How the different types of FTP work, and how each one can help you achieve your business goals.
The File Transfer Protocol (FTP) is a standard network protocol used to transfer computer files from one host to another host over a TCP-based network, such as the Internet. FTP is built on a client-server architecture and uses separate control and data connections between the client and the server.
Types of FTP
FTP users may authenticate themselves using a clear-text sign-in protocol, normally in the form of a username and password, but can connect anonymously if the server is configured to allow it. Because both the credentials and the file contents cross the network unencrypted, anyone on the path can read or alter them. For secure transmission that protects the username and password and encrypts the content, FTP is often secured with SSL/TLS (FTPS). SSH File Transfer Protocol (SFTP) is sometimes used instead, but it is a different protocol that runs over SSH rather than an extension of FTP.
The first FTP client applications were command-line applications developed before operating systems had graphical user interfaces, and are still shipped with most Windows, Unix, and Linux operating systems. Many FTP clients and automation utilities have since been developed for desktops, servers, mobile devices, and hardware, and FTP has been incorporated into productivity applications, such as Web page editors.
Summary: Plain, unencrypted FTP; the control connection defaults to port 21, and credentials and file contents both travel in clear text. Most web browsers once supported basic FTP, but the major browsers have since removed that support.
FTPS – (FTP Secure) is an extension to the commonly used File Transfer Protocol (FTP) that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols.
FTPS should not be confused with the SSH File Transfer Protocol (SFTP), an incompatible secure file transfer subsystem for the Secure Shell (SSH) protocol. It is also different from FTP over SSH, the practice of tunneling FTP through an SSH connection.
Summary: Implicit SSL/TLS encrypted FTP that works just like HTTPS: the TLS handshake takes place as soon as the TCP connection is established, before any FTP banner or command is sent. The default FTPS control port is 990, with 989 reserved for the corresponding data connections. This was the first form of encrypted FTP available, and while it is considered deprecated in favour of the explicit method, it is still widely used. None of the major web browsers support FTPS.
FTPES – Explicit FTP over SSL/TLS. FTPES uses the same TLS protection as FTPS, and the two are often lumped together under the name FTPS, but they differ in how the encrypted session is established: FTPS encrypts from the first byte, whereas FTPES starts as plain FTP and is upgraded in-band.
Summary: Explicit FTP over SSL/TLS. This starts out as plain FTP over port 21; the client then sends the AUTH TLS command (RFC 4217) and the control connection is upgraded to TLS, after which PBSZ 0 and PROT P switch the data connections to TLS as well. The upgrade should happen before the user credentials are sent, which is exactly what the Require Secure Control constraint described below enforces. FTPES is a somewhat newer form of encrypted FTP (although still over a decade old), and is considered the preferred way to establish encrypted connections because it reuses the standard FTP port and lets a single listener serve both plain and encrypted clients. One caveat applies to FTPS and FTPES alike: once the control connection is encrypted, firewalls and NAT devices can no longer read the PASV and PORT replies to open data ports on demand, so the server should be configured with a fixed passive port range that is opened on the firewall. None of the major web browsers support FTPES.
Controlling what types of FTP are Allowed.
We can control the types of FTP connections allowed at both the user level, and at the listener level.
Restricting FTP connections at the User level
For a user or group account, the Require Secure Control and Require Secure Data constraints enforce that the connection is encrypted using either FTPS or FTPES. If Require Secure Control is checked, a client on the FTP listener (port 21) that attempts to authenticate without first upgrading the connection to TLS will be denied login. If the connection has been upgraded (that is, it is an FTPES connection), the user will be allowed to send login credentials and attempt to log in. Cerberus requires an FTP listener for FTP or FTPES connections; implicit FTPS connections arrive on a separate FTPS listener.
FTPS connections are always encrypted, and connections that come through on an FTPS listener will always be allowed to attempt to login.
The user and group constraints Allow FTP and Allow FTPS control which protocol a user can log in over. If Allow FTP is selected for a user, then both plain FTP and FTPES connections will be allowed to attempt to log in over an FTP listener. This can be further restricted to FTPES only by also selecting the Require Secure Control and Require Secure Data constraints for the user.
You can create combinations of these options to allow exactly the type of protocol and security settings that you prefer.
For example: To allow any protocol, as long as it is secure, leave Allow FTP and Allow FTPS checked, and make sure Require Secure Control and Require Secure Data are checked.
This will allow connecting over implicit FTPS listeners on port 990, and explicit FTPES connections over FTP listeners on port 21 (as long as the connection gets upgraded to TLS/SSL encryption before the user attempts to login).
Restricting FTP connections at the Listener level
In addition to the fine-grained control administrators have at the user level, broader restrictions can be enforced at the listener level. FTP listeners also have the Require Secure Control and Require Secure Data settings, and these are evaluated first, before a user even attempts to log in and before any individual user settings are consulted. If both options are specified for an FTP listener, then only secure FTPES connections will be allowed on that listener.
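The following is an added example, not Cerberus code and not from the original page. It models in Python both the FTPES command sequence summarised earlier (AUTH TLS, then PBSZ 0 and PROT P, then credentials) and the order in which the listener-level and user-level constraints from the two sections above are evaluated. The Listener and User field names mirror the settings described in this section; the user names, passwords, transcripts and reply texts other than the standard codes (234, 200, 331, 230, 530, 150) are constructed for illustration, and the model assumes that Require Secure Data is enforced when a data transfer is requested rather than at login.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Listener:
    port: int
    implicit_tls: bool                  # True: FTPS listener (990); False: FTP/FTPES listener (21)
    require_secure_control: bool = False
    require_secure_data: bool = False


@dataclass
class User:
    password: str
    allow_ftp: bool = True              # plain FTP and FTPES, both arriving on an FTP listener
    allow_ftps: bool = True             # implicit FTPS on an FTPS listener
    require_secure_control: bool = False
    require_secure_data: bool = False


class Session:
    """Control-connection state for one client. Reply texts are illustrative."""

    def __init__(self, listener: Listener, users: Dict[str, User]):
        self.listener = listener
        self.users = users
        # An implicit FTPS listener completes the TLS handshake before the 220 banner,
        # so its control connection is encrypted from the first byte.
        self.control_encrypted = listener.implicit_tls
        self.pbsz_done = False
        self.data_protected = False     # becomes True once PROT P is negotiated
        self.pending_user: Optional[str] = None
        self.authenticated: Optional[str] = None

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "AUTH":
            if arg.upper() != "TLS":
                return "504 Only AUTH TLS is supported"
            if self.control_encrypted:
                return "534 Control connection is already secured"
            self.control_encrypted = True   # a real server runs the TLS handshake here
            return "234 Proceed with TLS negotiation"
        if verb == "PBSZ":
            if not self.control_encrypted:
                return "503 AUTH TLS required first"
            self.pbsz_done = True
            return "200 PBSZ=0"
        if verb == "PROT":
            if not (self.control_encrypted and self.pbsz_done):
                return "503 AUTH TLS and PBSZ required first"
            if arg.upper() in ("P", "C"):
                self.data_protected = arg.upper() == "P"
                return f"200 Protection level set to {arg.upper()}"
            return "536 Unsupported protection level"
        if verb == "USER":
            # Listener-level constraint: checked before the account is even looked up.
            if self.listener.require_secure_control and not self.control_encrypted:
                return "530 This listener requires a secure control connection (AUTH TLS)"
            self.pending_user = arg
            return "331 Password required"
        if verb == "PASS":
            if self.pending_user is None:
                return "503 Send USER first"
            user = self.users.get(self.pending_user)
            if user is None or user.password != arg:
                return "530 Login incorrect"
            # Allow FTPS governs the FTPS listener; Allow FTP governs the FTP listener,
            # where both plain FTP and FTPES arrive.
            allowed = user.allow_ftps if self.listener.implicit_tls else user.allow_ftp
            if not allowed:
                return "530 Protocol not allowed for this user"
            if user.require_secure_control and not self.control_encrypted:
                return "530 Secure control connection required for this user"
            self.authenticated = self.pending_user
            return "230 Login successful"
        if verb in ("RETR", "STOR", "LIST", "NLST"):
            if self.authenticated is None:
                return "530 Please log in first"
            user = self.users[self.authenticated]
            if (self.listener.require_secure_data or user.require_secure_data) and not self.data_protected:
                return "534 Data connection must be protected (PROT P)"
            return "150 Opening data connection"
        return "502 Command not implemented"


def run(listener: Listener, users: Dict[str, User], commands: List[str]) -> List[str]:
    """Replay a control-channel transcript and return the server reply to each command."""
    session = Session(listener, users)
    return [session.handle(cmd) for cmd in commands]


# Constructed demo data (hypothetical accounts and listeners, not from any real deployment).
DEMO_USERS = {
    "alice": User(password="s3cret", require_secure_data=True),
    "bob": User(password="hunter2", allow_ftp=False),       # implicit FTPS only
}
FTP_LISTENER = Listener(port=21, implicit_tls=False, require_secure_control=True)
FTPS_LISTENER = Listener(port=990, implicit_tls=True)

if __name__ == "__main__":
    scripts = [
        ("plain FTP on 21", FTP_LISTENER, ["USER alice", "PASS s3cret"]),
        ("FTPES on 21", FTP_LISTENER, ["AUTH TLS", "PBSZ 0", "PROT P", "USER alice", "PASS s3cret", "RETR report.csv"]),
        ("bob via FTPES on 21", FTP_LISTENER, ["AUTH TLS", "USER bob", "PASS hunter2"]),
        ("bob via implicit FTPS on 990", FTPS_LISTENER, ["USER bob", "PASS hunter2", "LIST"]),
    ]
    for title, listener, script in scripts:
        print(title)
        for cmd, reply in zip(script, run(listener, DEMO_USERS, script)):
            print(f"  > {cmd}\n  < {reply}")
```

Running the script replays the four constructed transcripts. The points to notice are that the plain-FTP client is refused at USER by the listener before its account is ever consulted, that the same account succeeds once AUTH TLS precedes the credentials, that an account with Allow FTP unchecked is refused on the port 21 listener even over FTPES, and that Require Secure Data does not block the login itself but blocks the first data transfer until PROT P has been negotiated (which a real client such as Python's ftplib.FTP_TLS does through prot_p()).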