Ports, Protocols, Services, and Traffic types.
Ports
Remote Access
| Port | Protocol | Use |
|---|---|---|
| 22 | SSH (Secure Shell) / SFTP | Provides encrypted remote command-line access and secure file transfers. SFTP runs over SSH to encrypt data in transit. |
| 23 | Telnet | Remote terminal access (console access) in plaintext (no encryption). Rarely used now due to security risks. |
| 3389 | RDP (Remote Desktop Protocol) | Allows graphical remote desktop access, mostly for Windows systems but clients exist for other OSes. |
Web Services
| Port | Protocol | Use |
|---|---|---|
| 80 | HTTP (Hypertext Transfer Protocol) | Standard web traffic, sent in plaintext. |
| 443 | HTTPS (HTTP Secure) | Encrypted web traffic using TLS/SSL, standard for secure websites. |
File Transfer
| Port | Protocol | Use |
|---|---|---|
| 20 | FTP (Data Channel) | Used by FTP to transfer the actual files. Active mode data. |
| 21 | FTP (Control Channel) | Used by FTP to send commands and manage sessions. Authenticates with a username and password; allows listing, adding, deleting, and other file maintenance operations. |
| 22 | SFTP (Secure File Transfer Protocol) | File transfer over SSH, encrypted end-to-end. |
| 69 | TFTP (Trivial File Transfer Protocol) | Simple, fast file transfer protocol without authentication or directory listing — commonly used for device configurations. (UDP) |
Email Services
| Port | Protocol | Use |
|---|---|---|
| 25 | SMTP (Simple Mail Transfer Protocol) | Transfers email between mail servers (relay). Plaintext by default; the session is only encrypted if STARTTLS is negotiated. Mail clients normally submit outgoing mail on 587 instead. |
| 110 | POP3 (Post Office Protocol v3) | Downloads email from server to client; typically deletes messages from the server after retrieval. |
| 143 | IMAP (Internet Message Access Protocol) | Retrieves and manages email directly on the server, keeping messages synced. |
| 587 | SMTP Submission (STARTTLS) | Clients submit outgoing mail to their own mail server with authentication; the connection is upgraded to TLS via STARTTLS. |
| 993 | IMAPS (IMAP over TLS) | IMAP with encryption to protect messages in transit. |
| 995 | POP3S (POP3 over TLS) | POP3 with encryption for secure retrieval. |
Network & Management
| Port | Protocol | Use |
|---|---|---|
| 53 | DNS (Domain Name System) | Resolves hostnames to IP addresses. Queries normally use UDP; TCP is used for zone transfers (AXFR) and whenever a response is truncated (TC bit set) because it does not fit in a single UDP message. |
| 67 | DHCP Server | Assigns IP addresses and network settings to clients. |
| 68 | DHCP Client | Receives IP configuration from the server. |
| 123 | NTP (Network Time Protocol) | Synchronizes system clocks over the network. (UDP) |
| 161 | SNMP (Simple Network Management Protocol) | Queries devices for status and configuration data (e.g., network traffic statistics). UDP. v1: no encryption, community strings travel in plaintext. v2c: adds bulk transfers (GetBulk), still unencrypted. v3: adds authentication, message integrity, and encryption. |
| 162 | SNMP Trap | Receives unsolicited alerts (traps) from network devices. |
| 389 | LDAP (Lightweight Directory Access Protocol) | Accesses and manages directory information, such as user accounts. (TCP) |
| 445 | SMB (Server Message Block) | Shares files, printers, and authentication services on Windows networks. |
| 514 | Syslog | Collects and forwards log messages to a central server. Classic syslog is UDP 514 in plaintext; TCP 514 is also common, and syslog over TLS uses TCP 6514. |
| 636 | LDAPS (LDAP Secure) | LDAP over TLS/SSL for encrypted directory access. |
| 2049 | NFS (Network File System) | Shares file systems between hosts, primarily on Linux/Unix systems. NFSv4 needs only TCP 2049; NFSv3 and earlier also depend on rpcbind/portmapper (111) and auxiliary services such as mountd. |
Databases
| Port | Protocol | Use |
|---|---|---|
| 1433 | Microsoft SQL Server | Default port for Microsoft SQL database services. |
| 1521 | SQLnet (Oracle Database) | Default listener port for Oracle databases. |
| 3306 | MySQL | Default port for MySQL and MariaDB databases. |
VoIP
| Port | Protocol | Use |
|---|---|---|
| 5060 | SIP (Session Initiation Protocol) | Initiates, modifies, and ends VoIP calls; plaintext communication. |
| 5061 | SIP over TLS | SIP with encryption for secure VoIP signaling. |
Services
ICMP (Internet Control Message Protocol)
Used for diagnostics and error reporting (echo request/reply for ping, destination unreachable, time exceeded as used by traceroute), not for user data. Port: None (IP protocol number 1)
TCP (Transmission Control Protocol)
Connection-oriented and reliable — ensures packets arrive in order and retransmits lost ones. Used for web, email, file transfers, and remote login (e.g., HTTP, HTTPS, SSH, FTP, SMTP).
TCP = reliability and sequencing.
UDP (User Datagram Protocol)
Connectionless and faster — sends data without confirming delivery.
Used in streaming, VoIP, gaming, and DNS lookups.
Speed over reliability.
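As an added example (not from the original page), the following Python puts the TCP/UDP split in the DNS row into code: build a query, read the reply's header, and apply the rule that a resolver answers over UDP unless the reply's TC (truncated) bit is set, in which case it resends the same query over TCP with the 2-byte length prefix that DNS-over-TCP requires. The two responses are constructed sample bytes, not captured traffic, and 192.0.2.1 is a documentation address.

```python
import socket
import struct

# Constructed sample traffic (not captured from a real resolver):
# query for the A record of "example.com", transaction ID 0x1234.

def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a DNS query: 12-byte header + one question (RFC 1035 section 4.1)."""
    flags = 0x0100                                           # standard query, RD set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)   # QCLASS=IN

def parse_header(msg: bytes) -> dict:
    """Decode the fixed header; TC (0x0200) is the UDP-to-TCP fallback signal."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "truncated": bool(flags & 0x0200), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an}

def needs_tcp_retry(response: bytes, expected_id: int) -> bool:
    """Accept the reply only if it is a response with our transaction ID, then report TC."""
    h = parse_header(response)
    if not h["is_response"] or h["id"] != expected_id:
        raise ValueError("not a matching response (ID mismatch or not a reply)")
    return h["truncated"]

def frame_for_tcp(msg: bytes) -> bytes:
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg

def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name made of labels, a compression pointer, or labels ending in a pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def a_records(response: bytes) -> list:
    """Return the IPv4 addresses in the answer section (type A, class IN)."""
    h = parse_header(response)
    off = 12
    for _ in range(h["qdcount"]):
        off = _skip_name(response, off) + 4          # QTYPE + QCLASS
    addrs = []
    for _ in range(h["ancount"]):
        off = _skip_name(response, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[off:off + 4]))
        off += rdlen
    return addrs

QUERY = build_query("example.com")
# Constructed normal reply: flags 0x8180 = QR|RD|RA, one answer whose name is
# the pointer 0xC00C back to the question name at offset 12.
NORMAL_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + socket.inet_aton("192.0.2.1"))
# Constructed truncated reply: flags 0x8380 adds TC; the answers did not fit in UDP.
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + QUERY[12:]

if __name__ == "__main__":
    for label, resp in (("normal", NORMAL_RESPONSE), ("truncated", TRUNCATED_RESPONSE)):
        if needs_tcp_retry(resp, 0x1234):
            print(label, "-> TC set, resend over TCP with length prefix",
                  frame_for_tcp(QUERY)[:2].hex())
        else:
            print(label, "-> A records:", a_records(resp))
```

The transaction-ID check in needs_tcp_retry is the minimum a resolver does before trusting a UDP reply, since anyone who can guess the ID (and source port) can inject a forged answer; that is the spoofing risk that makes UDP DNS cheaper but weaker than the TCP path.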
GRE (Generic Routing Encapsulation)
Encapsulates different network protocols (like IPv4/IPv6) inside virtual tunnels. IP protocol 47; no port number.
Commonly used with VPNs or site-to-site links. GRE by itself provides no encryption or authentication, so where confidentiality matters it is run inside IPsec (GRE over IPsec).
Creates tunnels between routers.
IPsec (Internet Protocol Security)
A suite of protocols that authenticates and encrypts IP packets for secure communication — often used in VPNs.
IPsec includes three main parts:
- AH (Authentication Header): Verifies data integrity and origin, but does not encrypt.
- ESP (Encapsulating Security Payload): Provides encryption, integrity, and authentication.
- IKE (Internet Key Exchange): Negotiates security keys between endpoints.
The "Secure Diplomatic Pouch" Analogy
Imagine you are an embassy in a foreign country and need to send a secret document back to your home government. IPsec is the protocol for creating a secure diplomatic pouch.
IKE/ISAKMP (The Key Exchange) - The "Ambassador's Handshake"
- Port: UDP 500 (UDP 4500 once NAT traversal, NAT-T, is detected)
- Analogy: Before any secure pouches can be sent, the ambassadors from both countries must meet in a secure room to agree on the rules of engagement.
- Phase 1: They agree on a secret handshake (Diffie-Hellman) to create a shared secret that no eavesdropper can figure out, and they prove who they are to each other (pre-shared key or certificates). This establishes a secure management channel (the ISAKMP/IKE SA).
- Phase 2: Using that secure channel, they now negotiate the specifics: "We will use a 5-digit cipher lock on our pouches, and we'll use a blue wax seal for authentication." This sets up the rules for the actual data pouches (the IPsec SAs, one per direction). These are IKEv1 terms; IKEv2 does the same work in its IKE_SA_INIT and IKE_AUTH exchanges and calls the data SAs CHILD_SAs.
- In short: IKE/ISAKMP is the process of setting up the secure connection before any real data is sent.
IPsec Modes: Transport vs. Tunnel - "What are we securing?"
This defines the scope of the secure pouch.
Transport Mode - The "Sealed Envelope"
- What it does: Only the actual message (the document) is placed inside a sealed, secure envelope. The original mailing address on the outside is still visible.
- Technical: Protects only the payload (e.g., a TCP or UDP segment): ESP encrypts it, AH authenticates it. The original IP header is left intact, so an observer still sees the real source and destination addresses.
- Use Case: End-to-End Security. Ideal for secure communication directly between two hosts, like a remote desktop connection to a server.
Tunnel Mode - The "Secure Courier Pouch"
- What it does: The entire original package, both the document and its original mailing address, is locked inside a secure diplomatic pouch. A new shipping address is placed on the outside of the pouch.
- Technical: Encrypts the entire original IP packet (header + payload) and adds a new IP header on top, whose source and destination are the two tunnel endpoints (usually VPN gateways).
- Use Case: Site-to-Site or Client-to-Network VPN. This is the most common mode. It is used when your firewall creates a secure tunnel to another firewall, protecting the identity and traffic of all the devices behind it.
AH vs. ESP - "What kind of security are we using?"
These are the two types of security you can put inside your diplomatic pouch rules.
AH (Authentication Header) - The "Tamper-Evident Seal & Notary Stamp"
- IP Protocol 51 (no port number)
- Analogy: This seal proves the document is authentic and hasn't been altered. If the seal is broken, you know it's been tampered with. However, anyone can still read the document through the envelope. It provides authentication and integrity, but no encryption.
- Technical: It computes an integrity check value (an HMAC) over the payload and the IP header, excluding only the fields that legitimately change in transit (TTL, header checksum, TOS, flags/fragment offset). Because the source and destination addresses are covered, any NAT device that rewrites them breaks the check, so AH does not work through NAT.
ESP (Encapsulating Security Payload) - The "Indestructible, Opaque Safe"
- IP Protocol 50 (no port number)
- Analogy: The document is locked in a solid, opaque safe. No one can read it (encryption). The safe also has a tamper-evident seal on it (authentication & integrity).
- Technical: It provides encryption and, in practice, always integrity and authentication as well, either with a separate HMAC or with an AEAD cipher such as AES-GCM; current guidance forbids ESP encryption without integrity because ciphertext that is not authenticated can be tampered with undetected. The integrity check covers only the ESP header and payload, never the outer IP header, so NAT rewriting the addresses does not invalidate it. ESP still carries no port numbers, though, so most NAT devices cannot track it; NAT-T solves that by wrapping ESP in UDP on port 4500.
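The NAT difference between AH and ESP comes down to what the integrity check covers. As an added example (not from the original page, and not an implementation of RFC 4302/4303), the following Python models transport-mode AH and ESP on a constructed IPv4 packet and then runs each through a router hop (TTL decrement) and a source NAT (address rewrite). Assumptions and simplifications, all mine: a 96-bit truncated HMAC-SHA256 stands in for the negotiated integrity algorithm, a PRF-derived keystream stands in for the cipher, ESP padding and alignment are omitted, the IPv4 header checksum is ignored, and the keys are constructed constants rather than IKE output.

```python
import hashlib
import hmac
import socket
import struct

# Constructed keys for the demo; real SAs get their keys from IKE.
AH_KEY = b"constructed-ah-key"
ESP_ENC_KEY = b"constructed-esp-enc-key"
ESP_AUTH_KEY = b"constructed-esp-auth-key"
ICV_LEN = 12   # 96-bit truncated ICV (simplified: HMAC-SHA256 truncated)

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header: ver/IHL, TOS, total len, ID, flags/frag, TTL, proto, csum, src, dst."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1A2B, 0x4000,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def _immutable_fields(ip_hdr):
    """AH zeroes the fields routers legitimately change (TOS, flags/frag, TTL, checksum);
    addresses, total length, ID and protocol stay covered by the ICV."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h)

def _icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def ah_protect(ip_hdr, payload, spi, seq, key=AH_KEY):
    """Transport-mode AH (IP protocol 51): IP header + AH + ICV + original payload (next header 6 = TCP)."""
    ah = struct.pack("!BBHII", 6, 4, 0, spi, seq)   # next hdr, payload len (words-2), reserved, SPI, seq
    hdr = bytearray(ip_hdr)
    hdr[9] = 51
    struct.pack_into("!H", hdr, 2, 20 + len(ah) + ICV_LEN + len(payload))
    icv = _icv(key, _immutable_fields(bytes(hdr)) + ah + b"\x00" * ICV_LEN + payload)
    return bytes(hdr) + ah + icv + payload

def ah_verify(pkt, key=AH_KEY):
    ip_hdr, ah, icv, payload = pkt[:20], pkt[20:32], pkt[32:44], pkt[44:]
    return hmac.compare_digest(icv, _icv(key, _immutable_fields(ip_hdr) + ah + b"\x00" * ICV_LEN + payload))

def _keystream(key, spi, seq, n):
    """Toy keystream from a PRF keyed per (SPI, seq); stands in for AES, not a real ESP transform."""
    blocks = (hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def esp_protect(ip_hdr, payload, spi, seq, enc_key=ESP_ENC_KEY, auth_key=ESP_AUTH_KEY):
    """Transport-mode ESP (IP protocol 50): IP header + [SPI, seq] + ciphertext + ICV.
    The ICV covers the ESP header and ciphertext only, never the IP header."""
    esp_hdr = struct.pack("!II", spi, seq)
    plain = payload + bytes([0, 6])          # ESP trailer: pad length 0, next header TCP
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, spi, seq, len(plain))))
    hdr = bytearray(ip_hdr)
    hdr[9] = 50
    struct.pack_into("!H", hdr, 2, 20 + len(esp_hdr) + len(ct) + ICV_LEN)
    return bytes(hdr) + esp_hdr + ct + _icv(auth_key, esp_hdr + ct)

def esp_open(pkt, enc_key=ESP_ENC_KEY, auth_key=ESP_AUTH_KEY):
    """Check the ICV first, then decrypt. Returns the payload, or None on integrity failure."""
    esp_hdr, ct, icv = pkt[20:28], pkt[28:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(auth_key, esp_hdr + ct)):
        return None
    spi, seq = struct.unpack("!II", esp_hdr)
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, spi, seq, len(ct))))
    pad_len = plain[-2]
    return plain[:len(plain) - 2 - pad_len]

def router_hop(pkt):
    """An ordinary router decrements TTL, a mutable field AH deliberately leaves out."""
    p = bytearray(pkt); p[8] -= 1; return bytes(p)

def nat_rewrite_src(pkt, new_src):
    """Source NAT rewrites the source address: covered by AH's ICV, not by ESP's."""
    p = bytearray(pkt); p[12:16] = socket.inet_aton(new_src); return bytes(p)

def demo():
    payload = b"constructed TCP segment bytes"
    hdr = ipv4_header("10.0.0.5", "203.0.113.9", 6, len(payload))
    ah = ah_protect(hdr, payload, spi=0x100, seq=1)
    esp = esp_protect(hdr, payload, spi=0x200, seq=1)
    tampered = bytearray(esp); tampered[30] ^= 0x01     # flip a ciphertext bit in transit
    return {
        "ah_after_router": ah_verify(router_hop(ah)),                               # True
        "ah_after_nat": ah_verify(nat_rewrite_src(ah, "198.51.100.7")),             # False
        "esp_after_nat": esp_open(nat_rewrite_src(esp, "198.51.100.7")) == payload,  # True
        "esp_tampered": esp_open(bytes(tampered)) is None,                          # True
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The ordering in esp_open is the part worth copying: verify the ICV before touching the ciphertext, so a tampered packet is dropped without ever being decrypted. Note that the model shows why ESP's ICV survives NAT, not that ESP passes through NAT unaided; without port numbers a translator has nothing to map, which is what NAT-T's UDP 4500 encapsulation fixes.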
Traffic Types
Unicast
One-to-one communication — one sender, one receiver. Example: Web browsing or email.
Multicast
One-to-many communication — data sent to a group of devices that “subscribe” to a multicast address. Example: Live video streams or IPTV.
Anycast
One-to-nearest communication — the same address is advertised from several locations and routing delivers each packet only to the topologically nearest instance (by routing metric). Example: DNS root servers use Anycast so clients reach the closest server.
Broadcast
One-to-all communication — data sent to every device in a local network. IPv4 only; IPv6 has no broadcast and uses multicast instead. Example: ARP requests and DHCP Discover messages.