Ask the Expert

The difference between TFTP and FTP

My company is currently implementing trivial file transfer protocol (TFTP) on OS level of AS400 instead of file transfer protocol (FTP). What is the major security difference between those two protocols? What are the security advantages and disadvantages of implementing TFTP? I heard that TFTP is a less secure protocol (no user ID or password needed) than FTP? What measures should be taken to strengthen the security over data file transfer?

    Requires Free Membership to View

My initial thought was the security difference was about the same as between a bank-vault door and a screen door. However, there are problems with FTP too, so that is not quite right. It's more like a screen door with a lock vs. a screen door without one. The basic differences between FTP and TFTP are:

  • FTP provides minimal security through user logins
  • TFTP does not use logins
  • FTP provides a reliable service through its use of TCP
  • TFTP does not since it uses UDP
  • FTP uses two connections
  • TFTP uses one connection (stop and wait)
  • FTP provides many commands
  • TFTP provides only five commands

Since FTP is generally sent over a plain-text channel, it is subject to network sniffing to collect usernames, passwords and data. There are more secure versions such as SFTP or SCP.

As for what you need, that depends on what you are trying to achieve. Are you looking for a general-purpose, file-transfer program for users to upload and download files? Or are you looking for something that a program can use over a dedicated channel to talk to another cooperating program on the other end? There are places that TFTP would be okay. My suggestion is to have a security consultant look into your specific situation and provide guidance.


For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Link: Securing the Internet/E-Commerce
Tip: Close the FTP open door
Tip: Protecting your web server against anonymous access

This was first published in April 2003

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: