Re: Secure FTP Basics

Steve Bireley wrote:

SFTP (FTP with SSH) is available on the i at extra cost.

Wrong. SFTP (OpenSSH) has always been free. It was first available for V5R3, and had to be ordered separately. Starting with V5R4, it's also shipped with the OS -- no special order necesssary.

FTPS and SFTP are equally secure when properly implemented. FTPS uses
two ports which can cause some challenges getting through firewalls.

It's not because it uses "two ports". Each file transfer negotiates a port number (which might result in many ports -- one for each transfer.) But the big problem is that it negotates the file transfer port at run-time and communicates the negotiated information through the socket. That means that a firewall has to allow all potential ports through, or needs to be adapted at run-time to open the port as FTP negotiates it.
In order to do the latter, the firewall has to be able to read what is sent over the socket -- which is not possible when it's encrypted by SSL.

Worse is NAT routers (which aren't, strictly speaking, firewalls - though they often are bundled together). NAT needs to be able to change the address/port in the packet on the fly. If the data is encrypted, it doesn't know what to change it to. Regular FTP has always been tough through a firewall, but SSL FTP is much tougher due to the fact that an appliance can't see what is sent.


You say the two are equally secure... and cryptographically, that's true. However, many folks end up disabling cryptography for part of the transfer with SSL FTP in order to make it work through a firewall -- making it less secure. Or, they end up opening up wide ranges of ports on the firewalls.

So while they might be "equally secure" in a perfect world -- in practice, SSH is more secure.

SSH has none of these problems, it always runs on one port (usually 22).