




Steve Bireley wrote:
SFTP (FTP with SSH) is available on the i at extra cost.

Wrong. SFTP (OpenSSH) has always been free. It was first available for
V5R3, and had to be ordered separately. Starting with V5R4, it's also
shipped with the OS -- no special order necessary.

I already got called on this one and stand corrected.

FTPS and SFTP are equally secure when properly implemented. FTPS uses
two ports which can cause some challenges getting through firewalls.

It's not because it uses "two ports". Each file transfer negotiates a
port number (which might result in many ports -- one for each transfer.)
But the big problem is that it negotiates the file transfer port at
run-time and communicates the negotiated information through the socket.
That means that a firewall has to allow all potential ports through,
or needs to be adapted at run-time to open the port as FTP negotiates it.
In order to do the latter, the firewall has to be able to read what is
sent over the socket -- which is not possible when it's encrypted by SSL.

I agree, it was an oversimplification of the issue. The two ports present an issue because of the way the protocol was designed (as you described).

Some FTP servers allow you to set the data port to a single port or small range of ports to limit the firewall exposure. FTP clients have also adapted to overcome the NAT issue by connecting the data port (in PASV mode) to the same IP as was used by the control port. Both of these are industry modifications to the protocol to help overcome some of the practical implementation issues.

Steve
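
The negotiation discussed in this message, as an added example that is not part of the original post: it parses the `227` passive-mode reply that a firewall would have to read on the control channel (and cannot when the channel is SSL-encrypted), then applies the two workarounds mentioned, a fixed passive port range and connecting the data socket to the control connection's IP. The sample reply, addresses and port range are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample values (assumptions, not taken from the thread).
PASV_REPLY = "227 Entering Passive Mode (192,168,1,20,195,80)"
CONTROL_PEER_IP = "203.0.113.10"      # IP the client dialed for the control connection
PASSIVE_RANGE = range(50000, 50101)   # hypothetical passive range opened on the firewall

_TUPLE_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply: (h1,h2,h3,h4,p1,p2)."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 passive-mode reply")
    match = _TUPLE_RE.search(reply)
    if match is None:
        raise ValueError("no host/port tuple in reply")
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]    # the data port is only known at run-time
    return ip, port


def data_endpoint(reply, control_peer_ip):
    """Client-side NAT workaround: keep the negotiated port, but connect to the
    same IP as the control connection instead of the advertised one."""
    advertised_ip, port = parse_pasv(reply)
    return control_peer_ip, port, advertised_ip != control_peer_ip


def firewall_allows(port, allowed=PASSIVE_RANGE):
    """Static firewall rule: only the pre-agreed passive range is open."""
    return port in allowed


if __name__ == "__main__":
    ip, port = parse_pasv(PASV_REPLY)
    print("server advertised:", ip, port)
    print("client connects to:", data_endpoint(PASV_REPLY, CONTROL_PEER_IP))
    print("inside fixed range:", firewall_allows(port))
    # A server that is not pinned to the range picks a port the static rule drops.
    _, stray = parse_pasv("227 Entering Passive Mode (192,168,1,20,19,137)")
    print("unpinned port", stray, "allowed:", firewall_allows(stray))
```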








This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
