You can’t use an application unless you know the port number. In this video, you’ll learn about the common port numbers and how they are used to access network-based applications.
As a network administrator, you will work often with TCP and UDP port numbers, and it’s important to know what some of the most common ports are that you will see communicating over your network. The telecommunication network protocol, or what we commonly call Telnet, communicates over TCP port 23. If you need to get a console screen from a remote device, this allows you to connect to that device remotely, and you’re able to view information on the single terminal screen.
Sometimes you’ll hear this referred to as the console access to that device. But telnet has one significant problem. It sends this information across the network without any type of encryption. It is sent in the clear from one side of the network to the other.
And because we’re usually logging in with a username and a password, if somebody was able to gather these packets across the network, they’d be able to see all of this information that we’re transmitting. Because of these security concerns, you don’t commonly see telnet being used for these terminal communications.
Instead, you would use a much more secure protocol such as SSH, or Secure Shell. This communicates over TCP port 22. And although this looks identical to the telnet console we were looking at previously, all of this information was sent across the network in encrypted form. If you need to connect to a switch, a router, or firewall, or any other server on the network using this terminal communication. Then you need to use SSH over TCP port 22.
If you were to type in professormesser.com into your browser, it somehow manages to find the Professor Messer web server. And the way it’s able to do that is by performing a name resolution using DNS, or the Domain Name System. This DNS communication is commonly used to convert the name that you’re typing in to the IP address of the service. For example, the web server www.professormesser.com might have this IP address associated with it.
And you’ll notice that most of these communications using DNS are communicating over the UDP protocol using port 53. If these DNS communications have very large transfers of data inside of it, you may find that DNS is using the TCP protocol instead, but still using port 53.
These DNS servers are obviously critical resources because we commonly use the names of these devices instead of using these IP addresses. And that’s why in your network, you probably have multiple DNS servers all working simultaneously.
If you’ve ever sent email from one email address to the other, then somewhere along the line, you’ve probably used SMTP, or the Simple Mail Transfer Protocol. This is server-to-server communication and it’s one of the most common ways to send email messages over the internet.
If you’re communicating in the clear– or what we call plaintext– using SMTP, then you’re probably using TCP port 25. Most people will be using an encrypted form of SMTP that uses TLS. And that commonly uses TCP port 587. If you’ve ever configured one of your mobile devices to send outgoing email, then you’re probably configuring the SMTP settings on that device. For inbound email, you’re probably using one of two different email protocols, either IMAP or POP3.
IMAP and POP3 three are very common ways to be able to receive emails on a device. POP3 stands for Post Office Protocol version 3, and sending this information in the clear uses TCP port 110, which is why you’ll commonly see TCP port 995 to be able to send this POP3 data over the encrypted TLS protocol.
This is basic mail transfer from one device to the other. It doesn’t provide a lot of flexibility or options for managing that mail process, which is why most of us are probably using IMAP4, which is the Internet Message Access Protocol version 4. The port numbers used for IMAP for are TCP 143 for plaintext and TCP 993 for IMAP over the encrypted TLS protocol.
Unlike the post office protocol, IMAP gives us more options for managing our mail. For example, we can delete email on one device and it deletes the email across all of the devices that we’re using because it’s using this IMAP protocol to provide that mail functionality.
There are many different ways to transfer a file from one device to another across the network. One of the more secure ways to do this is by using SFTP. That stands for Secure File Transfer Protocol. And it commonly uses TCP port 22. SFTP includes features such as resuming interrupted transfers, we can look at directory listings, or retrieve files from a remote device. All of the communication used by SFTP is using the SSH protocol because that is the same port number that we use for SSH, but it has a file transfer mechanism that encrypts all of the communication for the transfer of that data.
There are also other protocols you may see for file transfers. One of these is the FTP protocol, or File Transfer Protocol. FTP uses two different port numbers to be able to accomplish this file transfer. One is TCP port 20– it’s what we call active mode data. That’s where we’re actually transferring the file. And the control process that tells the system which file to send usually communicates over TCP port 21.
FTP has authentication functionality. It can add files, list file directories, and perform other file management functions as well. There is a less functional form of file transfer called TFTP, or Trivial File Transfer Protocol. It commonly communicates over the UDP protocol using port 69.
As the name implies, this is a very simplified method of transferring a file from one place to the other. There’s no specialized authentication function. There’s not a lot of file management capabilities inside of FTP, but it does allow us to easily transfer files between systems. And if the information you’re transferring is not mission critical or doesn’t require any special authentication, then you may want to use FTP.
If you’ve ever connected to a network for the first time and you were assigned an IP address automatically, you were probably using DHCP, or the Dynamic Host Configuration Protocol. This allows you to automatically configure devices with an IP address, a subnet mask, a default gateway, DNS settings, and other IP configuration options.
DHCP commonly uses UDP port 67 and UDP port 68 to provide this automatic configuration function. Obviously, you’ll need a DHCP server on your network. And if you’re at home, this functionality is usually incorporated into your existing wireless or wired router.
Your DHCP server commonly has a group of IP addresses that could be handed out to devices. This is called a pool of IP addresses. And there is a lease time associated with that pool. So you’ll commonly assign that IP address to a device, and you’ll tell that device that it is able to use that IP address for 24 hours. After 24 hours, that device would have had to have renewed that IP address or would have to release that IP address and allow someone else to use it.
Some network administrators may also reserve IP addresses inside the DHCP server by associating the Media Access Control address, or a MAC address, of a device to a specific IP address so that every time a particular server is started, it will always receive the same IP address.
If you’re communicating to a web server, then you’re communicating using the hypertext transfer protocol. They’re usually two different port numbers that might be used by a web server. One of those port numbers is TCP port 80. That’s used by the hypertext transfer protocol, which sends information between the client and the server over a nonencrypted communications channel.
Most web servers today will use HTTPS, that’s Hypertext Transfer Protocol Secure, communicating over TCP port 443. This encrypted communication historically used SSL, or Secure Sockets Layer, although newer web servers will use a newer version of SSL called TLS, or Transport Layer Security.
Network administrators are often responsible for managing switches, routers, firewalls, servers, and other devices on the network. And to be able to check in and gather statistics from those devices, we can use a specialized protocol called SNMP. This is the Simple Network Management Protocol, and it commonly gathers those statistics using UDP over port 161.
The SNMP service that you’re using to query these devices can use different versions of SNMP. The original version is version 1, where there are very structured tables and all of the communication is sent in the clear over the network. There was an update to version 1 called version 2 that allowed for bulk transfers of information, but it still sent that information across the network without any type of encryption.
The most common type that you’ll see used on most production networks is version 3. There’s encryption, there’s message integrity, and there’s authentication options so that when you’re sending this information to a device, you can be assured that you’re really communicating to that device and the information that you’re receiving back is being sent securely over the network.
Not only can we query these devices using UDP port 161, we can tell this device that if anything bad happens, to send an alert message to us. In SNMP, that is called an SNMP trap. And it sends that trap using the UDP protocol over port 162.
One of the challenges for the network or security professional is being able to see what these devices may be doing on the network. And one of the most common ways to accomplish this is by examining the logs from every device. But instead of us manually going to every individual device to be able to see those logs, we instead will have all of these devices send their logs into one central repository.
We’re able to do that using a standard protocol called syslog. It uses UDP port 514 to be able to send this syslog data regardless of what device it may be sending from. Usually all of this log information has a single repository, or collection, and it’s usually resides in something called a Security Information and Event Manager, or SIEM.
As you can imagine, if you’re pulling in all of this log information from every switch, and router, and firewall, and Linux server, and Windows Server, and other device, you’re going to need a very large storage repository. So very commonly, these SIEMs will have very large amounts of storage space so that you can keep an extended amount of logs in the database of that SIEM.
If you’ve ever worked in a help desk, then you’ve probably used some type of remote access software to see the desktop of a remote computer. The Windows operating system uses Remote Desktop Protocol, or RDP, to provide that shared desktop view, and it commonly communicates using TCP port 3389.
If you’re running a Windows computer, then there’s probably a remote desktop service that you can enable so that other people can view your desktop. This would allow people to view the entire desktop or perhaps a single application that may be running on your system. And they’re able to view this from many different types of operating systems. If someone’s using Mac OS, iOS, Android, or other operating systems, they can still view the desktop of a Windows device using this RDP, or Remote Desktop Protocol.
Earlier in this video, we talked about using log file consolidation and being able to see all of these logs from one consolidated SIEM. But it’s important if you’re looking at a consolidated set of logs that you’re able to start correlating some of the information that you’re viewing. And an important part of providing this correlation is ensuring that every device has exactly the same date and time configured.
We’re able to do that using NTP, or the Network Time Protocol. Every device on your network probably has an NTP configuration option, and NTP commonly uses UDP port 123. Not only is this important for your log files, it’s useful for providing authentication, especially for encrypted communication. And if you’re trying to determine what might have occurred– perhaps during an outage– it’s important that all of the log files are completely synchronized.
This synchronization of date and time is something that occurs automatically. It’s something that you don’t even see occur on your desktop. It all happens behind the scenes across the network. The network or system administrators may configure how often the device goes out to make these changes, and most devices will do this at least once a day. This is a very accurate way to set the clocks on these devices. And you’ll find if you’re setting it to a local NTP server that your accuracy is well under one millisecond between all of these devices.
If you’ve ever used a voice over IP phone or used voice over IP software, then you’ve probably used the Session Initiation Protocol, or SIP. We refer to sip as a signaling protocol. It is able to set up the phone call, to tear down the phone call when the call is over, and to set parameters while the phone call is in use. We commonly use TCP port 5060 and TCP port 5061 for the session initiation protocol.
We refer to SIP as a signaling protocol because it’s in charge of these voice communications. When you place a call, you have a phone ring on the other side and everyone hangs up when they’re done with the call. There has to be some management process behind the scenes for each one of these things to work. And it is the session initiation protocol that provides that signaling. Of course, these VoIP communications are commonly associated with voice communication, but they can also be used for video conferencing, instant messaging, and other applications as well.
If you’ve ever transferred a file from one Windows computer to the other, or you’ve sent a job to a printer to be printed, then you’ve probably used SMB or Server Message Block. You might also hear this referred to as CIFS, or the Common Internet File System. Most Windows computers today use SMB over TCP port 445 where it is a direct communication from one device to the other. Previous versions of Windows would use NetBIOS to be able to accomplish this, but most modern computers are communicating directly over IP.
Another common service on our production networks is having a centralized database where you can store information about users, their passwords, and other important information. To be able to access this information, we would use LDAP, or the Lightweight Directory Access Protocol, which commonly communicates using TCP over port 389.
There’s also a secure form of LDAP called LDAPS for LDAP Secure. It’s not a standard form of LDAP, but it is one that’s relatively common. And it uses LDAP running over SSL, which uses TCP port 636.
Another common service on our networks is access to a database. And there are specialized protocols used depending on the database that you’re using. For example, if you’re using Microsoft SQL server– that’s the Microsoft Structured Query Language– then you’re communicating using TCP over port 1433.
If you’re using Oracle’s SQLnet– you may see this also referred to as Oracle Net or Oracle Net8– then you’re using TCP with port number 1521. And if you use the open source database of MySQL, which has now been acquired by Oracle, but is still an open source database, then you’re probably using TCP port 3306.