Common Network Ports – CompTIA Security+ SY0-401: 1.4

| July 31, 2014 | 0 Comments


We rely on the TCP and UDP protocols to keep all of our network traffic going to the right place at the right time. In this video, you’ll learn the differences between the two protocols and some of the most popular port numbers in use today.

<< Previous Video: NetBIOSNext: Protocols and the OSI Model >>


On IP networks, there are two primary protocols that are used to get data from one side of the network to the other. One of these is called TCP, or Transmission Control Protocol. This is what we call a connection-oriented protocol.

That means that there is a very formal connection made between devices. A communication is sent, or packets are sent over that communication. And then there is an official teardown process so that everybody knows what has happened. It’s very similar to picking up a phone– calling a number– you’re connecting to someone, and then you hang up the phone.

This is something that also requires acknowledgments. When you send data, you’re expecting to get an acknowledgement back from the other side. This is a picture of this happening, where my laptop is sending data to a server and the server sends me back a little message that says, I’m just acknowledging that I have received the data that you’ve sent.

This means that the delivery of this information is very reliable. We know if the other side received that message, and if we don’t get that acknowledgement back, we can simply send that data again to get it to the other side. This means that there’s a lot of control that the end stations have when sending and receiving information. Sometimes when you’re sending information across a network, it may end up on the other side out of order. And with TCP communication, those packets can be put into the correct order again so that end station understands the information that we are sending.

You can think of TCP as working with a moving truck. On one end of the communication, you’re loading up the truck with a lot of different boxes and you’re creating a packing list of everything that happens to be in that truck. You send the packing list in the truck to the other side.

And when you’re unloading the truck, you still go down the packing list, and you make sure that all of the boxes that are coming off the truck happen to be there. If any box happens to be missing, you can call back to the other side and tell them, I’m missing one of these boxes. Box number 10 didn’t make it to the other side. Could you simply send box 10.

There’s no reason to resend the entire truck of boxes. I only need that single box to be sent. And TCP sends that single box to the other side. And all of the boxes are then put together in its original form.

The other common transport protocol that you’ll see on our networks is UDP. That stands for User Datagram Protocol.

UDP is connectionless. There’s no formal handshake process. There’s no numbering of the traffic as it goes across the network. And there are no acknowledgements. When you send the UDP data, you have no idea whether that traffic made it to the other side or not.

We call this an unreliable protocol because of that. In fact, it’s not really more reliable or less reliable than TCP happens to be. It’s your information that you receive about the transmission that makes it unreliable, because we have no idea if it got to the other side or not.

There’s no reordering of packets. There’s no retransmissions. Once you send the UDP data, it goes through the network and you hope that it made it to the other side.

This is definitely not like a loading and unloading of a truck, because if it was, you wouldn’t really care about the cargo. You’re throwing it all on the truck, and you’re just sending the truck off. You give it an address and you never hear whether the information in that truck ever made it to the other side.

You would think that UDP would be a very bad protocol to use on our networks. But, in fact, it’s got some very specialized uses where it excels. A good example of this is voice-over IP.

Voice-over IP– very time sensitive. As I’m talking and you’re listening to this traffic, there’s no time to rewind and ask for a retransmission of part of the data that I’ve sent. When you lose a piece of voice communication, you’ve just lost it, and we simply continue on. UDP is a perfect protocol for using something like voice-over IP.

When these TCP or UDP transport protocols communicate across a network, they not only need to know the IP address of where they happen to be going, but they also need to know where inside of that computer they should be going. And the location inside of that computer is something called a port number. This is different than physical ports that happened to be on an ethernet switch. These are virtual ports that are inside of a computer.

Usually a server has both an IP address and a server port number that’s being used by an application. For instance, web servers often use port 80 as the number that signifies where all the web traffic will go. On a client machine, when you’re sending the traffic, you’re also sending it from an IP address, and you’re sending it from a source port number as well. So there’s actually two separate IP addresses and two separate– and most often very different port numbers– that are being used on both sides of the conversation.

With port numbers, you may often hear the term “ephemeral” and “non-ephemeral.” Non-ephemeral ports are permanent port numbers. They are not temporary. They are locked in.

Those are usually port numbers associated with a service. For example, the web service I just provided was port number 80. And that port number on that server will always be port 80. That is a non-ephemeral port number.

On your client device, you’re simply using random port numbers to connect to that port 80. These are often called ephemeral ports because they are simply temporary port numbers that you’re using just to establish a communication. Once that communication is over, that port number is discarded. And if you need to again communicate to that device, you pick a new port number.

This is really something that happens in real time on the client device. And it’s nothing that you, as an end user, need to worry about. It’s handled automatically by your network stack.

These port numbers– whether they’re TCP port numbers or UDP port numbers, and whether they are ephemeral or non-ephemeral– are using a number between zero and 65,535. Most of the time, those services that you’re using are using these non-ephemeral port numbers. But that doesn’t necessarily have to be the case.

I chose port 80 on a web server because generally all the web servers on the internet are using port 80. But if you’d like to use a different port number, you certainly could. You would just have to make sure that all of the people using that server knew what the port number happened to be. You can imagine across the internet that could be a difficult thing to manage, which is why we use those non-ephemeral port numbers, because we always expect a web server to be running on TCP port 80.

Also keep in mind that changing the port number doesn’t make things more secure, or even less secure. This is simply a way to communicate to a device and know exactly what we’re communicating with. Changing port numbers around won’t hide a service or provide it with any additional security.

You may hear these service port numbers, or non-ephemeral port numbers, referred to as “well-known” port numbers. There’s a very large list of well-known port numbers on the internet so that your browser naturally knows to go to port 80 TCP on a server. It knows that if it needs to communicate to the service, it’s always going to be waiting on that well-known port number.

Also keep in mind that TCP port numbers are different than UDP port numbers. TCP has a range of port numbers between zero and 65,535. UDP also has a range of port numbers between zero and 65,535. But a TCP port 80 is completely different than a UDP port 80. Those TCP and UDP protocols live in completely different worlds.

Here’s how these port numbers might be used on the internet. On this picture I have my computer on one side, and on the other side is a server that’s providing web services. But it’s also providing other services as well. And I know that because there are three well-known port numbers that happen to be configured and enabled on this device through the software running on the server.

The server happens to be running some DNS software, and that DNS software is waiting for people to make a DNS request on UDP port 53. This is also a web server, so it does have in the clear, unencrypted web traffic communicating back and forth to the server over the well-known port of TCP port 80. And this web server is also providing encrypted web services. And there is a completely different well-known TCP port number for encrypted web communication over TCP port 443.

If I want to communicate to this server over the in the clear, unencrypted web service running on TCP port 80, my computer will pick a random port number as the source port number for my 192.168.0.5. It picks a random TCP port 1331 to communicate to TCP port 80. The TCP, of course, has to be the same on both sides. But, as you can see here, the port numbers can be very different between the client and the server. And that’s the communication that’s set up that allows me then to communicate via web services to that web server and receive web pages back in my browser.

One of the things that you’ll need to know for your Security+ exam are what some of these well-known port numbers happen to be. This tends to be something that is more rote memorization. But what you’ll find is once you start working with firewalls, intrusion prevention processes, and setting up these port numbers in your applications, they almost become second nature.

Let’s list out some of the TCP ports that you’ll need to know for the exam. TCP port 20 and 21 are used for the file transfer protocol. Port 21 is the control protocol used with FTP. And the actual data transfer occurs over TCP port 20.

The encrypted terminal program Secure Shell, or SSH, runs over TCP port 22. This is also used for SCP, which stands for Secure Copy– a very simple copy program that uses SSH to be able to transfer data. SSH is also used for SFTP, which is a much more involved secure file transfer protocol– again over TCP port 22. This has much more capabilities than the very simple Secure Copy protocol.

SMTP is the way that we transfer our mail. It uses a protocol called Simple Mail Transfer Protocol. That runs over TCP port 25.

We saw earlier that our server was running DNS, or Domain Name Services, on that particular server, and it was using UDP port 53. But as you can see here, I’ve listed out TCP port 53. There is a set of protocols within DNS that provide zone transfers, which transfers a relatively large amount of traffic compared to the simple zone and name lookups that are done on the UDP side. So you will see DNS using both TCP port 53 for zone transfers and UDP port 53 to be able to do the name services lookups.

We also saw in our previous example HTTP being used. That’s in the clear, Hypertext Transfer Protocol that’s used for web servers, and that is commonly used on the well-known port of TCP port 80.

If you have a mobile device or you’re using a mail client in your operating system, it may be retrieving mail using a protocol called POP3. It stands for Post Office Protocol version three, and it uses TCP port 110.

If you have NetBIOS running on your network, this is the Network Basic Input/Output System– very common to see in Windows environments. It may be using TCP port 139 to send session information across the network.

Another mail protocol that’s used by clients is IMAP. This stands for Internet Message Access Protocol, and it uses TCP port 143. And if you’re communicating to a web server over an encrypted link, then you’re probably using HTTPS, which stands for Hypertext Transfer Protocol Secure, and it uses TCP port 443.

And a very common TCP protocol used by administrators is RDP. That stands for Remote Desktop Protocol. That’s a protocol that allows you to view the contents of a desktop that’s on a remote device. And that uses TCP port 3389 to communicate across the network.

The only UDP protocol that you need to memorize for your Security+– this is from your Security+ exam objectives– is UDP port 53. We talked earlier about DNS and how it uses TCP port 53 for zone transfers. If you simply need to perform a domain lookup, that’s a very simple communication, and it uses UDP port 53 to accomplish that.

Hopefully that’s given you an introduction of how these port numbers are used on your network. And as you start working more with firewalls, intrusion prevention devices, and many other security tools, you’ll need to know exactly what port numbers need to be used to be able to secure your network.

Tags: , , , , ,

Category: CompTIA Security+ SY0-401

X