FTPS Port Number(s)

teancum144teancum144 Member Posts: 229 ■■■□□□□□□□
I ran across a question that is worded similarly to the following:

Which of the following ports are used for FTPS by default?
a. 21
b. 22
c. 123
d. 161
e. 443
f. 8080

The answer is “e”, but I struggle with this answer because I can’t find any authoritative source to support it. Here’s what I know:

FTPS in implicit mode: An increasingly obsolete mode that requires an established SSL session prior to any exchange of data. Uses port 989 for the data channel and port 990 for the control channel.

FTPS in explicit mode (aka FTPES): Uses port 20 for the data channel and port 21 for the control channel. Both unencrypted FTP and encrypted FTPS are supported. The client and server negotiate the level of protection used. Control channel encryption is requested by sending either the AUTH TLS command or the AUTH SSL command. Data channel encryption is requested with the PROT command.

With FTPES, I realize that the use of SSL or TLS may imply port 443, but I’ve also found other sources that imply SSL/TLS encryption for FTPES occurs on ports 20 and 21.

Thoughts?
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D

Comments

  • TrashmanTrashman Member Posts: 140
    Tricky one.
    I just checked in my Security+ book and it states:
    "FTP Secure is an extension of FTP and uses SSL or TLS to encrypt FTP traffic. Some implementations of FTPS use ports 989 and 990."

    You might be able to find the answer in RFC 4217 - Securing FTP with TLS

    I don't think the question is digging so deep as in implicit / explicit modes.
    Based on the options above I'd go for port 443 too as the correct answer since it's related to SSL (which is an option for FTPS) and I'd treat port 21 as normal FTP and port 22 as SSH.
    Bachelor of Science in Information Systems
    2015 COLOR=#008000]X[/COLOR | 2016 COLOR=#ff8c00]In progress[/COLOR | 2017 | 2018
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    The answer this test source is giving you is wrong. The only correct answer is a. Port 443 is only standard for HTTP over SSL/TLS, not FTP over SSL/TLS.

    FTPS (explicit) doesn't utilize a special port. The TLS session is setup with the AUTH command (as described in page 4 of RFC 4217) over the traditional command port, 21. Depending on server and client configuration, the connection will be setup either with encrypted credentials, encrypted data, neither, both, or not at all, all using port 21 for commands and 20 (unless otherwise configured) for data.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • Michael2Michael2 Member Posts: 305
    Is this from the CompTIA Practice Exams? That book has wierd questions like this. The only place I saw wierder questions was the test itself.
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    I don't think this is a weird question (outside of the marked answer being incorrect), but, I don't recall it being on Sec+. Granted, it probably should be, because secure Internet-accessible file transfer is a real-world need you're not unlikely to run into.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • Michael2Michael2 Member Posts: 305
    I never heard of FTPS. I've heard of S-FTP.
  • DarrilDarril Member Posts: 1,588
    CompTIA lists FTPS in two objectives: Objective 1.4 Implement and use common protocols and Objective 1.5 Identify commonly used default network ports.

    Here are some things that test takers should know about FTPS:
    • It represents File Transfer Protocol Secure (FTPS) and is an extension of FTP
    • It is one of the protocols that can be used to encrypt data prior to transmission (along with other protocols that include the letter "S" such as SFTP, SSH, SSL, TLS, and SCP)
    • FTPS uses SSL or TLS to encrypt FTP (unlike SFTP which uses SSH)
    • IANA lists the well known ports for FTPS as 989 and 990 though all implementations don't use these ports.
    Hope this helps.
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    Darril wrote: »
    [*]IANA lists the well known ports for FTPS as 989 and 990 though all implementations don't use these ports.
    This may be so, and IETF agrees with the ports being well-known, but it's not just a matter of some implementations not using 989 and 990. It is generally not supported as it is not specified in the FTP over SSL/TLS standards (RFC 4217 and RFC 2228 ). I would expect (perhaps incorrectly) that CompTIA would test based on the IETF standard, which means explicit FTPS using port 21. If you happen to know CompTIA is testing on implicit FTPS instead of explicit, given your involvement in this particular test, I personally encourage you to use any influence you have to change it. The test should not be expecting people to know implicit FTPS ports, in my opinion. If it does, the official objectives should include identifying and differentiating between implicit and explicit (overkill, IMO, but better than testing on a deprecated non-standard instead of the current standard).

    In real-world scenarios, I strongly recommend against implementing implicit FTPS based on my experience. Unless one can control the network, server, and client, implicit FTPS increases the frequency of compatibility problems for no real benefit.

    Edit: On a side note, I will admit FTPS can be a pain no matter what. Many FTP clients, including the one built-into Windows, don't properly support implicit or explicit FTPS.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • DarrilDarril Member Posts: 1,588
    ptilsen wrote: »
    If you happen to know CompTIA is testing on implicit FTPS instead of explicit, given your involvement in this particular test, I personally encourage you to use any influence you have to change it.

    Good suggestion but my influence over CompTIA hovers at around zero percent. They specifically do not want trainers or authors involved in the test development process.

    The best thing I can do is try to educate CompTIA test takers about CompTIAs perspectives as I learn them.

    As another example, most people that understand wireless security know that disabling SSID broadcast is not an effective security method. It removes the SSID from the beacon but the SSID is still transmitted over the air. Attackers with a wireless sniffer can easily determine the SSID but since a casual user cannot see it, it provides a false sense of security. That said, I've often mentioned in various writings that if a test question asks you to identify a wireless security method and the only possible answer is "Disable SSID broadcast", that's the answer the test taker should choose.
  • teancum144teancum144 Member Posts: 229 ■■■□□□□□□□
    Curiously, I ran across a practice questions from a different source that had a question worded very similarly to the one above. It also said the correct answer is port 443. Two different sources with the same (incorrect?) answer. Confusing indeed!
    If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post. :D
  • datgirldatgirl Member Posts: 62 ■■□□□□□□□□
    Thanks for this one, definitely one to bone up on.
  • icezellionicezellion Member Posts: 5 ■□□□□□□□□□
    I came across this as well, 21 is the most logical answer but for some it's 443 (unless it's an error in the practice questions?).
  • eliphas0eliphas0 Member Posts: 11 ■□□□□□□□□□
    I know I'm late to the party. But I just ran across this thread while studying and specifically looking up FTPS Implicit / Explicit.
    I can't say with any certainty but I believe they wanted Port 21 for the Answer. Being that Explicit FTPS starts the connection via Port 21 then negotiates SSL.
    Where as Implicit FTPS requires encryption and starts the connection via 990 and uses 989 for the data.
    This is the source for my assumption.
    https://blogs.msdn.microsoft.com/robert_mcmurray/2008/11/10/ftp-clients-part-2-explicit-ftps-versus-implicit-ftps/

    Sorry to bump a dead thread but it was bugging me.
  • nisti2nisti2 Member Posts: 502 ■■■■□□□□□□
    Exactly!!
    SFTP use FTP over SSL
    ptilsen wrote: »
    The answer this test source is giving you is wrong. The only correct answer is a. Port 443 is only standard for HTTP over SSL/TLS, not FTP over SSL/TLS.

    FTPS (explicit) doesn't utilize a special port. The TLS session is setup with the AUTH command (as described in page 4 of RFC 4217) over the traditional command port, 21. Depending on server and client configuration, the connection will be setup either with encrypted credentials, encrypted data, neither, both, or not at all, all using port 21 for commands and 20 (unless otherwise configured) for data.
    2020 Year goals:
    Already passed: Oracle Cloud, AZ-900
    Taking AZ-104 in December.

    "Certs... is all about IT certs!"
Sign In or Register to comment.