We're setting up a web server at our workspace. In conjunction, we're planning to install an FTP server; however, I'm stuck on what protocol to employ -- FTP, SFTP or FTPS. I googled around, trying to see what protocol offers what, coming across articles like this, but I can't make up my mind. Only simple, once-in-a-while file transfer is desired; however, security is a concern since the file server is intended to be accessible from the internet.
What protocol is the most apt for my use, and why?
So the two sane options these days are:
WebDAV, nice on the server side, nice for Linux and Mac OS clients, however the inbuilt Windows client has issues.
SCP/SFTP, very easy as you're likely to have SSH anyway, GUI clients easily available (FileZilla for example).
Although FTP is still around I'd really avoid setting anything new up based on it.
I think the short answer is to use an FTP server that supports all three protocols. You probably want to avoid allowing FTP since you mentioned security as a primary concern but both the SSH2 File Transfer Protocol (SFTP) and FTP over TLS/SSL (FTPS) are considered secure file transfer protocols.
SFTP is definitely the favorite these days because of its robust security model and easier setup than traditional FTP and FTPS. SFTP is also considerably more firewall friendly than FTP because it only requires one port to establish a connection and carry out file operations.
FTP and FTPS require multiple ports (one port to issue commands and a separate port for each and every directory listing or file transfer) to accomplish the same thing that SFTP can do with one port. The requirement to set up forwarding for large numbers of ports can be a problem in many environments and can make troubleshooting problems very difficult. However, FTP and FTPS have been around a lot longer than SFTP and there are still lots of devices and clients that only support FTPS.
In terms of security, both the SFTP and FTPS protocols are considered secure. The requirement to open up multiple ports with FTPS can be viewed as a security concern but there is nothing inherently more secure about the SFTP protocol over the FTPS protocol.
The only real advantage I would give FTPS over SFTP would be performance. SFTP runs over a considerably more robust and generic protocol than FTPS and that robustness imparts a significant performance impact. There is simply a lot more overhead involved in SFTP because it is running over the SSH2 protocol and because SFTP implements its own handshaking mechanism. If you want the highest transfer speeds possible you want FTPS.
To sum all of this up, try to support all 3. Most modern FTP servers already have support for FTP, FTPS, and SFTP.
For anyone interested in some numbers, here are my results from running some benchmarks on my local network. SMB 2.1 performance is about 112 MB/s.
Machine: Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66GHz/8GB RAM/Gigabit Local Network
Definitely avoid installing an FTP daemon. As long as you have SSH, you have SFTP. No extra set up required. The only reason to use FTP is for the masses.
I run an FTP server that also supports FTPES (FTP over explicit SSL) and I really see no advantages of it, aside from the fact that it is already in place. I inherited it, and all the user accounts and permissions work. But for everything else, I just use SSH/SFTP.
I do agree with Ryan. SFTP if only a limited number of people will be using the server. If it's going to be a server more open to the public, I would only make FTPES available (both channels FTP over explicit SSL) as the only choice. FTPES is secure in BOTH channels (if the server is set up correctly), both in regards to sending the FTP username and password and the data transferred. Don't EVEN think about just FTP. Nuff said.
But once again, if it's basically just you, SFTP will be fine.
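For the internet-facing case raised in the question, this is one way to restrict accounts to SFTP only in OpenSSH's `sshd_config`. It is an added example, not part of any answer above, and it goes beyond the "no extra setup" default. The group name `sftponly` and the `/srv/sftp` path are assumptions.

```conf
# /etc/ssh/sshd_config (fragment)

# Use the in-process SFTP server so it works inside a chroot
# without copying binaries or libraries into the jail.
Subsystem sftp internal-sftp

# "sftponly" is an assumed group for file-transfer-only accounts.
Match Group sftponly
    # Assumed path. Every component of the chroot path must be owned by root
    # and not writable by group or others, or sshd refuses the login.
    # Give users a writable subdirectory inside it (e.g. "upload") instead.
    ChrootDirectory /srv/sftp/%u
    # No shell and no arbitrary commands: every session becomes SFTP.
    ForceCommand internal-sftp
    # Stop the account being used as a pivot into the internal network.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Key-based logins only for accounts reachable from the internet.
    PasswordAuthentication no
```

Check the file with `sshd -t` before reloading the daemon. Only the single SSH port needs to be reachable through the firewall.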