A Journey from FTP to SFTP

File transfer is an important aspect of computing. There is always a need for us to transfer files between a source and a destination. While in the earlier days, certain protocols were used to manage file transfers between the client and server, security was not much of a concern then. But, with the advancements in computing and the rise of different kinds of intrusions, security gradually became a pressing need. Yes, you guessed right. I am talking about FTP and SFTP. Let’s take a look at the journey from FTP to SFTP.

The standard network protocol File Transfer Protocol (FTP) is used to transfer files between a client system and a server. According to Wikipedia, the FTP ran on NCP specifications until 1980. After that, the protocol was replaced by a TCP/IP version named RFC 765 and consequently by RFC 959 in October 1985. RFC 959 is the current specification that FTP follows.

According to the latest specification, FTP should fulfill 4 major objectives namely:

  1. Successful sharing of data files and computer programs.
  2. Using remote systems in an effective way.
  3. Ensuring that the user is not affected by the file storage systems variations.
  4. Transferring relevant data in a reliable way.

The FTP Model as illustrated in RFC 959

In the FTP model, it is assumed that the data connection may be used in both the direction i.e. user-server or server-user. Also, it is not a necessity that the data connection has to exist all the time. As per the FTP model described in the RFC 959 specification, the control connection is initiated by the user-protocol interpreter. Once the user is initiated, the user-PI generates the standard FTP commands and transmits the commands to the server process with the help of the control connection. The server-PI then sends the respective replies to the user-PI over the control connection.

The parameters such as data ports, transfer mode, etc are specified in the FTP commands. In addition, the nature of file operations such as store, retrieve, delete, etc. are also specified in the FTP commands.

There can be a scenario where the control connections can be established between two servers. In this case, the user establishes the control connections between the two servers. The user-PI receives the control information and the data transfer takes place between the two servers. In the server to server connection, the user has to request the opening and closing of the control connections to the server and the server ultimately takes the action.

One important concept of FTP is that it uses two distinct communication channels for multiple goals. These are control connection and data connection. The control connection is the logical connection that is created during the initiation of an FTP session. The FTP commands and replies are processed through the control connection. The control connection is not used to send files. On the other hand, the data connection is established between a client and a server when a file is sent from either the client or the server. When the file transfer is completed, the data connection terminates.

Now that we have got a brief idea about the FTP protocol history and its model, let’s talk about the SFTP. FTP protocol is successfully used for various file transfer operations. So, why SFTP is needed altogether? What are the differences between FTP and SFTP? What additional benefits would we be getting through the use of SFTP protocol in comparison to the FTP protocol? These are some of the questions we will find the answer to in the below sections.

How SFTP is different from FTP?

SSH File Transfer Protocol (SFTP) is also known as Secure File Transfer Protocol. This protocol is used for file access, transfers, and management. The Internet Engineering Task Force (IETF) has designed the protocol as the extension of the Secure Shell Protocol (SSH). SFTP has spanned different versions throughout its journey and currently adheres to the Version 6, Draft 13 specification. As per the specification, some of the main goals of the SFTP protocol include:

  1. Facilitating secure file transfer.
  2. Providing file system access.
  3. Implementing a remote file system service in a secured way.
  4. Implementing a file transfer service in a secured way.

The protocol follows the Secure Shell (SSH) protocol architecture and transfers files over a secure communication channel. The secure channel implies that the client has been authenticated by the server and the client information is available to the protocol. SFTP is quite similar to the FTP if we talk about the basic functionalities. In addition, the SFTP protocol features other advanced functionalities. SFTP protocol prevents both the data and the commands thus facilitating the transfer of information securely over the network.

From the security perspective, FTP and SFTP have big differences. FTP is not a secure network protocol and is prone to various types of security attacks such as Brute force attack, FTP bounce attack, port stealing, spoofing attack and packet capture, etc. FTP protocol manages all the file transfers in plain text format thereby making all the important information vulnerable to attacks. As FTP was created before the use of SSL or TLS encryption standards, it doesn’t have the necessary security features; and even when used in conjunction with SSL or TLS (FTPS/FTPES) it still remains cumbersome and definitely not firewall-friendly. SFTP protocol is the solution to this problem. SFTP protocol facilitates the file transfer over a secure tunnel called SSH.

The SFTP protocol is sought after because of its independent nature and its ability to handle remote file system services, its firewall-friendliness, the inherent forward secrecy, the general robustness, and the overall excellent security.