Perhaps I misread the question, but I think you’re talking about a couple of different things as if they were the same.
If you want to block all FTP access from inside your enterprise network, simply block TCP ports 20 and 21 outbound on your Internet-facing firewall. As always, your default policy on Internet firewalls should be to deny any from any, with exceptions coming higher in the ruleset.
Now…. If you want users from outside your corporate network to access internal FTP sites but have the sessions secured, then you want to set up either an SSH server in order to use SFTP (FTP-like functionality over SSH) or FTPS, which is FTP over TLS (or SSL, if necessary). The former can be done for free with readily-available software – or for cost, if you want more features or support – while the latter can be coded, but is most often purchased. Sterling Software is a noted vendor for FTPS.
Yes, you can secure communications with IPsec, but why go through that hassle? Especially when pushed with GPOs from a Windows box, then you’ve locked out all other platforms.
Like I said, maybe I missed the point up above….
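
The outbound block described in the answer above, written as an nftables forward chain. This is an added example and not part of the original post. The interface names, the proxy address and the web exception are assumptions chosen for illustration.

```nft
# Constructed example: adjust the three definitions to the real perimeter.
define lan_if = "eth1"      # assumed inside (corporate) interface
define wan_if = "eth0"      # assumed Internet-facing interface
define proxy  = 10.0.0.10   # assumed host that is allowed to reach the web

table inet perimeter {
    chain forward {
        # Default policy: anything no rule accepts is dropped (deny any from any).
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions an accept rule below already allowed.
        ct state established,related accept

        # Explicit FTP block on TCP 20 and 21, placed above the exceptions so
        # a broad allow added later cannot re-open it. The default policy
        # would drop this traffic anyway; the rule adds a log entry per attempt.
        iifname $lan_if oifname $wan_if tcp dport { 20, 21 } log prefix "ftp-out-denied " drop

        # Exceptions to the default deny sit above the policy, narrowest first.
        iifname $lan_if oifname $wan_if ip saddr $proxy tcp dport { 80, 443 } accept

        # No final rule needed: unmatched packets hit "policy drop".
    }
}
```

Blocking port 21 stops the FTP control channel, so passive-mode data connections on high ports are never negotiated. The log prefix gives a string to search for when checking which inside hosts still attempt FTP.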