What ports can I use? How to check TCP connections (open ports) on a Windows computer

In computer networking, a port is a communication endpoint in the operating system. The term also applies to hardware devices, but in software it refers to a logical construct that identifies a particular type of service or process. A port is always associated with the IP address of a host and with a transport protocol; together they complete the address of a communication session. For each protocol and address, a port is identified by a 16-bit number, the port number. Specific port numbers are commonly used to identify specific services: of the several thousand listed, the 1,024 well-known port numbers are reserved by convention and denote specific types of service on a host. The protocols that primarily use ports are the transport protocols, such as the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) of the Internet Protocol suite.

Purpose

Ports were not needed on direct point-to-point links where the computer at each end could run only one program at a time. The need for them arose once machines could execute several programs at the same time and were connected to modern packet-switched networks. In the client-server model, applications and network clients connect to a port to initiate a service. After the initial exchange has been associated with a well-known port number, the server frees that port by moving each instance of the service to a dedicated connection on a different port. Further clients can then be served without waiting; this is the multiplexing that ports provide.

Details

TCP and UDP both carry a source and a destination port number in their segment headers. A port number is an unsigned 16-bit integer, so it can range from 0 to 65535; TCP, however, cannot use port 0. For UDP the source port is optional, and a value of zero means it is absent. A process associates its input or output channels with a transport protocol, a port number and an IP address through an Internet socket; this is known as binding, and it lets the process send and receive data over the network. The operating system's network software transmits outgoing data from all application ports to the network and delivers incoming packets to the right process by matching the packet's IP address and port number. Only one process can be bound to a given combination of IP address, port and transport protocol at a time; when several programs try to use the same port number on the same IP address with the same protocol, the result is an application failure known as a port conflict.

How they are applied

Applications that implement common services commonly use a specially reserved, well-known UDP or TCP port number to receive client service requests. This is known as listening: the server receives a request on the well-known port and then establishes a one-to-one dialogue with the client, using the same local port number. Other clients can continue to connect, because a TCP connection is identified by the combination of local and remote addresses and ports. Well-known TCP and UDP ports are defined by convention and overseen by the Internet Assigned Numbers Authority (IANA). As a rule, core network services, above all the World Wide Web, use small port numbers below 1024. In many operating systems, applications require special privileges to bind to these ports, because they are considered critical to the operation of IP networks. The client end of a connection, on the other hand, usually uses a higher port number set aside for short-term use; these are the so-called ephemeral ports.

Structure

Port numbers are encoded in the header of the transport-layer packet, so they can be interpreted not only by the sending and receiving computers but also by other components of the network infrastructure. Firewalls in particular are typically configured to treat packets differently depending on their source and destination port numbers; port forwarding is a classic example of this. Attempting to connect in sequence to a range of ports on the same computer is known as port scanning. It is usually associated either with malicious cracking attempts or with network administrators looking for possible vulnerabilities in order to prevent such attacks. Connection attempts to a port are frequently logged and monitored by the host; port knocking, for example, uses a predefined sequence of connection attempts from a client to unlock a connection to the server.

Example uses

The main example in which TCP and UDP ports are actively used is the Internet mail system. A mail server generally needs two services. The first transports email to and from other servers using the Simple Mail Transfer Protocol (SMTP); the SMTP service typically listens on TCP port 25 for incoming requests. The second is POP or IMAP, which email client applications on users' machines use to retrieve messages from the server; POP services listen on TCP port 110. All of these services can run on the same host, in which case the port number distinguishes which service a remote device is requesting. While the server's listening port is fixed, the client's port is chosen from the dynamic range. In some cases the client and the server each use a specific port assigned by IANA. DHCP is a good example: the client always uses UDP port 68 and the server UDP port 67.

Usage in URLs

Port numbers are sometimes visible on the Internet in Uniform Resource Locators (URLs). HTTP defaults to TCP port 80 and HTTPS to port 443, but other values occur: the URL http://www.example.com:8080/path, for example, tells the web browser to connect to the HTTP server on port 8080 instead of 80.

List of UDP and TCP ports

As noted earlier, IANA, the Internet Assigned Numbers Authority, is responsible for the global coordination of the DNS root, IP addressing and other Internet Protocol resources, including the registration of frequently used ports for well-known Internet services. Port numbers are divided into three ranges: well-known, registered, and private or dynamic. Well-known ports are those numbered 0 to 1023; they are also called system ports. The requirements for new assignments in this range are more stringent than for other registrations.

Examples

Examples of ports in the well-known range include:

  • TCP 443 - HTTPS;
  • 21 - File Transfer Protocol (FTP);
  • 22 - Secure Shell (SSH);
  • 25 - Simple Mail Transfer Protocol (SMTP);
  • 53 - Domain Name System (DNS);
  • 119 - Network News Transfer Protocol (NNTP);
  • 80 - Hypertext Transfer Protocol (HTTP);
  • 143 - Internet Message Access Protocol (IMAP);
  • 123 - Network Time Protocol (NTP);
  • 161 - Simple Network Management Protocol (SNMP).

Registered ports are numbered 1024 to 49151. IANA maintains an official listing of all well-known and registered assignments. Private or dynamic ports range from 49152 to 65535; one use of this range is for ephemeral ports.

History of creation

The concept of port numbers was developed by the early creators of the ARPANET through an informal collaboration between software authors and system administrators. At that time the term "port number" was not yet used; the remote host's socket number was a 40-bit quantity whose first 32 bits resembled today's IPv4 address, with the first 8 bits being the most significant. The less significant part of the number (bits 33 through 40) denoted an object called AEN, the prototype of the modern port number. A directory of socket numbers was first proposed on March 26, 1972. Network administrators were encouraged to describe each permanent number in terms of network services and functions, and the directory was subsequently published in RFC 433 in the winter of 1972; it included a list of hosts, their port numbers, and the corresponding function used by each node on the network. Official port numbers were first documented in May 1972, when a special administrative function for maintaining this register was also proposed. The first list of port numbers included 256 AEN values, divided into the following ranges:

- from 0 to 63 - standard functions of the entire network;

- from 64 to 127 - host-specific functions;

- from 128 to 239 - functions reserved for future use;

- from 240 to 255 - any experimental function.

In the early days of the ARPANET, AEN also referred to the name of the socket used with the original connection protocol and the Network Control Program (NCP) component. NCP was the precursor to the modern Internet protocols that use TCP/IP ports.

UDP APPLICATIONS

Among many other applications, UDP carries the Trivial File Transfer Protocol (TFTP), the Simple Network Management Protocol (SNMP) and the Routing Information Protocol (RIP).

TFTP (Trivial File Transfer Protocol) is a smaller application than the File Transfer Protocol (FTP). It is mainly used to copy and install an operating system on a computer from a file server, and more generally for simple file transfers on a network. TFTP includes its own error and sequencing control mechanism and therefore does not need additional services at the transport layer.

SNMP (Simple Network Management Protocol) monitors and manages networks and the devices attached to them, and collects information about network performance. SNMP exchanges protocol data unit (PDU) messages that let network management software monitor devices on a network.

RIP (Routing Information Protocol) is an interior routing protocol, meaning it is used within an organization rather than on the Internet.

TCP APPLICATIONS

Among many other applications, TCP carries FTP, Telnet and the Simple Mail Transfer Protocol (SMTP).

FTP (File Transfer Protocol) is a full-featured application used to copy files: a client application running on one computer connects to an FTP server application on another, remote computer. With this application, files can be both retrieved and sent.

Telnet establishes terminal sessions with a remote device, usually a UNIX host, router or switch. This gives the network administrator control over the device as if it were nearby and attached to the computer's serial console port. Telnet's usefulness is limited to systems with a character-mode command interface; it does not support managing a graphical user environment.

SMTP (Simple Mail Transfer Protocol) is a mail transfer protocol for the Internet. It supports the transfer of email messages between mail clients and mail servers.

WELL KNOWN PORTS
Well-known ports are assigned by IANA and range from 0 to 1023. They are assigned to applications that are essential to the Internet.

REGISTERED PORTS
Registered ports are catalogued by IANA and range from 1024 to 49151. These ports are used by licensed applications such as Lotus Mail.

DYNAMICALLY ASSIGNABLE PORTS
The dynamically assigned ports are numbered from 49152 to 65535. The numbers for these ports are dynamically assigned for the duration of a specific session.

Sources: Wikipedia, Microsoft, portscan.ru

How can I find out which ports are open on my computer?

  1. On Windows: Start → type "cmd" → Run as administrator → run "netstat -bn".
  2. Antivirus software such as Avast can show active ports in its firewall: Tools -> Firewall -> Network Connections.

Other useful netstat commands:

To display both the Ethernet statistics and the statistics for all protocols, type the following command:

netstat -e -s

To display the statistics for only the TCP and UDP protocols, type the following command:

netstat -s -p tcp udp

To display active TCP connections and the process IDs every 5 seconds, type the following command:

netstat -o 5

To display active TCP connections and the process IDs using numerical form, type the following command:

netstat -n -o

The following state values are valid for TCP sockets:

CLOSED        Closed. The socket is not in use.
LISTEN (LISTENING)  Waiting for incoming connections.
SYN_SENT      Actively trying to establish a connection.
SYN_RECEIVED  Initial connection synchronization is in progress.
ESTABLISHED   The connection has been established.
CLOSE_WAIT    The far end has disconnected; waiting for the socket to close.
FIN_WAIT_1    The socket is closed; disconnecting the connection.
CLOSING       The socket is closed, then the remote side disconnected; waiting for confirmation.
LAST_ACK      The remote side disconnected, then the socket is closed; waiting for confirmation.
FIN_WAIT_2    The socket is closed; waiting for the remote side to disconnect.
TIME_WAIT     The socket is closed, but is waiting for packets still on the network to be processed.
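Going from the raw netstat listing to a short list of ports worth reviewing means parsing the output and classifying each listener. The Python script below is an added example, not from this page or from Microsoft: it parses a constructed sample of netstat -ano output (the Windows column layout, with PIDs), classifies each port by the IANA ranges described earlier, counts TCP sockets per state, and reports only the listeners bound to a non-loopback address, since those are the ones reachable from the network. The sample lines and the small service-name mapping are constructed for the example.

```python
from collections import Counter

# Constructed sample of `netstat -ano` output from a Windows host; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3124
  TCP    192.168.0.161:3389     192.168.0.20:52117     ESTABLISHED     1044
  TCP    192.168.0.161:49702    93.184.216.34:443      TIME_WAIT       0
  TCP    [::]:135               [::]:0                 LISTENING       888
  UDP    0.0.0.0:68             *:*                                    1200
  UDP    127.0.0.1:53           *:*                                    3120
"""

# Illustrative names for a few ports discussed in this article (constructed mapping).
KNOWN_SERVICES = {53: "DNS", 68: "DHCP client", 135: "RPC endpoint mapper",
                  445: "SMB", 3389: "RDP"}


def split_endpoint(endpoint):
    """'ip:port' or '[ipv6]:port' -> (ip, port); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn the text table into records. UDP rows have no State column."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header and blank lines
        proto = parts[0]
        local_ip, local_port = split_endpoint(parts[1])
        remote_ip, remote_port = split_endpoint(parts[2])
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        records.append({"proto": proto, "local_ip": local_ip, "local_port": local_port,
                        "remote_ip": remote_ip, "remote_port": remote_port,
                        "state": state, "pid": pid})
    return records


def port_range(port):
    """IANA range of a port number, as described in the article."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def exposed_listeners(records):
    """Sockets that accept traffic from the network: TCP in LISTENING state, or any
    bound UDP socket, on an address other than loopback. Deduplicated by
    (proto, port, pid) so the IPv4 and IPv6 listeners of one service count once."""
    found = set()
    for r in records:
        listening = r["state"] == "LISTENING" if r["proto"] == "TCP" else True
        if listening and not is_loopback(r["local_ip"]):
            found.add((r["proto"], r["local_port"], r["pid"]))
    return sorted(found)


def tcp_state_counts(records):
    """How many TCP sockets are in each state (LISTENING, ESTABLISHED, TIME_WAIT, ...)."""
    return Counter(r["state"] for r in records if r["proto"] == "TCP")


def report(text):
    """One line per network-reachable listener: the list to review when closing ports."""
    lines = []
    for proto, port, pid in exposed_listeners(parse_netstat(text)):
        name = KNOWN_SERVICES.get(port, "unknown service")
        lines.append(f"{proto} {port} ({port_range(port)}, {name}) PID {pid}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NETSTAT)))
    print(dict(tcp_state_counts(parse_netstat(SAMPLE_NETSTAT))))
```

The loopback-only listeners (8080 and UDP 53 in the sample) are left out of the report on purpose: they cannot be reached from other machines, so they do not add to the attack surface in the way a 0.0.0.0 or [::] listener does. To use the script on a real host, replace SAMPLE_NETSTAT with the saved output of netstat -ano.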

List of most used ports

Network ports reveal a great deal about the applications that access computers over a network. If you know which applications are using the network and which network ports they use, you can write precise firewall rules and configure hosts to allow only useful traffic. By building a network profile and deploying tools that recognize network traffic, you can detect intruders more effectively, sometimes just by analyzing the traffic they generate. We began this topic in the first part of the article, published in the previous issue of the journal, which gave basic information about TCP/IP ports as the foundation of network security. In this second part, I describe some network- and host-based methods for determining which applications are listening on the network; the rest of the article discusses how to assess the traffic passing through the network.

Blocking network applications

"Network attack surface" is the accepted term for a network's exposure to attack. Many attacks come in through vulnerable applications, so the attack surface can be reduced significantly by reducing the number of active applications on the network. In other words: disable unused services, put a firewall on a dedicated system to check the legitimacy of traffic, and create a comprehensive access control list (ACL) for the firewall at the network perimeter.

Each open network port represents an application listening on the network. The attack surface of every server on the network can be reduced by disabling all optional network services and applications. Windows Server 2003 improves on earlier versions of the operating system because fewer network services are enabled by default, but auditing is still necessary to detect newly installed applications and configuration changes that open unnecessary network ports.

Each open port is a potential entry point for attackers, whether they exploit a flaw in the listening application or log in to it with another user's name and password (or some other legitimate authentication method). Either way, an important first step in securing your network is simply to disable unused network applications.

Port scan

Port scanning is the process of detecting listening applications by actively probing the network ports of a computer or other network device. Knowing how to read scan results, and comparing the network-side report with the host's own port listing, gives you a clear picture of the traffic passing through the network. Knowledge of the network topology is essential for planning which areas to scan. For example, scanning your range of external IP addresses shows you what an intruder on the Internet would see. You should therefore scan your network regularly and close all optional network ports.

A port scan from outside the firewall detects every responding service (such as Web or email) hosted on internal servers; those servers must be protected too. Configure a port scanner you are familiar with (for example, Network Mapper, Nmap) to check the desired group of UDP or TCP ports. A TCP port scan is generally more reliable than a UDP scan because connection-oriented TCP gives richer feedback. There are versions of Nmap for both Windows and Unix. The basic scan is easy to start, although the program implements far more complex functions. To find the open ports on the test computer, I ran the command

nmap 192.168.0.161

Figure 1 shows the results of the scan session, in this case against a Windows 2003 computer in a standard configuration. The scan shows six open TCP ports.

Port   Protocol      Description
20     FTP data      File Transfer Protocol, data port.
21     FTP control   File Transfer Protocol, command port.
22     SSH           Secure Shell. Protocol for remote control of an operating system.
23     Telnet        Terminal Network. Protocol for a text interface over a network.
25     SMTP          Simple Mail Transfer Protocol.
42     WINS          Windows Internet Name Service. Maps NetBIOS computer names to host IP addresses.
43     Whois         "Who is". Protocol for obtaining registration data about the owners of domain names and IP addresses.
53     DNS           Domain Name System.
67     DHCP          Dynamic Host Configuration Protocol. Obtaining a dynamic IP address.
69     TFTP          Trivial File Transfer Protocol, a simple file transfer protocol.
80     HTTP/Web      Hypertext Transfer Protocol.
110    POP3          Post Office Protocol version 3, for receiving email.
115    SFTP          SSH File Transfer Protocol. Secure data transfer protocol.
123    NTP           Network Time Protocol. Synchronizes the computer's internal clock.
137    NetBIOS       Network Basic Input/Output System. Name service.
138    NetBIOS       Network Basic Input/Output System. Connection service.
139    NetBIOS       Network Basic Input/Output System. Session service.
143    IMAP          Internet Message Access Protocol. Application-layer protocol for email access.
161    SNMP          Simple Network Management Protocol. Device management.
179    BGP           Border Gateway Protocol. Dynamic routing protocol.
443    HTTPS         Hypertext Transfer Protocol Secure, HTTP with encryption.
445    SMB           Server Message Block. Remote access to files, printers and network resources.
514    Syslog        System Log. Protocol for sending and recording messages about system events.
515    LPD           Line Printer Daemon. Remote printing protocol.
993    IMAP SSL      IMAP with SSL encryption.
995    POP3 SSL      POP3 with SSL encryption.
1080   SOCKS         SOCKet Secure. Protocol for secure anonymous access.
1194   OpenVPN       Open-source implementation of Virtual Private Network (VPN) technology.
1433   MSSQL         Microsoft SQL Server database access port.
1702   L2TP (IPsec)  Virtual private network tunnelling protocol, with a protocol suite for data protection.
1723   PPTP          Tunnelling protocol for secure point-to-point connections to a server.
3128   Proxy         Currently often used by proxy servers.
3268   LDAP          Lightweight Directory Access Protocol (directory service).
3306   MySQL         Access to MySQL databases.
3389   RDP           Remote Desktop Protocol for Windows.
5432   PostgreSQL    Access to PostgreSQL databases.
5060   SIP           Session protocol for establishing sessions and transferring multimedia content.
5900   VNC           Virtual Network Computing, remote access to a computer desktop.
5938   TeamViewer    Remote control and data exchange support system.
8080   HTTP/Web      Alternative port for HTTP. Sometimes used by proxy servers.
10000  NDMP          Popular port: Webmin, SIP voice, VPN IPsec over TCP.
20000  DNP

Figure 1: A Basic Nmap Scan Session (the screenshot is not reproduced in this text)
  • Port 135 is used by the RPC endpoint mapper of many Windows technologies, for example COM/DCOM applications, DFS, event logs, file replication, message queuing and Microsoft Outlook. This port should be blocked at the perimeter firewall, but it is difficult to close on the host while keeping Windows functional.
  • Port 139 is used by the NetBIOS Session Service, which supports the Computer Browser (Find Other Computers), File Sharing, Net Logon and Server services. It is as difficult to close as port 135.
  • Port 445 is used by Windows file sharing. To close this port, you must disable File and Printer Sharing for Microsoft Networks. Closing it does not prevent the computer from connecting to other remote resources; however, other computers will no longer be able to connect to this system.
  • Ports 1025 and 1026 are opened dynamically and used by other Windows system processes, in particular by various services.
  • Port 3389 is used by Remote Desktop, which is not enabled by default but was active on my test computer. To close the port, go to the Remote tab of the System Properties dialog and clear the "Allow users to connect remotely to this computer" check box.

Be sure to search for open UDP ports as well and close the unnecessary ones. A port scanner shows the open ports of a computer as they are visible from the network; similar results can be obtained with tools run on the host system itself.

Host scan

In addition to using a network port scanner, open ports on the host system can be detected using the following command (run on the host system):

netstat -an

This command works on both Windows and UNIX. Netstat lists the active ports on the computer. On Windows Server 2003 and Windows XP, add the -o parameter to also get the corresponding process identifier (PID). Figure 2 shows the Netstat output for the same computer that was port-scanned earlier. Note that several ports that were active before are now closed.
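The comparison the text makes between the Nmap result (Figure 1) and the host's own netstat listing (Figure 2) can be automated. The following Python script is an added example, not code from the article or from Nmap: it parses a constructed sample in Nmap's grepable (-oG) output layout, compares the ports seen open from the network with a constructed set of (protocol, port) pairs that netstat reported as listening on the same host, and separates the three cases a reviewer cares about: ports confirmed from both sides, ports open from the network without a current listener (such as the dynamically assigned ports mentioned above, which may have closed between the two checks), and listeners that are not reachable from the network (filtered by a firewall or bound to loopback). The host address, port numbers and the listener set are constructed for the example.

```python
# Constructed nmap grepable (-oG) output for the test host; not a real scan capture.
SAMPLE_NMAP_OG = """\
# Nmap scan report (constructed sample)
Host: 192.168.0.161 ()\tStatus: Up
Host: 192.168.0.161 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 1025/open/tcp//NFS-or-IIS///, 1026/open/tcp//LSA-or-nterm///, 3389/open/tcp//ms-wbt-server///, 80/closed/tcp//http///\tIgnored State: closed (993)
"""

# Constructed host-side view: (proto, port) pairs that a later `netstat -an` on the
# same host reported as LISTENING. 1025/1026 are gone; 5357 is new but unreachable.
HOST_LISTENERS = {("tcp", 135), ("tcp", 139), ("tcp", 445), ("tcp", 3389), ("tcp", 5357)}


def parse_nmap_grepable(text):
    """Return {host_ip: {(proto, port), ...}} of the ports nmap reported as open.

    In -oG output each host line is tab-separated; the 'Ports:' field holds
    comma-separated entries of the form port/state/proto/owner/service/rpc/version/.
    """
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # status-only line
        for entry in ports_field[len("Ports:"):].split(","):
            port, state, proto = entry.strip().split("/")[:3]
            if state == "open":
                open_ports.setdefault(host, set()).add((proto, int(port)))
    return open_ports


def reconcile(scan_view, host_view):
    """Compare the network view of a host with the host's own listener list."""
    return {
        "confirmed": scan_view & host_view,
        "open_without_listener": scan_view - host_view,
        "listener_not_reachable": host_view - scan_view,
    }


def explain(result):
    """Human-readable follow-up for each category."""
    lines = []
    for proto, port in sorted(result["confirmed"]):
        lines.append(f"{proto}/{port}: open and listening; decide whether the service is needed")
    for proto, port in sorted(result["open_without_listener"]):
        lines.append(f"{proto}/{port}: open from the network but no listener now; "
                     "transient port or state changed between checks, rescan")
    for proto, port in sorted(result["listener_not_reachable"]):
        lines.append(f"{proto}/{port}: listening on host but not reachable; "
                     "filtered by firewall or bound to loopback")
    return lines


if __name__ == "__main__":
    scan = parse_nmap_grepable(SAMPLE_NMAP_OG)["192.168.0.161"]
    print("\n".join(explain(reconcile(scan, HOST_LISTENERS))))
```

On a real host, the scan text comes from nmap -oG and the listener set from the output of netstat -an; running both within a short time window keeps the "open without listener" category small, since the dynamic ports mentioned above come and go.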

Firewall log audit

Another useful way to detect network applications that send or receive data is to collect and analyze the firewall log in more depth. Deny entries for the firewall's external interface are unlikely to be useful because of the "noise traffic" (e.g. worms, scanners, ping tests) that clogs the Internet. However, if you log the allowed packets on the internal interface, you can see all incoming and outgoing network traffic.

To see the raw traffic on the network, you can install a network analyzer that connects to the network and records every packet it sees. The most widely used free network analyzer is Tcpdump for UNIX (the Windows version is called Windump), which is easy to install. After installing it, configure it to accept all network packets so that it captures all traffic, then connect it to a port monitor on the network switch to observe all traffic passing through the network; the port monitor configuration is discussed below. Tcpdump is an extremely flexible program that lets you view network traffic through specialized filters and show only IP address and port information, or entire packets. Network dumps from large networks are hard to read without proper filters, but take care not to filter out important data.
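Turning the allowed-packet log from the internal interface into a network profile, as the paragraph above suggests, is mostly aggregation. The Python script below is an added example, not part of the article: it parses a constructed firewall log excerpt in a generic key=value syslog style (no real vendor format is assumed), keeps only allowed flows on the inside interface, counts them by protocol and destination port, compares the result with a hypothetical list of expected services, and lists which internal hosts talked to any service outside that list. Every log line, address and the expected-service list are constructed for the example.

```python
from collections import Counter

# Constructed firewall log excerpt in a generic key=value syslog style; not a real vendor format.
SAMPLE_FW_LOG = """\
May 12 10:00:01 fw1 iface=outside action=deny proto=tcp src=203.0.113.9:40211 dst=198.51.100.2:23
May 12 10:00:02 fw1 iface=inside action=allow proto=tcp src=192.168.0.20:52117 dst=192.168.0.161:3389
May 12 10:00:03 fw1 iface=inside action=allow proto=udp src=192.168.0.20:51000 dst=192.168.0.1:53
May 12 10:00:04 fw1 iface=inside action=allow proto=tcp src=192.168.0.21:52200 dst=93.184.216.34:443
May 12 10:00:05 fw1 iface=inside action=allow proto=tcp src=192.168.0.21:52201 dst=93.184.216.34:443
May 12 10:00:06 fw1 iface=inside action=allow proto=udp src=192.168.0.30:2048 dst=192.168.0.5:69
May 12 10:00:07 fw1 iface=inside action=allow proto=tcp src=192.168.0.31:52300 dst=192.168.0.161:8080
May 12 10:00:08 fw1 iface=outside action=deny proto=udp src=203.0.113.77:5000 dst=198.51.100.2:161
"""

# Hypothetical list of services this network is expected to carry; everything else gets a look.
EXPECTED_SERVICES = {("tcp", 443), ("tcp", 80), ("udp", 53), ("tcp", 3389), ("tcp", 445)}


def parse_fw_log(text):
    """Parse key=value tokens; lines lacking any required field are skipped."""
    records = []
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if not {"iface", "action", "proto", "src", "dst"} <= set(fields):
            continue
        src_ip, _, src_port = fields["src"].rpartition(":")
        dst_ip, _, dst_port = fields["dst"].rpartition(":")
        records.append({
            "iface": fields["iface"], "action": fields["action"], "proto": fields["proto"],
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
        })
    return records


def inside_allowed(records):
    """Only allowed flows on the inside interface: the view the paragraph recommends."""
    return [r for r in records if r["iface"] == "inside" and r["action"] == "allow"]


def build_profile(records):
    """Count allowed inside flows by (proto, dst_port): the network's service profile."""
    return Counter((r["proto"], r["dst_port"]) for r in inside_allowed(records))


def unexpected_services(profile, expected=EXPECTED_SERVICES):
    """Services seen in the profile that are not on the expected list."""
    return {svc: n for svc, n in profile.items() if svc not in expected}


def talkers_for(records, proto, port):
    """Internal hosts that generated allowed traffic to a given service."""
    return sorted({r["src_ip"] for r in inside_allowed(records)
                   if r["proto"] == proto and r["dst_port"] == port})


if __name__ == "__main__":
    recs = parse_fw_log(SAMPLE_FW_LOG)
    profile = build_profile(recs)
    for (proto, port), n in sorted(profile.items()):
        print(f"{proto}/{port}: {n} flow(s)")
    for (proto, port), n in unexpected_services(profile).items():
        print(f"unexpected {proto}/{port} from {talkers_for(recs, proto, port)}")
```

The deny entries from the outside interface are dropped before counting, matching the paragraph's point that they are mostly noise; the remaining counts per destination port are the baseline against which later log windows can be compared.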

Combining components

So far, we have looked at the various methods and tools that can be used to detect applications using the network. It is time to combine them and show how to identify open network ports. It is amazing how chatty the computers on a network are! First, it is recommended that you read the Microsoft document "Service overview and network port requirements for the Windows Server system" (http://support.microsoft.com/default.aspx?scid=kb;en-us;832017), which lists the protocols (TCP and UDP) and port numbers used by applications and by most major Windows Server services. The document describes these services and the network ports they use; it is a useful reference for Windows network administrators and worth downloading and printing.

Network analyzer configuration

As noted earlier, one way to determine which ports applications use is to monitor the traffic between computers with a network analyzer. To see all traffic, the analyzer must be connected to a hub or to a port monitor on a switch. Every port on a hub sees all the traffic of every computer connected to that hub, but hubs are outdated technology and most companies have replaced them with switches. Switches perform well but are inconvenient for analysis: each switch port receives only the traffic addressed to the one computer connected to it. To analyze the entire network, you need to monitor the traffic directed to every port on the switch.

This requires configuring a port monitor (vendors also call it a span port or mirrored port) on the switch. Setting up a port monitor on a Cisco Systems Catalyst switch is easy. Log in to the switch and enter enable mode, then enter configure terminal mode and select the interface of the switch port to which all monitored traffic should be sent. Finally, specify every port to be monitored. For example, the following commands monitor three Fast Ethernet ports and forward a copy of their traffic to port 24.

interface FastEthernet0/24
 port monitor FastEthernet0/1
 port monitor FastEthernet0/2
 port monitor FastEthernet0/3
end

In this example, a network analyzer connected to port 24 sees all incoming and outgoing traffic of the computers connected to the first three ports on the switch. To save the resulting configuration to the switch's startup configuration, enter the command

write memory

Initial analysis

Let's consider an example of analyzing the data passing through a network. If a Linux computer is used for the analysis, you can get a comprehensive picture of the type and frequency of packets on the network with a program such as IPTraf in statistical mode. Traffic details can be examined with Tcpdump.

TCP/IP is the foundation of the Internet, through which computers send and receive information from anywhere in the world regardless of geographic location. Accessing a TCP/IP computer in another country is as easy as accessing a computer in the next room: the procedure is identical in both cases, although the connection to a machine in another country may take a few milliseconds longer. As a result, citizens of any country can easily shop at Amazon.com; but the same logical proximity makes protecting information harder: the owner of any computer connected to the Internet, anywhere in the world, can try to establish an unauthorized connection to any other machine.

It is the IT professional's responsibility to install firewalls and systems that detect suspicious traffic. Packet analysis extracts the source and destination IP addresses and the network ports involved. Network ports are no less valuable than IP addresses; they are the most important criteria for separating useful traffic from bogus and harmful messages entering and leaving the network. Most Internet traffic consists of TCP and UDP packets, which carry the network port information that computers use to route traffic from one application to another. A prerequisite for a secure firewall and network is that the administrator thoroughly understands how these ports are used by computers and network devices.

Exploring ports

Knowing the basic principles of network ports is useful for any system administrator. With a basic understanding of TCP and UDP ports, an administrator can diagnose a failing network application or protect a computer that needs Internet access without calling a network engineer or firewall consultant.

The first part of this two-part article describes the basic concepts needed to understand network ports: where network ports sit in the overall network model, and the role of network ports, NAT (Network Address Translation) and a firewall when a company's computers connect to the Internet. Finally, it points out the places in the network where it is convenient to identify and filter network traffic by port. Part 2 looks at some of the ports used by common applications and operating systems and introduces some tools for finding open ports on a network.

Brief overview of network protocols

TCP/IP is a set of network protocols through which computers communicate with each other. The TCP/IP suite is nothing more than pieces of program code installed in the operating system that provide access to these protocols. TCP/IP is a standard, so a TCP/IP application on a Windows machine must be able to communicate successfully with a similar application on a UNIX machine. In the early days of networking, in 1983, engineers developed the seven-layer OSI interoperability model to describe how computers communicate, from cable to application. The OSI model consists of the physical, data link, network, transport, session, presentation and application layers. Internet and TCP/IP administrators are mainly concerned with the network, transport and application layers, but the other layers also need to be known for successful diagnosis. Despite the OSI model's considerable age, many specialists still use it: when a network engineer talks about layer 1 or layer 2 switches, or a firewall vendor talks about layer 7 control, they are referring to the layers defined in the OSI model.

This article describes the network ports located at layer 4, the transport layer. In the TCP/IP suite, these ports are used by the TCP and UDP protocols. Before going into a detailed description of that layer, it is worth briefly reviewing the seven OSI layers and the role they play in modern TCP/IP networks.

Layers 1 and 2: physical cables and MAC addresses

Layer 1, the physical layer, is the actual medium in which the signal travels, for example copper cable, fiber optic cable or radio (in the case of Wi-Fi). Layer 2, the data link layer, describes the format of data for transmission over the physical medium. At layer 2, packets are organized into frames, and basic flow control and error handling can be implemented. The IEEE 802.3 standard, better known as Ethernet, is the most common layer 2 standard for modern LANs. A typical network switch is a layer 2 device through which multiple computers physically connect and communicate with each other. Sometimes two computers cannot connect to each other even though their IP addresses appear correct; the problem may be an error in the Address Resolution Protocol (ARP) cache, which points to a layer 2 problem. Also, some wireless access points (APs) offer MAC address filtering so that only network adapters with specific MAC addresses can connect to the AP.

Layers 3 and 4: IP addresses and network ports

Layer 3, the network layer, supports routing; in TCP/IP, routing is implemented by IP. A packet's IP address belongs to layer 3. Network routers are layer 3 devices that parse the IP addresses of packets and forward them to another router or deliver them to local computers. If a suspicious packet is found on the network, the first step is to check its IP address to establish where it originated.

Together with the network layer, Layer 4 (transport) is a good starting point for diagnosing network problems. On the Internet, Layer 4 contains the TCP and UDP protocols and the network port information that associates a packet with a particular application. The computer's network stack uses the TCP or UDP port associated with an application to route network traffic to that application. For example, TCP port 80 is associated with a Web server application. This mapping of ports to applications is known as a service.

TCP and UDP are different. Basically, TCP provides a reliable connection for exchanging data between two applications. Before starting to communicate, the two applications must establish a connection by completing the three-way TCP handshake. UDP is more of a fire-and-forget approach. For TCP applications, the reliability of communication is ensured by the protocol, whereas a UDP application has to verify the reliability of the connection itself.

A network port is a number between 1 and 65535 that is specified and known by both applications that are communicating. For example, a client typically sends an unencrypted request to a server at the target address on TCP port 80. Typically, a computer sends a DNS query to a DNS server at the target address on UDP port 53. The client and the server each have a source and destination IP address, and also a source and destination network port, which may differ. Historically, all port numbers below 1024 have been called "well-known port numbers" and are registered with the Internet Assigned Numbers Authority (IANA). On some operating systems, only system processes can use ports in this range. In addition, organizations can register ports 1024 through 49151 with IANA to bind a port to their application. This registration provides a structure that helps avoid conflicts between applications seeking to use the same port number. In general, however, nothing prevents an application from requesting a specific port if it is not occupied by another active program.

Historically, the server listens on a low-numbered port, and the client initiates the connection from a high-numbered port (above 1024). For example, a Web client might open a connection to a Web server on destination port 80 but use an arbitrary source port, such as TCP port 1025. In its response to the client, the Web server addresses the packet to the client with a source port of 80 and a destination port of 1025. The combination of IP address and port is called a socket and must be unique on the computer. For this reason, when setting up a Web server with two separate Web sites on the same computer, you must either use multiple IP addresses, such as address1:80 and address2:80, or configure the Web server to listen on multiple network ports, such as address1:80 and address1:81. Some Web servers allow multiple Web sites to run on a single port by examining the Host header, but in reality this function is performed by the Web server application at the higher Layer 7.
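The socket pairing described above, as an added example in Python that is not part of the original article: the listener binds port 0 so the OS picks a free port (binding port 80 would need privileges), the client's source port is assigned dynamically, and a second bind on the same address and port reproduces the port conflict.

```python
import errno
import socket


def connection_sockets(host="127.0.0.1"):
    """Open a listener, connect a client, and return the socket pair each
    side sees.  Port 0 asks the OS for any free port; the client's source
    port is assigned dynamically from the high-numbered range."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((host, 0))
    server.listen(1)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.connect(server.getsockname())   # handshake completes in the kernel
    conn, peer = server.accept()
    seen = {
        "client_src": client.getsockname(),   # (host, dynamic source port)
        "client_dst": client.getpeername(),   # (host, listening port)
        "server_src": conn.getsockname(),     # mirror of client_dst
        "server_dst": peer,                   # mirror of client_src
    }
    for s in (conn, client, server):
        s.close()
    return seen


def second_bind_conflicts(host="127.0.0.1"):
    """Try to bind a second socket to an address/port that is already in
    use.  Returns True when the OS refuses with EADDRINUSE, the 'conflict'
    that results when two programs want the same socket."""
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        first.bind((host, 0))
        first.listen(1)
        second.bind(first.getsockname())
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        first.close()
        second.close()


if __name__ == "__main__":
    pair = connection_sockets()
    print("client  %s -> %s" % (pair["client_src"], pair["client_dst"]))
    print("server  %s <- %s" % (pair["server_src"], pair["server_dst"]))
    print("second bind on the same port refused:", second_bind_conflicts())
```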

As networking functions became available in operating systems and applications, programmers began using ports above 1024 without registering all of their applications with IANA. By searching the Internet for any network port number, you can usually quickly find information about the applications that use that port. Alternatively, you can search for "Well Known Ports" and find many sites listing the most common ports.

When blocking network applications on a computer or fixing flaws in a firewall, most of the work consists of classifying and filtering Layer 3 IP addresses and Layer 4 protocols and network ports, that is, TCP and UDP ports.

Knowing and being familiar with network ports is useful for more than assigning firewall rules. For example, in some of its security bulletins Microsoft describes the procedure for closing NetBIOS ports. This measure helps limit the spread of worms that penetrate through vulnerabilities in the operating system. By knowing how and where to close these ports, you can mitigate the threat to your network while preparing to deploy a critical patch.

And straight on to Layer 7

It is rare to hear about Layer 5 (session) and Layer 6 (presentation) these days, but Layer 7 (application) is a hot topic among firewall vendors. The newest trend in the development of network firewalls is Layer 7 control, which describes the methods used to analyze how an application operates over network protocols. By analyzing the payload of a network packet, a firewall can determine the legitimacy of the traffic passing through it. For example, a Web request contains a GET statement inside a Layer 4 packet (TCP port 80). If your firewall implements Layer 7 features, it can validate the GET statement. Another example: many peer-to-peer (P2P) file sharing programs can hijack port 80. As a result, an unauthorized person can configure the program to use the port of their choice, most likely a port that has to remain open on a given firewall. If company employees need Internet access, port 80 must be open, but to distinguish legitimate Web traffic from P2P traffic that someone has directed to port 80, the firewall must provide Layer 7 control.

The role of the firewall

Having described the network layers, we can proceed to describe how network applications communicate through firewalls, paying particular attention to the network ports used. In the following example, a client browser communicates with a Web server on the other side of a firewall, much as a company employee accesses a Web server on the Internet.

Most Internet firewalls operate at Layers 3 and 4 to inspect and then allow or block inbound and outbound network traffic. In general, the administrator creates Access Control Lists (ACLs) that define the IP addresses and network ports of the traffic to be blocked or allowed. For example, to access the Web, you launch a browser and point it to a Web site. The computer initiates an outgoing connection by sending a sequence of IP packets, each consisting of a header and a payload. The header contains routing information and other packet attributes. Firewall rules are usually formulated in terms of the routing information and typically specify the source and destination IP addresses (Layer 3) and the packet protocol (Layer 4). When browsing the Web, the destination IP address belongs to the Web server, and the protocol and destination port are TCP 80 by default. The source IP address is the address of the computer from which the user is browsing the Web, and the source port is usually a dynamically assigned number above 1024. The payload is independent of the header and is generated by the user application; in this case, it is a request to the Web server to deliver a Web page.

The firewall analyzes outbound traffic and allows it according to the firewall rules. Many companies allow all outgoing traffic from their network. This approach simplifies configuration and deployment, but the lack of control over data leaving the network reduces security. For example, a Trojan horse can infect a computer on the enterprise network and send information from that computer to another computer on the Internet. It makes sense to create ACLs that block such outgoing information.

In contrast to their permissive treatment of outbound traffic, most firewalls are configured to block inbound traffic. Typically, firewalls allow inbound traffic in only two cases. The first is traffic coming in response to an outgoing request sent earlier by a user. For example, if you enter the address of a Web page in a browser, the firewall lets the HTML and other components of the Web page into the network. The second case is hosting an internal service on the Internet, such as a mail server, Web site, or FTP site. Hosting such a service is commonly referred to as port translation or server publishing. The implementation of port translation differs from one firewall vendor to another, but the underlying principle is the same. The administrator defines the service, such as TCP port 80 for a Web server, and the internal server that hosts the service. If packets that correspond to this service enter the firewall through its external interface, the port translation mechanism forwards them to the specific computer on the network hidden behind the firewall. Port translation is used in conjunction with the NAT service described below.
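An added example, not code from the article, that models in Python the firewall behaviours described in the last few sections: a Layer 3/4 ACL for outbound traffic, the Layer 7 check that data sent to port 80 really looks like HTTP, and inbound traffic allowed only as the reply to an earlier outbound flow or as traffic to a published service. All addresses, ports and rules are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """One Layer 3/4 ACL entry: protocol, destination port, address ranges."""
    proto: str
    dst_port: int
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"

    def matches(self, p):
        return (p.proto == self.proto and p.dst_port == self.dst_port
                and ip_address(p.src_ip) in ip_network(self.src_net)
                and ip_address(p.dst_ip) in ip_network(self.dst_net))


HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ")


class Firewall:
    def __init__(self, outbound_allow, published):
        self.outbound_allow = outbound_allow  # ACL for traffic leaving the network
        self.published = published            # services hosted inside (server publishing)
        self.sessions = set()                 # outbound flows whose replies may come back

    def outbound(self, p):
        if not any(r.matches(p) for r in self.outbound_allow):
            return "deny"
        # Layer 7 check: data on port 80 must start with an HTTP request line,
        # otherwise some other program is using the open Web port
        if p.dst_port == 80 and p.payload and not p.payload.startswith(HTTP_METHODS):
            return "deny"
        self.sessions.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return "allow"

    def inbound(self, p):
        # a reply carries the outbound flow's source and destination swapped
        if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.sessions:
            return "allow"
        if any(r.matches(p) for r in self.published):
            return "allow"
        return "deny"
```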

NAT basics

NAT allows multiple computers in a company to share a small pool of public IP addresses. A company's DHCP server can allocate IP addresses from one of the blocks of private, non-Internet-routable IP addresses defined in RFC 1918. Several companies can also share the same private IP address space. Examples of private IP subnets are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. Internet routers block any packets directed to one of the private addresses. NAT is a firewall feature that allows companies using private IP addresses to communicate with other computers on the Internet. The firewall knows how to translate inbound and outbound traffic for the private internal IP addresses so that every computer can access the Internet.
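An added example (not the article's code) of the NAT behaviour above combined with the server publishing described earlier: outbound flows from RFC 1918 addresses are rewritten to the firewall's single public address with a dynamically chosen public port, replies are mapped back to the right internal host, and an unsolicited inbound packet reaches an internal host only through a published service. The public address and the translation table are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from itertools import count

# the private blocks listed in RFC 1918
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip_address(ip) in net for net in RFC1918)


class Nat:
    """Port address translation for one public IP, plus server publishing."""

    def __init__(self, public_ip, published=None):
        self.public_ip = public_ip
        # (proto, public_port) -> (private_ip, private_port) for hosted services
        self.published = dict(published or {})
        self.out_table = {}   # (proto, private_ip, private_port) -> public_port
        self.in_table = {}    # (proto, public_port) -> (private_ip, private_port)
        self.next_port = count(49152)   # IANA dynamic port range starts here

    def outbound(self, proto, src_ip, src_port):
        """Return the (public_ip, public_port) the packet leaves with, or
        None if the source is not a private address this NAT serves."""
        if not is_rfc1918(src_ip):
            return None
        key = (proto, src_ip, src_port)
        if key not in self.out_table:
            public_port = next(self.next_port)
            while (proto, public_port) in self.published:   # never reuse a published port
                public_port = next(self.next_port)
            self.out_table[key] = public_port
            self.in_table[(proto, public_port)] = (src_ip, src_port)
        return (self.public_ip, self.out_table[key])

    def inbound(self, proto, dst_port):
        """Return the internal (private_ip, private_port) a packet arriving at
        the public address is forwarded to, or None if it is dropped."""
        key = (proto, dst_port)
        if key in self.in_table:       # reply to an earlier outbound flow
            return self.in_table[key]
        if key in self.published:      # published internal service
            return self.published[key]
        return None
```

Two internal hosts may use the same source port; the translation table keeps their flows apart by giving each its own public port.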
