FTPS Port Number(s)

teancum144 Member Posts: 229
I ran across a question that is worded similarly to the following:

Which of the following ports are used for FTPS by default?
a. 21
b. 22
c. 123
d. 161
e. 443
f. 8080

The answer is “e”, but I struggle with this answer because I can’t find any authoritative source to support it. Here’s what I know:

FTPS in implicit mode: An increasingly obsolete mode that requires an established SSL session prior to any exchange of data. Uses port 989 for the data channel and port 990 for the control channel.

FTPS in explicit mode (aka FTPES): Uses port 20 for the data channel and port 21 for the control channel. Both unencrypted FTP and encrypted FTPS are supported. The client and server negotiate the level of protection used. Control channel encryption is requested by sending either the AUTH TLS command or the AUTH SSL command. Data channel encryption is requested with the PROT command.

With FTPES, I realize that the use of SSL or TLS may imply port 443, but I’ve also found other sources that imply SSL/TLS encryption for FTPES occurs on ports 20 and 21.

Thoughts?
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D

Comments

  • Trashman Member Posts: 140
    Tricky one.
    I just checked in my Security+ book and it states:
    "FTP Secure is an extension of FTP and uses SSL or TLS to encrypt FTP traffic. Some implementations of FTPS use ports 989 and 990."

    You might be able to find the answer in RFC 4217 - Securing FTP with TLS

    I don't think the question is digging so deep as in implicit / explicit modes.
    Based on the options above I'd go for port 443 too as the correct answer since it's related to SSL (which is an option for FTPS) and I'd treat port 21 as normal FTP and port 22 as SSH.
    Bachelor of Science in Information Systems
    2015 X | 2016 In progress | 2017 | 2018
  • ptilsen Member Posts: 2,835
    The answer this test source is giving you is wrong. The only correct answer is a. Port 443 is only standard for HTTP over SSL/TLS, not FTP over SSL/TLS.

    FTPS (explicit) doesn't utilize a special port. The TLS session is set up with the AUTH command (as described in page 4 of RFC 4217) over the traditional command port, 21. Depending on server and client configuration, the connection will be set up either with encrypted credentials, encrypted data, neither, both, or not at all, all using port 21 for commands and 20 (unless otherwise configured) for data.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
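
The outcomes listed in the post above (encrypted credentials, encrypted data, neither, both) can be read off the explicit-FTPS control-channel exchange on port 21. The following is an added example, not part of the thread: the log format, the sample sessions and the function name `audit_control_channel` are assumptions made for illustration.

```python
# Constructed client debug logs of the FTP control channel on port 21
# (">" = client command, "<" = server reply); not from a real server.
FULL = """\
< 220 ready
> AUTH TLS
< 234 proceed with negotiation
> USER alice
< 331 password required
> PASS ********
< 230 logged in
> PBSZ 0
< 200 ok
> PROT P
< 200 data channel private
"""
PLAIN = """\
< 220 ready
> USER alice
< 331 password required
> PASS ********
< 230 logged in
"""

def audit_control_channel(log):
    """Report what AUTH and PROT actually protected in one session."""
    tls_active = False      # set once the server answers AUTH TLS/SSL with 234
    creds_in_clear = False  # USER or PASS sent before the TLS upgrade
    data_level = "C"        # RFC 4217: data channel stays Clear until PROT P
    pending = None          # last command still waiting for its final reply
    for line in log.splitlines():
        direction, _, text = line.partition(" ")
        if direction == ">":
            verb, _, arg = text.partition(" ")
            pending = (verb.upper(), arg.strip().upper())
            if pending[0] in ("USER", "PASS") and not tls_active:
                creds_in_clear = True
        elif direction == "<" and pending and text[:3].isdigit() and text[3:4] == " ":
            verb, arg = pending
            if verb == "AUTH" and arg in ("TLS", "SSL") and text.startswith("234"):
                tls_active = True
            elif verb == "PROT" and tls_active and text.startswith("200"):
                data_level = arg
            pending = None
    return {"control_encrypted": tls_active, "credentials_in_clear": creds_in_clear,
            "data_encrypted": data_level == "P"}

if __name__ == "__main__":
    for name, log in (("explicit FTPS", FULL), ("plain FTP", PLAIN)):
        print(name, audit_control_channel(log))
```

A session that sends AUTH TLS but never PROT P comes back with `control_encrypted` true and `data_encrypted` false, which is the "encrypted credentials, clear data" case.
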
  • Michael2 Member Posts: 305
    Is this from the CompTIA Practice Exams? That book has weird questions like this. The only place I saw weirder questions was the test itself.
  • ptilsen Member Posts: 2,835
    I don't think this is a weird question (outside of the marked answer being incorrect), but, I don't recall it being on Sec+. Granted, it probably should be, because secure Internet-accessible file transfer is a real-world need you're not unlikely to run into.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • Michael2 Member Posts: 305
    I never heard of FTPS. I've heard of S-FTP.
  • Darril Member Posts: 1,588
    CompTIA lists FTPS in two objectives: Objective 1.4 Implement and use common protocols and Objective 1.5 Identify commonly used default network ports.

    Here are some things that test takers should know about FTPS:
    • It represents File Transfer Protocol Secure (FTPS) and is an extension of FTP
    • It is one of the protocols that can be used to encrypt data prior to transmission (along with other protocols that include the letter "S" such as SFTP, SSH, SSL, TLS, and SCP)
    • FTPS uses SSL or TLS to encrypt FTP (unlike SFTP which uses SSH)
    • IANA lists the well known ports for FTPS as 989 and 990 though all implementations don't use these ports.
    Hope this helps.
  • ptilsen Member Posts: 2,835
    Darril wrote: »
    IANA lists the well known ports for FTPS as 989 and 990 though all implementations don't use these ports.
    This may be so, and IETF agrees with the ports being well-known, but it's not just a matter of some implementations not using 989 and 990. It is generally not supported as it is not specified in the FTP over SSL/TLS standards (RFC 4217 and RFC 2228). I would expect (perhaps incorrectly) that CompTIA would test based on the IETF standard, which means explicit FTPS using port 21. If you happen to know CompTIA is testing on implicit FTPS instead of explicit, given your involvement in this particular test, I personally encourage you to use any influence you have to change it. The test should not be expecting people to know implicit FTPS ports, in my opinion. If it does, the official objectives should include identifying and differentiating between implicit and explicit (overkill, IMO, but better than testing on a deprecated non-standard instead of the current standard).

    In real-world scenarios, I strongly recommend against implementing implicit FTPS based on my experience. Unless one can control the network, server, and client, implicit FTPS increases the frequency of compatibility problems for no real benefit.

    Edit: On a side note, I will admit FTPS can be a pain no matter what. Many FTP clients, including the one built-into Windows, don't properly support implicit or explicit FTPS.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • Darril Member Posts: 1,588
    ptilsen wrote: »
    If you happen to know CompTIA is testing on implicit FTPS instead of explicit, given your involvement in this particular test, I personally encourage you to use any influence you have to change it.

    Good suggestion but my influence over CompTIA hovers at around zero percent. They specifically do not want trainers or authors involved in the test development process.

    The best thing I can do is try to educate CompTIA test takers about CompTIA's perspectives as I learn them.

    As another example, most people that understand wireless security know that disabling SSID broadcast is not an effective security method. It removes the SSID from the beacon but the SSID is still transmitted over the air. Attackers with a wireless sniffer can easily determine the SSID but since a casual user cannot see it, it provides a false sense of security. That said, I've often mentioned in various writings that if a test question asks you to identify a wireless security method and the only possible answer is "Disable SSID broadcast", that's the answer the test taker should choose.
  • teancum144 Member Posts: 229
    Curiously, I ran across practice questions from a different source that had a question worded very similarly to the one above. It also said the correct answer is port 443. Two different sources with the same (incorrect?) answer. Confusing indeed!
    If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D
  • datgirl Member Posts: 62
    Thanks for this one, definitely one to bone up on.
  • icezellion Member Posts: 5
    I came across this as well, 21 is the most logical answer but for some it's 443 (unless it's an error in the practice questions?).
  • eliphas0 Member Posts: 11
    I know I'm late to the party. But I just ran across this thread while studying and specifically looking up FTPS Implicit / Explicit.
    I can't say with any certainty but I believe they wanted Port 21 for the Answer. Being that Explicit FTPS starts the connection via Port 21 then negotiates SSL.
    Whereas Implicit FTPS requires encryption and starts the connection via 990 and uses 989 for the data.
    This is the source for my assumption.
    https://blogs.msdn.microsoft.com/robert_mcmurray/2008/11/10/ftp-clients-part-2-explicit-ftps-versus-implicit-ftps/

    Sorry to bump a dead thread but it was bugging me.
  • nisti2 Member Posts: 503
    Exactly!!
    SFTP use FTP over SSL
    ptilsen wrote: »
    The answer this test source is giving you is wrong. The only correct answer is a. Port 443 is only standard for HTTP over SSL/TLS, not FTP over SSL/TLS.

    FTPS (explicit) doesn't utilize a special port. The TLS session is set up with the AUTH command (as described in page 4 of RFC 4217) over the traditional command port, 21. Depending on server and client configuration, the connection will be set up either with encrypted credentials, encrypted data, neither, both, or not at all, all using port 21 for commands and 20 (unless otherwise configured) for data.
    2020 Year goals:
    Already passed: Oracle Cloud, AZ-900
    Taking AZ-104 in December.

    "Certs... is all about IT certs!"