FTPS Port Number(s)
teancum144
Member Posts: 229 ■■■□□□□□□□
in Security+
I ran across a question that is worded similarly to the following:
Which of the following ports are used for FTPS by default?
a. 21
b. 22
c. 123
d. 161
e. 443
f. 8080
The answer is “e”, but I struggle with this answer because I can’t find any authoritative source to support it. Here’s what I know:
FTPS in implicit mode: An increasingly obsolete mode that requires an established SSL session prior to any exchange of data. Uses port 989 for the data channel and port 990 for the control channel.
FTPS in explicit mode (aka FTPES): Uses port 20 for the data channel and port 21 for the control channel. Both unencrypted FTP and encrypted FTPS are supported. The client and server negotiate the level of protection used. Control channel encryption is requested by sending either the AUTH TLS command or the AUTH SSL command. Data channel encryption is requested with the PROT command.
With FTPES, I realize that the use of SSL or TLS may imply port 443, but I’ve also found other sources that imply SSL/TLS encryption for FTPES occurs on ports 20 and 21.
Thoughts?
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post.
Comments
Trashman Member Posts: 140
Tricky one.
I just checked in my Security+ book and it states:
"FTP Secure is an extension of FTP and uses SSL or TLS to encrypt FTP traffic. Some implementations of FTPS use ports 989 and 990."
You might be able to find the answer in RFC 4217 - Securing FTP with TLS
I don't think the question is digging so deep as in implicit / explicit modes.
Based on the options above I'd go for port 443 too as the correct answer since it's related to SSL (which is an option for FTPS) and I'd treat port 21 as normal FTP and port 22 as SSH.
Bachelor of Science in Information Systems
2015 X | 2016 In progress | 2017 | 2018
ptilsen Member Posts: 2,835 ■■■■■■■■■■
The answer this test source is giving you is wrong. The only correct answer is a. Port 443 is only standard for HTTP over SSL/TLS, not FTP over SSL/TLS.
FTPS (explicit) doesn't utilize a special port. The TLS session is set up with the AUTH command (as described in page 4 of RFC 4217) over the traditional command port, 21. Depending on server and client configuration, the connection will be set up either with encrypted credentials, encrypted data, neither, both, or not at all, all using port 21 for commands and 20 (unless otherwise configured) for data.
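The negotiation ptilsen describes, as an added example that is not part of this thread and not taken from any FTP client or server: a small Python classifier run over constructed control-channel transcripts (not real captures) that tells plain FTP, explicit FTPS and implicit FTPS apart and reports which of the credentials and the data channel actually ended up under TLS. The hostname, user name, transcript format and the "C>"/"S>" markers are assumptions made for the example.

```python
"""Classify a constructed FTP control-channel transcript as plain FTP,
explicit FTPS (RFC 4217: AUTH TLS on port 21) or implicit FTPS (TLS before
the banner, port 990), and report what the session actually protected.

All transcripts here are constructed for illustration, not real captures.
Lines are "C> <command>" (client) or "S> <reply>" (server)."""
from dataclasses import dataclass

CLIENT, SERVER = "C>", "S>"
# IANA assignments: 21 ftp (control), 20 ftp-data, 990 ftps (control), 989 ftps-data.
EXPLICIT_CONTROL_PORT, IMPLICIT_CONTROL_PORT = 21, 990


@dataclass
class SessionReport:
    mode: str                    # "plain", "explicit" or "implicit"
    control_port: int
    control_encrypted: bool      # TLS active on the command connection at the end
    credentials_encrypted: bool  # every USER/PASS was sent after TLS came up
    data_protected: bool         # last accepted PROT was P (data connections under TLS)


def classify_session(control_port: int, transcript: list[str]) -> SessionReport:
    # Implicit FTPS: the TLS handshake happens before the 220 banner, so TLS is
    # already up and no AUTH command will appear. Anything else starts in clear.
    tls_up = control_port == IMPLICIT_CONTROL_PORT
    mode = "implicit" if tls_up else "plain"
    creds_seen, creds_encrypted = False, True
    data_protected = False
    pending = None  # last client command still waiting for its reply

    for line in transcript:
        who, _, text = line.partition(" ")
        text = text.strip()
        if who == CLIENT:
            pending = text.upper()
            if pending.startswith(("USER ", "PASS ")):
                creds_seen = True
                creds_encrypted = creds_encrypted and tls_up
            continue
        if who != SERVER or pending is None:
            continue
        code = text[:3]
        if pending in ("AUTH TLS", "AUTH SSL") and code == "234":
            # RFC 4217: after the 234 reply the TLS handshake runs on this same
            # TCP connection. Port 21 stays the control port; no new port opens.
            tls_up, mode = True, "explicit"
        elif pending == "PROT P" and code == "200":
            data_protected = True   # data connections (port 20 / passive) under TLS
        elif pending == "PROT C" and code == "200":
            data_protected = False  # data connections stay in clear
        pending = None

    return SessionReport(mode, control_port, tls_up,
                         creds_seen and creds_encrypted, data_protected)


# Constructed transcripts (assumed host and user). "S> 234" is the point where a
# real capture turns into TLS records; later lines are what the decrypted channel carries.
BANNER = ["S> 220 ftp.example.test ready"]
LOGIN = ["C> USER alice", "S> 331 Password required",
         "C> PASS s3cret", "S> 230 Logged in"]
TLS_UPGRADE = ["C> AUTH TLS", "S> 234 Proceed with negotiation",
               "C> PBSZ 0", "S> 200 PBSZ=0"]

PLAIN_FTP = BANNER + LOGIN                                   # never asked for TLS
EXPLICIT_FULL = BANNER + TLS_UPGRADE + ["C> PROT P", "S> 200 Protection set to P"] + LOGIN
EXPLICIT_CLEAR_DATA = BANNER + TLS_UPGRADE + ["C> PROT C", "S> 200 Protection set to C"] + LOGIN
AUTH_REFUSED = BANNER + ["C> AUTH TLS", "S> 534 Request denied for policy reasons"] + LOGIN
IMPLICIT_FULL = BANNER + ["C> PBSZ 0", "S> 200 PBSZ=0",
                          "C> PROT P", "S> 200 Protection set to P"] + LOGIN

if __name__ == "__main__":
    for name, port, transcript in [("plain", 21, PLAIN_FTP),
                                   ("explicit, PROT P", 21, EXPLICIT_FULL),
                                   ("explicit, PROT C", 21, EXPLICIT_CLEAR_DATA),
                                   ("AUTH refused, fell back to clear", 21, AUTH_REFUSED),
                                   ("implicit", 990, IMPLICIT_FULL)]:
        print(f"{name:36} {classify_session(port, transcript)}")
```

The four port-21 transcripts are the point of the post: the same control port carries plain FTP, fully protected FTPS, FTPS with clear data, and a failed upgrade that fell back to sending the password in clear, so the port alone tells you nothing about whether anything was encrypted. Python's own ftplib.FTP_TLS follows the RFC 4217 sequence shown here (auth() sends AUTH TLS, prot_p() sends PBSZ 0 then PROT P), and it connects to port 21 by default.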
Michael2 Member Posts: 305 ■■■□□□□□□□
Is this from the CompTIA Practice Exams? That book has weird questions like this. The only place I saw weirder questions was the test itself.
ptilsen Member Posts: 2,835 ■■■■■■■■■■
I don't think this is a weird question (outside of the marked answer being incorrect), but I don't recall it being on Sec+. Granted, it probably should be, because secure Internet-accessible file transfer is a real-world need you're not unlikely to run into.
Darril Member Posts: 1,588
CompTIA lists FTPS in two objectives: Objective 1.4 Implement and use common protocols and Objective 1.5 Identify commonly used default network ports.
Here are some things that test takers should know about FTPS:
- It represents File Transfer Protocol Secure (FTPS) and is an extension of FTP
- It is one of the protocols that can be used to encrypt data prior to transmission (along with other protocols that include the letter "S" such as SFTP, SSH, SSL, TLS, and SCP)
- FTPS uses SSL or TLS to encrypt FTP (unlike SFTP which uses SSH)
- IANA lists the well known ports for FTPS as 989 and 990, though not all implementations use these ports.
ptilsen Member Posts: 2,835 ■■■■■■■■■■
> IANA lists the well known ports for FTPS as 989 and 990 though all implementations don't use these ports.
In real-world scenarios, I strongly recommend against implementing implicit FTPS based on my experience. Unless one can control the network, server, and client, implicit FTPS increases the frequency of compatibility problems for no real benefit.
Edit: On a side note, I will admit FTPS can be a pain no matter what. Many FTP clients, including the one built into Windows, don't properly support implicit or explicit FTPS.
Darril Member Posts: 1,588
> If you happen to know CompTIA is testing on implicit FTPS instead of explicit, given your involvement in this particular test, I personally encourage you to use any influence you have to change it.
Good suggestion but my influence over CompTIA hovers at around zero percent. They specifically do not want trainers or authors involved in the test development process.
The best thing I can do is try to educate CompTIA test takers about CompTIA's perspectives as I learn them.
As another example, most people that understand wireless security know that disabling SSID broadcast is not an effective security method. It removes the SSID from the beacon but the SSID is still transmitted over the air. Attackers with a wireless sniffer can easily determine the SSID but since a casual user cannot see it, it provides a false sense of security. That said, I've often mentioned in various writings that if a test question asks you to identify a wireless security method and the only possible answer is "Disable SSID broadcast", that's the answer the test taker should choose.
teancum144 Member Posts: 229 ■■■□□□□□□□
Curiously, I ran across a practice question from a different source that had a question worded very similarly to the one above. It also said the correct answer is port 443. Two different sources with the same (incorrect?) answer. Confusing indeed!
If you like my comments or questions, you can show appreciation by clicking on the reputation badge/star icon near the lower left of my post.
icezellion Member Posts: 5 ■□□□□□□□□□
I came across this as well, 21 is the most logical answer but for some it's 443 (unless it's an error in the practice questions?).
eliphas0 Member Posts: 11 ■□□□□□□□□□
I know I'm late to the party. But I just ran across this thread while studying and specifically looking up FTPS Implicit / Explicit.
I can't say with any certainty but I believe they wanted Port 21 for the Answer. Being that Explicit FTPS starts the connection via Port 21 then negotiates SSL.
Whereas Implicit FTPS requires encryption and starts the connection via 990 and uses 989 for the data.
This is the source for my assumption.
https://blogs.msdn.microsoft.com/robert_mcmurray/2008/11/10/ftp-clients-part-2-explicit-ftps-versus-implicit-ftps/
Sorry to bump a dead thread but it was bugging me.
nisti2 Member Posts: 503 ■■■■□□□□□□
Exactly!!
SFTP uses FTP over SSL
> The answer this test source is giving you is wrong. The only correct answer is a. Port 443 is only standard for HTTP over SSL/TLS, not FTP over SSL/TLS.
> FTPS (explicit) doesn't utilize a special port. The TLS session is set up with the AUTH command (as described in page 4 of RFC 4217) over the traditional command port, 21. Depending on server and client configuration, the connection will be set up either with encrypted credentials, encrypted data, neither, both, or not at all, all using port 21 for commands and 20 (unless otherwise configured) for data.
2020 Year goals:
Already passed: Oracle Cloud, AZ-900
Taking AZ-104 in December.
"Certs... is all about IT certs!"