Although ports are second nature to router and firewall administrators, they might not be so familiar to you. If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of ports. This includes using source and destination ports.
For example, can you answer this question?
Q. Which type of device would have the following entries used to define its operation?
permit IP any any eq 80
permit IP any any eq 443
deny IP any any
A. Firewall
B. Layer 2 switch
C. Proxy server
D. Web server
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Ports are logical numbers used by TCP/IP to identify what service or application should handle data received by a system. Both TCP and UDP use ports with a total of 65,536 TCP ports (0 to 65,535) and 65,536 UDP ports (0 to 65,535). Administrators open ports on firewalls and routers to allow the associated protocol into or out of a network. For example, HTTP uses port 80, and an administrator allows HTTP traffic by opening port 80.
Additionally, administrators disable unnecessary ports and services as part of a basic security practice. These ports and services are associated with specific protocols and if they are disabled, it blocks any attacks on these ports, services, and protocols.
The Internet Assigned Numbers Authority (IANA) maintains a list of official port assignments that you can view at https://www.iana.org/assignments/port-numbers.
Although virtually all the ports are subject to attack, most port attacks are against the well- known ports. Port scanners often simply check to see if a well-known port is open. For example, SMTP uses the well-known port 25, so if port 25 is open, the system is likely running SMTP.
Network administrators who regularly work with routers and firewalls can easily tell you which protocol is associated with which well-known port, such as 20, 21, 22, 23, 25, 80, or 443. The reason is that they use these ports to allow or block traffic.
For example, an administrator can close port 25 to block all SMTP traffic into a network. The router then ignores traffic on port 25 instead of forwarding it. Similarly, an administrator can close port 1433 to block database traffic to a Microsoft SQL server. On the other hand, the administrator can open port 25 to allow SMTP traffic.
Using Source and Destination Ports
Imagine that you decide to visit the web site http://GetCertifiedGetAhead.com using your web browser so you type the URL into the browser, and the web page appears. Here are the details of what is happening. The figure provides an overview of how this will look and the following text explains the process.
Using source and destination ports
Your computer creates a packet with source and destination IP addresses and source and destination ports. It queries a DNS server for the IP address of GetCertifiedGetAhead.com and learns that the IP address is 72.52.206.134. Additionally, your computer will use its IP address as the source IP address. For this example, imagine your computer’s IP address is 70.150.56.80.
Because the web server is serving web pages using HTTP and the well-known port is used, the destination port is 80. Your computer will identify an unused port in the dynamic and private ports range (a port number between 49,152 and 65,535) and map that port to the web browser. For this example, imagine it assigns 49,152 to the web browser. It uses this as the source port.
At this point, the packet has both destination and source data as follows:
• Destination IP address: 72.52.206.134 (the web server)
• Destination port: 80
• Source IP address: 70.150.56.80 (your computer)
• Source port: 49,152
TCP/IP uses the IP address (72.52.206.134) to get the packet to the GetCertifiedGetAhead web server. When it reaches the web server, the server looks at the destination port (80) and determines that the packet needs to go to the web server program servicing HTTP. The web server creates the page and puts the data into one or more return packets. At this point, the source and destinations are swapped because the packet is coming from the server back to you:
• Destination IP address: 70.150.56.80 (your computer)
• Destination port: 49,152
• Source IP address: 72.52.206.134 (the web server)
• Source port: 80
Again, TCP/IP uses the IP address to get the packets to the destination, which is your computer at this point. Once the packets reach your system, it sees that port 49,152 is the destination port. Because your system mapped this port to your web browser, it sends the packets to the web browser, which displays the web page.
Importance of Ports in Security
Routers, and the routing component of firewalls, filter packets based on IP addresses, ports, and some protocols such as ICMP or IPsec. Because many protocols use well-known ports, you can control protocol traffic by allowing or blocking traffic based on the port.
In the previous example, the client firewall must allow outgoing traffic on port 80. Firewalls automatically determine the client ports used for return traffic, and if they allow the outgoing traffic, they allow the return traffic. In other words, because the firewall allows the packet going to the web server on the destination port 80, it also allows the web page returning on the dynamic source port of 49,152.
Note that the client firewall doesn’t need to allow incoming traffic on port 80 for this to work. The web client isn’t hosting a web server with HTTP, so the client firewall would block incoming traffic on port 80. However, the firewall that is filtering traffic to the web server needs to allow incoming traffic on port 80.
You can apply this same principle for any protocol and port. For example, if you want to allow SMTP traffic, you create a rule on the firewall to allow traffic on port 25. IT professionals modifying access control lists (ACLs) on routers and firewalls commonly refer to this as opening a port to allow traffic or closing a port to block traffic.
Q. Which type of device would have the following entries used to define its operation?
permit IP any any eq 80
permit IP any any eq 443
deny IP any any
A. Firewall
B. Layer 2 switch
C. Proxy server
D. Web server
Answer is A. These are rules in an access control list (ACL) for a firewall. The first two rules indicate that traffic from any IP address, to any IP address, using ports 80 or 443 is permitted or allowed.
The final rule is also known as an implicit deny rule and is placed last in the ACL. It ensures that all traffic that hasn’t been previously allowed is denied.
Layer 2 switches do not use ACLs.
A proxy server would not use an ACL, although it would use ports 80 and 443 for Hypertext Transfer Protocol (HTTP) and HTTP Secure (HTTPS), respectively.
A web server wouldn’t use an ACL, although it would also use ports 80 and 443.
See Chapter 3 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on basic networking concepts.