In my early IT days, about 20 years ago, I had a hard time grasping the concept of network ports. I read books and articles about how hackers exploited such and such ports, how you had to close some ports and secure others. I must confess it took me some time to fully understand the concept, and most importantly, how to apply the knowledge.
I decided to write this article to shed some light on this topic to help those new to IT or networking having difficulties understanding the concept too, if your area of expertise is not networking or you are a beginner this article will help you. I personally know many talented IT professionals whose expertise is in database, system administration, and application support who find it a bit difficult to conceptualize networking concepts, especially network ports. If you are an experienced network engineer you may find it refreshing or perhaps basic as this is something we’ve all been pounded with for most of our careers.
To understand what a network port is we first have to build a foundation, for that we’ll cover various networking concepts that will help you understand how communication between endpoints works in a network, that understanding will ultimately lead us to see the network ports in action.
Let’s look at the following network diagram. This is a flat, simple Ethernet network configuration that is very common in most small environments:
We have 3 Windows desktop computers, 1 Windows server, 1 managed switch, a FirewallRouter, and a connection to the internet.
The network uses TCP/IP protocol suite, meaning that each device has a unique IP address. The server in the network serves multiple purposes: it’s a Windows Domain Controller, and it also serves as an FTP, Web, and application server for the local users to access resources.
When hosts want to communicate with each other many interesting happen in the background, for the sake of this article we’ll ignore the ARP, IP, and DNS resolution process. Let’s just say that each host knows how to get to all other hosts in the network. As we are dealing with an IP network each host has a unique IP address that identifies it.
Now let’s go over a couple of day to day activities that occur in a network and how network protocols work in them:
- When PC1 accesses a shared drive on PC3 it uses SMB network protocol for communication. PC3 sees the request and if PC1 request is authenticated PC3 allows the communication to take place.
- PC2 accesses the local website hosted by Server1, in this case the end user uses a desktop application to reach the server’s web content, in the background a network application handles the communication and information is transferred between devices.
- Lastly, the office admin needs to create another network account. For this the local admin accesses Server1 from PC2 via a network application known as RDP which gives her direct access to the server console.
The aforementioned examples show simple network tasks. In order for those tasks to take place, hosts need to communicate with each other for various functions, that communication is established and maintained by the corresponding network protocol.
So far we have mentioned network protocols and network applications, let’s review what they are as we need that information to understand network ports.
Network Protocols.
Ever since I started in IT I’ve heard the same general definition of network protocols: a set of rules devices utilized for communication, it is a good general definition in its most basic form for what a protocol does in a network environment. The same way we have rules and procedures to effectively communicate with someone through verbal conversations Protocols serve as a standard for devices to communicate among themselves.
The term protocol is widely used in IT and depending on the context is used its meaning may vary. This was something I really had to stress to my students when I taught networking classes. For them, at the time, every time they heard protocols they automatically associated them with network protocols. It made sense at the time, but once we started going over more technologies they soon realized that it was not always the case and that the term protocol is widely used.
For instance, the Institute of Electrical and Electronics Engineers (IEEE) has created many network standards such as the 802, 802.11 and each standard is divided into subcategories as they create different projects. Those standards are also known as protocols, they provide the rules and guidelines hardware manufacturers use to create their products to ensure interoperability. There are other network architectures such as Token Ring, ATM, and FDDI that are also referred to as network protocols. In these cases, they are referring to network industry standards and not to the protocols we see in action in the OSI or the TCP/IP model. That is the reason why we have to understand the context where protocol appears, you may have been asking yourself: what does all this have to do with network ports? And the answer is A Lot, you’ll see how it all comes together as you keep reading.
A brief review of the OSI and TCP/IP model.
The Open System Interconnection (OSI) and the TCP/IP model is conceptual representation of network communication. They are the result of industry organizations attempting to explain, define, and represent internetworking communication and how protocols operate. Each standard represents communications in abstraction layers to help us understand the communication process, the OSI has 7 layers and the TCP/IP model has 4 layers. I will not expand on this in this article but I felt it was important to mention what the OSI and TCP/IP model does as we understand network ports. There are different thoughts about each model, however, the OSI model has become the de facto technical representations of protocol communication. For that reason, I will also refer to protocols communication from the OSI point of view in this article.
Network Applications: a network application is not to be confused with a user application such as Microsoft Word, Excel, Autodesk, QuickBooks, etc., even if they are used over the network. Network applications provide services that work at the Application Layer of the OSI model, thus the name Network Application. Users don’t have direct access to the network applications but they access them through other applications and API. In the IT world, we can refer to a Network Protocol as a Network Application, it does not apply to all protocols but in many instances, some protocols can function and serve as the Network Application. To make the concept clear let’s go over this example:
- The FTP example: File Transfer Protocol is a network protocol used is to send and receive files over TCP. FTP is a protocol but because it works at the Application Layer of the OSI model and performs a function that serves the users is also considered a Network Application. For details on FTP check rfc5797.
- The HTTP example: Hyper Text Transfer Protocol is a network protocol used by devices to communicate in the World Wide Web. It was the original protocol created during the early internet days that allowed system to read hyperlinks from systems. As in the case of FTP, HTTP is also considered a network application. Click here for details on HTTP.
- The TCP – UDP example: Transmission Control Protocol and User Datagram Protocol are, as their names imply, network protocols. They both function at the Transport Layer (Layer4) of the OSI model and their most basic function is to deliver information. However, they are not considered Network Applications because they don’t operate at the network layer.
The list could go on and on but by now I’m sure we’ve grasped the general concept.
IP comes into play.
Most networks nowadays, and any network that connects in one way or another to the internet relies on IP (protocol). You rarely hear of IP by itself but rather you see it being referred to in the TCP/IP protocol suite. Both protocols provide the structure necessary for communication in a network. In the case of IP (Internet Protocol) provides the “identification” of a host in a network by assigning a unique IP address. There are two “versions” of IP protocols, IPv4 and IPv6. For the sake of this article when I mention IP I will be referring to IPv4.
So in a simple network, you have different hosts that are identified by their unique IP address in their corresponding network, meaning no other host has the same IP address. If you have a passion for networking and enjoy reading pages of what seems to be boring, unattractive, typewriter formatted documents you’ll enjoy the IETF TCP/IP tutorial, the information is based on IPv4 and provides a deep background of how TCP/IP work. If you don’t have that strong conviction to spend hours reading the document don’t worry, you don’t know to know the nuts and bolts for a good general concept of network ports.
As stated earlier, an IP address is unique in each network. An example of a private IPv4 address is 172.16.5.122, 198.253.65.23, etc. This is not an article on how IP works so I’m not spending time talking about IP classes, Subnetting, Public and Private IPs, etc. but for the sake of the article knowing that an IP address is the unique identification of a host in an IP network will suffice.
Reviewing what we’ve covered so far we can say we have a basic understanding of protocols, network application, and IP addresses. Let’s put the pieces together as we move closer to see network ports in action:
When a user on PC1 (172.16.5.122) accesses resources on the Server (172.16.5.127) the user on PC1 uses a desktop application to initiate the process. To elaborate the point we’ll say that the Server is a web server hosting a site and the end-user on PC1 wants to access it. The most common application to access a website is a web browser, applications such as Firefox, Internet Explorer, Safari, Chrome are the most popular web browser.
The web browser represents the user or desktop application, when the user enters the URL in the address bar, let’s say www.precisetek.com, the web browser calls for the network application (HTTP) to read and process the content of the site and present it to the user. So far so good, right?
Now, let’s say that the Server (172.16.5.127) is not only hosting a website but it’s also an FTP server hosting files. How does the Server know how to answer back to PC1 when a request is initiated? Well, when the connection arrives in the Server it sees that HTTP is requesting communication on Port 80 therefore the Server understands that the request is made over HTTP and the protocol rules kick in. If the communication arrives in the server on port 21 the Server understands it’s an FTP request, and the process goes on and on with all network services.
So what is the purpose of a port? The IETF explains the concept clearly “Ports serve two purposes: first, they provide a demultiplexing identifier to differentiate transport sessions between the same pair of endpoints, and second, they may also identify the application protocol and associated service to which the process connects” Rfc6335 – page 7.
Now let’s break it down:
“Provide a demultiplexing identifier to differentiate transport session between the same pair of endpoints”: when endpoints communicate with each other they have to keep track of the communication session. For example, you are using your computer to access a website, as stated earlier HTTP service runs on TCP port 80. The server you are connecting to listening on port 80 but you initiate the connection on a port other than it, for that session you get assigned a dynamic port – let’s say 533369. Now, you open another session to the server but this time you access it via an FTP client to pull data from it, since the Server has an FTP server enabled on it is listening on TCP port 21, when you successfully establish the FTP session you also get assigned a dynamic port for that session – let’s say 533579.
Each device in the network keeps track of the network sessions, in the Microsoft Windows world you can use the netstat command to view the session information. When you run the netstat command with no switches, meaning just typing netstat, you’ll see the Transport protocol in one column, your Local IP Address and Port in another column, the foreign or remote address, and port on another column, and the session state.
Let’s take a look at a session table, right here you can see:
The Transport protocol is TCP,
The Local address shows you the loopback adapter (127.0.0.1) and
The IP address (172.15.5.121) is each associated with a network port used for communication.
The foreign address represents the remote host, in the case of the loopback address, the remote address in session represents the computer itself by the hostname (X5). The remote host also shows the listening port of the remote device.
So network ports help both endpoint devices keep track of the communication and session and also identify the services during that communication. Using the previous capture as an example you’ll notice server-54-192-37-102:https listed in the foreign address column. In this example, server-54-192-37-102 represents the server name and HTTPS represents the network protocol the remote hosts are listening to, we know that HTTPS is port 443. The port can be shown in its numerical or name value.
“A port identifies protocols and associated service”: A service can be considered as a network application in this case, and a port number is a numerical value assigned to it for identification purposes so when people mention port 80 they are referring to HTTP, or port 21 they are referring to FTP, port 3389 they refer to RDP, etc. The name is really irrelevant to network devices but they make our life easier.
Ports are categorized: Network ports are categorized based on their numerical value. . There are 65353 available ports and they are divided into three categories:
- Well known ports: ports between 0-1023, these ports are the common ports assigned to the services such as telnet (23), dns (53), http (80), etc. Most common network applications fall under this category as they have been around since the early days that is why they are called well-known ports.
- Registered or User ports: ports between 1024-49151, these ports are used by processes and programs for communication, sometimes internal communication within the application itself. An example of application using users ports are: SQL Anywhere database server uses TCP port 2638. SonicWall anti-spam traffic communication between Remote Analyzer and the Control Center uses TCP 2599.
- Ephemeral or Dynamic ports: ports between 49152-65535. These ports are randomly assigned to the client side of the connection when establishing a session. Remember, the client is assigned an Ephemeral port as it connects to a well-known port. Look at the packet capture below, notice how a DNS request is made for a host name (www.precisetek.com), the request is sent over port 59210 from the local host to port 53 on the destination server. In this case, port 53 is DNS which works over UDP transport protocol.
Let’s look at the following example to go over the concept: When you initiate communication to a website you usually use HTTP or HTTPS if it’s secure communication. To keep it simple we’ll use HTTP as an example. When you launch the web browser to access any website, let’s say www.jdtechsolutions.net, your system automatically understands that you want to initiate the communication over HTTP protocol on TCP port 80. The Server in our example is not only a web server but also an FTP and DNS server, therefore, servicing requests made on ports 21 and 53, as clients request connections to such services the Server needs to keep track of the requests to ensure proper communication. As more sessions are open the session table keeps growing, the process occurs for all hosts in the network as they communicate with each other.
Some applications can work on ports other than their default number, for instance, you can have a web server listen on port 83 for HTTP instead of port 80. You can have RDP listen on port 3350 instead of 3389. There are various reasons to change the default port for an application but the most important thing to keep in mind is that the client must also initiate the connection to the new port number otherwise it will use the default port number and have the connection rejected.
Port Forwarding: so far we’ve been covering communication in an internal network. You may have the need to access local resources from a remote location, for that, you can use port forwarding. Remember, when your hosts are in an internal network they are configured with private IP addresses, meaning that those IP addresses are not routable to the internet. When devices on your internal network browse the web they are seen as coming from one IP address, your firewall or router IP address. So if you want to communicate to a host in your internal network you have to communicate with the “gatekeeper” (your firewall or router) and have it relay the message (port forward) to your internal devices.
Port Security: as remember port represents network protocols and protocols are used for communication. If you have a port open another device with access to it can start communication, depending on the application the port is using a hacker can gain access to the rest of your network through it. As a best practice, if you are not using a port don’t have it open.
___________________________________________________________________________________________________________________________________
This concludes this article, I hope it helped you understand what network ports are and their basic functions. As a quick recap, network ports identify a server or protocol and help keep the session between hosts. There are many topics I weeded out just to stay focused on network ports as my goal was to help those wanting to get a better understanding of the concept without going through a complete networking class.
You may like my other network-related articles:
WiFi Best Practice – SSID allocation.
Meraki Identity PSK without Radius.
It’s not the WiFi, it’s DHCP.
Feel free to contact us at 888-580-4450 or [email protected] for details about our support and services. JDTech is a technical service provider that delivers fortune 500-grade technical support to small organizations. We are network experts servicing Nothern NJ and NYC.