IT Security 101: Common Network Ports and Protocols
Introduction
Being able to recognize commonly used ports and their intended purpose is a valuable skill for any defender. This information is necessary when configuring systems, and when analyzing logs and traffic for anomalous activity. This knowledge may also be tested in certification exams, such as CompTIA’s range of Network+, Security+ and CySA+, among others.
There are 65,535 ports in total. Ports 0-1023 are called the well-known ports. They are standardized ports used by common services not specific to any vendor. Ports 1024-49151 are called the registered ports and are typically designated by developers for specific applications and services to avoid conflict with the well-known ports. Ports 49152-65535 are dynamic or private ports, used by clients when communicating with servers. They are generally not specific to any service or application, and tend to change with each connection.
Ports are further divided into two categories, based on the transport protocol that the service or application uses: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). TCP is used for reliable, connection-oriented communication that requires guaranteed delivery. UDP is used for faster, connectionless communication that requires low latency.
Memorizing all of the ports with their use would take some serious mental talent. However, as mentioned above, there are a few that should be memorized.
Common Ports and Protocols to Know
Here is a table of ports and their uses that should be easily recognized by IT admins and defenders.
Secure Protocols
Sensitive data should never be transmitted over unsecured protocols. For protocols that send traffic in plain-text, it is important to know how to secure them.
Some plain-text protocols come with a secure alternative. Here is a table showing the plain-text protocol with its secure alternative, as well as the encryption protocol used. Note, all secure protocols utilize TCP.
Helpful tip: If the secure protocol ends in “S”, it is secured with SSL/TLS. If it begins with “S”, it is secured with SSH. This is really only helpful for SCP and SFTP versus the others, as other protocols that use SSH do not include “S” at the end or beginning.
Virtual Private Network (VPN) Protocols
The following is a list of common secure communication protocols used for Virtual Private Networks (VPN).
Internet Protocol Security (IPSec) - This uses UDP/500 for Internet Key Exchange (IKE) during VPN setup and UDP/4500 for NAT traversal (NAT-T). Authentication and encryption of the tunneled traffic are handled by the ESP and AH protocols when running over UDP, though IPSec may also be carried over TCP in certain situations. For deployments that pair Layer 2 Tunneling Protocol (L2TP) with IPSec, UDP/1701 is also used for L2TP control messages.
OpenVPN - This uses UDP/1194 by default, but can be configured to use TCP/443 or others if necessary. Note, use of TCP can allow it to bypass firewalls that block this service or block UDP in general.
Point-to-Point Tunneling Protocol (PPTP) - This uses TCP/1723 for tunnel management and control connections. It utilizes GRE for data encapsulation.
WireGuard - This uses UDP/51820 by default and does not support TCP natively.
SSL/TLS - It is common for VPN clients to utilize TCP/443 for VPN connections to remote gateways for remote access.
Additional Considerations
The following ports and protocols are less commonly seen as “important to know”, but they should be understood.
X11 - This provides remote GUI access. It typically uses ports starting at 6000, incrementing by one for each additional display. The secure alternative is to forward X11 over SSH (TCP/22).
Rsync - This provides efficient file transfer and synchronization by transmitting only the changed portions of data. It typically uses the native Rsync daemon or a specified port. The secure alternative is to run it over SSH (TCP/22).
Git - This provides source code version control for software development. Its web-based repositories use TCP/80 with an alternative of TCP/443 (SSL/TLS). Natively, it uses TCP/9418 with an alternative of TCP/22 (SSH).
DNSoH vs. DNSoT - Both provide secure methods of transmitting DNS, with slight differences. DNS over HTTPS (DNSoH) uses TCP/443 (SSL/TLS) and protects queries by wrapping them in SSL/TLS, making them indistinguishable from normal HTTPS traffic. DNS over TLS (DNSoT) uses TLS directly, which allows the traffic to be recognized as DNS traffic. DNSoH works natively, but admins will have difficulty identifying the traffic without DPI and SSL decryption, whereas DNSoT is easy to identify but is not native and requires special configuration.
SNMPv1/v2/v3 - This provides remote management of device configurations through queries and commands. UDP/161 is used for control and data traffic. UDP/162 is used for sending “traps” to the SNMP manager, which are alert notifications. Versions 1 and 2 are plain-text. Version 3 adds security, yet it still uses UDP/161 and UDP/162, so the version cannot be determined from the port alone. Its security is provided through the User-based Security Model (USM), which has built-in encryption using AES and DES.
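As an added example (not code from the original article), here is a small Python triage script that maps the VPN and Additional Considerations ports listed above onto firewall-style log lines: each destination port is classified by the ranges from the introduction, identified by service, and tagged with the defender's note the text gives for it (X11 display numbers derived from 6000+N, SNMP version not visible from the port, TCP/443 ambiguous between HTTPS, SSL VPN, OpenVPN and DNS over HTTPS). The log format, sample lines, labels and notes are constructed for this example.

```python
import re

# Map built from the VPN and Additional Considerations lists; labels/notes are constructed.
SERVICES = {
    ("udp", 500): ("IPSec IKE", ""),
    ("udp", 4500): ("IPSec NAT-T", ""),
    ("udp", 1701): ("L2TP control", "expect IKE (UDP/500) and NAT-T (UDP/4500) alongside"),
    ("udp", 1194): ("OpenVPN", ""),
    ("tcp", 1723): ("PPTP control", "data travels in GRE, not in this TCP session"),
    ("udp", 51820): ("WireGuard", ""),
    ("tcp", 9418): ("Git native", "plain-text; SSH (TCP/22) is the secure alternative"),
    ("udp", 161): ("SNMP query", "v1/v2 are plain-text; version is not visible from the port"),
    ("udp", 162): ("SNMP trap", "v1/v2 are plain-text; version is not visible from the port"),
    ("tcp", 22): ("SSH", ""),
    ("tcp", 443): ("TLS/443", "ambiguous: HTTPS, SSL VPN, OpenVPN over TCP or DNS over HTTPS"),
}
LOG_RE = re.compile(r"proto=(?P<proto>tcp|udp)\s+dport=(?P<port>\d+)")

def port_range(port):
    """Name the range (well-known / registered / dynamic) described in the introduction."""
    return "well-known" if port <= 1023 else "registered" if port <= 49151 else "dynamic"

def identify(proto, port):
    """Map a (proto, port) pair to a service label and a defender's note."""
    if proto == "tcp" and 6000 <= port <= 6063:  # X11 display N listens on TCP/6000+N
        return f"X11 display {port - 6000}", "plain-text; forward over SSH (TCP/22) instead"
    return SERVICES.get((proto, port), ("unknown", ""))

def triage(lines):
    """Parse firewall-style log lines and return one finding dict per parsable line."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # lines without proto/dport fields carry nothing to classify
        proto, port = m["proto"], int(m["port"])
        label, note = identify(proto, port)
        findings.append({"proto": proto, "port": port, "range": port_range(port),
                         "service": label, "note": note})
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE = [
    "2024-05-01T08:00:01Z allow src=10.0.0.5 dst=203.0.113.9 proto=udp dport=51820",
    "2024-05-01T08:00:02Z allow src=10.0.0.7 dst=10.0.0.20 proto=tcp dport=6001",
    "2024-05-01T08:00:03Z allow src=10.0.0.8 dst=10.0.0.21 proto=udp dport=161",
    "2024-05-01T08:00:04Z allow src=10.0.0.9 dst=198.51.100.4 proto=tcp dport=443",
    "2024-05-01T08:00:05Z allow src=10.0.0.9 dst=10.0.0.30 proto=tcp dport=9418",
]
```

Running `triage(SAMPLE)` shows that WireGuard's default port falls in the dynamic range of the introduction, and that the two plain-text findings (X11 and Git native) are the ones worth chasing first.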
Conclusion
Securing systems, and analyzing logs and traffic, are common activities for defenders. It is important to understand the different ports and protocols that are commonly used to not only successfully configure a system, but to be able to know when something is out of the ordinary, be it malicious or simply a misconfiguration. Hopefully, the lists above will be useful as study tools as well as “on the fly” references.
Daily Cuppa
Today’s cup of tea is Organic Earl Grey provided by Equal Exchange. Organic, fair trade, and bursting with bergamot. It is a wonderfully flavorful, yet simple and smooth, black tea to start the day.
If you found this article useful, or enjoy the site in general, feel free to buy the author a cup of tea.
The author is also available for hire.