Networking Basics

Master Network Ports, OSI Model, Security Concepts, and Tools with Interactive Visualizations

Network Ports Fundamentals

What are Network Ports?

A network port is a 16-bit number that the transport layer (TCP or UDP) uses to identify a particular service or connection on a host. Ports let many services share one IP address: each listens on its own port number, and the operating system delivers arriving data to whichever socket is bound to that number.

Think of ports as doors in a building (the IP address). Each door leads to a different room (service/application) inside the building. When data arrives at a device, the operating system uses the port number to determine which application should receive that data.

Port Number Range

Port numbers range from 0 to 65535 (16 bits) and IANA divides them into three ranges:

  • Well-known (system) ports: 0-1023. Assigned by IANA to standard services. On Unix-like systems binding to one requires root or the CAP_NET_BIND_SERVICE capability; Windows has no such restriction.
  • Registered ports: 1024-49151. Registered with IANA on request for specific applications, but any unprivileged process may bind to them.
  • Dynamic/private (ephemeral) ports: 49152-65535. Never assigned; the operating system hands them out as source ports for outgoing connections. Note that Linux's default ephemeral range is 32768-60999 (net.ipv4.ip_local_port_range), which overlaps the registered range.
Port Communication

Ports work in conjunction with IP addresses to enable communication:

IP Address → Identifies the device on the network

Port Number → Identifies the service/application on that device

Together they form a socket address (IP:port). A TCP or UDP connection is identified by the two socket addresses plus the protocol, the 5-tuple (protocol, source IP, source port, destination IP, destination port), which is why a single server port can serve thousands of clients at once: each client arrives from a different source IP/port pair.

Advantages of Ports
  • Enable multiple services on a single device
  • Provide standardized communication endpoints
  • Give firewalls and access lists a simple, protocol-independent criterion for filtering traffic
  • Facilitate service discovery
  • Enable load balancing across multiple instances

Network Topology Example

PC (192.168.1.10) → Switch → Router → Web Server (203.0.113.5:80)

TCP Three-Way Handshake

Client → Server: SYN       (client chooses an initial sequence number)
Server → Client: SYN-ACK   (server acknowledges it and chooses its own)
Client → Server: ACK       (both sides are now ESTABLISHED; data can flow)

The TCP three-way handshake establishes a reliable connection between client and server before data transmission begins. It confirms that both devices are reachable and agrees on the initial sequence number each side will use. Those numbers are randomized (RFC 6528) so that an off-path attacker cannot guess them and inject or hijack segments. Because the server allocates state as soon as the SYN arrives, floods of SYNs that never complete the handshake (SYN floods) can exhaust that state; Linux mitigates this with SYN cookies (net.ipv4.tcp_syncookies).

OSI Model - 7 Layers

Layer 7 - Application: HTTP, HTTPS, FTP, SMTP, DNS. The protocols that applications speak to each other.
Layer 6 - Presentation: character encoding, compression, encryption. Data translation. (TLS is conventionally placed here, although it really runs between the transport layer and the application protocol it protects.)
Layer 5 - Session: NetBIOS, RPC. Connection establishment, management and termination.
Layer 4 - Transport: TCP, UDP. End-to-end delivery between ports; TCP adds error recovery and flow control.
Layer 3 - Network: IP, ICMP, routers. Logical addressing and path determination.
Layer 2 - Data Link: Ethernet, switches, MAC addresses. Physical addressing and frame-level error detection (FCS).
Layer 1 - Physical: cables, hubs, signals. Raw bit transmission over the physical medium.

Data Encapsulation Process

Application Data (HTTP Request)
Transport Layer adds TCP Header → Segment
Network Layer adds IP Header → Packet
Data Link Layer adds Frame Header & Trailer → Frame
Physical Layer converts to bits for transmission
Data Flow Down the OSI Stack

As data moves down the OSI model, each layer adds its own header (encapsulation):

  1. Application creates the data
  2. Presentation encrypts or formats
  3. Session manages the connection
  4. Transport segments data and adds port information
  5. Network adds IP addresses
  6. Data Link adds MAC addresses
  7. Physical converts to signals
Data Flow Up the OSI Stack

As data moves up the OSI model, each layer removes its header (decapsulation):

  1. Physical receives signals
  2. Data Link checks MAC address and removes frame header
  3. Network checks IP address and removes IP header
  4. Transport reassembles segments and removes TCP/UDP header
  5. Session manages the connection state
  6. Presentation decrypts or reformats
  7. Application receives the data
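
The encapsulation and decapsulation just described, as an added worked example in Python (not code from the original page): it builds the TCP, IPv4 and Ethernet headers around a constructed HTTP request with struct, then strips them off again on the receiving side, verifying the IPv4 header checksum and the TCP checksum (which, unusually, covers a pseudo-header containing the network-layer addresses). The MAC addresses, IPs, ports and request line are all constructed sample values.

```python
import struct

# Constructed sample endpoints (private/documentation ranges, not real hosts)
SRC_MAC, DST_MAC = "02:00:00:00:00:0a", "02:00:00:00:00:01"
SRC_IP, DST_IP = "192.168.1.10", "203.0.113.5"
SRC_PORT, DST_PORT = 54321, 80
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (odd lengths are zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def tcp_segment(src_ip, dst_ip, sport, dport, payload, seq=1000, ack=0, flags=0x18):
    """Transport layer: 20-byte TCP header (data offset 5, flags 0x18 = PSH|ACK)."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    # The TCP checksum also covers a pseudo-header with the IP addresses, so the
    # transport layer has to know what the network layer will put in the packet.
    pseudo = ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, len(hdr) + len(payload))
    csum = checksum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def ip_packet(src_ip, dst_ip, segment, ident=0x1234, ttl=64):
    """Network layer: 20-byte IPv4 header (version 4, IHL 5, protocol 6 = TCP, DF set)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), ident, 0x4000,
                      ttl, 6, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + segment


def ethernet_frame(src_mac, dst_mac, packet):
    """Data link layer: 14-byte header (EtherType 0x0800 = IPv4). The 4-byte FCS
    trailer is normally appended by the NIC, so it is omitted here."""
    dst = bytes.fromhex(dst_mac.replace(":", ""))
    src = bytes.fromhex(src_mac.replace(":", ""))
    return dst + src + struct.pack("!H", 0x0800) + packet


def build_frame(payload: bytes = HTTP_REQUEST) -> bytes:
    """Walk the data down the stack: application data -> segment -> packet -> frame."""
    segment = tcp_segment(SRC_IP, DST_IP, SRC_PORT, DST_PORT, payload)
    packet = ip_packet(SRC_IP, DST_IP, segment)
    return ethernet_frame(SRC_MAC, DST_MAC, packet)


def decapsulate(frame: bytes) -> dict:
    """Walk back up the stack on the receiving side, stripping one header per
    layer and verifying the IPv4 and TCP checksums on the way."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    if proto != 6:
        raise ValueError("not TCP")
    src_ip, dst_ip = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    if checksum(pseudo + segment) != 0:
        raise ValueError("bad TCP checksum")
    sport, dport, seq, ack, offset, flags = struct.unpack("!HHIIBB", segment[:14])
    return {
        "src_mac": ":".join("%02x" % b for b in frame[6:12]),
        "src_ip": ".".join(map(str, src_ip)),
        "dst_ip": ".".join(map(str, dst_ip)),
        "src_port": sport, "dst_port": dport, "flags": flags,
        "payload": segment[(offset >> 4) * 4:],
    }


if __name__ == "__main__":
    frame = build_frame()
    print(len(frame), "bytes on the wire:", decapsulate(frame))
```

Flip any byte of the frame and decapsulate() raises at the layer whose checksum covers it, which is the same behaviour a real stack has: the bad packet is silently discarded and, for TCP, eventually retransmitted by the sender.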

TCP/IP Model vs OSI Model

The TCP/IP model describes the protocol suite the internet actually runs on. It has 4 layers instead of 7 and folds the OSI model's top three layers into one:

TCP/IP Model        OSI Model
Application         Application, Presentation, Session
Transport           Transport
Internet            Network
Network Interface   Data Link, Physical

Network Port Types & Protocols

Well-Known Ports (0-1023)

These ports are assigned by IANA to specific services and protocols, so the same number means the same service on every system. On Unix-like systems binding to one requires root or the CAP_NET_BIND_SERVICE capability (Windows has no such restriction), which is why a web server is typically started as root and then drops privileges, or is granted the capability explicitly.

Examples: HTTP (80), HTTPS (443), SSH (22), FTP (21), DNS (53), SMTP (25)

Registered Ports (1024-49151)

These ports can be registered with IANA for specific services but are not as strictly controlled as well-known ports. Many database and middleware applications use these ports.

Examples: MySQL (3306), PostgreSQL (5432), Redis (6379), MongoDB (27017), HTTP alternate (8080, the default for Jenkins and many development servers). Database ports in particular should never be reachable from untrusted networks.

Dynamic/Private Ports (49152-65535)

Also known as ephemeral ports, these are used for temporary connections, typically as source ports for client applications. The operating system assigns these automatically when a client initiates a connection to a server.

Common Well-Known Ports

Port     Service   Protocol   Description
20/21    FTP       TCP        File Transfer Protocol (20 data, 21 control)
22       SSH       TCP        Secure Shell
23       Telnet    TCP        Telnet remote login (plaintext; see Common Security Risks)
25       SMTP      TCP        Simple Mail Transfer Protocol
53       DNS       TCP/UDP    Domain Name System (UDP for most queries, TCP for zone transfers and large responses)
67/68    DHCP      UDP        Dynamic Host Configuration Protocol (67 server, 68 client)
80       HTTP      TCP        Hypertext Transfer Protocol
110      POP3      TCP        Post Office Protocol v3
123      NTP       UDP        Network Time Protocol
143      IMAP      TCP        Internet Message Access Protocol
443      HTTPS     TCP        HTTP over TLS (HTTP/3 uses UDP 443 via QUIC)
993      IMAPS     TCP        IMAP over TLS
995      POP3S     TCP        POP3 over TLS

Port Protocols: TCP vs UDP

TCP (Transmission Control Protocol)
  • Connection-oriented (three-way handshake before any data)
  • Reliable: lost segments are detected through acknowledgements and retransmitted
  • Checksum detects corruption; corrupted segments are discarded and resent (detection plus retransmission, not forward error correction)
  • Flow control (receive window) and congestion control
  • Sequencing: data is delivered in order
  • Higher overhead (20+ byte header, handshake, state kept on both ends)
  • Used for: HTTP, HTTPS, SSH, FTP, SMTP
UDP (User Datagram Protocol)
  • Connectionless: no handshake, so the source address is trivially spoofable (the basis of DNS and NTP amplification attacks)
  • Faster, lower overhead (8-byte header)
  • No delivery guarantee and no retransmission
  • Checksum detects corruption but nothing is resent; the application must cope with loss
  • No sequencing, no flow control
  • Used for: DNS, DHCP, NTP, VoIP, streaming, gaming, QUIC (HTTP/3)

Network Traffic Flow

Inbound Traffic

Traffic coming into a network or device from external sources. This includes:

  • Web requests to your server
  • Email delivery
  • Remote connections (SSH, RDP)
  • File transfers
  • API calls to your services
Outbound Traffic

Traffic leaving a network or device to external destinations. This includes:

  • Web browsing requests
  • Email sending
  • Cloud service connections
  • Software updates
  • API calls to external services

Traffic Flow Diagram

Client Device --[outbound request: src port 54321, dst port 80]--> Router --> Firewall --> Web Server

The web server sees the same packet as an inbound request (src port 54321, dst port 80). Its reply travels back with the ports swapped (src port 80, dst port 54321); a stateful firewall lets the reply through because it matches the outbound connection it has already recorded.

Port States

LISTEN

A service is actively waiting for connections on this port. The port is open and ready to accept incoming connections.

ESTABLISHED

An active connection exists between source and destination. Data can flow bidirectionally between the endpoints.

TIME_WAIT

The side that closed the connection first (the active closer) keeps the socket for twice the maximum segment lifetime (60 s on Linux) so that delayed segments from the old connection cannot be mistaken for a new connection reusing the same addresses and ports. Many TIME_WAIT sockets on a busy client are normal; they tie up ephemeral ports but no application resources.

CLOSED

No socket exists for this port. A TCP SYN sent to a closed port is answered with RST (this is what port scanners report as "closed"); a UDP datagram to a closed port usually draws an ICMP port unreachable. If a firewall silently drops the probe instead, the scanner sees neither and reports the port as "filtered".

Port Exhaustion

Port exhaustion occurs when a client runs out of ephemeral source ports for new outgoing connections. A source port only needs to be unique per (source IP, destination IP, destination port), so the limit is per destination: with Linux's default range of 32768-60999 a single client can hold about 28,000 connections, live or in TIME_WAIT, to one server port. This can happen when:

  • Many short connections are opened to the same destination in a short time (each leaves a TIME_WAIT socket behind for 60 s)
  • The ephemeral port range is too small
  • Application bugs open a new connection per request instead of reusing one
  • A NAT gateway or proxy funnels many clients through a single source IP

Solutions: widen net.ipv4.ip_local_port_range, enable net.ipv4.tcp_tw_reuse for outgoing connections, use connection pooling or HTTP keep-alive so one connection carries many requests, or add source IP addresses. Do not use tcp_tw_recycle: it broke clients behind NAT and has been removed from modern kernels.

Network Port Security

Security Warning: Open ports can be entry points for attackers. Always follow the principle of least privilege when configuring port access. Regularly audit open ports and close any that are not necessary.

Network Security Concepts

Firewall

Controls traffic based on security rules

Encryption

Protects data in transit

IDS/IPS

An intrusion detection system passively inspects traffic and alerts on known signatures or anomalies; an intrusion prevention system sits inline and can also drop the offending traffic

VPN

Secure remote access

Firewall Configuration

Firewalls control traffic based on port numbers:

  • Allow rules: Explicitly permit traffic to specific ports
  • Deny rules: Block traffic to specific ports
  • Stateful inspection: Track connection state to allow response traffic
  • Application filtering: Inspect payload content
  • Zone-based policies: Different rules for different network segments
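
Stateful inspection versus stateless rules, as an added example (not the page's own code and not any firewall's implementation): both filters are toy models written for this page, and the hosts, ports and rule sets are constructed. The stateless mistake shown is the classic one of allowing inbound traffic by source port so that DNS replies can get back in, which an attacker satisfies simply by sending from port 53.

```python
from dataclasses import dataclass

# Protected host and constructed peers (documentation ranges, not real hosts)
LOCAL = "192.168.1.10"
RESOLVER = "198.51.100.53"
ATTACKER = "203.0.113.66"
VISITOR = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = towards LOCAL, "out" = sent by LOCAL
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK, i.e. a new connection attempt


def stateless_filter(pkt: Packet, listen_ports, reply_sports) -> str:
    """Packet-by-packet rules with no memory. To let DNS replies back in, such rule
    sets typically allow anything whose *source* port is 53. That is the hole."""
    if pkt.direction == "out":
        return "ACCEPT"
    if pkt.dport in listen_ports or pkt.sport in reply_sports:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Tracks flows: inbound packets are accepted only if they belong to a flow already
    in the table, or start a new flow (TCP SYN / UDP datagram) to a port we listen on."""

    def __init__(self, listen_ports):
        self.listen_ports = set(listen_ports)
        self.flows = set()  # (proto, local_ip, local_port, remote_ip, remote_port)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            return "ACCEPT"          # reply to, or continuation of, a known flow
        new_flow = pkt.syn or pkt.proto == "udp"
        if pkt.dport in self.listen_ports and new_flow:
            self.flows.add(key)      # remember the accepted inbound connection
            return "ACCEPT"
        return "DROP"                # includes stray ACKs with no state (ACK scans)


# Constructed packet sequence, in order, with what each packet represents
SCENARIO = [
    ("DNS query out",                     Packet("out", "udp", LOCAL, 51000, RESOLVER, 53)),
    ("DNS reply in",                      Packet("in",  "udp", RESOLVER, 53, LOCAL, 51000)),
    ("attacker SYN to SSH from sport 53", Packet("in",  "tcp", ATTACKER, 53, LOCAL, 22, syn=True)),
    ("visitor SYN to HTTPS",              Packet("in",  "tcp", VISITOR, 40000, LOCAL, 443, syn=True)),
    ("visitor HTTPS data",                Packet("in",  "tcp", VISITOR, 40000, LOCAL, 443)),
    ("attacker bare ACK to HTTPS",        Packet("in",  "tcp", ATTACKER, 40001, LOCAL, 443)),
]


def run_scenario(listen_ports=frozenset({443}), reply_sports=frozenset({53})) -> dict:
    """Return {description: (stateless verdict, stateful verdict)} for SCENARIO."""
    stateful = StatefulFilter(listen_ports)
    verdicts = {}
    for description, pkt in SCENARIO:
        verdicts[description] = (stateless_filter(pkt, listen_ports, reply_sports),
                                 stateful.filter(pkt))
    return verdicts


if __name__ == "__main__":
    for description, (stateless, stateful) in run_scenario().items():
        print(f"{description:36s} stateless={stateless:6s} stateful={stateful}")
```

The two filters agree on ordinary traffic and disagree on exactly the two packets an attacker would send: the SYN from source port 53 and the bare ACK to an open port, both of which the stateful filter drops because no tracked flow matches. A real conntrack implementation also expires table entries and validates TCP sequence windows, which this model omits.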
Port Scanning

Attackers (and defenders auditing their own hosts) use port scanning to discover open ports on target systems:

  • TCP Connect Scan: completes the full three-way handshake through the OS connect() call; needs no privileges, but the service logs a real connection
  • SYN Scan (half-open): sends a SYN and infers the state from the reply (SYN-ACK = open, RST = closed, nothing = filtered), then tears the connection down with RST instead of finishing the handshake; needs raw-socket privileges
  • UDP Scan: sends datagrams and treats an ICMP port unreachable as closed and silence as open or filtered, so it is slow and ambiguous
  • XMAS Scan: sends packets with FIN, URG and PSH set
  • NULL Scan: sends packets with no flags set
  (XMAS and NULL scans rely on RFC 793 behaviour: a closed port answers RST, an open port stays silent. They do not work against Windows or many firewalls, which reply RST regardless of port state.)
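
Detection logic for the scan types above, and for the handshake from the TCP three-way handshake section, as an added Python example rather than code from the original page. The flow records are constructed, one per packet in capture order, with the TCP flags spelled out in this example's own notation (S=SYN, A=ACK, F=FIN, R=RST, P=PSH, U=URG, empty string = no flags); the port threshold is an illustrative assumption, and a production detector would also bound the time window.

```python
from collections import defaultdict

# Constructed flow records, one per packet in capture order: (src, sport, dst, dport, flags).
# Flag notation is this example's own: S=SYN A=ACK F=FIN R=RST P=PSH U=URG, "" = no flags.
# Hosts are private/documentation addresses, not real systems.
SCANNER, PROBER, CLIENT, SERVER = "10.0.0.99", "10.0.0.77", "192.168.1.10", "192.168.1.20"
RECORDS = [
    # legitimate client: full three-way handshake to 443
    (CLIENT, 50000, SERVER, 443, "S"),
    (SERVER, 443, CLIENT, 50000, "SA"),
    (CLIENT, 50000, SERVER, 443, "A"),
    # half-open SYN sweep of six ports; open ones are torn down with RST, never ACKed
    (SCANNER, 40001, SERVER, 21, "S"),
    (SCANNER, 40002, SERVER, 22, "S"),
    (SERVER, 22, SCANNER, 40002, "SA"),
    (SCANNER, 40002, SERVER, 22, "R"),
    (SCANNER, 40003, SERVER, 80, "S"),
    (SERVER, 80, SCANNER, 40003, "SA"),
    (SCANNER, 40003, SERVER, 80, "R"),
    (SCANNER, 40004, SERVER, 443, "S"),
    (SERVER, 443, SCANNER, 40004, "SA"),
    (SCANNER, 40004, SERVER, 443, "R"),
    (SCANNER, 40005, SERVER, 3306, "S"),
    (SCANNER, 40006, SERVER, 8080, "S"),
    # XMAS and NULL probes from a second host
    (PROBER, 41000, SERVER, 80, "FPU"),
    (PROBER, 41001, SERVER, 22, ""),
]
SWEEP_PORT_THRESHOLD = 5  # illustrative assumption: this many distinct ports from one source


def classify_probe(flags: str) -> str:
    """Name a packet by its flag combination."""
    f = set(flags)
    if not f:
        return "NULL"
    if f == {"F", "P", "U"}:
        return "XMAS"
    if f == {"S"}:
        return "SYN"
    if f == {"S", "A"}:
        return "SYN-ACK"
    if f == {"A"}:
        return "ACK"
    if "R" in f:
        return "RST"
    return "other"


def detect_scans(records, threshold=SWEEP_PORT_THRESHOLD) -> dict:
    """Return {source: [findings]}.

    A source sending SYNs to many distinct ports is a sweep. What it does after the
    server's SYN-ACK tells the technique apart: ACK completes the handshake (connect
    scan, or a real client), RST abandons it (half-open SYN scan). NULL and XMAS
    packets are never emitted by a normal TCP stack, so they are flagged on sight."""
    stats = defaultdict(lambda: {"syn_ports": set(), "completed": 0, "half_open": 0,
                                 "null": 0, "xmas": 0})
    awaiting_third = set()  # client-side 4-tuples for which a SYN-ACK has been seen
    for src, sport, dst, dport, flags in records:
        kind = classify_probe(flags)
        if kind == "SYN":
            stats[src]["syn_ports"].add((dst, dport))
        elif kind == "SYN-ACK":
            awaiting_third.add((dst, dport, src, sport))   # stored from the client's view
        elif kind in ("ACK", "RST") and (src, sport, dst, dport) in awaiting_third:
            awaiting_third.discard((src, sport, dst, dport))
            stats[src]["completed" if kind == "ACK" else "half_open"] += 1
        elif kind == "NULL":
            stats[src]["null"] += 1
        elif kind == "XMAS":
            stats[src]["xmas"] += 1

    findings = {}
    for src, s in stats.items():
        verdicts = []
        if len(s["syn_ports"]) >= threshold:
            verdicts.append("port sweep (%d ports)" % len(s["syn_ports"]))
            if s["half_open"] > s["completed"]:
                verdicts.append("half-open SYN scan")
            elif s["completed"]:
                verdicts.append("TCP connect scan")
        if s["xmas"]:
            verdicts.append("XMAS probes")
        if s["null"]:
            verdicts.append("NULL probes")
        if verdicts:
            findings[src] = verdicts
    return findings


if __name__ == "__main__":
    for source, verdicts in detect_scans(RECORDS).items():
        print(source, "->", ", ".join(verdicts))
```

The legitimate client touches one port and finishes its handshake, so it produces no finding; the scanner touches six and answers every SYN-ACK with RST, which is the fingerprint of nmap's default -sS behaviour. On a real sensor the records would come from tcpdump or a flow exporter rather than a list literal.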


Common Security Risks

Telnet (Port 23)

Telnet transmits all data in plaintext, including passwords. It should be replaced with SSH (port 22) which encrypts all communication. Telnet is considered insecure and should be disabled on all systems.

Unnecessary Services

Running unnecessary services increases the attack surface. Disable any services that aren't required for your system's function. Regularly audit running services and close any that are not needed.

Default Passwords

Many services have default credentials that are well-known. Always change default passwords on network services. Use strong, unique passwords and consider implementing multi-factor authentication.

Port Exhaustion

When a client runs out of ephemeral ports it cannot open new outbound connections to that destination; a server can likewise be starved of connection-table entries by floods of half-open connections (SYN floods). Monitor TIME_WAIT counts and connection rates, keep SYN cookies enabled, and widen the ephemeral port range if needed.
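
A check for the exhaustion described here and in the earlier Port Exhaustion section, as an added example (not code from the original page): it parses ss -Htan style output (constructed inline here, not captured from a real host) and reports, per destination, how many ephemeral ports are tied up in ESTABLISHED or TIME-WAIT sockets against the size of the pool, plus the steady-state rate of new connections the pool can sustain given Linux's fixed 60 s TIME_WAIT. The Linux default range and the 60 s constant are real kernel values; the socket lines are constructed.

```python
from collections import defaultdict

LINUX_TIMEWAIT_SECONDS = 60          # TCP_TIMEWAIT_LEN, compiled into the kernel, not tunable
DEFAULT_PORT_RANGE = (32768, 60999)  # default net.ipv4.ip_local_port_range


def sample_ss_output() -> str:
    """Constructed `ss -Htan` style lines (no header): state, recv-q, send-q, local, peer."""
    lines = ["LISTEN     0      128    0.0.0.0:22            0.0.0.0:*"]
    for port in range(40000, 40100):     # 100 short-lived connections just closed
        lines.append(f"TIME-WAIT  0      0      192.168.1.10:{port}   203.0.113.5:443")
    for port in range(40100, 40105):     # 5 still live
        lines.append(f"ESTAB      0      0      192.168.1.10:{port}   203.0.113.5:443")
    lines.append("TIME-WAIT  0      0      192.168.1.10:40200   198.51.100.7:5432")
    return "\n".join(lines)


def ephemeral_usage(ss_output: str, port_range=DEFAULT_PORT_RANGE,
                    timewait=LINUX_TIMEWAIT_SECONDS) -> dict:
    """Count client-side ports consumed per destination.

    A source port only has to be unique per (source IP, destination IP, destination
    port), so exhaustion is per destination: the pool is the ephemeral range, and
    every ESTAB or TIME-WAIT socket towards that destination holds one port of it."""
    pool = port_range[1] - port_range[0] + 1
    per_dest = defaultdict(lambda: {"established": 0, "time_wait": 0})
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        if state == "LISTEN" or peer.endswith(":*"):
            continue                     # listeners hold no ephemeral port
        local_port = int(local.rsplit(":", 1)[1])
        if not port_range[0] <= local_port <= port_range[1]:
            continue                     # server-side sockets (e.g. port 22) are not in the pool
        if state == "ESTAB":
            per_dest[peer]["established"] += 1
        elif state == "TIME-WAIT":
            per_dest[peer]["time_wait"] += 1

    report = {}
    for peer, counts in per_dest.items():
        used = counts["established"] + counts["time_wait"]
        report[peer] = {
            **counts,
            "used": used,
            "pool": pool,
            "percent_used": round(100 * used / pool, 2),
            # ceiling on sustained new connections/s before TIME-WAIT alone fills the pool
            "max_new_per_sec": pool // timewait,
        }
    return report


if __name__ == "__main__":
    for peer, r in ephemeral_usage(sample_ss_output()).items():
        print(f"{peer:22s} used {r['used']:6d}/{r['pool']} ({r['percent_used']}%), "
              f"sustainable {r['max_new_per_sec']} new conn/s")
```

On a real host replace sample_ss_output() with the text of `ss -Htan`. The sustainable-rate figure is a worst case: with net.ipv4.tcp_tw_reuse enabled the kernel can hand out ports still in TIME-WAIT for new outgoing connections, and connection pooling avoids the churn altogether.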

Security Best Practices

  • Close all ports that aren't explicitly needed
  • Use firewall rules to restrict access to necessary IP ranges only
  • Regularly scan your systems for open ports
  • Use VPNs for remote access instead of exposing services directly
  • Keep services updated with security patches
  • Use intrusion detection/prevention systems
  • Implement network segmentation
  • Port knocking or single-packet authorization can keep a service invisible to scanners, but treat it as an extra layer on top of authentication, not a replacement for it
  • Monitor network traffic for anomalies
  • Implement least privilege access controls
  • Use application-level firewalls where possible
  • Regularly review and update security policies

Network Port Tools

Netstat

Netstat (Network Statistics) is a command-line tool that displays network connections, routing tables, and interface statistics. It ships with Windows, macOS and Linux (the net-tools package, now deprecated in favour of ss), but the options differ between platforms; the forms below are the Linux ones.

# Display all listening TCP and UDP ports, numeric (no DNS lookups)
netstat -tuln

# Display all TCP/UDP connections, numeric
netstat -tun

# Add the owning PID/program name (root needed to see other users' processes)
netstat -tulnp

# Display statistics by protocol (retransmits, resets, errors)
netstat -s

# Continuous monitoring, refreshing every second
netstat -tunc

# Windows equivalent of -tulnp
netstat -ano

SS (Socket Statistics)

ss (from iproute2) is the modern replacement for netstat on Linux: it reads socket information directly from the kernel, so it is faster on busy hosts, and it exposes more detail (timers, memory, TCP internals with -i). It is the preferred tool on current Linux systems.

# Display all listening TCP and UDP sockets, numeric
ss -tuln

# Display established TCP/UDP connections
ss -tun state established

# Show the owning process (root needed to see other users' processes)
ss -tulnp

# Display all TCP sockets in every state
ss -t -a

# Count sockets in TIME-WAIT (-H drops the header line); watch this when diagnosing port exhaustion
ss -Htan state time-wait | wc -l

# Display summary statistics
ss -s

Nmap

Nmap (Network Mapper) is a powerful network scanning tool used for security auditing and network discovery. It can detect open ports, running services, operating systems, and more. Scan only hosts you own or are authorized to test: scans are noisy, show up in logs and IDS alerts, and are treated as hostile by most organizations.

# Default scan: the 1000 most common TCP ports (SYN scan when run as root, connect scan otherwise)
nmap target.com

# Scan specific ports
nmap -p 22,80,443 target.com

# Scan all 65535 TCP ports
nmap -p- target.com

# Service/version detection (banner grabbing and protocol probes)
nmap -sV target.com

# OS detection (needs root; works best with at least one open and one closed port)
nmap -O target.com

# Aggressive scan: -sV, -O, default NSE scripts and traceroute; very noisy
nmap -A target.com

# TCP SYN (half-open) scan; needs root, less likely to be logged by the service itself
nmap -sS target.com

# UDP port scan; slow because closed ports are inferred from ICMP replies, needs root
nmap -sU target.com

/etc/services File

The /etc/services file on Unix-like systems maps service names to port numbers and protocols. Tools such as netstat, ss and nmap use it to label ports; it is only a lookup table and says nothing about whether a service is installed or running.

# Look up what is registered on 80/tcp (-w avoids also matching 8080, 1080, ...)
grep -w '80/tcp' /etc/services

# Search for a specific service
grep -w ssh /etc/services

# Count registered entries, ignoring comments and blank lines
grep -v '^#' /etc/services | grep -c .

# View all HTTP-related services
grep -i http /etc/services

# Query the same data through NSS (respects whatever services source the system is configured with)
getent services https

Additional Network Tools

iptables

Linux firewall tool for packet filtering and NAT. Rules in a chain are evaluated top to bottom and the first match wins, so order matters. (iptables is the legacy front end; nftables is its replacement, and on current distributions the iptables command is usually a compatibility layer on top of nftables.)

# List all rules with packet counters, rule numbers and no name lookups
iptables -L -n -v --line-numbers

# Stateful inspection: allow replies to connections this host initiated, plus loopback
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT

# Allow new SSH connections
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# Block an IP address; -I inserts at the top so it is evaluated before the ACCEPT rules above
iptables -I INPUT -s 192.168.1.100 -j DROP

# Default-deny everything else (set the policy last, once the allow rules are in place)
iptables -P INPUT DROP

tcpdump

Command-line packet analyzer (needs root or CAP_NET_RAW):

# Capture packets on an interface; -nn skips DNS and port-name lookups, which would slow the capture and leak what you are watching
tcpdump -nn -i eth0

# Capture HTTP traffic (plaintext; on port 443 you would only see the TLS handshake and encrypted records)
tcpdump -nn -i eth0 port 80

# Save a capture to a file for later analysis in Wireshark
tcpdump -i eth0 -w capture.pcap

# Read from a capture file
tcpdump -nn -r capture.pcap

Wireshark

Graphical network protocol analyzer for deep packet inspection. Provides detailed analysis of network traffic with powerful filtering capabilities.

lsof

List open files and the processes that opened them (including network sockets). Like netstat -p, it needs root to see other users' processes:

# Show the process listening on or connected to port 80 (-n/-P skip host and port name lookups)
lsof -nP -i :80

# Show all network connections
lsof -nP -i

# Show TCP connections only
lsof -nP -i tcp

# Show only listening TCP sockets, i.e. the host's exposed services
lsof -nP -iTCP -sTCP:LISTEN