======================================================================================
 
FTP over SSL (ftps) - Explicit SSL vs. Implicit SSL / Active mode vs Passive mode: 
 
               Shunichi Mikame, GCIH, GCIA, CCSE - (smikame@ipv4sec.com) - 09/11/2006
 
======================================================================================
 
I am writing this note for my fellow firewall admins in public ... who are troubleshooting ftps connection issues.
 
 
Note for ftp over ssl (ftps):
 
   Explicit SSL uses the standard ftp port 21 (ftp-control port)
   Implicit SSL uses port 990 (ftp-control port)
 

Using the standard ftp-control port 21 is Explicit SSL. It still has active mode and passive mode, the same as standard ftp. Because the control channel (ftp-control port) is encrypted as well as the data channel, a firewall device cannot inspect the usual PORT command (for active ftp: the FTP server initiates the data session, sourcing from port 20, to the client's data port above 1023) or PASV command (for passive ftp: the client initiates the data session to a random port specified by the server) to learn the port that will be used for the ftp data channel. If the ftps server and ftps client both support the CCC command (Clear Command Channel), it reverts the control channel to plaintext (which means that CCC decreases security), and the firewall device can then inspect the unencrypted PASV/PORT commands and open the expected data port (the port negotiated between server and client) automatically and dynamically. If the CCC command is not supported by the ftps server/client (normally all ftps software supports CCC, except some), or if the security approver rejects the use of CCC (because of the security risk and concern about plaintext), then yes, opening a fixed data port range is required on the firewall. All ftps server software has an option for the server admin to specify a custom/fixed 'minimum' and 'maximum' data port range (they can assign the data port range they wish to use: a static data-port range). Also, each ftps server software product has its own default ftps-data port range coded in its config file, and that default port range may be unique to that product. Normally, this ftps data port range information should be provided by the vendor who is hosting the ftps server/service to your firewall admin for the firewall rule setup (static data port range opening) when ftp over ssl is used.
My understanding of the traffic flow of 'ftp over ssl' (ftps) is below.

Explicit SSL operates such that a connection to the server is made on the normal service port (TCP-21 for the ftp-control channel, TCP-20 for ftp-data in active ftp mode). Communication initially starts in plain text until the client issues an authentication command, which then leads to certificate verification and a secure SSL connection being negotiated. In active mode, the ftps client initiates the 'control session' to port 21 of the server (outbound from client), but the server initiates the data session back (sourcing from tcp port 20) to the client (inbound to client). In passive mode, the client initiates both the control session (tcp-21) and the data session (port range specified by server/client negotiation) to the server (both are outbound from client).

Implicit SSL allows the server to specify a different port dedicated to SSL communication (TCP-990 for the ftp-control channel, TCP-989 for ftp-data in active ftp mode). Any connection made to this port requires immediate negotiation of certificates and SSL, avoiding any communication in plain text whatsoever. In active mode, the ftps client initiates the 'control session' to port 990 of the server (outbound from client), but the server initiates the 'data session' back (sourcing from tcp port 989) to the client (inbound to client). In passive mode, the client initiates both the control session (tcp-990) and the data session (port range specified by server/client negotiation) to the server (both are outbound from client).

Below are traffic flow examples with my understanding:

Explicit SSL with active FTP
<client initiates control session but server initiates data session to client>

      ftp-ssl-control: (outbound from client)
      FTPS client src port (greater than 1024) ==> FTPS server dst port 21

      ftp-ssl-data: (inbound from server)
      FTPS server src port (port 20) ==> FTPS client dst port (range specified by server/client negotiation)


Explicit SSL with passive FTP
<client initiates both control and data sessions>

      ftp-ssl-control: (outbound from client)
      FTPS client src port (greater than 1024) ==> FTPS server dst port 21 (request)

      ftp-ssl-data: (outbound from client)
      FTPS client src port (range specified by server/client negotiation) ==> FTPS server dst port (range specified by server/client negotiation)


Implicit SSL with active FTP
<client initiates control session but server initiates data session to client>

      ftp-ssl-control: (outbound from client)
      FTPS client src port (greater than 1024) ==> FTPS server dst port 990

      ftp-ssl-data: (inbound from server)
      FTPS server src port (port 989) ==> FTPS client dst port (range specified by server/client negotiation)


Implicit SSL with passive FTP
<client initiates both control and data sessions>

      ftp-ssl-control: (outbound from client)
      FTPS client src port (greater than 1024) ==> FTPS server dst port 990

      ftp-ssl-data: (outbound from client)
      FTPS client src port (range specified by server/client negotiation) ==> FTPS server dst port (range specified by server/client negotiation)
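The following is an added example, not part of the original note: a small Python model of what a firewall's FTP application-layer gateway does with the control channel, covering both the PORT/PASV inspection and CCC discussion above and the four traffic-flow cases. It parses a client PORT command and a server 227 PASV reply into the data-channel endpoint, derives the data flow the firewall would have to permit for each mode (server port 20 or 989 inbound for active; client-to-negotiated-server-port outbound for passive), shows with a first-bytes check why none of this is possible while the control channel is still TLS, and lists the static rules needed when the server's fixed passive data range has to be opened instead. All addresses, ports and control-channel lines are constructed sample values; the TLS check is a simple heuristic for the example, not a full record parser.

```python
# Added example, not part of the original note: a small model of how a
# firewall's FTP application-layer gateway learns the data-channel port from
# the control channel, and why that only works on a plaintext control channel
# (plain ftp, or ftps after CCC). All sample lines and addresses are constructed.
import re
from typing import List, NamedTuple, Optional, Tuple

FTP_CTRL_PORT = 21             # explicit SSL control port
FTPS_IMPLICIT_CTRL_PORT = 990  # implicit SSL control port
FTP_DATA_PORT = 20             # explicit SSL, active mode: server's source port
FTPS_IMPLICIT_DATA_PORT = 989  # implicit SSL, active mode: server's source port


class Flow(NamedTuple):
    src_ip: str
    src_port: Optional[int]    # None = ephemeral port chosen by the initiator
    dst_ip: str
    dst_port: int
    direction: str             # "outbound from client" / "inbound to client"


_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode_endpoint(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2), rejecting bad octets."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("octet out of range in %r" % (groups,))
    h1, h2, h3, h4, p1, p2 = vals
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_port_command(line: str) -> Tuple[str, int]:
    """Active mode: the client's PORT command names the client data endpoint."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode_endpoint(m.groups())


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Passive mode: the server's 227 reply names the server data endpoint."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode_endpoint(m.groups())


def control_channel_is_inspectable(first_bytes: bytes) -> bool:
    """True when the control channel carries plaintext FTP an ALG can read.
    A TLS record begins with content type 0x16 (handshake) and major version
    0x03; plaintext FTP control traffic is ASCII text. Heuristic for this example."""
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return False
    return True


def expected_data_flow(mode: str, implicit: bool, client_ip: str, server_ip: str,
                       control_line: str) -> Flow:
    """Derive the data-channel flow the firewall must permit from one control line."""
    if mode == "active":
        ip, port = parse_port_command(control_line)
        if ip != client_ip:
            # The PORT address must be the client itself; anything else is refused.
            raise ValueError("PORT address %s does not match client %s" % (ip, client_ip))
        src_port = FTPS_IMPLICIT_DATA_PORT if implicit else FTP_DATA_PORT
        return Flow(server_ip, src_port, client_ip, port, "inbound to client")
    if mode == "passive":
        ip, port = parse_pasv_reply(control_line)
        if ip != server_ip:
            raise ValueError("PASV address %s does not match server %s" % (ip, server_ip))
        return Flow(client_ip, None, server_ip, port, "outbound from client")
    raise ValueError("mode must be 'active' or 'passive'")


def static_passive_rules(server_ip: str, implicit: bool,
                         port_min: int, port_max: int) -> List[Tuple[str, str, str]]:
    """(proto, dst_ip, dst_port) rules to permit client -> server when the control
    channel stays encrypted (no CCC) and passive mode uses a fixed server data range."""
    if not (1024 <= port_min <= port_max <= 65535):
        raise ValueError("invalid data port range")
    ctrl = FTPS_IMPLICIT_CTRL_PORT if implicit else FTP_CTRL_PORT
    return [("tcp", server_ip, str(ctrl)),
            ("tcp", server_ip, "%d:%d" % (port_min, port_max))]


if __name__ == "__main__":
    # Constructed sample control-channel lines (client 192.168.1.10, server 10.0.0.5)
    print(expected_data_flow("active", False, "192.168.1.10", "10.0.0.5",
                             "PORT 192,168,1,10,4,1"))
    print(expected_data_flow("passive", True, "192.168.1.10", "10.0.0.5",
                             "227 Entering Passive Mode (10,0,0,5,195,89)."))
    print(control_channel_is_inspectable(b"\x16\x03\x01\x00\xa5"))  # TLS handshake: False
    print(static_passive_rules("10.0.0.5", True, 50000, 50100))
```

The address check in expected_data_flow is the same sanity check a real FTP ALG applies: a PORT that points anywhere other than the connecting client, or a 227 reply naming a host other than the server, is not turned into a firewall opening. Once the control channel is TLS, control_channel_is_inspectable returns False and none of the parsing can happen, which is exactly the situation the note describes as requiring either CCC or a static data port range.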

End of document (http://www.ipv4security.com/packet_flow/ftp_over_ssl.txt):

======================================================================================