Understanding FTPS
File transfer is a common requirement in most Enterprises. While there are numerous ways to
get a file from Point A to Point B over a network, perhaps the most common method still in use
is FTP – File Transfer Protocol. FTP is a network file transfer protocol that was first described in
RFC 959 in 1980 and has gone through numerous changes and additions since that time.
By itself, FTP offers no meaningful security. Connections are password-protected, but all data
(including passwords) is sent in plain text over the network. These days, of course, security is a
chief concern and plain old FTP is no longer an option for moving sensitive data over the
Internet.
To address these security concerns, a strategy was devised to add a layer of security to FTP
using SSL/TLS. This new protocol is known as FTPS and is described in RFC 2228. Today, most
FTP clients and servers support this FTPS protocol out of the box without requiring significant
expertise on behalf of the user.
Still, when attempting to set up a new FTPS connection in most off-the-shelf FTP clients, the
users still must choose from a bewildering array of choices with names like FTPS Implicit and
FTPS CCC, among others.
This article will explain what these choices mean and how to successfully determine which
options are right for your connection.
Understanding Ports
First, a little background on TCP/IP (the underlying protocol of the Internet) is necessary. Most
people are aware that an IP address is a numeric way of identifying a computer on the Internet.
When a user connects to an FTP server with a URL of, say, ftp.myhost.com, that address is
translated behind the scenes into an IP address which uniquely identifies that server.
While the IP address is necessary for getting your computer talking to a server on the Internet,
it is not sufficient. We also need a way to tell that server which program on that server you
want to access. For example, the same server computer could be running a web server, an FTP
server, an email server, etc.
Ports are a simple numeric method for identifying these different programs (aka services). So,
to connect to an FTP server on the Internet, your FTP client software will use both an IP address
(to identify the server) and a port number (to signify it wants to connect via FTP).
Implicit FTPS
One early attempt to establish a standard method for securing FTP with SSL required that the
client connect on a special port to tell the FTP server that the client wishes to use SSL to secure
the FTP connection. While plain old FTP uses port 21 to establish a connection, FTPS implicit
uses port 990 instead.
This method is considered deprecated, but is still widely in use and is still supported by most
commercial secure FTP clients and servers.
Explicit FTPS
The aforementioned RFC 2228 which defines the FTPS standard uses a different method for
determining whether or not to use SSL/TLS to secure an FTP connection. Rather than use a
special port to establish a connection, explicit FTPS (also known as FTPES) uses port 21, the
same port as plain, unsecured FTP.
It uses negotiation to determine how and whether the connection should be secured. Behind the
scenes, the client software tells the server software what method it wants to use to secure the
connection based on the configuration choices you make in the client software.
Explicit FTPS is generally the preferred method of securing an FTP connection and is widely
supported by commercial FTP clients and servers.
More Choices
When configuring most FTP clients, users are presented with more than just two choices for
FTPS (implicit and explicit). That is because Explicit FTPS breaks down into three different
options that identify which parts of the FTP connection will be secured. An FTP session has two
channels:
1. The control channel (all the FTP commands, user names, passwords, and responses from
the server)
2. The data channel (the actual files you are attempting to upload and download)
This leaves three main options for which parts of the session will be encrypted:
1. Control + Data – both the FTP commands (including usernames and passwords) and the
files you upload and download are encrypted
2. Data only (sometimes called CCC or clear command channel) – the files you upload and
download are encrypted, but the FTP commands and responses are sent in clear text so that
a NAT firewall can still read them
3. Control only (sometimes called CDC or clear data channel) – the files you upload and
download are not secured, but FTP commands and responses as well as usernames and
passwords are encrypted
These three options are available for Explicit FTPS only. Implicit FTPS only has one “flavor” –
both control and data channels are encrypted.
It is also worth noting that because Explicit FTPS is the official standard, many FTP clients simply
call it FTPS. A common list of choices might look like this:
FTPS Implicit
FTPS Control + Data
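The three explicit FTPS flavours as a protocol exchange, added here as an example (not code from the article): a toy Python server state machine answers the RFC 2228 commands (AUTH TLS, PBSZ, PROT, CCC) that a client sends for each flavour, and reports which channels end up encrypted. The server replies are simplified and the login credentials are constructed.

```python
class SimFtpsServer:
    """Toy server tracking the security state that RFC 2228 commands set up."""

    def __init__(self):
        self.control_tls = False  # is the control channel encrypted?
        self.data_tls = False     # will data connections be encrypted?
        self.pbsz_done = False

    def handle(self, command):
        """Return the reply for one client command (codes as in RFC 2228)."""
        verb, _, arg = command.partition(" ")
        if verb == "AUTH" and arg in ("TLS", "SSL"):
            self.control_tls = True  # the TLS handshake would follow the 234
            return "234 AUTH command ok; starting TLS"
        if verb in ("PBSZ", "PROT", "CCC") and not self.control_tls:
            return "503 Use AUTH TLS first"  # security commands need TLS control channel
        if verb == "PBSZ":
            self.pbsz_done = True
            return "200 PBSZ=0"
        if verb == "PROT":
            if not self.pbsz_done:
                return "503 PBSZ must precede PROT"
            self.data_tls = (arg == "P")  # P = private (encrypted), C = clear
            return f"200 Protection level set to {arg}"
        if verb == "CCC":
            self.control_tls = False  # control channel drops back to clear text
            return "200 Clear command channel"
        return "331 Password required" if verb == "USER" else "200 OK"


# Command sequences producing each flavour; "alice"/"s3cret" are constructed.
FLAVOURS = {
    "control+data": ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS s3cret"],
    "control only": ["AUTH TLS", "PBSZ 0", "PROT C", "USER alice", "PASS s3cret"],
    "data only (CCC)": ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS s3cret", "CCC"],
}


def negotiate(flavour):
    """Run one flavour; return the transcript and the final security state."""
    server = SimFtpsServer()
    transcript = [(cmd, server.handle(cmd)) for cmd in FLAVOURS[flavour]]
    return transcript, {"control": server.control_tls, "data": server.data_tls}


if __name__ == "__main__":
    for name in FLAVOURS:
        transcript, state = negotiate(name)
        print(f"{name}: {state}")
        for cmd, reply in transcript:
            print(f"  C> {cmd}\n  S< {reply}")
```

Note that in the CCC flavour the credentials are still sent over TLS; only the commands after CCC (such as the ones carrying IP address information) travel in clear text.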
How Do I Choose?
When you have a requirement to transmit data to or from an FTPS server, you are limited to
the options supported by that server. This, of course, leads to the question: How do I know
what a particular server supports?
In many cases, the server administrator will provide all the information you need to connect to
the server, such as your user name, password, and which configuration options are
supported. If you are not provided with instructions on which FTPS options to choose, in most
cases the best way forward is simply to try each one until you find one that works.
By far, the most common choice is FTPS (Explicit) with control and data channels encrypted.
Both Implicit and Explicit FTPS offer comparable levels of encryption (assuming that with
Explicit FTPS you choose the option to encrypt both the data and control channels).
From a practical standpoint, Explicit FTPS offers some advantages that make it a superior
choice. For example:
It is the standard, supported version of FTPS and is more likely to be widely supported
well into the future
It uses the same ports as plain FTP, so requires no additional firewall configuration
(assuming your firewall is already configured for plain FTP).
Potential Pitfalls
Most users connect to the Internet from behind a NAT firewall. This poses problems for FTPS
connections.
The FTP protocol requires the client and server to pass IP address information back and forth.
When you are connecting to the Internet from behind a NAT firewall, the FTP client needs to be
able to send the FTP server the IP address of the NAT firewall and not of the computer actually
running the FTP client.
Because plain FTP sends all information in clear text, most NAT firewalls automatically detect
this and replace the IP address reported by the client with its own IP address. With FTPS, this
technique is not possible if all the control channel information sent from the FTP client is
encrypted.
If you are using FTPS Explicit, one option is to use the CCC mode described above. This mode
sends the commands which include the IP address in clear text so the NAT firewall can perform
address translation. However, not all FTP servers support this mode. Many FTPS clients offer an
option for “My IP Address” (or some similar name) to tell the client which IP address to send to
the server.
A similar problem happens when the FTP server is running on a computer that is behind a NAT
firewall. By default, most FTP clients connect to an FTP server using something called “passive
mode.” This mode requires the FTP server to send its IP address back to the FTP client. Just like
in the previous case, the NAT firewall needs to replace the IP address of the FTP server with its
own IP address, which it can’t do because the data coming from the FTP server is encrypted.
Many FTPS clients offer options to work around this limitation. For example, when setting up
the connection you may need to select an option for “Restrict IP Address” (or some similar
name) which tells the client to ignore the incorrect IP address sent by the FTP server and use
the IP address used to connect to the FTP server in the first place.
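Both NAT pitfalls above in code, added here as an example (not code from the article): building the PORT command with a "My IP Address" override, parsing the server's passive-mode 227 reply, and applying the "Restrict IP Address" workaround or flagging the mismatch it fixes. It assumes IPv4, that control_ip is the address the control connection was dialled to, and the sample reply and addresses are constructed.

```python
import ipaddress
import re

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def build_port_command(local_ip, local_port, my_ip=None):
    """Build the PORT command the client sends in active mode.

    my_ip mirrors a client's "My IP Address" option: behind NAT it must be the
    firewall's public address, because the server connects back to it."""
    octets = (my_ip or local_ip).split(".")
    if len(octets) != 4 or not 0 < local_port < 65536:
        raise ValueError("IPv4 address and a 1-65535 port are required")
    return f"PORT {','.join(octets)},{local_port // 256},{local_port % 256}"


def parse_pasv_reply(reply):
    """Parse '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    match = PASV_RE.search(reply)
    if match is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value out of range in PASV reply")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_endpoint(reply, control_ip, restrict_ip=False):
    """Choose (host, port, note) for the data connection.

    control_ip is the address the control connection was opened to. With
    restrict_ip the advertised address is ignored ("Restrict IP Address");
    otherwise a private advertised address that differs from control_ip is
    flagged as the classic symptom of a server behind NAT."""
    host, port = parse_pasv_reply(reply)
    if restrict_ip:
        return control_ip, port, "used control-connection address"
    if host != control_ip and ipaddress.ip_address(host).is_private:
        return host, port, "warning: server advertised a private address (NAT?)"
    return host, port, "used advertised address"


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,20,195,80)."  # constructed sample
    print(build_port_command("192.168.1.5", 50001, my_ip="203.0.113.9"))
    print(data_endpoint(reply, "203.0.113.10"))
    print(data_endpoint(reply, "203.0.113.10", restrict_ip=True))
```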
FTP
Plain, unencrypted FTP that defaults over port 21. Most web browsers support basic FTP.
FTPS
Implicit SSL/TLS encrypted FTP that works just like HTTPS. Security is enabled with SSL as soon
as the connection starts. The default FTPS port is 990. This protocol was the first version of
encrypted FTP available, and while considered deprecated, is still widely used. None of the
major web browsers support FTPS.
FTPES
Explicit FTP over SSL/TLS. This starts out as plain FTP over port 21, but through special FTP
commands is upgraded to TLS/SSL encryption. This upgrade usually occurs before the user
credentials are sent over the connection. FTPES is a somewhat newer form of encrypted FTP
(although still over a decade old), and is considered the preferred way to establish encrypted
connections because it can be more firewall friendly. None of the major web browsers support
FTPES.
FTPS
Unlike the SFTP protocol, FTPS is an extension to FTP that enables encrypted FTP sessions on
request through the AUTH TLS and AUTH SSL commands. In this way you can transfer your files
over SSL or TLS connections. Like HTTPS, FTPS also requires a certificate and key. SSL and TLS
are widely used over the Internet, but they are not supported by all FTP servers. You can choose
between an implicit FTPS connection, which always encrypts the transferred data, and explicit
FTPS, which allows you to start both encrypted and unencrypted sessions.