Chp 4 Protocols and Services
FTP, FTPS, SFTP, TFTP
File Transfer Protocol (FTP), and its more secure versions FTPS and SFTP, transfers files from one system to another. FTP is insecure in that the username and password are transmitted in cleartext. The original cleartext version uses TCP port 20 for data and TCP port 21 as the control channel. Using FTP when security is a consideration is not recommended. FTPS is FTP that adds support for the Transport Layer Security (TLS) and the Secure Sockets Layer (SSL) cryptographic protocols. FTPS uses TCP ports 989 and 990. FTPS is not the same as and should not be confused with another secure version of FTP, SSH File Transfer Protocol (SFTP). This is an extension of the Secure Shell (SSH) protocol. There have been a number of different versions, with version 6 being the latest. Because it uses SSH for the file transfer, it uses TCP port 22. Trivial FTP (TFTP) does not use authentication and runs over UDP port 69.
HTTP, HTTPS, S-HTTP
Hypertext Transfer Protocol (HTTP) and its secure versions, HTTPS and S-HTTP. This protocol is used to view and transfer web pages or web content between a web server and a web client. With each new address that is entered into the web browser, whether from initial user entry or by clicking a link on the page displayed, a new connection is established because HTTP is a stateless protocol. The original version (HTTP) has no encryption, so when security is a concern, one of the two secure versions should be used. HTTP uses TCP port 80. Hypertext Transfer Protocol Secure (HTTPS) layers HTTP on top of the SSL/TLS protocol, thus adding the security capabilities of SSL/TLS to standard HTTP communications. SSL/TLS keeps the session open using a secure channel. HTTPS websites will always include the https:// designation at the beginning. It is often used for secure websites because it requires no software or configuration changes on the web client to function securely. When HTTPS is used, port 80 is not used. Rather, it uses port 443. Unlike HTTPS, which encrypts the entire communication, S-HTTP encrypts only the served page data and submitted data such as POST fields, leaving the initiation of the protocol unchanged. Secure-HTTP and HTTP processing can operate on the same TCP port, port 80. This version is rarely used.
Simple Mail Transfer Protocol (SMTP)
POP and IMAP are client email protocols used for retrieving email, but when email servers are talking to each other, they use a protocol called Simple Mail Transfer Protocol (SMTP), a standard Application layer protocol. This is also the protocol used by clients to send email. SMTP uses port 25, and when it is run over SSL, it uses port 465. Enhanced SMTP (ESMTP) allows larger field sizes and extension of existing SMTP commands
SSL/TLS
Secure Sockets layer / Transport Layer Security - An encryption layer of HTTP that uses public key cryptography to establish a secure connection.
Multilayer Protocols
The best example is TCP/IP, the networking protocol used on the Internet and on the vast majority of LANs. Multilayer protocols provide the following benefits: A wide range of protocols can be used at higher layers. Encryption can be incorporated at various layers. Flexibility and resiliency in complex network structures is supported. There are a few drawbacks of multilayer protocols: Covert channels are allowed. Filters can be bypassed. Logically imposed network segment boundaries can be overstepped. Distributed Network Protocol version 3 (DNP3) is a multilayer protocol that is used between components in process automation systems in electric and water companies. It was developed for communications between various types of data acquisition and control equipment. It plays a crucial role in supervisory control and data acquisition (SCADA) systems
Label Distribution Protocol (LDP)
allows routers capable of MPLS to exchange label mapping information. UDP TCP port 646.
ARP/RARP
designed to resolve the destination IP address placed in the header by IP to a Layer 2 or MAC address Reverse ARP resolves MAC addresses to IP addresses.
Network File System (NFS)
is a client/server file-sharing protocol used in UNIX/Linux. It operates over TCP port 2049.
Lightweight Directory Access Protocol (LDAP)
is a directory query protocol that is based on the X.500 series of computer networking standards. Microsoft's Active Directory Services NetIQ's eDirectory Network Information Service (NIS). uses TCP/UDP port 389.
Common Internet File System (CIFS)/Server Message Block (SMB)
is a file-sharing protocol. It uses TCP port 44
DHCP/BOOTP
is a service that can be used to automate the process of assigning an IP configuration to the devices in the network. A DHCP server uses the bootstrap protocol (BOOTP) to perform its functions. Uses UDP ports 67 and 68. Port 67 sends data to the server, and port 68 sends data to the client.
Network address translation (NAT)
is a service that maps private IP addresses to public IP addresses.
Port address translation (PAT)
is a specific version of NAT that uses a single public IP address to represent multiple private IP addresses.
Network Basic Input/Output System (NetBIOS)
is an API, an be enabled to permit sharing resources runs on TCP ports 137, 138, and 139.
Post Office Protocol (POP)
is an Application layer email retrieval protocol. It allows for downloading messages only and does not allow the additional functionality provided by IMAP4. uses port 110, 995.
Internet Group Management Protocol (IGMP)
provides multicasting capabilities to devices. Multicasting allows devices to transmit data to multiple recipients. Is used by many gaming platforms.
DNS (Domain Name System)
relieves all humans from having to know the IP address of every computer with which they want to communicate. Ultimately, an IP address must be known to connect to another computer. DNS resolves a computer name (or in the case of the Web, a domain name) to an IP address. Uses UDP TCP port 53
Internet Message Access Protocol (IMAP)
is an Application layer protocol for email retrieval. It is a client email protocol used to access email from a server. Unlike POP3, another email client that can only download messages from the server, It allows one to download a copy and leave a copy on the server. Uses port 143, 993.
Simple Network Management Protocol (SNMP)
is an Application layer protocol that is used to retrieve information from network devices and to send configuration changes to those devices. SNMP uses TCP port 162 and UDP ports 161 and 162. Is susceptible to brute-force attacks on the community strings and password used. The defaults of community string names, which are widely known, are often left in place. The latest version, SNMPv3, is the most secure.
Internet Control Message Protocol (ICMP)
is used by devices to transmit error messages regarding problems with transmissions. It also is the protocol used when the ping and traceroute commands are used to troubleshoot network connectivity problems. A protocol that can be leveraged to mount several network attacks based on its operation, and for this reason many networks choose to block it.