The security pros and cons of using a free FTP tool

A free FTP tool can help move enterprise files to a managed file transfer service, but there are security factors to consider. Expert Judith Myerson explains what they are.

Your company is running a managed file transfer service, either as on-premises licensed software or as software as a service, to get better security and control than can be offered by an FTP server. Global visibility and performance monitoring are possible from the managed file transfer's central point of administration, which is a huge benefit to your enterprise security team. Your plan to use a free FTP tool to move files to a managed file transfer service seems like a good idea.

Before you go ahead and start moving files, let's take a look at the pros and cons of a free FTP tool, using the FileZilla Client as an example. You can install the client on any platform. To create a new site, you use the Site Manager option under the File menu. This is where you provide the host name, FTP protocol type, logon type and other data to connect to a server. The connection is passive by default.

To secure file transfers from a client, most companies choose between SFTP (Secure File Transfer Protocol) and FTPS (File Transfer Protocol over Transport Layer Security [TLS]/SSL). FileZilla Server doesn't support SFTP, so you can use FTPS to connect to the server.

Unlike the FileZilla Client, the server only works with Windows. You should use SFTP to connect to third-party SFTP servers that can run on a wider range of platforms. But keep in mind, one platform that is made available by a third party may not be offered as an option by another third party.

The benefits and drawbacks of SFTP

SFTP is firewall-friendly. Only the secure shell port set to the default of 22 needs to be opened through the firewall. All SFTP communications, including authentication and data transfers, go through this port.

On the other hand, FTPS is not very firewall-friendly. You need to open multiple ports to transfer files through the firewall.

You must first set the server to the initial port number default of 21 for authentication and passing any commands. Then, you must open another port every time a request for a file transfer or directory listing is made. From a drop-down menu, you then have to choose an encryption type that requires explicit FTP over TLS.

FileZilla's Network and Firewall Wizard can give you step-by-step instructions on establishing open connections (inbound and outbound) to FTPS servers through the firewall. The wizard makes sure the ports are properly configured. If you do not use the wizard, the server might choose a port that your firewall thinks is only used by Trojans or other malware.

But FTPS can be very difficult to patch through a tightly secured firewall. To allow for proper FTPS connections, you and remote users must open a range of ports in your firewalls. Choosing the wrong port can lead to a security risk for your network, and it's a waste of your security team's time to have to fix that problem.
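The port behavior described above can be checked from the control-channel replies an FTP client logs. The following is an added example, not part of the original article: it extracts the data port a server announces in each passive-mode reply (227 for PASV, 229 for EPSV) and flags any port outside the range the firewall allows. The range 50000-50100 and the sample replies are constructed assumptions. Because explicit FTP over TLS encrypts the control channel, the firewall cannot read these replies itself, which is why the passive range has to be fixed on the server and opened in advance.

```python
import re

# Assumed policy for this example: the passive data-port range the FTPS
# server is configured to use and the firewall is configured to allow.
PASSIVE_RANGE = (50000, 50100)

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|), delimiter is usually "|"
_EPSV = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def data_port(reply):
    """Return the data port announced in a 227 or 229 reply, else None."""
    m = _PASV.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("field out of range in: " + reply)
        return nums[4] * 256 + nums[5]  # port = p1 * 256 + p2
    m = _EPSV.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port <= 65535:
            raise ValueError("port out of range in: " + reply)
        return port
    return None  # not a passive-mode reply


def audit(replies, allowed=PASSIVE_RANGE):
    """Return (port, reply) pairs whose data port the firewall would block."""
    lo, hi = allowed
    blocked = []
    for reply in replies:
        port = data_port(reply)
        if port is not None and not lo <= port <= hi:
            blocked.append((port, reply))
    return blocked


# Constructed control-channel replies (192.0.2.10 is a documentation address).
SAMPLE = [
    "220 FTP server ready",
    "227 Entering Passive Mode (192,0,2,10,195,100)",
    "229 Entering Extended Passive Mode (|||50099|)",
    "227 Entering Passive Mode (192,0,2,10,4,210)",
]

if __name__ == "__main__":
    for port, reply in audit(SAMPLE):
        print(f"data port {port} is outside {PASSIVE_RANGE}: {reply}")
```

A flagged reply means the server is handing out data ports the firewall rule does not cover, so the transfer or directory listing would stall even though the login on port 21 succeeded.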

One solution is to connect FileZilla Client or another free FTP tool to an SFTP server that your company's managed file transfer service provider runs. Securing file transfers to the server is handled from the central point of administration. SFTP sends and receives messages in binary. FTPS messages may be transmitted in plain text.

Further considerations

You need to find out whether your company's managed file transfer vendor has fixed its products affected by the Heartbleed vulnerability in OpenSSL. File Transfer Consulting's list of vendors shows the Heartbleed vulnerability affected many managed file transfer services, as well as secure file transfer, FTP server and FTP client technologies.

However, the FileZilla Client was immune to Heartbleed. The FileZilla Server was fixed by upgrading the server to contain an updated OpenSSL, but the server is not SFTP compatible.

You also need to find out if your company's vendor has met the U.S. government compliance requirements of Federal Information Processing Standard 140-2, which covers encryption transmissions (AES and Triple Data Encryption Standard) over SFTP and FTPS protocols. Managed file transfer certificates, database servers, transfer scheduling and other industry encryption standards are other considerations to keep in mind when you evaluate a vendor.

Not all managed file transfer administrators will allow the FileZilla Client or another free FTP client tool, like WinSCP, to connect with the managed file transfer service. Some managed file transfer vendors require their proprietary FTP clients be used to transfer files to the servers. Others may allow certain free FTP clients to connect to the servers. The administrator can prevent groups or users from sending, receiving or sharing certain files within and outside the enterprise. In addition, the administrator will not accept the FileZilla Client on any mobile devices that do not provide secure FTP protocols.

These are just a few things to consider when using a free FTP client in conjunction with a managed file transfer service.

This was last published in April 2017
