Choosing the transfer protocol you should use to upload your website can get complicated, and the terminology makes it more confusing: the names all look alike, yet there are real differences between the protocols, in particular in how data exchange occurs, in their security levels, and in what they require of the server or client firewall.

FTP

The FTP protocol (File Transfer Protocol) has been around for a long time. It was first proposed in RFC 114, more than 40 years ago, and eventually evolved into RFC 959, the standard that FTP clients and servers follow today.

DATA EXCHANGE

The FTP protocol exchanges data using two separate channels known as the command channel and the data channel.

The command channel normally runs on server port 21 and is responsible for accepting client connections and handling the exchange of simple commands between an FTP client and a server. The USER and PASS commands used to authenticate an FTP user are examples of commands that are exchanged in the command channel. The command channel remains open until the client sends the QUIT command to disconnect, or the server disconnects the client due to inactivity or another reason.

The data channel is opened on demand on a temporary port, on the server (passive mode) or on the client (active mode), and is responsible for exchanging data in the form of directory listings and file transfers. The LIST, STOR and RETR commands, used to obtain a directory listing, upload a file and download a file respectively, are examples of commands (sent via the command channel) that open a data channel. Unlike the command channel, which remains open for the entire FTP session, the data channel is closed once the data transfer is complete. To handle concurrent file transfers or directory listings, a range of data channel ports must be used.

SECURITY

With FTP, neither the command channel nor the data channel is encrypted. Any data sent over these channels can be intercepted and read. A common attack that exploits this weakness is the man-in-the-middle attack using ARP poisoning and a packet sniffer.

FIREWALL

Server: allow incoming connections on port 21. Define a passive port range (for example, 2000-2500) for file transfers and directory listings and allow incoming connections on that range. See your server documentation for instructions on configuring a passive port range.

Client: allow outgoing connections to port 21 and to the passive port range defined by the server.

Many of the firewall problems encountered with FTP are caused by a misunderstanding of the two FTP modes, active and passive. The settings you need on your server-side or client-side firewall depend largely on the mode you choose. To avoid these problems, we suggest you take the time to read a deeper discussion of active and passive FTP.
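As an added example (not code from the original article), here is how an FTP client works out the data-channel endpoint that the firewall rules above must allow: in passive mode it parses the server's 227 reply to PASV, in active mode it builds the PORT command it sends, and it checks the resulting port against a configured passive range such as 2000-2500. The sample replies, the 192.168.1.10 and 10.0.0.5 addresses and the optional peer-address check are assumptions for illustration.

```python
"""Compute FTP data-channel endpoints and check them against a passive port range."""
import ipaddress
import re
from typing import Optional, Tuple

# Six comma-separated numbers, as carried in a "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply (RFC 959).
_HOST_PORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv_reply(reply: str, peer_host: Optional[str] = None) -> Tuple[str, int]:
    """Return (host, port) from a 227 reply; port is p1 * 256 + p2.

    If peer_host (the address the command channel is connected to) is given, the
    advertised address must match it, so a reply that would send the data
    connection to some third host is refused (assumed client-side policy).
    """
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    match = _HOST_PORT_RE.search(reply)
    if match is None:
        raise ValueError(f"no host/port tuple in PASV reply: {reply!r}")
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("host/port field out of range")
    host = str(ipaddress.IPv4Address(".".join(str(f) for f in fields[:4])))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("server advertised port 0")
    if peer_host is not None and host != peer_host:
        raise ValueError(f"PASV address {host} differs from control-channel peer {peer_host}")
    return host, port


def build_port_command(host: str, port: int) -> str:
    """Build the active-mode PORT command with which a client advertises its own listener."""
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    h1, h2, h3, h4 = str(ipaddress.IPv4Address(host)).split(".")
    return f"PORT {h1},{h2},{h3},{h4},{port // 256},{port % 256}"


def in_passive_range(port: int, passive_range: Tuple[int, int] = (2000, 2500)) -> bool:
    """True if a firewall rule allowing passive_range would admit this data connection."""
    low, high = passive_range
    return low <= port <= high


if __name__ == "__main__":
    # Constructed replies, not captured from a real server.
    for reply in ("227 Entering Passive Mode (192,168,1,10,7,208).",
                  "227 Entering Passive Mode (192,168,1,10,195,80)."):
        host, port = parse_pasv_reply(reply, peer_host="192.168.1.10")
        verdict = "allowed" if in_passive_range(port) else "BLOCKED by the 2000-2500 rule"
        print(f"{reply} -> {host}:{port} {verdict}")
    print(build_port_command("10.0.0.5", 2001))  # what an active-mode client would send
```

The second sample reply advertises port 50000, outside the example range, which is precisely the case where a transfer hangs after the command channel has happily authenticated: the server's configured passive range and the firewall rule must agree.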

FTPS

When the FTP protocol was initially written, security was not a concern. Since then, many things have changed and sending data through any public network without encryption is considered very risky and, in some cases, is prohibited. Regulations such as PCI-DSS and HIPAA, for example, contain provisions that require data transmissions to be protected by encryption.

To address this, a set of security extensions to the original FTP protocol was proposed in RFC 2228; these protect FTP data while it travels over the network using SSL encryption.

DATA EXCHANGE

Same as FTP

SECURITY

Secure FTP variants include FTPS implicit SSL and FTPS explicit SSL. Both use SSL encryption.

FTPS IMPLICIT SSL

In implicit SSL mode, a mandatory SSL session is established between the client and the server before any data is exchanged. As the name suggests, the use of SSL is implicit, and any connection attempt a client makes without SSL is rejected by the server. FTPS implicit SSL services generally run on port 990. Although still in use today, many consider FTPS implicit SSL obsolete in favor of FTPS explicit SSL.

FTPS EXPLICIT SSL

In explicit SSL mode, the client and server negotiate the level of protection used. This is very useful because the server can support unencrypted FTP sessions and encrypted FTPS sessions on a single port. In an explicit SSL session, the client first establishes an unencrypted connection to the FTP service. Before sending user credentials, the client requests that the server change the command channel to an SSL encrypted channel by sending the AUTH TLS or AUTH SSL command. After the successful configuration of the SSL channel, the client sends the user credentials to the FTP server. These credentials, along with any other command sent to the server during the FTP session, are automatically encrypted by the SSL channel. Similar to the way you can protect the command channel,
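The following Python example is added here to show the explicit SSL sequence described above; it is not code from the original article. The client connects to port 21 in the clear, sends AUTH TLS through ftplib's FTP_TLS, and only then logs in, with PROT P requested so the data channel is encrypted as well. It also includes a small check, run over constructed command-channel transcripts, that reports whether USER or PASS was sent before AUTH was accepted, which is exactly the exposure described in the plain-FTP security section. The host, user and password values are placeholders.

```python
"""Explicit FTPS: upgrade the command channel with AUTH TLS before sending credentials."""
import ssl
from ftplib import FTP_TLS
from typing import Dict, List, Tuple


def make_tls_context() -> ssl.SSLContext:
    """Client context that verifies the server certificate and hostname and refuses TLS below 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_tls_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise the settings that matter so they can be checked or logged."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def control_channel_is_encrypted(ftp: object) -> bool:
    """True once ftplib has wrapped the command socket in TLS (after a successful AUTH)."""
    return isinstance(getattr(ftp, "sock", None), ssl.SSLSocket)


def explicit_ftps_listing(host: str, user: str, password: str, port: int = 21) -> List[str]:
    """Connect in the clear on port 21, upgrade with AUTH TLS, log in, then LIST with PROT P."""
    ftp = FTP_TLS(context=make_tls_context(), timeout=30)
    ftp.connect(host, port)            # plain TCP; the 220 greeting is unencrypted
    ftp.auth()                         # sends AUTH TLS, then wraps the command channel
    if not control_channel_is_encrypted(ftp):
        ftp.close()
        raise RuntimeError("refusing to send USER/PASS over an unencrypted command channel")
    ftp.login(user, password)          # credentials now travel inside TLS
    ftp.prot_p()                       # PROT P: protect the data channel as well
    entries: List[str] = []
    ftp.retrlines("LIST", entries.append)
    ftp.quit()
    return entries


def credentials_sent_in_clear(transcript: List[Tuple[str, str]]) -> bool:
    """Walk a command-channel transcript of ("C"|"S", line) pairs and report whether
    USER or PASS was sent before an AUTH command was answered with 234 (accepted)."""
    encrypted = False
    auth_pending = False
    for who, line in transcript:
        verb = line.split(" ", 1)[0].upper()
        if who == "C" and verb == "AUTH":
            auth_pending = True
        elif who == "S" and auth_pending:
            encrypted = line.startswith("234")
            auth_pending = False
        elif who == "C" and verb in ("USER", "PASS") and not encrypted:
            return True
    return False


# Constructed transcripts (not real captures): a plain FTP login and an explicit FTPS login.
PLAIN_LOGIN = [("S", "220 FTP server ready"), ("C", "USER alice"),
               ("S", "331 Password required"), ("C", "PASS hunter2"), ("S", "230 Logged in")]
FTPS_LOGIN = [("S", "220 FTP server ready"), ("C", "AUTH TLS"),
              ("S", "234 Proceed with negotiation"), ("C", "USER alice"),
              ("S", "331 Password required"), ("C", "PASS hunter2"), ("S", "230 Logged in")]

if __name__ == "__main__":
    print(describe_tls_context(make_tls_context()))
    print("plain login exposes credentials:", credentials_sent_in_clear(PLAIN_LOGIN))
    print("FTPS login exposes credentials:", credentials_sent_in_clear(FTPS_LOGIN))
    # explicit_ftps_listing("ftp.example.test", "alice", "hunter2")  # placeholder host; needs a reachable server
```

Note the order: AUTH TLS, then USER/PASS, then PROT P. A client that sends the credentials first, or that continues after the server answers AUTH with an error, has fallen back to plain FTP without noticing, which is why the session function checks the socket type before logging in.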

FIREWALL

Server: allow incoming connections on port 21 and/or 990. Define a passive port range (for example, 2000-2500) for file transfers and directory listings and allow incoming connections on that range. See your server documentation for instructions on configuring a passive port range.

Client: allow outgoing connections to port 21 and to the passive port range defined by the server.

SFTP

SFTP is often confused with FTPS and vice versa, although the two protocols have nothing in common except their ability to transfer files securely. SFTP is actually based on the SSH (Secure Shell) protocol, best known for providing secure access to shell accounts on remote servers.

DATA EXCHANGE

Unlike FTP/S, SFTP does not use separate command and data channels. Both commands and data are transferred as specially formatted packets over a single connection.
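To make the packet format concrete, here is an added example (not code from the original article) of the framing SFTP uses on its single connection: each request or reply is a uint32 length, a one-byte type and a payload, as in the SFTP version 3 draft. It encodes the INIT and OPENDIR requests and decodes a byte stream back, handling a partially received packet and rejecting implausible length prefixes. The type numbers are those of the draft; the /upload path, the request id and the packet-size bound are constructed sample values.

```python
"""Minimal SFTP packet framing (draft-ietf-secsh-filexfer, version 3): every request
and reply is one length-prefixed packet carried over the single SSH channel."""
import struct
from typing import List, Tuple

# Packet type numbers from the SFTP draft; only the ones used here.
SSH_FXP_INIT = 1
SSH_FXP_VERSION = 2
SSH_FXP_OPENDIR = 11
SSH_FXP_STATUS = 101

MAX_PACKET_LEN = 256 * 1024  # assumed upper bound on a length prefix we are willing to honour


def _ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _packet(ptype: int, payload: bytes) -> bytes:
    """uint32 length | byte type | payload; the length covers the type byte and the payload."""
    body = bytes([ptype]) + payload
    return struct.pack(">I", len(body)) + body


def encode_init(version: int = 3) -> bytes:
    """SSH_FXP_INIT: the client's first packet, carrying the protocol version it wants."""
    return _packet(SSH_FXP_INIT, struct.pack(">I", version))


def encode_opendir(request_id: int, path: str) -> bytes:
    """SSH_FXP_OPENDIR: uint32 request-id, string path."""
    return _packet(SSH_FXP_OPENDIR, struct.pack(">I", request_id) + _ssh_string(path.encode("utf-8")))


def decode_packets(stream: bytes) -> Tuple[List[Tuple[int, bytes]], bytes]:
    """Split a byte stream into (type, payload) packets.

    Returns the complete packets and any trailing bytes of a packet not yet fully
    received. A zero or implausibly large length prefix is rejected before any
    buffer is sized from it.
    """
    packets: List[Tuple[int, bytes]] = []
    pos = 0
    while len(stream) - pos >= 4:
        (length,) = struct.unpack_from(">I", stream, pos)
        if length == 0 or length > MAX_PACKET_LEN:
            raise ValueError(f"implausible SFTP packet length {length}")
        if len(stream) - pos - 4 < length:
            break  # partial packet: keep the bytes and wait for more
        body = stream[pos + 4 : pos + 4 + length]
        packets.append((body[0], bytes(body[1:])))
        pos += 4 + length
    return packets, stream[pos:]


def parse_opendir(payload: bytes) -> Tuple[int, str]:
    """Decode the payload of an SSH_FXP_OPENDIR into (request_id, path)."""
    if len(payload) < 8:
        raise ValueError("OPENDIR payload too short")
    request_id, path_len = struct.unpack_from(">II", payload, 0)
    if 8 + path_len != len(payload):
        raise ValueError("path length does not match payload size")
    return request_id, payload[8:8 + path_len].decode("utf-8")


if __name__ == "__main__":
    # Constructed client-to-server bytes: version negotiation, then a directory open.
    wire = encode_init(3) + encode_opendir(1, "/upload")
    packets, leftover = decode_packets(wire)
    for ptype, payload in packets:
        print(ptype, payload.hex())
    print(parse_opendir(packets[1][1]), leftover)
```

Because the whole exchange is packets inside one SSH connection, there is no second port to open and nothing for a firewall to track beyond port 22; the parsing discipline shown here (validate the length prefix, then the inner string lengths) is where an SFTP implementation's robustness lives.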

SECURITY

All data sent between the client and the server is encrypted using an agreed-upon cipher. SFTP sessions can be further protected using public and private keys, which offer an alternative form of authentication known as public key authentication. This can be used instead of, or in conjunction with, traditional username and password authentication.

FIREWALL

Server: allow incoming connections on port 22.

Client: allow outgoing connections to port 22.