File transfer is a common requirement in most enterprises. While there are numerous ways to get a file from Point A to Point B over a network, perhaps the most common method still in use is FTP – File Transfer Protocol. FTP is a network file transfer protocol whose current specification, RFC 959, dates from 1985 (earlier versions go back to the 1970s), and it has gone through numerous changes and additions since that time.
By itself, FTP offers no meaningful security. Connections are password-protected, but everything, including user names, passwords, commands and the files themselves, crosses the network in clear text, where anyone on the path can read or alter it. These days, of course, security is a chief concern, and plain old FTP is no longer an option for moving sensitive data over the Internet.
To address these concerns, FTP was extended to run over SSL/TLS. The result is known as FTPS. The security extension commands it relies on (AUTH, PBSZ, PROT and CCC) are defined in RFC 2228, and RFC 4217 specifies how they are used with TLS. Today, most FTP clients and servers support FTPS out of the box without requiring significant expertise on the part of the user.
Still, when setting up a new FTPS connection in most off-the-shelf FTP clients, users must choose from a bewildering array of options with names like FTPS Implicit and FTPS CCC, among others.
This article will explain what these choices mean and how to successfully determine which options are right for your connection.
First, a little background on TCP/IP (the underlying protocol of the Internet) is necessary. Most people are aware that an IP address is a numeric way of identifying a computer on the Internet. When a user connects to an FTP server with a URL of, say, ftp.myhost.com, that address is translated behind the scenes into an IP address which uniquely identifies that server.
While the IP address is necessary for getting your computer talking to a server on the Internet, it is not sufficient. We also need a way to tell that server which program on that server you want to access. For example, the same server computer could be running a web server, an FTP server, an email server, etc.
Ports are a simple numeric method for identifying these different programs (aka services). So, to connect to an FTP server on the Internet, your FTP client software will use both an IP address (to identify the server) and a port number (to signify it wants to connect via FTP).
One early attempt to establish a standard method for securing FTP with SSL required the client to connect on a special port to signal that it wished to use SSL. While plain FTP uses port 21 for the control connection, FTPS Implicit uses port 990 instead (with port 989 for data), and the TLS handshake begins as soon as the TCP connection opens, before any FTP command or server greeting is exchanged.
This method was never standardized in an RFC and is considered deprecated, but it is still widely in use and is still supported by most commercial secure FTP clients and servers.
Explicit FTPS (also known as FTPES), the method standardized in RFC 4217 on top of the RFC 2228 commands, takes a different approach to deciding whether to use SSL/TLS. Rather than a special port, it uses port 21, the same port as plain, unsecured FTP.
It uses negotiation to determine how, and whether, the connection is secured. Behind the scenes, the client opens a normal FTP connection, sends AUTH TLS to upgrade the control channel to TLS, and then uses the PROT command to say whether data connections should be protected (PROT P) or left in the clear (PROT C), based on the configuration choices you make in the client software.
Explicit FTPS is generally the preferred method of securing an FTP connection and is widely supported by commercial FTP clients and servers.
When configuring most FTP clients, users are presented with more than just two choices for FTPS (implicit and explicit). That is because Explicit FTPS breaks down into three options that identify which parts of the FTP connection are secured.
An FTP session basically consists of two streams of data:
- The control channel (all the FTP commands, user names, passwords, and responses from the server)
- The data channel (the actual files you are attempting to upload and download)
This leaves three main options for which parts of the session will be encrypted:
- Control + Data – everything is encrypted
- Data only (sometimes called CCC or clear control channel) – the files you upload and download are encrypted, but FTP commands and responses are sent in clear text. The client logs in over TLS and only then sends the CCC command to drop encryption on the control channel, so usernames and passwords are still protected; file names and everything else that follows are not, and anyone on the path can read or alter those later commands
- Control only (sometimes called CDC or clear data channel; PROT C in protocol terms) – the files you upload and download are not protected, but FTP commands and responses, including usernames and passwords, are encrypted
These three options apply to Explicit FTPS only. For Implicit FTPS, clients offer just one “flavor”: both control and data channels are encrypted.
It is also worth noting that because Explicit FTPS is the official standard, many FTP clients simply call it FTPS. A common list of choices might look like this:
- FTPS Implicit
- FTPS Control + Data
- FTPS Control Only
- FTPS Data Only
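The following Python script, added here as an example and not taken from the article or from any particular FTP client, shows what each of those menu choices does on the control channel using the standard ftplib module. The host name, user name and password are placeholders; the ImplicitFTP_TLS class is needed because ftplib only implements explicit FTPS. negotiate() returns the list of commands it issued, so the mapping from menu choice to protocol exchange can be checked without a server.

```python
"""Map the FTPS menu choices to the commands a client sends (added example;
uses the standard ftplib module, host and credentials are placeholders)."""
import ftplib
import ssl

FTP_PORT, FTPS_IMPLICIT_PORT = 21, 990


class ImplicitFTP_TLS(ftplib.FTP_TLS):
    """FTPS Implicit: TLS starts the moment the TCP connection opens, before
    the server greeting.  ftplib only knows explicit mode (AUTH TLS after the
    greeting), so the control socket is wrapped as soon as it is assigned."""

    _sock = None

    @property
    def sock(self):
        return self._sock

    @sock.setter
    def sock(self, value):
        if value is not None and not isinstance(value, ssl.SSLSocket):
            value = self.context.wrap_socket(value, server_hostname=self.host)
        self._sock = value


def negotiate(ftp, mode, user, password):
    """Drive the security commands for one menu choice on an already connected
    ftplib.FTP_TLS (explicit) or ImplicitFTP_TLS (implicit).  Returns the
    control-channel commands issued, in order."""
    sent = []

    def send(label, method, *args):
        sent.append(label)
        getattr(ftp, method)(*args)

    if mode == "implicit":
        # The channel is already TLS; log in, then ask for protected data
        # connections so ftplib wraps them in TLS as well.
        send("USER/PASS", "login", user, password)
        send("PBSZ 0 + PROT P", "prot_p")
    elif mode in ("control+data", "control only", "data only"):
        send("AUTH TLS", "auth")                    # upgrade the clear control channel
        send("USER/PASS", "login", user, password)  # credentials now travel inside TLS
        if mode == "control only":
            send("PBSZ 0", "voidcmd", "PBSZ 0")     # PBSZ must precede PROT
            send("PROT C", "prot_c")                # files travel in the clear
        else:
            send("PBSZ 0 + PROT P", "prot_p")       # encrypt data connections
            if mode == "data only":
                send("CCC", "ccc")                  # then drop TLS on control only
    else:
        raise ValueError(f"unknown FTPS mode: {mode!r}")
    return sent


def open_ftps(host, user, password, mode="control+data", context=None):
    """Connect using one of the four menu choices and return the client."""
    if context is None:
        # Verifies the server certificate and host name.  A client that skips
        # this step is encrypting its traffic to whoever answers the port.
        context = ssl.create_default_context()
    if mode == "implicit":
        ftp = ImplicitFTP_TLS(context=context)
        ftp.connect(host, FTPS_IMPLICIT_PORT)
    else:
        ftp = ftplib.FTP_TLS(context=context)
        ftp.connect(host, FTP_PORT)
    negotiate(ftp, mode, user, password)
    return ftp


if __name__ == "__main__":
    # Placeholder server and credentials; substitute what the administrator
    # gave you.  Start with "control+data", the most common choice.
    with open_ftps("ftps.example.com", "user", "secret", "control+data") as ftp:
        print(ftp.nlst())
```

Note that "data only" is the same exchange as "control + data" with one extra command, CCC, sent after login and after PROT P, which is why the credentials stay protected while later commands do not. The implicit class never calls auth(): the socket is already TLS when the greeting arrives, and an AUTH TLS at that point would be rejected.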
How Do I Choose?
When you have a requirement to transmit data to or from an FTPS server, you are limited to the options supported by that server. This, of course, leads to the question: How do I know what a particular server supports?
In many cases, the server administrator will provide all the information you need to connect to the server, such as your user name, password, and which configuration options are supported. If you are not provided with instructions on which FTPS options to choose, in most cases the best way forward is simply to try each one until you find one that works.
By far, the most common choice is FTPS (Explicit) with control and data channels encrypted.
Which Option is Best?
Both Implicit and Explicit FTPS offer comparable levels of encryption (assuming that with Explicit FTPS you choose the option to encrypt both the data and control channels). In either case the protection only holds if the client verifies the server's certificate; a client configured to accept any certificate is encrypting its traffic to whoever answers the port.
From a practical standpoint, Explicit FTPS offers some advantages that make it a superior choice. For example:
- It is the standard, supported version of FTPS and is more likely to be widely supported well into the future
- It uses the same control port as plain FTP (21), so the initial connection requires no additional firewall configuration (assuming your firewall already allows plain FTP). Note, though, that firewalls which inspect FTP in order to open data ports dynamically cannot do so once the control channel is encrypted; this is discussed below.
Most users connect to the Internet from behind a NAT firewall. This poses problems for FTPS connections.
The FTP protocol requires the client and server to pass IP address information back and forth in the control channel. In active mode, the client tells the server (with the PORT or EPRT command) which address and port the server should connect back to for the data transfer. When the client is behind a NAT firewall, the address it needs to advertise is the public address of the NAT firewall, not the private address of the computer actually running the FTP client.
Because plain FTP sends this information in clear text, most NAT firewalls detect the PORT command and rewrite the address in it to their own public address (and open the corresponding port). With FTPS, this is not possible when the control channel is encrypted: the firewall sees only TLS records.
If you are using FTPS Explicit, one option is the CCC mode described above. After login, the commands that carry IP addresses are sent in clear text, so the NAT firewall can perform its address translation again. However, not all FTP servers support CCC, and it exposes your commands and file names on the wire. The other option is the “My IP Address” setting (or some similar name) that many FTPS clients offer, which tells the client which public address to put in the PORT command.
A similar problem arises when the FTP server is behind a NAT firewall. By default, most FTP clients connect using “passive mode”: the client sends PASV and the server replies with the IP address and port on which it is listening for the data connection. Just as in the previous case, the NAT firewall would need to replace the server's private address with its own public address, which it cannot do because the reply is encrypted, so the client receives an address it cannot reach. Many FTPS clients offer options to work around this. For example, when setting up the connection you may need to select “Restrict IP Address” (or some similar name), which tells the client to ignore the address in the server's reply and instead connect to the address it used for the control connection in the first place. Clients and servers that support extended passive mode (EPSV, RFC 2428) avoid the problem altogether, because the EPSV reply carries only a port number. The server side also needs a fixed passive port range opened on its firewall, since the firewall can no longer learn the ports from the encrypted control channel.
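The two work-arounds just described, as an added Python example that is not part of the original article: parsing the passive-mode replies the NAT box can no longer rewrite, applying the “Restrict IP Address” logic on the client side, and building the active-mode PORT command with a “My IP Address” override. All addresses and server replies in it are constructed for illustration.

```python
"""NAT work-arounds for FTPS, as an added example (not from the article).
Addresses and server replies below are made up."""
import ipaddress
import re

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"\(\|\|\|(\d+)\|\)")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).
    This is the reply a NAT box rewrites for plain FTP and cannot see once
    the control channel is encrypted."""
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply):
    """Parse '229 Entering Extended Passive Mode (|||port|)'.  EPSV (RFC 2428)
    carries no address, so there is nothing for NAT to rewrite."""
    m = _EPSV_RE.search(reply)
    if not m:
        raise ValueError(f"not a 229 reply: {reply!r}")
    return int(m.group(1))


def _looks_internal(ip):
    return ip.is_unspecified or ip.is_loopback or any(ip in n for n in _RFC1918)


def choose_data_endpoint(control_peer_ip, advertised_ip, port, restrict_ip=True):
    """Pick the address for the passive-mode data connection.

    restrict_ip=True is the client's 'Restrict IP Address' option: always use
    the address the control connection already goes to.  With it off, the
    advertised address is still overridden when it is plainly unreachable
    from outside (0.0.0.0, loopback or RFC 1918 space while the server we
    reached is not), the classic sign of an FTPS server behind NAT.
    """
    peer = ipaddress.ip_address(control_peer_ip)
    advertised = ipaddress.ip_address(advertised_ip)
    behind_nat = _looks_internal(advertised) and not _looks_internal(peer)
    if restrict_ip or behind_nat:
        return control_peer_ip, port
    return advertised_ip, port


def build_port_command(local_ip, port, public_ip=None):
    """Build the active-mode PORT command the client sends.  public_ip is the
    'My IP Address' option: because NAT cannot rewrite an encrypted command,
    the client must advertise the NAT box's public address itself."""
    ip = ipaddress.IPv4Address(public_ip or local_ip)
    octets = ",".join(str(o) for o in ip.packed)
    return f"PORT {octets},{port >> 8},{port & 0xFF}"


if __name__ == "__main__":
    # Constructed replies from an FTPS server behind NAT: we reached it at
    # 198.51.100.9 but it advertises its private address in the 227 reply.
    peer = "198.51.100.9"
    ip, port = parse_pasv("227 Entering Passive Mode (192,168,1,10,195,80).")
    print("server advertised", ip, port, "-> connect to",
          choose_data_endpoint(peer, ip, port, restrict_ip=False))
    print("EPSV needs no fix-up, port",
          parse_epsv("229 Entering Extended Passive Mode (|||50000|)"))
    print(build_port_command("192.168.1.20", 50001, public_ip="203.0.113.7"))
```

Python's own ftplib applies the same restriction by default: its `trust_server_pasv_ipv4_address` attribute is False, so the address in a 227 reply is ignored in favour of the control connection's peer, and `ftplib.parse227` / `ftplib.parse229` do the parsing shown here.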