File transfer protocol (FTP) file transfer moves data between a client and a remote server over TCP/IP in clear text using the FTP protocol as defined in RFC 959. FTP operates in active or passive mode. In active mode, the server opens a data channel back to the client. In passive mode, the client creates both control and data connections in order to better meet firewall policies. Transfers toggle between ASCII for text and binary for exact byte flow.
FTP was originally specified in the 1970s. Because it sends control traffic, messages and payload unencrypted, the protocol has been replaced by secure protocols such as FTPS or SFTP. Even with these security extensions, the core protocol can remain relevant for internal networks, legacy integrations and workflows that favor speed, simplicity and broad software support.
How FTP file transfers work
FTP uses two concurrent TCP links so commands and data travel separately. Control traffic stays on port 21 while data sockets open only when a file moves.
Here are the steps that occur in a typical FTP file transfer:
- Client sends credentials over the control socket and awaits a status reply
- Server returns three-digit codes that define the client’s next step
- Client requests a data path, then the server assigns an ephemeral port and notifies the client
- A temporary data connection carries the payload while control traffic pauses
- After completion, the data socket closes, and the control link either starts another job or ends the session
This FTP file transfer process was designed to support predictable session management and high throughput during large batch jobs.
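The reply handling in those steps, as an added example that is not code from the original page: it follows a constructed passive-mode transcript, decodes the ephemeral data port from the RFC 959 227 reply, and refuses a data address that differs from the control peer. The transcript, the addresses and the function names are assumptions made for illustration.

```python
import re

# Constructed server replies for one passive-mode download; 192.0.2.10 is a documentation address.
TRANSCRIPT = [
    "220 Service ready",
    "331 User name okay, need password",
    "230 User logged in",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "150 File status okay; about to open data connection",
    "226 Closing data connection",
]

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_reply(line):
    """Split a single-line reply into (three-digit code, text)."""
    if not re.match(r"^\d{3}[ -]", line):
        raise ValueError(f"malformed reply: {line!r}")
    return int(line[:3]), line[4:]

def pasv_endpoint(text, control_peer):
    """Return (host, port) from a 227 reply; reject a host other than the control peer."""
    m = PASV_RE.search(text)
    if not m:
        raise ValueError("no address tuple in 227 reply")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    host = ".".join(map(str, nums[:4]))
    port = nums[4] * 256 + nums[5]  # port is sent as two bytes: high, low
    if host != control_peer:
        raise ValueError(f"data address {host} differs from control peer {control_peer}")
    return host, port

def walk(transcript, control_peer):
    """Follow the replies; return the data endpoint and whether the transfer completed."""
    endpoint, done = None, False
    for line in transcript:
        code, text = parse_reply(line)
        if code >= 400:  # 4xx and 5xx are negative completion replies
            raise RuntimeError(f"server refused: {line}")
        if code == 227:
            endpoint = pasv_endpoint(text, control_peer)
        elif code == 226:
            done = True
    return endpoint, done
```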
FTP file transfer security
FTP can still occasionally be found in controlled networks, but it is not a secure protocol and only gains data protection when paired with upgraded encryption and strict administrative controls.
Your organization can add security to its FTP file transfer process by:
- Applying IP allowlists, rate limits and automatic lockouts to blunt brute force attacks
- Capturing session logs to tamper-evident storage and then monitoring those logs for anomalies
- Disabling anonymous login and limiting each user to an isolated home directory via chroot
- Enforcing strong passwords and multifactor authentication on user accounts
- Restricting service exposure to a DMZ subnet and forwarding only required ports
These security efforts can help raise the barrier against unauthorized access while keeping legacy workflows intact.
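One way to monitor session logs for the anomalies listed above, as an added example that is not code from the original page: it flags source addresses that reach a failed-login threshold within a time window and any anonymous login attempt. The log format, the sample lines, the threshold values and the function name are all assumptions; adapt the parsing to what your server actually writes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in a hypothetical "timestamp source-ip event detail" format.
LOG = """\
2024-05-01T02:00:01 198.51.100.7 USER backup
2024-05-01T02:00:02 198.51.100.7 530 Login incorrect
2024-05-01T02:00:05 198.51.100.7 530 Login incorrect
2024-05-01T02:00:09 198.51.100.7 530 Login incorrect
2024-05-01T02:05:00 203.0.113.5 USER anonymous
2024-05-01T02:05:01 203.0.113.5 530 Login incorrect
2024-05-01T02:10:00 192.0.2.44 530 Login incorrect
2024-05-01T02:15:00 192.0.2.44 530 Login incorrect
2024-05-01T02:15:30 192.0.2.44 230 Login successful
"""

def find_alerts(log_text, max_failures=3, window=timedelta(seconds=60)):
    """Return sorted (source_ip, reason) pairs worth a lockout or an analyst's look."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent 530 replies
    alerts = set()
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        ts, ip, event = datetime.fromisoformat(parts[0]), parts[1], parts[2]
        detail = parts[3] if len(parts) > 3 else ""
        if event == "USER" and detail.lower() in ("anonymous", "ftp"):
            alerts.add((ip, "anonymous-login-attempt"))
        elif event == "530":
            recent = failures[ip]
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= max_failures:
                alerts.add((ip, "lockout-threshold"))
    return sorted(alerts)
```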
How to use FTP file transfers
Many administrators keep FTP in service because data trading partners have legacy scripts and firewalls already tuned for port 21 or rely on applications that may not be compatible with other protocols. For larger files or connections that run inside a VPN, FTP throughput often beats other forms of transfer. However, if your organization still uses FTP, it’s highly recommended that you upgrade to FTPS for improved security.
Some ways organizations use FTP/S file transfers in their daily operations are:
- Auto suppliers receive firmware images from OEMs for plant uploads via a scheduled GET
- Banks collect daily clearing reports by pulling archives from a regional data hub
- Manufacturers drop CAD files to design firms that poll an inbox
- Retailers push nightly EDI orders to distributors using automated PUT jobs
- Utilities send hourly meter data to billing vendors through a VPN-wrapped FTP/S feed
FTP file transfer alternatives
Legacy plain FTP exposes credentials and data, so many trading partners prefer to transfer files through more secure protocols.
These common FTP alternatives include:
- AS2: Signs and encrypts messages over HTTP and is commonly used for EDI document exchange
- FTPS: Layers TLS on the original command set to add data encryption and secure authentication via server or client certificates
- HTTPS: Transfers data that is encrypted through TLS/SSL over the public internet
- SFTP: Runs over SSH on a single port and includes granular permissions plus key-based login
Selecting the best alternative for your team will depend on your organization’s internal and external file-sharing needs.
FTP file transfer FAQs
Use an FTP client or a command shell to create an FTP connection. Enter the server’s hostname or IP address, plus the port on which it listens for traffic (port 21 if unchanged). Then, supply a valid username and password to access the server. The client will open a control socket, receive the server’s 220 greeting, send USER and PASS and wait for the 230 success code that confirms the login.
Choose passive mode if your host is behind a firewall, or select active mode when the server can reach you. Set the transfer type to binary for images and executables or ASCII for text. Change to the required directory with CWD, upload with PUT and download with GET. For encrypted sessions, run FTPS over TLS, or switch to SFTP on port 22.
FTP server port management best practices
Yes, plain FTP is still occasionally used in business networks where partners depend on legacy applications, scripts or firewall rules targeting port 21.
However, the majority of organizations have upgraded security to at least FTPS for these interactions, if not SFTP.
Does FTP have a future?
Plain FTP sends usernames, passwords, and payloads in clear text, so any device that can read the traffic can capture or alter it. That weakness alone keeps the protocol off limits for regulated data, but other technical limits also weigh against its use in modern network design. It doesn’t provide encryption for credentials or files, and it lacks built-in integrity checks such as hashes or digital signatures.
Passive mode forces wide port ranges that strain firewall rules. The protocol also fails to meet HIPAA, PCI DSS and similar compliance benchmarks and offers no native multi-factor authentication or fine-grained access control. These gaps push most external exchanges toward FTPS, SFTP or HTTPS-based methods that provide confidentiality, integrity and straightforward rule sets.
Which file transfer protocols should you support?
The terms can be considered synonymous in most, but not all, cases.
FIPS certified means the cryptographic module has completed a formal evaluation at an NIST-accredited lab and holds a published certificate number on the NIST validation list. That certificate confirms the module passed every required test under FIPS 140-2 or FIPS 140-3 standards. FIPS-certified solutions can also claim that they are FIPS validated.
FIPS compliant can be another way of stating FIPS validation or certification, but it can also refer to certain circumstances, such as:
- The module has not yet been through or finished the FIPS validation process but states that it follows the technical requirements. Procurement teams may accept a compliant status during evaluation, but federal production workloads usually require the full certificate before deployment.
- The module itself is validated but is used in an environment that combines other solutions. For example, a secure file transfer application like Cerberus FTP Server by Redwood is FIPS validated, but it cannot warrant the physical security of the server hardware on which it’s installed.