Which File Transfer Protocol Should I Support?

You're planning to install an FTP server but you're not sure which protocol to support - FTP, SFTP or FTPS. The FTP server is intended to be accessible from the Internet.

Which protocol should you support, and why?


The short answer is to use an FTP server that supports all three protocols. You probably want to avoid allowing plain, unencrypted FTP if security is a primary concern (and isn't it always?) but both the SSH2 File Transfer Protocol (SFTP) and FTP over TLS/SSL (FTPS) are considered secure file transfer protocols.

SSH2 File Transfer Protocol (SFTP)

Despite the name, SFTP is a completely different protocol from traditional FTP. SFTP is definitely the favorite these days because of its robust security model and easier setup than FTP and FTPS. Unlike traditional FTP, SFTP runs over an SSH channel and provides security and integrity by default. SFTP is also considerably more firewall friendly than FTP because it only requires one port to establish a connection and carry out file operations.

File Transfer Protocol (FTP and FTPS)

FTP is the original File Transfer Protocol and enjoys wide support from a variety of clients and devices. Unfortunately, FTP is by default an insecure protocol, transferring commands and data over an unencrypted connection. This can allow eavesdropping of passwords and data. FTPS was introduced to solve the problem of unencrypted data being transferred and adds SSL or TLS encryption to the FTP protocol.

FTP and FTPS require multiple ports (one port to issue commands and a separate port for each and every directory listing or file transfer) to accomplish the same thing that SFTP can do with one port. The requirement to set up forwarding for large numbers of ports can be a problem in many environments and can make troubleshooting difficult. However, FTP and FTPS have been around a lot longer than SFTP and there are still many devices and clients that only support FTPS.
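To make the port requirement above concrete (an added example, not part of the original article): in passive mode, every 227 or 229 reply on the command channel announces a new data port, and the code below decodes those replies and checks each port against the range a firewall forwards. The sample replies, the 192.0.2.10 address and the 50000-50100 range are constructed assumptions.

```python
import re

# Constructed sample: server replies seen on one FTP command channel (port 21).
SAMPLE_REPLIES = [
    "220 Example FTP server ready",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "150 Opening data connection",
    "226 Transfer complete",
    "229 Entering Extended Passive Mode (|||50007|)",
    "227 Entering Passive Mode (192,0,2,10,234,96)",
]

# Assumed firewall rule: only this passive port range is forwarded to the server.
FORWARDED_RANGE = (50000, 50100)

# 227 (PASV) carries h1,h2,h3,h4,p1,p2; 229 (EPSV) carries the port directly.
# The EPSV pattern assumes the usual "|" delimiter.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def data_port(reply):
    """Return the data port announced by a 227/229 reply, or None."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError(f"malformed PASV reply: {reply!r}")
        return nums[4] * 256 + nums[5]  # port = p1 * 256 + p2
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port <= 65535:
            raise ValueError(f"malformed EPSV reply: {reply!r}")
        return port
    return None


def audit(replies, allowed=FORWARDED_RANGE):
    """List (port, forwarded) for each data connection the session requests."""
    lo, hi = allowed
    ports = (data_port(r) for r in replies)
    return [(p, lo <= p <= hi) for p in ports if p is not None]


if __name__ == "__main__":
    for port, ok in audit(SAMPLE_REPLIES):
        print(f"data port {port}: {'forwarded' if ok else 'NOT forwarded'}")
```

With FTPS the command channel is encrypted, so a firewall cannot read these replies to open ports on demand; the server's passive range has to be fixed and forwarded in advance.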

Security

The original FTP protocol offers no security and transmits commands and data in an open, easily eavesdropped connection. FTP should generally be avoided in favor of FTPS and SFTP.

In terms of security, both the SFTP and FTPS protocols are considered secure. The requirement to open up multiple ports with FTPS can be viewed as a security concern but there is nothing inherently more secure about the SFTP protocol over the FTPS protocol. Either is appropriate when a secure connection is required but SFTP tends to be easier to configure and more firewall friendly.

Performance

The only real advantage I would give FTPS over SFTP would be performance. SFTP runs over a considerably more robust and generic protocol than FTPS, and that robustness comes at a significant performance cost. There is a lot more overhead involved in SFTP, both because SFTP runs on top of the SSH2 protocol and because SFTP implements its own handshaking mechanism. If you want the highest transfer speeds possible over a secure connection then you want FTPS.

Conclusion

There are good reasons to support both FTPS and SFTP for secure file operations, and FTP for legacy devices. Organizations rarely have the option of supporting only one file transfer protocol, and solutions that support all three are commonplace today.