Ports are logical numbers used by TCP/IP to identify what service or application should handle data received by a system. Do you know the differences between server ports and client ports? You should if you plan to take the Security+ exam. This post should help.
Here’s a sample Security+ practice test question:
Q. You recently learned that a network router has TCP ports 22 and 80 open, but the organization’s security policy mandates that these should not be accessible. What should you do?
A. Disable the FTP and HTTP services on the router.
B. Disable the DNS and HTTPS services on the router.
C. Disable the SSH and HTTP services on the router.
D. Disable the Telnet and Kerberos services on the router.
Can you answer the question? More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Combining the IP Address and the Port
At any moment, a computer could be receiving dozens of packets. Each of these packets includes a destination IP address and a destination port. TCP/IP uses the IP address to get the packet to the computer. The computer then uses the port number to get the packet to the correct service, protocol, or application that can process it.
For example, if the packet has a destination port of 80 (the well-known port for HTTP), the system passes the packet to the process handling HTTP. It wouldn’t do much good to pass an SMTP email packet to the HTTP service or send an HTTP request packet to the SMTP service.
IP Address Used to Locate Hosts
Imagine that the IP address of GetCertifiedGetAhead.com is 72.52.206.134, and the address assigned to your computer from your ISP is 70.150.56.80. TCP/IP uses these IP addresses to get the packets from your computer to the web server and the web server’s answer back to your computer.
There’s a lot more that occurs under the hood with TCP/IP (such as DNS, NAT, and ARP), but the main point is that the server’s IP address is used to get the requesting packet from your computer to the server. The server gets the response packets back to your computer using your IP address (or the IP address of your NAT server).
Server Ports
Different protocols are enabled and running on a server. These protocols have well-known or registered port numbers, such as port 22 for SSH, 23 for Telnet, 80 for HTTP, 443 for HTTPS, and so on. When the system receives traffic with a destination of port 80, the system knows to send it to the service handling HTTP.
Any web browser knows that the well-known port for HTTP is 80. Even though you don’t see port 80 in the URL, it is implied as http://GetCertifiedGetAhead.com:80. If you omit the port number, HTTP uses the well-known port number of 80 by default.
Popular web servers on the Internet include Apache and Internet Information Services (IIS). Apache is free and runs on Unix or Linux systems. Apache can also run on other platforms, such as Microsoft systems. IIS is included in Microsoft Server products, such as Windows Server 2008 and Windows Server 2012. All of these web servers use port 80 for HTTP. When the server receives a packet with a destination port of 80, the server sends the packet to the web server application (Apache or IIS) that processes it and sends back a response.
Client Ports
TCP/IP works with the client operating system to maintain a table of client-side ports. This table associates port numbers with different applications that are expecting return traffic. Client-side ports start at port 49,152 and increment up to 65,535. If the system uses all the ports between 49,152 and 65,535 before being rebooted, it’ll start over at 49,152.
When you use your web browser to request a page from a site, your system will record an unused client port number such as 49,152 in an internal table to handle the return traffic. When the web server returns the web page, it includes the client port as a destination port. When the client receives web page packets with a destination port of 49,152, it sends these packets to the web browser application. The browser processes the packets and displays the page.
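The server-port and client-port pairing described above can be observed with two loopback sockets. This is an added example, not part of the original post; the function name demo_port_pair is hypothetical, and the listener asks the OS for a free port only because binding port 80 normally requires administrator rights.

```python
import socket
import threading

def demo_port_pair():
    """Open one TCP connection over loopback and return
    (server_port, client_port, client_port_seen_by_server, reply)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Port 0 asks the OS for any free port. A real web server would bind
    # its well-known port (80) so that clients know where to find it.
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    server_port = server.getsockname()[1]
    seen = {}

    def serve():
        conn, peer = server.accept()      # peer = (client IP, client port)
        with conn:
            seen["peer_port"] = peer[1]
            conn.recv(1024)
            # The reply travels back with the client's port as its destination.
            conn.sendall(b"response to port %d" % peer[1])

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(("127.0.0.1", server_port), timeout=5) as client:
        # The client never chose this port: the OS took it from its configured
        # dynamic range (IANA's is 49152-65535; some systems use another range).
        client_port = client.getsockname()[1]
        client.sendall(b"GET / HTTP/1.0\r\n\r\n")
        reply = client.recv(1024)
    worker.join()
    server.close()
    return server_port, client_port, seen["peer_port"], reply

if __name__ == "__main__":
    sp, cp, peer, reply = demo_port_pair()
    print(f"server listened on {sp}; client used {cp}; server saw peer port {peer}")
    print(reply.decode())
```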
Q. You recently learned that a network router has TCP ports 22 and 80 open, but the organization’s security policy mandates that these should not be accessible. What should you do?
A. Disable the FTP and HTTP services on the router.
B. Disable the DNS and HTTPS services on the router.
C. Disable the SSH and HTTP services on the router.
D. Disable the Telnet and Kerberos services on the router.
Answer is C. You should disable the Secure Shell (SSH) and Hypertext Transfer Protocol (HTTP) services because they use TCP ports 22 and 80 by default.
File Transfer Protocol (FTP) uses ports 20 and 21. Domain Name System (DNS) uses port 53. Telnet uses port 23. Kerberos uses port 88.
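The check behind this question can be automated: list the listening TCP sockets, compare them with the ports the policy prohibits, and name the service to disable. The following is an added example, not from the original post. The sample listing is constructed in the column layout of `ss -tln`, and it treats a listener bound only to a loopback address as not accessible from the network, which is an assumption about how the policy is read.

```python
import ipaddress

# Well-known TCP ports named on this page.
SERVICES = {20: "FTP (data)", 21: "FTP (control)", 22: "SSH", 23: "Telnet",
            53: "DNS", 80: "HTTP", 88: "Kerberos", 443: "HTTPS"}

# Constructed sample in the layout of `ss -tln` (not captured from a real device).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     *:80                *:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       4096    127.0.0.1:53        0.0.0.0:*
LISTEN  0       128     192.0.2.1:443       0.0.0.0:*
"""

def parse_listeners(text):
    """Yield (bind_address, port) for every LISTEN row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue                                  # header or blank line
        addr, _, port = fields[3].rpartition(":")     # last colon separates the port
        yield addr.strip("[]").split("%")[0], int(port)

def is_loopback_only(addr):
    """True when the socket is bound to a loopback address only."""
    if addr == "*":                                   # wildcard: every interface
        return False
    return ipaddress.ip_address(addr).is_loopback

def policy_violations(text, prohibited):
    """Return sorted (port, service, bind_address) for reachable prohibited listeners."""
    findings = set()
    for addr, port in parse_listeners(text):
        if port in prohibited and not is_loopback_only(addr):
            findings.add((port, SERVICES.get(port, "unknown"), addr))
    return sorted(findings)

if __name__ == "__main__":
    for port, service, addr in policy_violations(SAMPLE_SS, {22, 80}):
        print(f"TCP {port} ({service}) is listening on {addr}: disable the service")
```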
You may also like this post on Security+ Ports. It includes tables matching many protocols with their well-known ports and also identifies whether each one uses TCP or UDP.
The Identifying Ports in Logs post combines information related to the TCP three-way handshake. It helps you understand the direction of the traffic (to or from the server) by identifying the elements (syn, syn/ack, ack) in the handshake within a log entry.