Networking

Recommend clients using FTP switch to SSL or SSH

FTP is certainly not the right transfer protocol for sensitive and confidential data. If you have consulting clients who still depend on FTP, Susan Harkins explains why you may want to encourage them to update to either SSL or SSH.

Secure file transfer is a challenge we all face. Electronically exchanging confidential or sensitive data carries risks that the data won't reach the intended recipients or, worse, that an unauthorized person will intercept the data.

For years, FTP was the way to transfer files on a regular basis. After all, it is quick and easy. I mention FTP because, despite its lack of security, FTP is still the most common method of transferring files. The FTP protocol includes little or no security, leaving data vulnerable to attack and unauthorized viewing during transmission and while stored on the server.

Unfortunately, many companies have no IT mandate on the subject and leave data transfer decisions up to individual users. This is a disaster in the making. If your clients are still using FTP, you might recommend an update to either Secure Sockets Layer (SSL) or Secure Shell (SSH).

  • SSL: FTP over SSL, known as FTPS, adds encryption to standard FTP connections. SSL protects data from unauthorized viewing and editing during transmission.
  • SSH: File transfer over SSH, known as SFTP, encrypts the entire transfer process.

SSH seems to be the favorite because most operating systems support it. The following table compares features of the three transfer methods.

Feature                  FTP   SSL   SSH
Credential encryption     X     X     X
Transport encryption            X     X
File integrity check      X     X     X
Built-in compression                  X
Connection ports          2     2     1

As you can see, SSH is the most robust, and the port issue alone is a great bonus. In addition, only SSH offers built-in compression for better performance.
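The "connection ports" row is easier to appreciate when you see what FTP actually puts on the wire. The following is an added example, not code from the article or its author: it audits a captured FTP control-channel transcript the way a network monitor would, recording that the login was sent in the clear and decoding the second (data) connection that FTP negotiates per transfer, in both passive (`227` reply) and active (`PORT` command) mode. The transcript, host names and file names are constructed for the example; SFTP has no equivalent because everything travels inside the single SSH connection.

```python
"""Audit an FTP control-channel transcript for the weaknesses the
article describes: cleartext credentials and a separately negotiated
data connection for every transfer (constructed example)."""
import re

# 227 reply (passive mode) and PORT command (active mode) both carry
# h1,h2,h3,h4,p1,p2 where the port is p1 * 256 + p2.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.I)

# Constructed sample transcript: "C:" lines come from the client,
# "S:" lines from the server.
SAMPLE_TRANSCRIPT = """\
S: 220 files.example.com FTP server ready
C: USER alice
S: 331 Password required for alice
C: PASS hunter2
S: 230 User alice logged in
C: PASV
S: 227 Entering Passive Mode (192,0,2,10,195,89)
C: RETR payroll.csv
S: 150 Opening BINARY mode data connection
S: 226 Transfer complete
"""


def decode_endpoint(text, pattern):
    """Turn a 227 reply or PORT command into (host, port), or None."""
    m = pattern.match(text)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_endpoint(reply):
    """Decode a server 227 reply (passive mode)."""
    return decode_endpoint(reply, PASV_RE)


def port_endpoint(command):
    """Decode a client PORT command (active mode)."""
    return decode_endpoint(command, PORT_RE)


def audit_ftp_transcript(text):
    """Return findings: who logged in, whether the password crossed the
    wire in the clear, every data connection negotiated, and the files
    moved over them.  The password value itself is deliberately not kept."""
    findings = {"user": None, "password_exposed": False,
                "data_connections": [], "files": []}
    for line in text.splitlines():
        side, _, payload = line.partition(": ")
        if side == "C":
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                findings["user"] = arg
            elif verb == "PASS":
                findings["password_exposed"] = True
            elif verb == "PORT":
                ep = port_endpoint(payload)
                if ep:
                    findings["data_connections"].append(ep)
            elif verb in ("RETR", "STOR"):
                findings["files"].append((verb, arg))
        elif side == "S":
            ep = pasv_endpoint(payload)
            if ep:
                findings["data_connections"].append(ep)
    return findings


def connection_count(findings):
    """One control connection plus one data connection per transfer."""
    return 1 + len(findings["data_connections"])


if __name__ == "__main__":
    result = audit_ftp_transcript(SAMPLE_TRANSCRIPT)
    print(f"user {result['user']!r}, password exposed: "
          f"{result['password_exposed']}")
    for host, port in result["data_connections"]:
        print(f"data connection to {host}:{port}")
    print(f"connections used: {connection_count(result)}")
```

Every ephemeral data port the audit reports is a port a firewall would have to open or track with an application-layer helper; the SSH-based alternative needs only one port, which is the "great bonus" the paragraph above refers to.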

Chances are, you know all about SSL and SSH, but it might be time to discuss better security for file transfer with those stubborn clients still clinging to unsecured FTP connections. It's time for those clients to change their attitude toward data transfer; they must treat data transfer as an essential process and standardize their file transfer solution.

The first step to standardization is to adopt a more secure method of transfer, perhaps SSL or SSH, for sensitive data. You can help clients decide which is the most practical and efficient. The next step is implementation and education. It'll be your job to make sure everyone has the appropriate access, licensing, and training.


About

Susan Sales Harkins is an IT consultant, specializing in desktop solutions. Previously, she was editor in chief for The Cobb Group, the world's largest publisher of technical journals.

3 comments
Doug Vitale

Popular FTP client applications like FileZilla and PuTTY support SSH for remote connections, which should be used instead of telnet and FTP. Using telnet is not recommended because logins, passwords and commands are transferred in clear text. An attacker could eavesdrop on telnet sessions and obtain the credentials of other users. The use of FTP is also not a recommended best practice. FTP servers can only handle usernames and passwords in plain text, which means that credentials, FTP commands and transferred files could be sniffed. SSH and SFTP can be used to replace telnet and FTP in a manner almost invisible to the average user. You should also remember to use SSH v2.0. Versions prior to 2.0 are not completely cryptographically safe, so they should be avoided. SSH version 1 is vulnerable to a well-known security exploit that allows an attacker to insert data into the communication stream. If you set up an SSH server, remember to set the timeout and maximum denied login attempts. I would suggest a 60-second timeout or less for idle connections and a maximum of 3 unsuccessful login attempts.

Sterling chip Camden

It seems that everyone must be told that FTP is not secure. Good post, Susan.

ssharkins

FTP is great for stuff that doesn't matter, but it always concerns me when I see people using it to exchange critical information. It really goes back to standardization and that's where we, as consultants, can help -- if we can get clients to listen.
