File management is fundamental in certain business scenarios that map naturally onto the folder-and-file model shared by Windows, Mac OS X and Linux. FTP and SFTP may sound old-fashioned, but they remain great solutions for an initial iteration of the tech side of a business. So which one should you start with?
FTP
FTP stands for File Transfer Protocol, a method for exchanging files over a network. It has been around since 1971 and standardized since 1980, much earlier than the other most popular network protocol, HTTP (proposed in 1989).
FTP features a stable stateful control connection paired with a secondary data connection for the actual transfer of files. It supports both login and anonymous access. All the information is communicated in clear text, but it can be encrypted over SSL/TLS for data security (like HTTP vs HTTPS).
SFTP
SFTP is the abbreviation of SSH File Transfer Protocol. It works over an SSH secure tunnel, where the server has already authenticated the client and all communications are encrypted.
Although SFTP has a name and commands similar to FTP's, its protocol is completely different. It was first developed in 1997 and was not standardized until 2001.
Pros and Cons
Many FTP clients, such as FileZilla and WinSCP, support both protocols. Their similarities can cause confusion, masking the underlying differences in infrastructure and assumptions.
In terms of networking, FTP requires far more ports than SFTP: ports 20 and 21 are reserved for FTP, and 989 and 990 for FTP over SSL/TLS (FTPS). In passive mode, FTP can use a random port in a given range (for example, 30000-31000) to establish the connection. The firewall configuration for FTP is therefore more complicated. SFTP, by contrast, only takes port 22, which is also the common SSH port and is built into many firewall settings.
As for server system services, FTP requires a dedicated server (like Apache2 or nginx serving HTTP), while SFTP is usually provided by the SSH daemon, which is a must-have for Unix/Linux system administration. SFTP needs no other software package to be installed, whereas FTP does.
From the perspective of Internet security, the attack surface of SFTP is apparently smaller than that of FTP, because SFTP can live with a strict firewall and fewer software packages. This is mostly due to the ubiquity of SSH for remote access, as well as the security attention it receives.
In terms of functionality, however, SFTP may not be as flexible as an FTP setup, because SFTP is tightly coupled to the system level: for example, SFTP shares the system's credentials (thus not allowing anonymous access) and directly reflects the file system on the server. Its functionality depends strictly on the successful establishment of an SSH tunnel. Still, it is possible to restrict a user's access to a certain folder only (using chroot).
An FTP server, on the other hand, can be custom-configured, even custom-defined, like a custom HTTP web server. The clear text protocol provides the possibility of virtual file systems. Open to further development, it can be extended to function more like an API than a regular file management method.
Furthermore, the user authentication of FTP can be decoupled from the system, allowing reuse of an existing LDAP setup or even the authentication of a web application. SFTP has to rely on the user/group model of the operating system.
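The chroot restriction mentioned above is normally configured in a Match block of sshd_config. The following is an added example, not code from the original article: it audits Match blocks for the settings that confine an account to SFTP inside a chroot. The group name sftponly and the path /srv/sftp/%u are hypothetical, and both sample configurations are constructed.

```python
"""Audit sshd_config Match blocks meant for SFTP-only accounts (added example)."""

def parse_sshd_config(text):
    """Return (global settings, {match criteria: settings}), keywords lowercased."""
    global_settings, blocks = {}, {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "match":
            current = blocks.setdefault(value, {})  # block runs to next Match/EOF
        else:
            current.setdefault(keyword, value)  # sshd keeps the first value seen
    return global_settings, blocks

def audit(text):
    """Map each Match block to the confinement settings it is missing."""
    global_settings, blocks = parse_sshd_config(text)
    report = {}
    for criteria, settings in blocks.items():
        effective = {**global_settings, **settings}  # Match overrides global
        findings = []
        if effective.get("chrootdirectory", "none").lower() == "none":
            findings.append("no ChrootDirectory: the whole file system is visible")
        force = effective.get("forcecommand", "").split()
        if not force or force[0] != "internal-sftp":
            findings.append("no ForceCommand internal-sftp: shell access remains")
        if effective.get("allowtcpforwarding", "yes").lower() != "no":
            findings.append("AllowTcpForwarding is not 'no' (sshd default is yes)")
        report[criteria] = findings
    return report

# Constructed sample configurations; group name and path are hypothetical.
WEAK = """
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
"""
HARDENED = WEAK + """    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg))
```

sshd additionally requires every component of the ChrootDirectory path to be root-owned and not writable by any other user or group. The script reads only the configuration text and does not check file system ownership.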
Conclusion
Which to choose, FTP or SFTP? The decision should be based on your current business needs and plans in the near future. The general guidelines are:
- If anonymous access is necessary, go for FTP.
- If file management is expected to link with other parts of your web system, go for FTP.
- If the firewall is a restrictive factor, or security is the top concern while functionality is not the first priority, consider SFTP.
- For the ease of setup, use SFTP.
