  1. Senior Member teancum144's Avatar
    Join Date
    Jun 2012
    Location
    Pacific Northwest, USA
    Posts
    227

    Certifications
    CISSP, CISA, CPA (inactive), Network+, Security+
    #1

    Default FTPS Port Number(s)

    I ran across a question that is worded similarly to the following:

    Which of the following ports are used for FTPS by default?
    a. 21
    b. 22
    c. 123
    d. 161
    e. 443
    f. 8080

    The answer is “e”, but I struggle with this answer because I can’t find any authoritative source to support it. Here’s what I know:

    FTPS in implicit mode: An increasingly obsolete mode that requires an established SSL session prior to any exchange of data. Uses port 989 for the data channel and port 990 for the control channel.

    FTPS in explicit mode (aka FTPES): Uses port 20 for the data channel and port 21 for the control channel. Both unencrypted FTP and encrypted FTPS are supported. The client and server negotiate the level of protection used. Control channel encryption is requested by sending either the AUTH TLS command or the AUTH SSL command. Data channel encryption is requested with the PROT command.

    With FTPES, I realize that the use of SSL or TLS may imply port 443, but I’ve also found other sources that imply SSL/TLS encryption for FTPES occurs on ports 20 and 21.

    Thoughts?
    Last edited by teancum144; 04-10-2013 at 06:09 PM.

  3. Senior Member Trashman's Avatar
    Join Date
    Feb 2013
    Posts
    136

    Certifications
    A+, Net+, Sec+, CCENT, CCNA, CEH, JNCIA
    #2
    Tricky one.
    I just checked in my Security+ book and it states:
    "FTP Secure is an extension of FTP and uses SSL or TLS to encrypt FTP traffic. Some implementations of FTPS use ports 989 and 990."

    You might be able to find the answer in RFC 4217 - Securing FTP with TLS

    I don't think the question is digging so deep as in implicit / explicit modes.
    Based on the options above I'd go for port 443 too as the correct answer since it's related to SSL (which is an option for FTPS) and I'd treat port 21 as normal FTP and port 22 as SSH.

  4. Junior Starcraft Engineer
    Join Date
    Mar 2007
    Location
    Twin Cities, Minnesota
    Posts
    2,777

    Certifications
    A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #3
    The answer this test source is giving you is wrong. The only correct answer is a. Port 443 is only standard for HTTP over SSL/TLS, not FTP over SSL/TLS.

    FTPS (explicit) doesn't utilize a special port. The TLS session is set up with the AUTH command (as described in page 4 of RFC 4217) over the traditional command port, 21. Depending on server and client configuration, the connection will be set up either with encrypted credentials, encrypted data, neither, both, or not at all, all using port 21 for commands and 20 (unless otherwise configured) for data.
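Added example (not part of any poster's reply): the explicit/implicit distinction discussed above, told apart by the first bytes on the control connection rather than by port number. The sample sessions, the username, the truncated ClientHello bytes and the 502 refusal are constructed for illustration.

```python
import re

AUTH_RE = re.compile(rb"AUTH (TLS|SSL)\r\n", re.I)

def is_client_hello(payload):
    # TLS record header: type 0x16 (handshake), major version 0x03,
    # then handshake type 0x01 (ClientHello) at offset 5.
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[5] == 0x01)

def classify(packets):
    """packets: list of (direction, payload); 'C' = client, 'S' = server."""
    seen_text = auth_pending = auth_ok = auth_refused = False
    for direction, payload in packets:
        if direction == "C" and is_client_hello(payload):
            if not seen_text:
                return "implicit"            # TLS starts before any FTP text
            return "explicit" if auth_ok else "unknown"
        seen_text = True
        if direction == "S" and auth_pending:
            auth_ok = payload.startswith(b"234")   # 234 = go ahead with TLS
            auth_refused = not auth_ok
            auth_pending = False
        elif direction == "C" and AUTH_RE.fullmatch(payload):
            auth_pending = True
        elif direction == "C" and payload[:5].upper() in (b"USER ", b"PASS "):
            # Credentials in the clear; note whether TLS was asked for first.
            return "plaintext-after-refused-auth" if auth_refused else "plaintext"
    return "unknown"

# Constructed, truncated ClientHello record (not from a real capture).
HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
# Constructed control-channel sessions: name -> (server port, packets).
SAMPLES = {
    "explicit_21": (21, [("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"),
                         ("S", b"234 AUTH TLS OK\r\n"), ("C", HELLO)]),
    "implicit_990": (990, [("C", HELLO)]),
    "plain_21": (21, [("S", b"220 ready\r\n"), ("C", b"USER alice\r\n")]),
    "fallback_21": (21, [("S", b"220 ready\r\n"), ("C", b"AUTH TLS\r\n"),
                         ("S", b"502 Command not implemented\r\n"),
                         ("C", b"USER alice\r\n")]),
}

def classify_all():
    return {name: (port, classify(pkts)) for name, (port, pkts) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (port, verdict) in classify_all().items():
        print(f"{name:13} port {port:<4} -> {verdict}")
```

Three of the four sessions use port 21, so the port alone does not say whether credentials crossed the wire encrypted; the AUTH exchange does.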

  5. Senior Member
    Join Date
    Jan 2011
    Posts
    296

    Certifications
    Sec+, A+
    #4
    Is this from the CompTIA Practice Exams? That book has weird questions like this. The only place I saw weirder questions was the test itself.

  6. Junior Starcraft Engineer
    Join Date
    Mar 2007
    Location
    Twin Cities, Minnesota
    Posts
    2,777

    Certifications
    A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #5
    I don't think this is a weird question (outside of the marked answer being incorrect), but, I don't recall it being on Sec+. Granted, it probably should be, because secure Internet-accessible file transfer is a real-world need you're not unlikely to run into.

  7. Senior Member
    Join Date
    Jan 2011
    Posts
    296

    Certifications
    Sec+, A+
    #6
    I never heard of FTPS. I've heard of S-FTP.

  8. Registered Member Darril's Avatar
    Join Date
    May 2009
    Location
    Virginia Beach, VA
    Posts
    1,569

    Certifications
    MCT, A+, Net+, Security+, CASP, SSCP, CISSP, MCSE, MCITP...
    #7
    CompTIA lists FTPS in two objectives: Objective 1.4 Implement and use common protocols and Objective 1.5 Identify commonly used default network ports.

    Here are some things that test takers should know about FTPS:
    • It represents File Transfer Protocol Secure (FTPS) and is an extension of FTP
    • It is one of the protocols that can be used to encrypt data prior to transmission (along with other protocols that include the letter "S" such as SFTP, SSH, SSL, TLS, and SCP)
    • FTPS uses SSL or TLS to encrypt FTP (unlike SFTP which uses SSH)
    • IANA lists the well known ports for FTPS as 989 and 990 though all implementations don't use these ports.
    Hope this helps.

  9. Junior Starcraft Engineer
    Join Date
    Mar 2007
    Location
    Twin Cities, Minnesota
    Posts
    2,777

    Certifications
    A+, Net+, Security+, MCSA 2003, MCTS Win 7, AD, Net Infrastructure
    #8
    Quote Originally Posted by Darril View Post
    • IANA lists the well known ports for FTPS as 989 and 990 though all implementations don't use these ports.
    This may be so, and IETF agrees with the ports being well-known, but it's not just a matter of some implementations not using 989 and 990. It is generally not supported as it is not specified in the FTP over SSL/TLS standards (RFC 4217 and RFC 2228). I would expect (perhaps incorrectly) that CompTIA would test based on the IETF standard, which means explicit FTPS using port 21. If you happen to know CompTIA is testing on implicit FTPS instead of explicit, given your involvement in this particular test, I personally encourage you to use any influence you have to change it. The test should not be expecting people to know implicit FTPS ports, in my opinion. If it does, the official objectives should include identifying and differentiating between implicit and explicit (overkill, IMO, but better than testing on a deprecated non-standard instead of the current standard).

    In real-world scenarios, I strongly recommend against implementing implicit FTPS based on my experience. Unless one can control the network, server, and client, implicit FTPS increases the frequency of compatibility problems for no real benefit.

    Edit: On a side note, I will admit FTPS can be a pain no matter what. Many FTP clients, including the one built into Windows, don't properly support implicit or explicit FTPS.
    Last edited by ptilsen; 04-16-2013 at 10:38 PM.

  10. Registered Member Darril's Avatar
    Join Date
    May 2009
    Location
    Virginia Beach, VA
    Posts
    1,569

    Certifications
    MCT, A+, Net+, Security+, CASP, SSCP, CISSP, MCSE, MCITP...
    #9
    Quote Originally Posted by ptilsen View Post
    If you happen to know CompTIA is testing on implicit FTPS instead of explicit, given your involvement in this particular test, I personally encourage you to use any influence you have to change it.
    Good suggestion but my influence over CompTIA hovers at around zero percent. They specifically do not want trainers or authors involved in the test development process.

    The best thing I can do is try to educate CompTIA test takers about CompTIA's perspectives as I learn them.

    As another example, most people that understand wireless security know that disabling SSID broadcast is not an effective security method. It removes the SSID from the beacon but the SSID is still transmitted over the air. Attackers with a wireless sniffer can easily determine the SSID but since a casual user cannot see it, it provides a false sense of security. That said, I've often mentioned in various writings that if a test question asks you to identify a wireless security method and the only possible answer is "Disable SSID broadcast", that's the answer the test taker should choose.

  11. Senior Member teancum144's Avatar
    Join Date
    Jun 2012
    Location
    Pacific Northwest, USA
    Posts
    227

    Certifications
    CISSP, CISA, CPA (inactive), Network+, Security+
    #10
    Curiously, I ran across a practice question from a different source that was worded very similarly to the one above. It also said the correct answer is port 443. Two different sources with the same (incorrect?) answer. Confusing indeed!

  12. Member
    Join Date
    Apr 2013
    Posts
    62
    #11
    Thanks for this one, definitely one to bone up on.

  13. Junior Member Registered Member
    Join Date
    May 2013
    Posts
    5
    #12
    I came across this as well, 21 is the most logical answer but for some it's 443 (unless it's an error in the practice questions?).

  14. Junior Member
    Join Date
    May 2009
    Posts
    11

    Certifications
    A+, Network+, MCTS: Vista Configuring, MCITIP: Enterprise Support Tech, Security+, MTA: Server Fundamentals
    #13
    I know I'm late to the party. But I just ran across this thread while studying and specifically looking up FTPS Implicit / Explicit.
    I can't say with any certainty, but I believe they wanted port 21 for the answer, being that explicit FTPS starts the connection via port 21 and then negotiates SSL,
    whereas implicit FTPS requires encryption, starts the connection via 990 and uses 989 for the data.
    This is the source for my assumption.
    https://blogs.msdn.microsoft.com/rob...implicit-ftps/

    Sorry to bump a dead thread but it was bugging me.

  15. Senior Member
    Join Date
    Feb 2014
    Posts
    264

    Certifications
    MS in Security Information, Sec+, A+, Server+, Network+, Certified Network Defense Professional (CNDP), Certified Cybercrime Forensic Investigator
    #14
    Exactly!!
    SFTP uses FTP over SSL

    Quote Originally Posted by ptilsen View Post
    The answer this test source is giving you is wrong. The only correct answer is a. Port 443 is only standard for HTTP over SSL/TLS, not FTP over SSL/TLS.

    FTPS (explicit) doesn't utilize a special port. The TLS session is set up with the AUTH command (as described in page 4 of RFC 4217) over the traditional command port, 21. Depending on server and client configuration, the connection will be set up either with encrypted credentials, encrypted data, neither, both, or not at all, all using port 21 for commands and 20 (unless otherwise configured) for data.