening 2-connections that link the computers which are attempting to communicate with each other. First connection is designated for the 'commands' and 'replies' that are sent to/from these two clients. Second, connection handles the actual transfer of your data.
Regardless of your clients whether they are computers, servers, or proxy servers, there are 4-commands that are used during the FTP transmission of your data:
1. Send
2. Get
3. Change Directory
4. Transfer
As far as the transmission of data is concerned, there are 3-modes:
A. Stream mode
This mode enables FTP to manage information in a string of data without any boundaries between them.
B. Block mode
This mode separates your data into BLOCKS.
C. Compress mode
In this mode, FTP transmission happen after compressing your data using an algorithm, viz., Lempel-Ziv algorithm.
The primary purpose of using FTP over other methods is to perform 'Large' sized file transfers. Because when you use FTP, you can send 100s of GB data at once and still you can a smooth transmission. Companies know that this can greatly enhance their workflows. How?
Your workflows are greatly enhanced because with FTP you can send 'multiple files at once.' You can select several files and then send them all at the same time. If you don't use FTP, then you will have to send them one by one. This may stop you doing other works simultaneously. Right?
Even if it takes 15-20 minutes to send a file, your FTP can handle it smoothly, making you free to attend other tasks.
-
What Are Various Types of FTP ?
-
First is FTP Plain. It is your normal FTP and without any encryption and it uses port 21 by default. Most web browsers have native support for this.
-
Next is FTPS, i.e., FTP Secure. This uses SSL encryption which makes it secure.
-
Third one is FTPES. It is your FTP over 'Explicit' Transport layer security. This FTP begins like your normal FTP using port 21. Then a few special commands are performed to upgrade it a TLS/SSL-encrypted transmission. Since this FTPES works with most NGFWs, many companies prefer it over FTPS.
It is very common to use FTP via web browsers, or software clients such as FileZilla etc. If you may not know but most Operating Systems you use, come equipped with FTP client capabilities as a command line
-
How FTP is different from SFTP?
SFTP stands for Secure Shell (SSH) File Transfer Protocol.
Your FTP does not give you any SECURE CHANNEL for transferring files. In comparison to it, SFTP transfers your files and this transfer is 'secured via SSH', which actually provides your full access to 'Shell' accounts which are made on a remote server.
FTP also makes use of two channels for transferring your data, but sftp only uses a single channel.
The inbound connections that each protocol uses are different as well. FTP allows inbound communication to port 21, but SFTP allows inbound communication on port 22.
The manner in which data is transferred is also significantly different. FTP uses direct transfer, and that makes it less secure by default. Whereas, SFTP uses a 'tunneling' method to transfer data. The tunneling method brings benefits of additional security.
-
What are security concerns of FTP?
Your critical data needs to remain secure and under your control, but FTP was not designed with secure file transfer in mind and even SFTP lacks 'security controls' to handle today’s cyber threats. For example:
-
Data transmitted through FTP is a relatively slow-moving target for spoofing, sniffing, brute force, and other kinds of attacks. Through simple port scanning, a hacker could check an FTP transmission and attempt to exploit its vulnerabilities.
-
When you or your users who using username and passwords to login to your company's FTP server, these username and passwords are not protected always. You may not believe, but it is true that FTP uses clear-text passwords, which are passwords that do not undergo an encryption process. In other words, "Jhoney2@21" looks exactly like “Jhoney2@21". In more secure protocols, an algorithm is used to mask the actual password. Therefore, “Jhoney2@21” may end up looking like “d7s6a8ddj18387sak10sng8937d9d889.” --> Remember, your FTP does not secure passwords like this. That's why, hackers can still figure out those passwords.
-
FTP was not designed to provide a secure tunnel through which information could travel. Hence, there is no encryption. Even the encryption is an afterthought because it requires some extra steps and IT expertise. That's make sending your files safely a little difficult, expensive and time-consuming.
-
Most FTP clients are common software and free. That's why every hacker can access them and use them too. The security vulnerabilities of FTP makes it easy for them to intercept FTP-based file transfers.
-
In case when your FTP transfer is breached or intercepted making your files exposed, you can't do anything, because FTP doesn’t log security violations or authenticate users. But in the hindsight, you know that you need a system which is logging such security violation, which is authenticating your users too. In the absence of these basic capabilities, you cannot detect and stop breaches.
-
How to secure your FTP connections?
There is not any special way to secure your FTP file transfer other than mentioned above.
But you need to recall that your FTP Servers are usually deployed in the DMZ. And you can undertake many steps to secure DMZ using next-generation firewall(s).
(Note: I have already shared a post on how to secure DMZ. If you haven't read it, you are advised to read it. Thanks)
There some more issues with using FTP for file transfers, because FTP sends files on a first-come, first-served basis. When happens then is that you cannot create enforceable policies to schedule critical transfers above lower-priority file transfers. You cannot reserve transmission channels for sensitive transfers based on your business requirements. You may miss Service Level Agreements (SLAs), which can result in fines. You cannot interrupt and re-prioritize transfers on the fly to take advantage of last-minute opportunities or deal with emergencies.
Another well-known practical issue with FTP is that it cannot notify you when a delay or failure (in transmission) happens. It cannot send any notification to your team to allow them to fix the issue quickly. Nor does it present any LOG file activity across your entire IT environment, thereby not allowing you to proactively address the issues.
With FTP, you are often in fire-fighting mode. Because FTP cannot even recover a failed connection automatically. You have no choice but to restart the process again manually. There is no checkpoint restart and you are required to resend ENTIRE files regardless of how much was previously sent. You have to discover the failure on your own, which further delays resending the affected files. Or the affected parties would be calling you to inform that they haven't received the files that you say 'you have sent already.'
There is one more approach that is far better, where your company adopts the services of 'Managed File Transfer (MFT)' platforms.
-
What is MFT?
MFT products or platforms are built using the FTP network protocol. Since many federal regulations such as SAX, GLBA, HIPAA, etc., require that MFT products meet strict regulatory compliance standards, most MFT solutions include mechanisms to ensure a higher level of security and help you in keep in your information private and secure.
These MFT applications offer your business automation too, along with reporting and non-repudiation. A MFT solution is capable of simplifying the management of file transfers and they ensure regulatory compliance while supporting all current security standards and methodology, including SSL encryption, X.509 encryption and proxy certificates.
According to Gartner, a well-rounded managed file transfer suite should have four components:
-
A server for management of all aspects of file transfer: communications channels, multiple protocols, workflow, provisioning, APIs, etc.
-
A client for tight server integration.
-
A proxy to conceal IP address and ports.
-
Plug-ins to integrate with applications.
Managed File Transfer (MFT) is a type of software solution that brings all your file transfer tasks under one roof, securely. You can create single or recurring file transfers with internal and external trading partners, automate your regular data exchanges, and monitor both user and file movements from a single interface with MFT.
Most MFT solutions support multiple file transfer protocols and help with data translation, which makes it simple to connect with multiple trading partners where they’re at, by using their preferred protocol, data format, and type of encryption.
-
Kindly write 
your comments on the posts or topics, because when you do that you help me greatly in 
designing new quality article/post on cybersecurity.
your comments on the posts or topics, because when you do that you help me greatly in designing new quality article/post on cybersecurity.You can also share with all of us if the information shared here helps you in some manner.
Life is small and make the most of it!
Also take care of yourself and your beloved ones…
With thanks,
Meena R.
______
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...
She is so obsessed with Cybersecurity domain that she is going out of her way and sharing hugely valuable posts and writings about Cybersecurity on website, and social media platforms.
34,000+ professionals are following her on Facebook and mesmerized by the quality of content of her posts on Facebook.
If you haven't yet been touched by her enthusiastic work of sharing quality info about Cybersecurity, then you can follow her on Facebook:
Click Here to follow her: Cybersecurity PRISM