1.5 Explain common ports and protocols, their application, and encrypted alternatives. Flashcards

1
Q

Intro to IP: A Series of Moving Vans

A
  • Efficiently move large amounts of data
    – Use a shipping truck
  • The network topology is the road
    – Ethernet, DSL, coax cable
  • The truck is the Internet Protocol (IP)
    – We’ve designed the roads for this truck
  • The boxes hold your data
    – Boxes of TCP and UDP
  • Inside the boxes are more things
    – Application information
2
Q

TCP and UDP

A
  • Transported inside of IP
    – Encapsulated by the IP protocol
  • Two ways to move data from place to place
    – Different features for different applications
  • OSI Layer 4
    – The transport layer
  • Multiplexing
    – Use many different applications
    at the same time
3
Q

TCP - Transmission Control Protocol

A
  • Connection-oriented
    – A formal connection setup and close
  • “Reliable” delivery
    – Recovery from errors
    – Can manage out-of-order messages
    or retransmissions
  • Flow control
    – The receiver can manage how much data is sent
4
Q

UDP - User Datagram Protocol

A
  • Connectionless
    – No formal open or close to the connection
  • “Unreliable” delivery
    – No error recovery
    – No reordering of data or retransmissions
  • No flow control
5
Q

Lots of Ports

A

  • IPv4 sockets
    – Server IP address, protocol,
    server application port number
    – Client IP address, protocol, client port number
  • Non-ephemeral ports – permanent port numbers
    – Ports 0 through 1,023
    – Usually on a server or service
  • Ephemeral ports – temporary port numbers
    – Ports 1,024 through 65,535
    – Determined in real-time by the clients

6
Q

Port Numbers

A
  • TCP and UDP ports can be any number
    between 0 and 65,535
  • Most servers (services) use non-ephemeral
    (not-temporary) port numbers
    – This isn’t always the case - it’s just a number.
  • Port numbers are for communication, not security
  • Service port numbers need to be “well known”
  • TCP port numbers aren’t the same as UDP port numbers
7
Q

ICMP

A
  • Internet Control Message Protocol
    – “Text messaging” for your network devices
  • Another protocol carried by IP - Not used for data transfer
  • Devices can request and reply to administrative requests
    – Hey, are you there? / Yes, I’m right here.
  • Devices can send messages when things don’t go well
    – That network you’re trying to reach
    is not reachable from here
    – Your time-to-live expired, just letting you know
8
Q

Telnet

A
  • Telnet – Telecommunication Network - tcp/23
  • Login to devices remotely
  • Console access
  • In-the-clear communication
  • Not the best choice for production systems
9
Q

SSH - Secure Shell

A
  • Encrypted communication link - tcp/22
  • Looks and acts the same as Telnet
10
Q

DNS - Domain Name System

A
  • Converts names to IP addresses - udp/53
    – www.professormesser.com = 162.159.246.164
    – Large transfers may use tcp/53
  • These are very critical resources
    – Usually multiple DNS servers are in production
11
Q

SMTP - Simple Mail Transfer Protocol

A
  • SMTP - Simple Mail Transfer Protocol
    – Server to server email transfer - tcp/25
  • Also used to send mail from a device to a mail server
    – Commonly configured on mobile devices
    and email clients
  • Other protocols are used for clients to receive email
    – IMAP, POP3
12
Q

POP/IMAP

A
  • Receive emails from an email server
    – Authenticate and transfer
  • POP3 - Post office Protocol version 3 - tcp/110
    – Basic mail transfer functionality
  • IMAP4 - Internet Message Access Protocol v4 - tcp/143
    – Manage email inbox from multiple clients
13
Q

SFTP - Secure FTP

A
  • Uses the SSH File Transfer Protocol - tcp/22
  • Provides file system functionality
    – Resuming interrupted transfers, directory listings,
    remote file removal
14
Q

File transfer application protocols

A
  • FTP – File Transfer Protocol
    – tcp/20 (active mode data), tcp/21 (control)
    – Transfers files between systems
    – Authenticates with a username and password
    – Full-featured functionality (list, add, delete, etc.)
  • TFTP – Trivial File Transfer Protocol
    – udp/69
    – Very simple file transfer application
    – Read files and write files
    – No authentication - Not used on production systems
15
Q

DHCP - Dynamic Host Configuration Protocol

A
  • Automated configuration of IP address,
    subnet mask and other options
    – udp/67, udp/68 - Requires a DHCP server
  • Dynamic / pooled
    – IP addresses are assigned in real-time from a pool
    – Each system is given a lease
    – Must renew at set intervals
  • Reserved
    – Addresses are assigned by MAC address
    – Quickly manage addresses from one location
16
Q

HTTP and HTTPS

A

  • Hypertext Transfer Protocol - HTTP tcp/80, HTTPS tcp/443
    – Communication in the browser
    – And by other applications
  • In the clear or encrypted
    – Supported by nearly all web servers and clients

17
Q

SNMP - Simple Network Management Protocol

A
  • Gather statistics from network devices
    – udp/161
  • v1 – The original
    – Structured tables, in-the-clear
  • v2 – A good step ahead
    – Data type enhancements, bulk transfers
    – Still in-the-clear
  • v3 – The new standard
    – Message integrity, authentication, encryption
18
Q

Syslog

A
  • Standard for message logging
    – Diverse systems, consolidated log
    – udp/514
  • Usually a central log collector
    – Integrated into the SIEM
  • You’re going to need a lot of disk space
    – Data storage from many devices over
    an extended timeframe
19
Q

RDP - Remote Desktop Protocol

A
  • Share a desktop from a remote location over tcp/3389
  • Remote Desktop Services on many Windows versions
  • Can connect to an entire desktop or just an application
  • Clients for Windows, MacOS, Linux, iPhone, and others
20
Q

NTP - Network Time Protocol

A
  • Switches, routers, firewalls, servers, workstations
    – Every device has its own clock - udp/123
  • Synchronizing the clocks becomes critical
    – Log files, authentication information, outage details
  • Automatic updates
    – No flashing 12:00 lights
  • Flexible - You control how clocks are updated
  • Very accurate
    – Accuracy is better than 1 millisecond
21
Q

SIP - Session Initiation Protocol

A
  • Voice over IP (VoIP) signaling
    – tcp/5060 and tcp/5061
  • Setup and manage VoIP sessions
    – Call, ring, hang up
  • Extend voice communication
    – Video conferencing, instant messaging,
    file transfer, etc
22
Q

SMB - Server Message Block

A
  • Protocol used by Microsoft Windows
    – File sharing, printer sharing
    – Also called CIFS (Common Internet File System)
  • Direct over tcp/445 (NetBIOS-less)
    – Direct SMB communication over TCP
23
Q

LDAP/LDAPS

A
  • LDAP (Lightweight Directory Access Protocol) - tcp/389
    – Store and retrieve information in a network directory
  • LDAPS (LDAP Secure) - tcp/636
    – A non-standard implementation of LDAP over SSL
    – Still in use today
24
Q

Databases

A
  • Microsoft SQL Server
    – MS-SQL (Microsoft Structured Query Language)
    – tcp/1433
  • Oracle SQL *Net
    – Also called Oracle Net or Net8 - tcp/1521
  • MySQL – Free and open-source database
    – Ultimately acquired by Oracle - tcp/3306
25
Q

ICMP

A
  • Internet Control Message Protocol
    – “Text messaging” for your network devices
  • Another protocol carried by IP
    – Not used for data transfer
  • Devices can request and reply
    to administrative requests
    – Hey, are you there? / Yes, I’m right here.
  • Devices can send messages when things don’t go well
    – That network you’re trying to reach
    is not reachable from here
    – Your time-to-live expired, just letting you know
26
Q

GRE

A
  • Generic Routing Encapsulation
    – The “tunnel” between two endpoints
  • Encapsulate traffic inside of IP
    – Two endpoints appear to be directly
    connected to each other
    – No built-in encryption
27
Q

AH (Authentication Header)

A
  • Data integrity
  • Origin authentication
  • Replay attack protection
  • Keyed-hash mechanism
  • No confidentiality/encryption
28
Q

VPNs

A
  • Virtual Private Networks
    – Encrypted (private) data traversing a public network
  • Concentrator
    – Encryption/decryption access device
    – Often integrated into a firewall
  • Many deployment options
    – Specialized cryptographic hardware
    – Software-based options available
  • Used with client software
    – Sometimes built into the OS
29
Q

IPSec (Internet Protocol Security)

A

  • Security for OSI Layer 3
    – Authentication and encryption for every packet
  • Confidentiality and integrity/anti-replay
    – Encryption and packet signing
  • Very standardized
    – Common to use multi-vendor implementations
  • Two core IPSec protocols
    – Authentication Header (AH)
    – Encapsulating Security Payload (ESP)

30
Q

IPsec Transport mode and Tunnel mode: AH and ESP

A
  • Combine the data integrity of AH
    with the confidentiality of ESP