I'd like you to imagine that we've discovered a malicious application that's running on our network. And so we talk to the security team, and we ask them to block it so it can't course through the veins of our network. Now, in order to do their job and to stop that traffic, it's likely they're going to need to know a few things, including, number one, what protocol or protocols is this application or this malicious software using? And secondly, what ports are involved? Because that's going to be a big part of them implementing controls to stop that type of traffic. And even for applications and services that are not malicious, it's handy for us to know some of the common protocols and ports that are used on our networks today. So here's a nice handy table I'd like to just chat with you about for a moment. On the left-hand side, we have the actual protocol itself. Then we have a little bit more information here in this column in the middle. And then over here, on the right, we have some of the common well-known ports.
So if a user is going to the internet with a browser, it's very likely they're going to be using HTTP or HTTPS. The big difference is one is plain text, HTTP, and the other has security services enabled as part of it. And those protocols use TCP ports 80 and 443, respectively. If a network administrator wanted to remotely connect over to a router or a switch to do management on that, they could remotely log on and get a command line interface. They could type in characters, if you will, to that system by using Telnet. Telnet uses the well-known port at the transport layer of TCP port 23. However, because it's unencrypted, anybody who's eavesdropping or who steals those packets off the network will be able to determine what's going on. So most of the time, for security, instead of using Telnet, a more secure administrator would be using SSH, Secure Shell, which provides the same functionality of a remote connection to a system, but it adds encryption and security on top of it to make it more secure. And SSH uses the well-known port of TCP 22.
When a computer is trying to go to www.google.com, in the background that name is being translated into an IP address. And that's an example of a DNS query that our computer does behind the scenes for us thousands of times a day. And for that, at the transport layer, it uses UDP as the transport protocol, and port number 53 is the well-known port for the DNS server. In the world of TCP/IP, each host is going to have an address. We can assign IP addresses to clients using a dynamic protocol called DHCP, the Dynamic Host Configuration Protocol. And that uses UDP ports 67 and 68, depending on if the packet is from the client to the server or the response is coming from a DHCP server going back to a DHCP client. If we want to move files around, there's lots of ways of doing it, including these three options right here: FTP, File Transfer Protocol; TFTP, Trivial File Transfer Protocol; and SFTP, which, depending on which protocol you're actually using, could be SSH File Transfer Protocol or Secure File Transfer Protocol.
And over here, in the right-hand column, we have the common well-known ports associated with those three protocols. Another very common network service that is being used by millions of people every day is email. And so we have several email protocols as well: SMTP, the Simple Mail Transfer Protocol, which is being used for outbound email or email that's going back and forth between email servers. We have Post Office Protocol version 3, or POP3, which a client application uses to get email from an email server. We also have a protocol called IMAP, Internet Message Access Protocol, that can be used between an email client and an email server for the retrieval and notifications of email messages. And those three protocols have three well-known ports respectively associated with each of them. Sometimes we need access to a remote device. And one protocol we can use to do that is RDP, Remote Desktop Protocol. And its well-known port is TCP port 3389.
Among the things we take for granted is accurate time, and most computer systems are using, in the background, some flavor of NTP, Network Time Protocol, which uses UDP port 123 as the well-known port associated with the NTP server. That allows a computer to reach out, get the time, and then synchronize its own time based on the server. Another big advance over the last decade or so in the world of IP networks is to have voice traffic and telephone calls over IP networks. And one of the protocols involved with that is SIP, Session Initiation Protocol. And well-known ports associated with SIP include TCP and UDP port 5060 as well as TCP port 5061. A very popular protocol in a Microsoft network that includes the ability to receive and send files over the network is a protocol called SMB, Server Message Block, which is associated with the well-known port of TCP 445.
One popular option for managing lots and lots of users in an organization is to have a central repository with all the users-- Bob, Sally, Lois, et cetera-- and then, whenever it needs to check and verify things like passwords for those users, they can check with that centralized server or servers. And one protocol it can use to do that is LDAP, the Lightweight Directory Access Protocol. There is a version that does not use security for the communications. And there's yet another version that does include the security. And that's LDAPS, and that is LDAP that includes the benefits of TLS/SSL for the protection of that communication when using LDAP. So the less secure LDAP uses TCP and UDP port 389, while LDAPS uses TCP port 636. And the last protocol on the list here I want to talk about is H.323, which is a whole suite of protocols that can be used for audio and video over networks. And some well-known ports associated with H.323 include UDP port 1719, TCP port 1720, and a boatload more.
And what you'll discover is that, as you work with specific protocols more and more, you'll become more and more familiar with those specific ports used by those protocols. I hope this has been informative for you. And I'd like to thank you for viewing.
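As an added example, not part of the talk: a small Python script that classifies constructed flow records by the well-known ports the speaker lists, flags the cleartext protocols the talk pairs with a secured counterpart (Telnet/SSH, HTTP/HTTPS, LDAP/LDAPS), and turns the observed transport/port pairs into the block rules the security team in the opening scenario would need. The flow record format ("src dst transport dport") and the iptables rule shape are assumptions.

```python
# Example written for this transcript, not the speaker's material; the flow
# record format "src dst transport dport" is an assumption (records are constructed).

# (transport, destination port) -> protocol, using the well-known ports stated in the talk
WELL_KNOWN = {
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
    ("tcp", 23): "Telnet", ("tcp", 22): "SSH",
    ("udp", 53): "DNS", ("udp", 67): "DHCP", ("udp", 68): "DHCP",
    ("tcp", 3389): "RDP", ("udp", 123): "NTP",
    ("tcp", 5060): "SIP", ("udp", 5060): "SIP", ("tcp", 5061): "SIP",
    ("tcp", 445): "SMB",
    ("tcp", 389): "LDAP", ("udp", 389): "LDAP", ("tcp", 636): "LDAPS",
    ("udp", 1719): "H.323", ("tcp", 1720): "H.323",
}

# Cleartext protocols the talk pairs with a secured counterpart
SECURE_ALTERNATIVE = {"Telnet": "SSH", "HTTP": "HTTPS", "LDAP": "LDAPS"}

def parse_flow(line):
    """Split one flow record into (src, dst, transport, dport)."""
    src, dst, transport, dport = line.split()
    return src, dst, transport.lower(), int(dport)

def classify(line):
    """Return (protocol, secure_alternative); unknown ports give ('unknown', None)."""
    _, _, transport, dport = parse_flow(line)
    proto = WELL_KNOWN.get((transport, dport), "unknown")
    return proto, SECURE_ALTERNATIVE.get(proto)

def audit(lines):
    """List flows using a cleartext protocol that has a secured counterpart."""
    findings = []
    for line in lines:
        src, dst, transport, dport = parse_flow(line)
        proto, better = classify(line)
        if better:
            findings.append(f"{src} -> {dst} {transport}/{dport} {proto}: prefer {better}")
    return findings

def block_rules(lines):
    """One iptables DROP rule per distinct transport/port seen: the protocol and port
    facts the security team needs before it can block an application."""
    seen = sorted({parse_flow(line)[2:] for line in lines})
    return [f"iptables -A FORWARD -p {t} --dport {p} -j DROP" for t, p in seen]

# Constructed sample flows: a Telnet and an SSH login, LDAP and LDAPS binds, HTTP and HTTPS
SAMPLE_FLOWS = [
    "10.0.0.5 10.0.0.9 tcp 23", "10.0.0.5 10.0.0.9 tcp 22",
    "10.0.0.7 10.0.1.2 udp 389", "10.0.0.7 10.0.1.2 tcp 636",
    "10.0.0.8 192.0.2.10 tcp 80", "10.0.0.8 192.0.2.10 tcp 443",
]
```

Running `audit(SAMPLE_FLOWS)` reports the Telnet, LDAP and HTTP flows with their secured counterpart, while the SSH, LDAPS and HTTPS flows pass without a finding.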