Your browser does not allow storing cookies. We recommend enabling them.


Secure File Transfer - FTP Replacement

The Tectia client/server solution provides several methods for getting rid of the risks of plaintext File Transfer Protocol (FTP). Tectia Server, Client and ConnectSecure all include a secure alternative, Secure File Transfer Protocol (SFTP) that can be used to replace existing FTP clients and servers. If replacing all FTP clients and servers in an environment is unfeasible, Tectia ConnectSecure and Tectia Server for IBM z/OS offer also transparent FTP tunneling to encrypt the FTP connection, and FTP-SFTP conversion to convert unsecured FTP traffic to use the secure SFTP protocol, instead.

The Tectia client/server solution offers three methods for FTP replacement as illustrated in Figure 2.2:

Options for replacing unsecured FTP file transfers

Figure 2.2. Options for replacing unsecured FTP file transfers

An unsecured FTP connection is shown in red. If this is used, user IDs, passwords, and the actual transferred data are sent in plaintext, which makes them vulnerable to eavesdropping and unauthorized modifications.

Tectia products use the following methods to make file transfers secure:

  1. Native SFTP

    The secure file transfer protocol (SFTP) transfers the files and the related control data in encrypted format. SFTP can be activated by using the sftpg3 and scpg3 tools, or the Tectia Secure File Transfer GUI (on Windows) instead of the unsecured ftp tools.

    Tectia Client or ConnectSecure provides the SFTP functionality and connects to any Secure Shell SFTP server. Both the original FTP client and FTP server can be eliminated.

  2. FTP-SFTP conversion

    Connections from the original FTP client are transparently captured by Tectia Server for IBM z/OS, converted to SFTP, and directed to a Secure Shell SFTP server. No changes to the original FTP client application are needed, and it can remain being used as before. The original FTP server, however, is eliminated.

    This feature is available with Tectia ConnectSecure and Tectia Server for IBM z/OS (client tools) on all supported platforms and requires a Secure Shell server as the counterpart.

  3. Transparent FTP tunneling

    Transparent FTP tunneling creates a secure tunnel between an FTP client and an FTP server. All material is sent in encrypted format and so secured from eavesdropping. This feature is available with Tectia ConnectSecure and Tectia Server for IBM z/OS (client tools).

The Tectia client/server solution supports also non-transparent FTP tunneling on both Tectia Client and ConnectSecure. Non-transparent FTP tunneling can be implemented as SOCKS tunnels defined in the Tectia connection profiles, or as automatic tunnels defined in the Connection Broker configuration.

The following table lists the benefits offered by each of the FTP replacement methods.

Table 2.1. Differences between FTP and secure file transfer methods

Feature FTPSFTPFTP-SFTP ConversionTransparent FTP Tunneling
Automated scripts can be usedxxxx
FTP application used unmodifiedx xx
Original FTP client running x x x
Original FTP server running x x
Configured on Tectia x x x
Fallback to FTP is possible N/A x x
SFTP GUI available on Windows N/A x N/A N/A




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now