
Difference Between SFTP, FTPS, FTP Over SSH, SCP

Introduction.

We are going to discuss the common file transfer options in brief and the security concerns associated with each of them. By understanding how these solutions operate we can make an informed decision about their usage across the organization.

Let's see if we can find answers to the questions below.

  • What are the differences between FTP, SFTP, FTPS and FTP over SSH?
  • Why not just use FTP?
  • Why should I use SFTP instead of FTP?
  • Is SFTP better than FTPS?
Following are the basic file transfer protocols:
  • FTP
  • SFTP
  • SCP
  • Rsync (out of the scope for our discussion)
  • TFTP (out of the scope for our discussion)
Following are the basic secure communication protocols:
  • SSH
  • TLS/SSL
  • IPSec

FTP - File Transfer Protocol

FTP is an application layer client/server protocol used to transfer files between computers over a TCP/IP network.

The FTP protocol uses two separate TCP connections:

  • Control Channel (server port 21) - to exchange commands and replies.
  • Data Channel (server port 20 in active mode, or a port negotiated per transfer in passive mode) – to exchange files and directory listings.

Commercial/Opensource tools

  • FileZilla.
  • Cyberduck.
  • WinSCP.

Security Concerns

  • Data in motion is not encrypted, so anyone positioned on the path (for example through ARP poisoning on the local segment) can read or modify files in transit.
  • The user ID and password are sent in clear text on the control channel, so they can be captured by passive sniffing.
  • Does not provide the level of auditing that organizations need to document compliance with data security regulations.
  • FTP users run the risk of compromising login information when automating transfers, because the scripts typically store the credentials in clear text.
  • People sharing these scripts are also sharing user credentials.
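The following is an added example written for this article (it is not code from any FTP product) that shows what a passive sniffer on the network path can read from a clear-text FTP control channel: the credentials, the files requested, and the passive-mode data-channel endpoint. The capture, host name, account and addresses are constructed placeholders. The PASV parser is the same work a firewall ALG has to do to open the data-channel port, which is why it stops working once the control channel is encrypted.

```python
"""Added example for this article (not code from any FTP product): what a
passive sniffer on the path, or a firewall ALG, can read from a clear-text FTP
control channel. SAMPLE_CAPTURE is a constructed exchange; the host name,
user, password and addresses are placeholders."""
import re

# Constructed capture of TCP/21: '>' lines are client to server, '<' lines are
# server replies. Everything here is visible to anyone on the network path.
SAMPLE_CAPTURE = """\
< 220 ftp.example.test FTP server ready
> USER alice
< 331 Password required for alice
> PASS Winter2024!
< 230 User alice logged in
> PASV
< 227 Entering Passive Mode (192,0,2,10,195,80)
> RETR payroll.csv
< 150 Opening BINARY mode data connection for payroll.csv
< 226 Transfer complete
> QUIT
< 221 Goodbye
"""

# A 227 reply carries the data-channel endpoint as h1,h2,h3,h4,p1,p2 (RFC 959).
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None if the line is not one.
    A firewall ALG must parse exactly this to open the data-channel pinhole;
    once the control channel is inside TLS (FTPS) it cannot."""
    m = PASV_RE.match(reply)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _client_commands(capture):
    """Yield (VERB, argument) for every client line in the capture."""
    for line in capture.splitlines():
        if line.startswith("> "):
            verb, _, arg = line[2:].partition(" ")
            yield verb.upper(), arg.strip()


def extract_credentials(capture):
    """Return the (user, password) pairs sent in clear on the control channel."""
    creds, user = [], None
    for verb, arg in _client_commands(capture):
        if verb == "USER":
            user = arg
        elif verb == "PASS" and user is not None:
            creds.append((user, arg))
            user = None
    return creds


def transferred_files(capture):
    """Return (command, filename) for every download (RETR) or upload (STOR)."""
    return [(verb, arg) for verb, arg in _client_commands(capture)
            if verb in ("RETR", "STOR") and arg]


def data_channel_endpoints(capture):
    """Return every passive data-channel endpoint the server advertised."""
    endpoints = []
    for line in capture.splitlines():
        if line.startswith("< "):
            ep = parse_pasv(line[2:])
            if ep is not None:
                endpoints.append(ep)
    return endpoints


if __name__ == "__main__":
    print("credentials:", extract_credentials(SAMPLE_CAPTURE))
    print("data channel:", data_channel_endpoints(SAMPLE_CAPTURE))
    print("files:", transferred_files(SAMPLE_CAPTURE))
```

With the data-channel endpoint known, the same observer can follow the second TCP connection and read payroll.csv itself; nothing in plain FTP stops either step.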

RFCs for Reference.

  • RFC 959 - File Transfer Protocol.
  • RFC 2428 - FTP Extensions for IPv6 and NATs.
  • RFC 2577 - FTP Security Considerations.
  • RFC 2585 - Internet X.509 Public Key Infrastructure Operational Protocols: FTP and HTTP.

FTP over SSH

  • It is plain FTP tunnelled through an SSH connection.
  • Only the control channel is tunnelled.
  • Utilizes the port forwarding capability of SSH (a local forward to the server's port 21) to tunnel the FTP control session.

Security Concerns 

  • Since the data channel is still outside the SSH tunnel, file contents are still sent unencrypted; the data channel cannot easily be forwarded because its port is negotiated afresh for every transfer.
  • Anyone able to sniff the network path can read any data sent over the data channel.
  • Port forwarding itself poses a risk: any traffic can be tunnelled through SSH without being monitored or alerted on.
  • It is difficult to maintain an inventory of, and operational control over, such port forwards across the organization.

Firewall Rules Considerations

Server Side - Allow inbound connections on port 22 for the tunnel. Because the data channel is not tunnelled, the normal FTP data-channel rules are still needed as well (outbound from server port 20 in active mode, or inbound to the passive port range in passive mode).
Client Side - Allow outbound connections to port 22, plus the matching FTP data-channel rule.

SFTP - SSH File Transfer Protocol.

  • In layman's terms this is the Secure File Transfer Protocol, designed by the IETF SECSH working group as an extension to SSH (Secure Shell). It runs as an SSH subsystem, so everything that flows between the systems is encrypted by the SSH transport layer using ciphers such as AES (3DES can still be negotiated by older servers but should be treated as legacy).
  • SFTP therefore also protects against password sniffing and man-in-the-middle attacks, provided the client verifies the server's host key.
  • It protects the confidentiality and integrity of the data using encryption and message authentication codes (MACs).
  • Authenticates both the server (through its host key) and the user, preventing unauthorized access to the data stream.
  • Offers several ways to authenticate a connection: user ID/password, SSH keys, or a combination of both.
  • SFTP can also help meet file transfer-related requirements for PCI DSS, HIPAA, SOX, and more.

Note: Don't confuse SFTP with FTP over SSH

Security Concerns

  • SSH key pairs must be generated and distributed beforehand when key-based authentication is used.
  • SSH keys are not easy to manage and validate at scale (no expiry and no central revocation, unlike certificates).
  • The communication is binary and can't be logged "as is" for human reading; server-side logging (for example the sftp-server log level) is needed to record which files were read or written.
  • SFTP is prone to brute force attacks if password authentication is enabled and the passwords are not complex enough.
  • May end up negotiating outdated algorithms such as blowfish-cbc, 3des-cbc or arcfour if the server's cipher list is not restricted.
  • Since SFTP protects data in motion only, the data at rest is still unencrypted and vulnerable to theft unless the file itself is encrypted separately.
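The following is an added example written for this article, not OpenSSH code: a small audit of an sshd_config for an SFTP-only host that checks the concerns listed above (legacy ciphers, brute force through password logins, the unlogged binary protocol) together with the port-forwarding risk from the FTP over SSH section. The two configurations are constructed samples, one permissive and one hardened; the sftponly group name and the chroot layout are assumptions, not anything from this article.

```python
"""Added example for this article, not OpenSSH code: a small sshd_config audit
for an SFTP-only host. The two configs below are constructed samples; the
'sftponly' group and the chroot layout are assumptions."""

# Algorithms OpenSSH still knows but that should not be negotiated any more.
WEAK_CIPHERS = {"blowfish-cbc", "3des-cbc", "cast128-cbc", "arcfour",
                "arcfour128", "arcfour256", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"}

# Constructed: a permissive server that raises every finding below.
WEAK_CONFIG = """
Port 22
Ciphers aes256-ctr,blowfish-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1
KexAlgorithms curve25519-sha256,diffie-hellman-group1-sha1
PasswordAuthentication yes
AllowTcpForwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed: keys only, modern algorithms, no tunnelling, logged file
# operations, SFTP users jailed to a home directory that must be root-owned
# and not group/world writable for ChrootDirectory to accept it.
HARDENED_CONFIG = """
Port 22
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
LogLevel VERBOSE
AllowTcpForwarding no
X11Forwarding no
Subsystem sftp internal-sftp -l INFO
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
"""


def parse_sshd_config(text):
    """Return (global_directives, [(match_criteria, directives), ...]).
    Keywords are lower-cased and, as in sshd, the first occurrence of a
    keyword wins. Only the 'keyword value' form is handled, not 'keyword=value'."""
    global_conf, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        target = global_conf if current is None else current
        target.setdefault(key, value)
    return global_conf, blocks


def _algs(value):
    """Split a comma-separated algorithm list into a set."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def audit_sftp_host(text):
    """Return the findings for the global section of an sshd_config."""
    conf, _blocks = parse_sshd_config(text)
    findings = []
    for alg in sorted(_algs(conf.get("ciphers", "")) & WEAK_CIPHERS):
        findings.append(f"weak cipher enabled: {alg}")
    for alg in sorted(_algs(conf.get("macs", "")) & WEAK_MACS):
        findings.append(f"weak MAC enabled: {alg}")
    for alg in sorted(_algs(conf.get("kexalgorithms", "")) & WEAK_KEX):
        findings.append(f"weak key exchange enabled: {alg}")
    # sshd defaults: PasswordAuthentication yes, MaxAuthTries 6, AllowTcpForwarding yes
    if conf.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("password authentication enabled: brute-force exposure, prefer keys")
    if int(conf.get("maxauthtries", "6")) > 3:
        findings.append("MaxAuthTries above 3 (sshd default is 6)")
    if conf.get("allowtcpforwarding", "yes").lower() != "no":
        findings.append("AllowTcpForwarding not disabled: SSH can tunnel arbitrary traffic")
    subsystem = conf.get("subsystem", "")
    if subsystem.startswith("sftp") and "-l" not in subsystem.split():
        findings.append("sftp subsystem has no -l log level: file operations are not logged")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sftp_host(cfg) or ["no findings"])
```

Run it against /etc/ssh/sshd_config on an SFTP host and validate any change with sshd -t before restarting the service; the audit only reads the global section, so Match blocks that loosen a setting for particular users still need a manual look.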

Firewall Rules Considerations

  • Server Side- Allow inbound connections on port 22.
  • Client Side - Allow outbound connections to port 22.

RFCs for Reference

  • RFC 4250 - The Secure Shell (SSH) Protocol Assigned Numbers
  • RFC 4251 - The Secure Shell (SSH) Protocol Architecture
  • RFC 4252 - The Secure Shell (SSH) Authentication Protocol
  • RFC 4253 - The Secure Shell (SSH) Transport Layer Protocol
  • RFC 4254 - The Secure Shell (SSH) Connection Protocol
  • RFC 4255 - Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
  • RFC 4256 - Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
  • RFC 4716 - The Secure Shell (SSH) Public Key File Format
  • draft-ietf-secsh-filexfer-02 - SSH File Transfer Protocol (the SFTP specification itself; the draft expired and was never published as an RFC)

Commercial /Opensource Solutions

  • IBM Sterling Secure File Transfer.
  • Tectia SSH Server and Client.
  • SolarWinds SFTP/SCP Server
  • OpenSSH.
  • Bitvise SSH Server
  • Cerberus SFTP
  • GlobalScape EFT Server
  • GoAnywhere MFT
  • JScape MFT Server
  • FileZilla

FTPS - FTP over SSL or FTP Secure

  • FTPS is an extension to FTP that adds support for TLS/SSL to encrypt the control session and, if required, the data session.
Note: SSLv3 is prohibited by RFC 7568, and TLS 1.0 and 1.1 are deprecated by RFC 8996; only TLS 1.2 or later should be negotiated.
  • FTPS uses whatever cipher suite TLS negotiates, typically AES, to encrypt file transfers (3DES suites are legacy and should be disabled).
  • FTPS uses a combination of user IDs, passwords, and/or certificates to verify authenticity.
  • X.509 certificates are used to authenticate the server, and optionally the client.
Note: Certificates signed by a CA can be validated through the chain of trust that is built into the standard. To validate a self-signed certificate you must have a copy of the trading partner's public certificate in your trusted key store, and the client must be configured to trust only that pinned copy.
  • Supports two methods to invoke security connection:
    • Implicit
    • Explicit

Implicit FTPS

  • Uses port 990 for the control channel and port 989 for the data channel.
  • In this mode the FTPS client initiates an "implicit" encrypted connection: any connection made to port 990 requires an immediate TLS handshake and certificate negotiation before any FTP command is exchanged, so nothing is sent in plain text.

Explicit FTPS

  • Uses port 21 for the control channel and port 20 (active mode) or a negotiated port (passive mode) for the data channel.
  • Communication initially starts in plain text until the client issues an authentication command (AUTH TLS; the older AUTH SSL form is obsolete), after which certificate verification and the TLS handshake take place and the control session is encrypted.
  • Data channel encryption is requested with the PROT command (PROT P; PROT C leaves the data channel in clear), preceded by PBSZ 0.
With explicit FTPS the control session is always encrypted once AUTH TLS succeeds, but the data session might not be. Why is this?

If you are NOT pre-encrypting the file, you want the data session encrypted (PROT P) so that the file in transit is protected. If you are pre-encrypting the file, the data connection does not strictly need to be encrypted, since TLS on the data channel would only add overhead to a file that is already encrypted; keep in mind that directory listings and file names then travel in clear.
Explicit FTPS offers the flexibility to decide which parts of the session are plain text and which are encrypted, based on requirements such as security or transfer speed.
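The sequence described above (plain-text banner, AUTH TLS, login, PBSZ 0 and PROT P), as an added example for this article rather than code from any FTPS product. It uses Python's standard ftplib, which implements explicit FTPS only (AUTH TLS on port 21, not implicit FTPS on port 990). The TLS policy rejects SSLv3, TLS 1.0 and TLS 1.1, requires a verified certificate and checks the host name; the host, account, password and cafile passed to list_directory() are placeholders.

```python
"""Added example for this article (not from any FTPS product): an explicit
FTPS client that verifies the server certificate, refuses SSLv3/TLS 1.0/1.1
and encrypts the data channel with PROT P. The host, account, password and
cafile passed to list_directory() are placeholders."""
import ssl
from ftplib import FTP_TLS


def make_ftps_context(cafile=None):
    """TLS policy shared by the control and data channels.

    cafile: PEM bundle to trust. Leave None to use the system CA store for
    CA-signed certificates; for a trading partner's self-signed certificate,
    pass a file holding just that certificate (the 'trusted key store' the
    article describes), so only that pinned certificate is accepted."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # RFC 7568 / RFC 8996
    ctx.verify_mode = ssl.CERT_REQUIRED             # unverifiable cert aborts
    ctx.check_hostname = True                       # cert must match the host
    return ctx


def describe_context(ctx):
    """Summarise the negotiated policy, for logging or tests."""
    return ctx.minimum_version.name, ctx.verify_mode.name, ctx.check_hostname


def list_directory(host, user, password, cafile=None, port=21, timeout=30):
    """Explicit FTPS session; the command order below is the protocol itself."""
    ftps = FTP_TLS(context=make_ftps_context(cafile), timeout=timeout)
    ftps.connect(host, port)      # 220 banner arrives in clear text
    ftps.auth()                   # AUTH TLS: handshake, control channel now encrypted
    ftps.login(user, password)    # USER/PASS travel inside TLS
    ftps.prot_p()                 # PBSZ 0 + PROT P: data channel encrypted too
    try:
        return ftps.nlst()        # listing is fetched over the protected data channel
    finally:
        ftps.quit()
```

Omitting the prot_p() call leaves the session in PROT C, which is the "pre-encrypted file" case described above: credentials are protected but listings and file contents cross the network in clear.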

Note: Understand that SFTP is SSH file transfer and FTPS is FTP with SSL/TLS

Firewall Rules Consideration

Explicit FTPS with Active and Passive Mode

  • Server side - allow inbound connections on port 21 for the control channel. In passive mode also allow inbound connections to the server's configured passive port range; in active mode allow the server to open outbound connections from port 20 to the client's ephemeral port.
  • Client side - allow outbound connections to port 21. Passive mode additionally needs outbound access to the server's passive port range; active mode needs inbound connections from the server to the port the client announced.
  • Because the PASV/PORT exchange is inside TLS, the firewall cannot open the data port dynamically, so the passive range must be opened statically. Prefer passive mode with a small, fixed range configured on the server.

Implicit FTPS with Active and Passive Mode

  • Same as above, with port 990 for the control channel and port 989 as the server's active-mode data source port.

RFC For Reference

  • RFC 2228 - FTP Security Extensions.
  • RFC 4217 - Securing FTP with TLS.

Commercial/OpenSource Solutions

  • GlobalSCAPE Secure FTP Server
  • RaidenFTPD.
  • IBackup’s FTP server

Security Concerns

  • Inherits all the risks associated with the use of self-signed certificates (no chain of trust; every partner certificate must be pinned manually and replaced by hand when it expires).
  • Not a firewall friendly protocol: once the control channel is encrypted the firewall can no longer inspect the PASV/PORT exchange to determine the dynamic port that needs to be opened for the data channel, so a static passive port range has to be opened instead.

SCP - Secure Copy Protocol

  • SCP is a protocol based on SSH that provides file transmission between hosts on a network.
  • SCP is a descendant of the old "rcp" protocol and provides a similar command-line syntax.
  • With SCP you can quickly transfer files between hosts along with basic file attributes such as access permissions and timestamps, which are not always preserved via FTP.
  • SCP is a native command in most operating systems, including macOS, Linux, and Windows 10 and later (through the bundled OpenSSH client).
  • SCP was introduced in SSH 1.x; the more robust SFTP protocol was introduced with SSH-2. Since OpenSSH 9.0 the scp command uses the SFTP protocol for transfers by default (the legacy scp protocol is still available with the -O flag), so on current systems the two are the same on the wire.

Comparison Chart



Note: The commercial and opensource solutions mentioned here are for reference purpose only and should not be construed as an endorsement to it. 

Brief Firewall Perspective

Every firewall vendor deploys its own algorithms to determine what type of traffic is flowing through the firewall, and uses various marketing terms to promote the product's capabilities.

App-ID is the traffic classification technology used by NGFWs like Palo Alto. More detailed information can be found here: http://www.paloguard.com/App-ID.asp

ALG and Deep Inspection are the application inspection technologies used by Juniper, Cisco and Check Point.

These technologies rely on various parameters such as port number, protocol number, commands sent through the control channel, protocol behaviour, RFC conformance, etc.; other application and protocol characteristics can also be used to generate detection signatures. Note that an FTP ALG can only follow the data channel while the control channel is in clear text; FTPS after AUTH TLS, and SFTP, are opaque to it.

Refer to the vendor documentation for detailed information on how their solution handles each application.

Further Reading
