My company is currently implementing Trivial File Transfer Protocol (TFTP) at the OS level of an AS400 instead of File Transfer Protocol (FTP). What is the major security difference between those two protocols? What are the security advantages and disadvantages of implementing TFTP? I heard that TFTP is a less secure protocol (no user ID or password needed) than FTP? What measures should be taken to strengthen the security of data file transfers?
My initial thought was that the security difference was about the same as between a bank-vault door and a screen door. However, there are problems with FTP too, so that is not quite right. It's more like a screen door with a lock vs. a screen door without one. The basic differences between FTP and TFTP are:
- FTP provides minimal security through user logins
- TFTP does not use logins
- FTP provides a reliable service through its use of TCP
- TFTP does not since it uses UDP
- FTP uses two connections
- TFTP uses one connection (stop and wait)
- FTP provides many commands
- TFTP provides only five commands
Since FTP is generally sent over a plain-text channel, it is subject to network sniffing to collect usernames, passwords and data. There are more secure versions such as SFTP or SCP.
As for what you need, that depends on what you are trying to achieve. Are you looking for a general-purpose, file-transfer program for users to upload and download files? Or are you looking for something that a program can use over a dedicated channel to talk to another cooperating program on the other end? There are places that TFTP would be okay. My suggestion is to have a security consultant look into your specific situation and provide guidance.
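To make the login and plain-text points above concrete, here is an added example (not part of the original answer) that decodes a TFTP request and an FTP control-channel exchange as they appear on the wire. The packet layout follows RFC 1350 and the commands RFC 959; the sample bytes, file name and credentials are constructed for illustration.

```python
import struct

# The five TFTP opcodes defined in RFC 1350.
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


def parse_tftp(packet: bytes) -> dict:
    """Decode one TFTP datagram (RFC 1350 layout)."""
    if len(packet) < 4:
        raise ValueError("TFTP packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    name = TFTP_OPCODES.get(opcode)
    if name is None:
        raise ValueError(f"unknown TFTP opcode {opcode}")
    body = packet[2:]
    if name in ("RRQ", "WRQ"):
        # Request = filename NUL mode NUL. There is no user or password field.
        parts = body.split(b"\x00")
        if len(parts) < 3 or not parts[0]:
            raise ValueError("malformed request")
        return {"op": name, "filename": parts[0].decode("ascii"),
                "mode": parts[1].decode("ascii").lower()}
    (num,) = struct.unpack("!H", body[:2])
    if name == "DATA":
        return {"op": name, "block": num, "data": body[2:]}
    if name == "ACK":
        return {"op": name, "block": num}
    message = body[2:].rstrip(b"\x00").decode("ascii", "replace")
    return {"op": name, "code": num, "message": message}


def ftp_cleartext_credentials(control_stream: bytes) -> dict:
    """Show which login fields are readable in an FTP control channel."""
    found = {}
    for line in control_stream.split(b"\r\n"):
        verb, _, arg = line.partition(b" ")
        if verb.upper() in (b"USER", b"PASS"):
            found[verb.upper().decode()] = arg.decode("ascii", "replace")
    return found


# Constructed sample traffic (not from a real capture).
SAMPLE_RRQ = b"\x00\x01" + b"payroll.dat\x00" + b"octet\x00"
SAMPLE_FTP = b"USER demo_user\r\nPASS example-password\r\nRETR payroll.dat\r\n"
```

The decoded TFTP request contains only a file name and transfer mode, so access control has to come from outside the protocol, while the FTP exchange does authenticate but exposes the credentials to anyone who can read the channel.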