Network Protocols and Ports: 10 Critical Security Facts

You just deployed a new web server and it is not reachable from the public internet. Your first instinct is to open every port on the firewall to see if that fixes it. This is how junior engineers accidentally hand the keys to your infrastructure to ransomware groups. Understanding how protocols and ports actually interact is the only way to build a secure network that functions.

This guide explains the technical mechanics of network protocols and how to secure your attack surface.

What are Network Protocols and Ports?

Network protocols are the set of rules that define how data is formatted and transmitted between devices. Ports are virtual docking points that allow a single IP address to host multiple services at once. While an IP address identifies the machine, the port identifies the specific application waiting for data.

Every successful connection requires both a specific protocol and a destination port to function.

Understanding Transport Protocols: TCP vs. UDP

At the transport layer, you will deal with two primary protocols that handle how data moves. Transmission Control Protocol (TCP) is connection oriented and uses a three-way handshake to ensure every packet arrives in order. User Datagram Protocol (UDP) is a connectionless protocol that sends data without waiting for confirmation.

TCP is for data that must be perfect, while UDP is for data that must be fast.

Technical Flow: The Three-Way Handshake

When you initiate a TCP connection, your machine sends a SYN (Synchronize) packet. The server responds with a SYN-ACK (Synchronize-Acknowledgment) if the port is open. Your machine then sends an ACK (Acknowledgment) to finalize the connection. If the server does not respond or sends a RST (Reset), the port is likely closed or filtered by a firewall.

A technical flow diagram showing the TCP three-way handshake process involving protocols and synchronization packets.

UDP avoids this overhead entirely. It sends the data and does not care if the receiver is ready or if the packet drops. This makes UDP the standard for streaming and DNS lookups where speed is more important than a missed frame.

  • TCP → Reliable, ordered, slower due to overhead.
  • UDP → Fast, unordered, no error checking.
  • Handshake → The process of establishing a logical connection.
  • Sequencing → How TCP puts packets back in the correct order.

The Three Port Neighborhoods

The Internet Assigned Numbers Authority (IANA) manages 65,535 available ports. These are not just random numbers. They are categorized into three distinct ranges that tell you who can use them and what they are for.

A range map illustrating the different classifications of network protocols and ports according to IANA.

System ports from 0 to 1023 are reserved for core services like HTTP, SSH, and DNS. You usually need root or administrator permissions to bind a service to these ports. Registered ports from 1024 to 49151 are for specific applications like databases. Dynamic or ephemeral ports from 49152 to 65535 are used temporarily by your own machine when you connect to a server.

You must monitor the ephemeral range because many modern applications use these for return traffic.

Securing Common Network Ports

Every open port is a potential hole in your defense. Some protocols are inherently dangerous because they send data in cleartext. If you use FTP (Port 21) or Telnet (Port 23), anyone on the network path can see your passwords. You should replace these with SFTP (Port 22) and SSH (Port 22) immediately.

A security comparison matrix showing vulnerable versus secure network protocols and ports.

Encryption is not optional in a production environment.

The Attack Surface of Common Services

Domain Name System (DNS) on Port 53 is a frequent target for amplification attacks. Attackers use the connectionless nature of UDP to flood targets with massive amounts of traffic. Web traffic on Port 80 should be redirected to Port 443 to ensure TLS encryption. Even then, you must watch for SSL stripping attacks that force a downgrade to unencrypted traffic.

Server Message Block (SMB) on Port 445 is perhaps the most dangerous port to leave exposed. Ransomware like WannaCry used vulnerabilities in SMB to spread through networks in minutes. Never expose Port 445 to the public internet. If you need remote access, use a VPN or Port 3389 (RDP) behind a secure gateway.

Hardening your environment requires closing every port that does not have a specific business requirement.

Troubleshooting Scenario: The AWS Ephemeral Port Mystery

When I was working on a client environment in a secure cloud setup, we ran into an issue where an EC2 instance could not receive return traffic. The engineer had allowed Port 22 inbound but the connection kept timing out. They assumed the server was down. The actual cause was the stateless nature of AWS Network ACLs.

An architecture diagram explaining a common troubleshooting scenario involving protocols and blocked ephemeral ports in AWS.

Most engineers forget that outbound traffic needs a path back to the client.

When you connect to a server on Port 22, your computer picks a random port in the ephemeral range (like 52341) to receive the response. If your Network ACL blocks outbound traffic to the ephemeral range, the server can see your request but cannot reply. You must add an outbound rule allowing traffic to the 49152 to 65535 range to fix this.

Identifying stateless vs stateful firewalls is a core skill for any network engineer.

Practical Implementation: Port Auditing

You should regularly audit your servers to see which ports are actually listening. If you find a port open that you did not authorize, it could be a sign of a misconfiguration or a compromise. You can use native Linux tools to see this information in real time.

  1. Log into your server via SSH.
  2. Run ss -tuln to see all listening TCP and UDP sockets.
  3. Check the “Local Address” column for unexpected port numbers.
  4. If you see an unknown port, run lsof -i :[port_number] to find the process ID.
  5. Investigate the process and kill it if it is unauthorized.

ALT Text: Linux terminal output showing active listening ports with the ss command.

When you use the ss command, you get a clean look at the network state without the overhead of older tools. You can find more details on these commands in our guide on Linux Command Line Essentials.

Real World Enterprise Scenario: The Banking Leak

A major fintech provider recently suffered a data leak because an internal database used Port 3306 without encryption. The team assumed that because the server was “internal,” they did not need to secure the protocol. An attacker gained access to a low level employee workstation and used a packet sniffer to capture database credentials in plain text.

The team eventually fixed this by enforcing TLS for all internal database connections and moving the service to a non standard port. This did not stop the attack, but it made the data unreadable to the sniffer. Never trust your internal network to be secure by default.

Common Mistakes and Best Practices

One common mistake is using Port 80 for “internal” health checks because it is easier to set up. This creates a cleartext path that attackers can exploit if they pivot into your network. Another mistake is ignoring the source IP in firewall rules. If a service only needs to talk to one other server, do not open the port to the entire subnet.

  • Always use SSH keys instead of passwords on Port 22.
  • Disable Port 23 and Port 21 across the entire organization.
  • Limit RDP access to specific management IP addresses.
  • Use netstat or ss weekly to verify your listening services.

If a junior engineer tells you they need to open Port 445 to the internet for a “quick test,” the answer is always no.

Interview Questions

Q: What is the main difference between a stateful and a stateless firewall?

A: A stateful firewall remembers the state of active connections and automatically allows return traffic. A stateless firewall treats every packet in isolation, so you must manually create rules for both inbound and outbound traffic.

Q: Which protocol would you use for a real time voice application and why?

A: You would use UDP because it has lower latency. In voice applications, a dropped packet is better than a delayed packet that makes the audio sound out of sync.

Q: How do you check which process is using Port 443 on a Linux server?

A: You use the command lsof -i :443 or ss -tulpn | grep 443. This shows the process name and its PID.

Q: Why is DNS on Port 53 a security risk?

A: DNS uses UDP, which allows attackers to spoof source IP addresses. This is used in amplification attacks to reflect large amounts of traffic onto a victim.

Q: What is the range of well known ports and who manages them?

A: The range is 0 to 1023. They are managed by the Internet Assigned Numbers Authority (IANA).

FAQ

What is an ephemeral port?

An ephemeral port is a short lived transport protocol port for IP communications. It is allocated automatically from a predefined range by the IP stack software.

Can a single port use both TCP and UDP?

Yes. DNS is a prime example as it uses UDP for small queries and TCP for large zone transfers. Both operate on Port 53.

Is it safer to run services on non standard ports?

This is known as security by obscurity. It stops basic automated scanners but will not stop a determined attacker who performs a full port scan.

Why does my firewall show a port is “filtered”?

A filtered status means the firewall dropped the packet without sending a response. The scanner cannot determine if the port is open or closed.

What is Port 0 used for?

Port 0 is a reserved port and is not used for network traffic. In programming, requesting Port 0 often tells the system to allocate the next available dynamic port.

Conclusion

Understanding network protocols and ports is the foundation of any security strategy. If you cannot identify which services are running and how they communicate, you cannot protect them. Start by auditing your current environment with the ss command and closing legacy cleartext ports. You must treat every open port as a potential entry point for an attacker. Use this technical knowledge to harden your attack surface today.

To strengthen your foundation, learn IP address fundamentals with real-world examples.

Reference: wikipedia

Leave a Comment