Sec+ Ch. 3
Network operating systems commonly use a directory service to streamline management and implement security. A common use case is to provide secure access to the network. As an example, many organizations use Microsoft Active Directory Domain Services (AD DS). AD DS provides the means for administrators to create user objects for each authorized user and computer objects for each authorized computer. Administrators then use various methods within the directory service to enforce identification, authentication, and authorization methods. Chapter 2, "Understanding Identity and Access Management," covers three relevant topics that help support this use case: (3)
-Kerberos. Kerberos is the authentication protocol used in Windows domains and some Unix environments. It uses a Key Distribution Center (KDC) to issue timestamped tickets. Kerberos uses UDP port 88. • LDAP. Lightweight Directory Access Protocol(LDAP) is the protocol used to communicate with directories such as AD DS. LDAP provides a clear syntax for object identification and management. LDAP uses TCP port 389. LDAP Secure (LDAPS) encrypts data with TLS using TCP port 636. • Group Policy. Administrators use Group Policy Objects (GPOs) to configure settings. They can then apply these GPOs to users and computers within the domain.
Protocol number of ICMP
1
SMTP unofficially used port __(#) with SSL and port __(#) with TLS. However, it is now recommended that SMTP use STARTTLS to initialize a secure connection.
465; 587
PPTP protocol number
47
Client-side ports start at port __(#) and increment up to __(#).
49,152; 65,535
Protocol number of IPSec ESP packet
50
Protocol number of IPSec AH packet
51
Protocol number of TCP
6
Popular web servers on the Internet include (2)
Apache and Internet Information Services (IIS). Apache is free and runs on Unix or Linux systems. Apache can also run on other platforms, such as Microsoft systems. IIS is included in Microsoft Server products.
IPsec includes two main components: __ identified by protocol ID number __(#) and __ identified by protocol ID number __(#).
Authentication Header (AH) ; 51; Encapsulating Security Payload (ESP); 50
BIND stands for
Berkeley Internet Name Domain (BIND);
Most DNS servers on the Internet run __ software and run on __ servers.
Berkeley Internet Name Domain (BIND); Unix or Linux
One of the primary methods of preventing DNS cache poisoning is with (describe)
Domain Name System Security Extensions (DNSSEC). DNSSEC is a suite of extensions to DNS that provides validation for DNS responses. It adds a digital signature to each record that provides data integrity. If a DNS server receives a DNSSEC-enabled response with digitally signed records, the DNS server knows that the response is valid.
Secure IMAP port
IMAP4 with SSL or TLS can use TCP port 993, but STARTTLS is recommended using the same TCP port 143.
Internet Protocol security (IPsec) is used to encrypt
IP traffic.
One of the drawbacks to NAT is that it is not compatible with
IPsec. You can use IPsec to create VPN tunnels and use it with L2TP to encrypt VPN traffic. Although there are ways of getting around NAT's incompatibility with IPsec, if your design includes IPsec going through NAT, you'll need to look at it closely.
Some common use cases related to email are send and receive email, send and receive secure email, and manage email folders. For the web, common use cases for internal employees are to provide access to the Internet and provide secure access to the Internet. Many organizations host web servers and common use cases for these web servers are to provide access to web servers by external clients. Many of these protocols support the use of STARTTLS. (explain)
Instead of using one port to transmit data in cleartext and a second port to transmit data in ciphertext, the STARTTLS command allows the protocol to use the same port for both.
The __ maintains a list of official port assignments that you can view at http://www.iana.org/assignments/port-numbers.
Internet Assigned Numbers Authority (IANA)
Internet Assigned Numbers Authority (IANA) assigned the last block of IPv4 addresses in February 2011. To prepare, the __ created IPv6,
Internet Engineering Task Force (IETF)
IPsec. Internet Protocol security (IPsec) is used to encrypt IP traffic. It is native to IPv6 but also works with IPv4. IPsec encapsulates and encrypts IP packet payloads and uses Tunnel mode to protect virtual private network (VPN) traffic. IPsec includes two main components: Authentication Header (AH) identified by protocol ID number 51 and Encapsulating Security Payload (ESP) identified by protocol ID number 50. It uses the __ over UDP port 500 to create a security association for the VPN.
Internet Key Exchange (IKE)
Most DNS servers on the Internet run Berkeley Internet Name Domain (BIND) software and run on Unix or Linux servers. Internal networks can use BIND, but in Microsoft networks, DNS servers commonly use the __ software.
Microsoft DNS
Administrators often implement SSH (discussed in the "File Transfer Use Case" section) to meet a use case of supporting remote access. As an example, many Linux administrators use __ when connecting to remote systems for administration, and secure the __ transmissions with SSH.
Netcat
FTP passive mode also known as
PASV
SNTP stands for
Simple NTP (SNTP)
The __ protocol can also be used for time synchronization. However, NTP uses complex algorithms and queries multiple time servers to identify the most accurate __ does not use these algorithms, so it might not be as accurate as the result from NTP.
Simple NTP (SNTP)
Describe Subscription Services Use Case
Subscription services refer to a subscription-based business model. For example, instead of selling software applications to users, many vendors have moved to a subscription model where users pay over time. As an example, years ago, it was common for people to purchase Microsoft Office for access to applications such as Microsoft Word, Microsoft Excel, Microsoft Outlook, and others. Today, organizations often pay monthly or annually for access to Office 365. This gives them the most current version of Microsoft Office products, along with additional features such as cloud storage. The protocols used for subscription services use cases vary widely depending on the actual service. However, it's common for these to use HTTPS connections for security. Database servers maintain databases of customers, along with the products they're renting. The connections between web servers and database servers should be secure and might use HTTPS or TLS. When the subscription is nearing an end, systems send automated emails to customers using SMTP.
Does DNS use tcp or udp for zone transfers?
TCP
LDAPS port
TCP 636
FTPS. File Transfer Protocol Secure (FTPS) is an extension of FTP and uses TLS to encrypt FTP traffic. Some implementations of FTPS use ports __. However, __
TCP 989 and 990; TLS can also encrypt the traffic over the ports used by FTP (20 and 21).
Secure Copy (SCP) is based on SSH and is used to copy encrypted files over a network. SSH can also encrypt __, a type of access control list used on Linux systems to filter traffic.
TCP Wrappers
The start of authority (SOA) record includes information about the DNS zone and some of its settings. For example, it includes the
TTL (Time to Live) settings for DNS records. DNS clients use the TTL setting to determine how long to cache DNS results. TTL times are in seconds and lower times cause clients to renew the records more often.
Some versions of both commands (nslookup and dig) support the @ symbol to
identify a specific DNS server you want to query. This is useful if you want to pull all the records from a DNS zone. When doing this, you would use the any switch (indicating all records) or the axfr switch (short for all transfer). However, most DNS servers are configured to block these queries.
Linux systems support iptables and many additions to iptables, such as (2)
ipv6tables, arptables, and so on.
The reverse proxy server can be used for a single web server or a web farm of multiple servers. When used with a web farm, it can act as a
load balancer. You would place the load balancer in the DMZ to accept the requests and it then forwards the requests to different servers in the web farm using a load-balancing algorithm.
A __ is a server that examines all incoming and outgoing email and attempts to reduce risks associated with email.
mail gateway
A __ is a device that converts data from the format used on one network to the format used on another network.
media gateway
A router connects multiple __ together into a single network and routes traffic between the __.
network segments
The first version of SNMP had vulnerabilities, such as
passing passwords across the network in cleartext. SNMPv2 and SNMPv3 are much more secure and they provide strong authentication mechanisms. SNMPv3 uses UDP port 161. It sends traps (error messages and notifications) on UDP port 162.
An airgap is a metaphor for __, indicating that there is a gap of air between an isolated system and other systems.
physical isolation
It's common to place an aggregation switch in the same location as you'd place
routers
The network perimeter provides a boundary between
the intranet and the Internet.
Instead of private IP addresses, IPv6 uses __ addresses.
unique local
A __ is a firewall specifically designed to protect a web application, which is commonly hosted on a web server. In other words, it's placed between a server hosting a web application and a client. It can be a stand-alone appliance, or software added to another device.
web application firewall (WAF)
WAF stands for
web application firewall (WAF)
Linux systems support iptables and many additions to iptables, such as ipv6tables, arptables, and so on. Generically, administrators commonly refer to these as
xtables.
Occasionally, DNS servers share information with each other in a process known as a
zone transfer. In most cases, a zone transfer only includes a small number of updated records.
Protocol number of UDP
17
Describe MAC flood attack
A MAC flood attack attempts to overload a switch with different MAC addresses associated with each physical port. You typically have only one device connected to any physical port. During normal operation, the switch's internal table stores the MAC address associated with this device and maps it to the port. In a MAC flood attack, an attacker sends a large amount of traffic with spoofed MAC addresses to the same port. At some point in a MAC flood attack, the switch runs out of memory to store all the MAC addresses and enters a fail-open state. Instead of working as a switch, it begins operating as a simple hub. Traffic sent to any port of the switch is now sent to all other switch ports. At this point, the attacker can connect a protocol analyzer to any port and collect all the traffic sent through the switch. Many switches include a flood guard to protect against MAC flood attacks. When enabled, the switch will limit the amount of memory used to store MAC addresses for each port. For example, the switch might limit the number of entries for any port to 132 entries. This is much more than you need for normal operation. If the switch detects an attempt to store more than 132 entries, it raises an alert. .
Describe application proxy
An application proxy is used for specific applications. It accepts requests, forwards the requests to the appropriate server, and then sends the response to the original requestor. A forward proxy used for HTTP is a basic application proxy. However, most application proxies are multipurpose proxy servers supporting multiple protocols such as HTTP and HTTPS. As a more advanced example, imagine you buy a book from Amazon and Amazon ships it via United Parcel Service (UPS). Later, you check your account to see the status of the shipment. The Amazon web site sends a query to a UPS application proxy for the status. The UPS application proxy provides the status in a response. Internet applications exchange data this way using application programming interfaces (APIs). For example, UPS specifies the format of the request in an API. If the application proxy receives a properly formatted and valid request, it provides an answer.
Compare Application-Based Versus Network-Based Firewalls
An application-based firewall is typically software running on a system. For example, host- based firewalls are commonly application-based. A network-based firewall is usually a dedicated system with additional software installed to monitor, filter, and log traffic. For example, Cisco makes a variety of different network-based firewalls. Many of them are dedicated servers with proprietary firewall software installed.
__ firewalls block all traffic coming from private IP addresses.
Border
Stateless firewalls use rules implemented as ACLs to identify allowed and blocked traffic. This is similar to how a router uses rules. Firewalls use an implicit deny strategy to block all traffic that is not explicitly allowed. Although rules within ACLs look a little different depending on what hardware you're using, they generally take the following format:
Permission Protocol Source Destination Port • Permission. You'll typically see this as PERMIT or ALLOW allowing the traffic. Most systems use DENY to block the traffic. • Protocol. Typically, you'll see TCP or UDP here, especially when blocking specific TCP or UDP ports. If you want to block both TCP and UDP traffic using the same port, you can use IP instead. Using ICMP here blocks ICMP traffic, effectively blocking ping and some other diagnostics that use ICMP. • Source. Traffic comes from a source IP address. You identify an IP address to allow or block traffic from a single computer, or from a range of IP addresses, such as from a single subnet. Wildcards such as any or all include all IP addresses. • Destination. Traffic is addressed to a destination IP address. You identify an IP address to allow or block traffic to a single computer, or to a range of IP addresses, such as to an entire subnet. Wildcards such as any or all include all IP addresses. • Port or protocol. Typically, you'll see the well-known port such as port 80 for HTTP. However, some devices support codes such as www for HTTP traffic. Some systems support the use of keywords such as eq for equal, lt for less than, and gt for greater than. For example, instead of just using port 80, it might indicate eq 80.
The Secure Sockets Layer (SSL) protocol was the primary method used to secure HTTP traffic as Hypertext Transfer Protocol Secure (HTTPS). SSL can also encrypt other types of traffic, such as __ and __. However, it has been compromised and is not recommended for use.
SMTP; Lightweight Directory Access Protocol (LDAP)
The Transport Layer Security (TLS) protocol is the designated replacement for SSL and should be used instead of SSL. Additionally, many protocols that support TLS use __. __ looks like an acronym, but it isn't. Instead, it is a command used to upgrade an unencrypted connection to an encrypted connection on the same port.
STARTTLS
__ is based on SSH and is used to copy encrypted files over a network.
Secure Copy (SCP)
Secure POP3 port
Secure POP3 encrypts the transmission with SSL or TLS and can use TCP port 995. However, STARTTLS is now recommended to create a secure connection on port 110.
SRTP stands for
Secure Real-time Transport Protocol (SRTP)
The __ provides encryption, message authentication, and integrity for RTP.
Secure Real-time Transport Protocol (SRTP)
A common network security practice is to use different components to provide network separation. The CompTIA objectives list these as segregation, segmentation, and isolation. (describe)
Segregation provides basic separation, segmentation refers to putting traffic on different segments, and isolation indicates the systems are completely separate. Chapter 1 covers virtualization concepts in depth and virtualization can be used to provide isolation. For example, some antivirus experts use virtual machines to analyze malware.
A(n) __ connects multiple switches together in a network.
aggregation switch
In contrast, a nontransparent proxy server can modify or filter requests. Organizations often use nontransparent proxy servers to restrict what users can access with the use of URL filters. A URL filter examines the requested URL and chooses to allow the request or deny the request. Many third-party companies sell subscription lists for URL filtering. (describe)
These sites scour the Internet for web sites and categorize the sites based on what companies typically want to block. Categories may include anonymizers, pornography, gambling, web-based email, and warez sites. Anonymizers are sites that give the illusion of privacy on the Internet. Employees sometimes try to use anonymizers to bypass proxy servers, but a proxy server usually detects, blocks, and logs these attempts. Web-based email bypasses the security controls on internal email servers, so many organizations block them. Warez sites often host pirated software, movies, MP3 files, and hacking tools. The subscription list can be loaded into the proxy server, and whenever a user attempts to access a site on the URL filter block list, the proxy blocks the request. Often, the proxy server presents users with a warning page when they try to access a restricted page. Many organizations use this page to remind users of a corporate acceptable usage policy, and some provide reminders that the proxy server is monitoring their online activity.
Many mail gateways also support encryption. (describe)
They can encrypt all outgoing email to ensure confidentiality for the data-in-transit, or only encrypt certain data based on policies. For example, if an organization is working on a project with another organization, administrators can configure the gateway to encrypt all traffic sent to the other organization. The method of encryption varies from vendor to vendor. For example, some vendors use certificate-based encryption. Others use password-based encryption. Chapter 10 discusses encryption in more depth.
SNMP port(s)
UDP 161, 162
IPsec. Internet Protocol security (IPsec) is used to encrypt IP traffic. It is native to IPv6 but also works with IPv4. IPsec encapsulates and encrypts IP packet payloads and uses Tunnel mode to protect virtual private network (VPN) traffic. IPsec includes two main components: Authentication Header (AH) identified by protocol ID number 51 and Encapsulating Security Payload (ESP) identified by protocol ID number 50. It uses the Internet Key Exchange (IKE) over port __ to create a security association for the VPN.
UDP 500
Kerberos port
UDP 88
Many switches include a flood guard to protect against MAC flood attacks. (describe)
When enabled, the switch will limit the amount of memory used to store MAC addresses for each port. For example, the switch might limit the number of entries for any port to 132 entries. This is much more than you need for normal operation. If the switch detects an attempt to store more than 132 entries, it raises an alert. The flood guard typically sends a Simple Network Management Protocol (SNMP) trap or error message in response to the alert. Additionally, it can either disable the port or restrict updates for the port. By disabling the port, it effectively blocks all traffic through the port until an administrator intervenes. If it restricts updates, the switch will use currently logged entries for the port, but ignore attempts to update it. All other ports will continue to operate normally. Another flood guard supported by some switches is a setting for the maximum number of MACs supported by a port. Most ports will typically have this set to 1 to support only a single MAC address. However, consider a virtual machine (VM) running within a physical host. If the VM is set to bridged, it can access the network using the physical host's NIC, but with the MAC address of the VM. In this scenario, the Maximum MAC setting should be set to 2.
There are many instances when systems need to be using the same time (or at least a time that is reasonably close). A common use case is to ensure systems have the accurate time. As an example, Kerberos requires all systems to be synchronized and be within five minutes of each other. Within a Microsoft domain, one domain controller periodically uses the __ to locate a reliable Internet server running the Network Time Protocol (NTP).
Windows Time service
A media gateway is
a device that converts data from the format used on one network to the format used on another network. As an example, a VoIP gateway converts telephony traffic between traditional phone lines and an IP-based network. This allows users to make and receive phone calls using VoIP equipment and the gateway can translate the traffic and transmit the calls over a traditional phone line.
A web application firewall (WAF) is
a firewall specifically designed to protect a web application, which is commonly hosted on a web server. In other words, it's placed between a server hosting a web application and a client. It can be a stand-alone appliance, or software added to another device. As an example, an organization may host an e-commerce web site to generate revenue. The web server will be placed within a demilitarized zone (DMZ) (discussed later in this chapter), but due to the data that the web server handles, it needs more protection. A successful attack may be able to take the web server down, and allow an attacker to access or manipulate data. Note that you wouldn't use a WAF in place of a network-based firewall. Instead, it provides an added layer of protection for the web application in addition to a network-based firewall.
A common security issue with UTMs is
a misconfigured content filter. For example, if the spam filter is misconfigured, it can block valid mail or allow too much spam into the network. Administrators adjust the sensitivity of the spam filter to meet the needs of the organization. For example, one organization might find it unacceptable to block emails from customers or potential customers. Administrators would adjust the sensitivity allowing more spam into the network to meet this need.
A mail gateway is
a server that examines all incoming and outgoing email and attempts to reduce risks associated with email. Many vendors sell appliances that perform all the desired services of a mail gateway. Administrators locate it between the email server and the Internet and configure it for their purposes. All mail goes to the gateway before it goes to the email server. Additionally, many vendors include a mail gateway within a UTM appliance. The mail gateway is just another security feature within the UTM appliance.
Many switches have a console port that
administrators can use to monitor all traffic. Unlike the normal ports that only see traffic specifically addressed to the port, the monitoring port will see all traffic in or out of the switch. This includes any unicast traffic the switch is internally switching between two regular ports. The monitoring port is useful for legitimate troubleshooting, but if the switch isn't protected with physical security, it can also be useful to an attacker.
In contrast, a nontransparent proxy server can modify or filter requests. Organizations often use nontransparent proxy servers to restrict what users can access with the use of URL filters. A URL filter examines the requested URL and chooses to allow the request or deny the request. Many third-party companies sell subscription lists for URL filtering. These sites scour the Internet for web sites and categorize the sites based on what companies typically want to block. Categories may include (5)
anonymizers, pornography, gambling, web-based email, and warez sites. Anonymizers are sites that give the illusion of privacy on the Internet. Employees sometimes try to use anonymizers to bypass proxy servers, but a proxy server usually detects, blocks, and logs these attempts. Web-based email bypasses the security controls on internal email servers, so many organizations block them. Warez sites often host pirated software, movies, MP3 files, and hacking tools. The subscription list can be loaded into the proxy server, and whenever a user attempts to access a site on the URL filter block list, the proxy blocks the request. Often, the proxy server presents users with a warning page when they try to access a restricted page. Many organizations use this page to remind users of a corporate acceptable usage policy, and some provide reminders that the proxy server is monitoring their online activity.
Attackers often use spoofing to impersonate or masquerade as someone or something else. In the context of routers, an attacker will spoof the source IP address by replacing the actual source IP address with a different one. This is often done to hide the actual source of the packet. You can implement __ on a router by modifying the access list to allow or block IP addresses. As an example, private IP addresses (listed earlier in this chapter) should only be used in private networks. Any traffic coming from the Internet using a private IP address as the source IP address is obviously an attempt to spoof the source IP address. The following three rules would be implemented on a router (though the syntax may be different on various routers for __): • deny ip 10.0.0.0 0.255.255.255 any • deny ip 172.16.0.0 0.15.255.255 any • deny ip 192.168.0.0 0.0.255.255 any
antispoofing
An application proxy is used for specific applications. It accepts requests, forwards the requests to the appropriate server, and then sends the response to the original requestor. A forward proxy used for HTTP is a basic application proxy. However, most application proxies are multipurpose proxy servers supporting multiple protocols such as HTTP and HTTPS. As a more advanced example, imagine you buy a book from Amazon and Amazon ships it via United Parcel Service (UPS). Later, you check your account to see the status of the shipment. The Amazon web site sends a query to a UPS application proxy for the status. The UPS application proxy provides the status in a response. Internet applications exchange data this way using
application programming interfaces (APIs). For example, UPS specifies the format of the request in an API. If the application proxy receives a properly formatted and valid request, it provides an answer.
Two command-line tools used to query DNS are nslookup and dig. Both support the __ switch, allowing them to download all zone data from a DNS server, unless the DNS server blocks the attempt.
axfr
The proxy server increases the performance of Internet requests by
caching each result received from the Internet. Any data that is in the proxy server's cache doesn't need to be retrieved from the Internet again to fulfill another client's request.
An aggregation switch...
connects multiple switches together in a network. Aggregate simply means that you are creating something larger from smaller elements.
Mail gateways often include __ capabilities.
data loss prevention (DLP) (They examine outgoing email looking for confidential or sensitive information and block them. As an example, imagine an organization is working on a secret project with a codeword of "DOH." All documents associated with this project have the keyword within them. The mail gateway includes this keyword in its searches and when it detects the keyword within an email or an attachment, it blocks the email. Administrators have the choice of configuring the gateway to notify security personnel, the user who sent the email, or both when it blocks an email.)
Firewalls use a __(3) statement at the end of the ACL to enforce an implicit deny strategy.
deny any any, deny any, or a drop all
RDP port
either UDP or TCP 3389, TCP is more common
The Secure Real-time Transport Protocol (SRTP) provides __(3) for RTP.
encryption, message authentication, and integrity
Instead of private IP addresses, IPv6 uses unique local addresses. They are only allocated within private networks and not assigned to systems on the Internet. Unique local addresses start with the prefix of
fc00
Kerberos requires all systems to be synchronized and be within __(amount of time) of each other.
five minutes
Many switches include a __ to protect against MAC flood attacks.
flood guard
Router ACLs provide basic packet filtering. They filter packets based on IP addresses, ports, and some protocols, such as ICMP or IPsec, based on the protocol identifiers: (3)
• IP addresses and networks. You can add a rule in the ACL to block access from any single computer based on the IP address. If you want to block traffic from one subnet to another, you can use a rule to block traffic using the subnet IDs. For example, the Sales department may be in the 192.168.1.0/24 network and the Accounting department may be in the 192.168.5.0/24 network. You can ensure traffic from these two departments stays separate with an ACL on a router. • Ports. You can filter traffic based on logical ports. For example, if you want to block HTTP traffic, you can create a rule to block traffic on port 80. Note that you can choose to block incoming traffic, outgoing traffic, or both. In other words, it's possible to allow outgoing HTTP traffic while blocking incoming HTTP traffic. • Protocol numbers. Many protocols are identified by their protocol numbers. For example, ICMP uses a protocol number of 1 and many DoS attacks use ICMP. You can block all ICMP traffic (and the attacks that use it) by blocking traffic using this protocol number. Many automated intrusion prevention systems (IPSs) dynamically block ICMP traffic in response to attacks. Similarly, you can restrict traffic to only packets encrypted with IPsec ESP using a rule that allows traffic using protocol number 50, but blocks all other traffic. PPTP uses protocol number 47 and can be allowed by allowing traffic using protocol ID 47.
UTM security appliances include multiple capabilities, including: (4)
• URL filtering. URL filters within a UTM security appliance perform the same job as a proxy server. They block access to sites based on the URL. It's common to subscribe to a service and select categories to block access to groups of sites. Administrators can also configure URL filters manually to allow or block access to specific web sites. As an example, if an administrator realizes that users are routinely connecting connecting to a peer-to- peer (P2P) file sharing site, the administrator can add the URL to the filter, and block access to that site. • Malware inspection. Malware often comes into a network via spam, or malicious web pages. The malware inspection component of a UTM appliance screens incoming data for known malware and blocks it. Organizations often scan for malware at email servers and at individual systems as part of a layered security or defense-in-depth solution. • Content inspection. Content inspection includes a combination of different content filters. It monitors incoming data streams and attempts to block any malicious content. It can include a spam filter to inspect incoming email and reject spam. It can also block specific types of transmissions, such as streaming audio and video, and specific types of files such as Zip files. • DDoS mitigator. A DDoS mitigator attempts to detect DDoS attacks and block them. This is similar to how intrusion prevention systems (IPSs) block attacks. Chapter 4 covers IPSs in more depth.
The Internet Assigned Numbers Authority (IANA) maintains a list of official port assignments that you can view at http://www.iana.org/assignments/port-numbers. IANA divided the ports into three ranges, as follows: .
• Well-known ports: 0-1023. IANA assigns port numbers to commonly used protocols in the well-known ports range. • Registered ports: 1024-49,151. IANA registers these ports for companies as a convenience to the IT community. A single company may register a port for a proprietary use, or multiple companies may use the same port for a specific standard. As an example, Microsoft SQL Server uses port 1433 for database servers, Layer 2 Tunneling Protocol (L2TP) uses port 1701, and Point-to-Point Tunneling Protocol (PPTP) uses port 1723. • Dynamic and private ports: 49,152-65,535. These ports are available for use by any application. Applications commonly use these ports to temporarily map an application to a port. These temporary port mappings are often called ephemeral ports, indicating that they are short lived.
