Ports, Protocols, and Acronyms High-Yield Tables
Key Takeaways
- Know common service ports well enough to recognize risky exposure and secure alternatives.
- Port questions are usually scenario questions about what should be allowed, blocked, encrypted, or monitored.
- Secure protocol choices are often tested against legacy or insecure options.
- Acronyms matter most when they change the decision, such as SIEM versus SOAR or SAML versus OIDC.
- For PBQs, read direction and business purpose before choosing a port or protocol.
High-Yield Ports and Protocols
Memorizing ports is not enough. The exam usually gives a business or security situation and expects you to identify which traffic is appropriate, which protocol is safer, or which exposed service creates risk.
Core Ports Table
| Port | Protocol | Service | Exam cue |
|---|---|---|---|
| 20/21 | TCP | FTP | Legacy file transfer; credentials may be exposed |
| 22 | TCP | SSH/SFTP/SCP | Secure remote shell and secure file transfer |
| 23 | TCP | Telnet | Insecure remote administration |
| 25 | TCP | SMTP | Mail transfer between servers |
| 53 | TCP/UDP | DNS | Name resolution; UDP common, TCP for zone transfers and large responses |
| 67/68 | UDP | DHCP | Dynamic address assignment |
| 69 | UDP | TFTP | Simple unauthenticated file transfer |
| 80 | TCP | HTTP | Unencrypted web traffic |
| 88 | TCP/UDP | Kerberos | Ticket-based authentication |
| 110 | TCP | POP3 | Legacy mailbox retrieval |
| 123 | UDP | NTP | Time synchronization |
| 135 | TCP | RPC endpoint mapper | Windows service discovery; risky if exposed |
| 137-139 | TCP/UDP | NetBIOS | Legacy Windows name/session services |
| 143 | TCP | IMAP | Mailbox access |
| 161/162 | UDP | SNMP | Monitoring and traps; prefer SNMPv3 |
| 389 | TCP/UDP | LDAP | Directory queries; unencrypted unless protected |
| 443 | TCP | HTTPS | Encrypted web traffic |
| 445 | TCP | SMB | Windows file sharing; do not expose to Internet |
| 465/587 | TCP | SMTPS/submission | Encrypted or authenticated mail submission |
| 514 | UDP/TCP | Syslog | Central logging; plain syslog is unencrypted, so use TLS transport where the design allows |
| 636 | TCP | LDAPS | LDAP over TLS |
| 993 | TCP | IMAPS | IMAP over TLS |
| 995 | TCP | POP3S | POP3 over TLS |
| 1433 | TCP | Microsoft SQL Server | Database access; tightly restrict |
| 1521 | TCP | Oracle Database | Database access; tightly restrict |
| 3306 | TCP | MySQL/MariaDB | Database access; tightly restrict |
| 3389 | TCP/UDP | RDP | Windows remote desktop; avoid direct Internet exposure |
| 5432 | TCP | PostgreSQL | Database access; tightly restrict |
| 5985/5986 | TCP | WinRM | Windows remote management; 5986 uses HTTPS |
Secure Alternatives
| Insecure or risky choice | Better choice | Why |
|---|---|---|
| Telnet | SSH | Protects remote administration sessions |
| FTP | SFTP, SCP, or FTPS | Protects credentials and file contents depending on implementation |
| HTTP login page | HTTPS | Protects session and credentials in transit |
| LDAP over 389 for sensitive auth | LDAPS or LDAP with StartTLS | Encrypts directory traffic |
| SNMPv1/v2c | SNMPv3 | Adds stronger authentication and privacy options |
| Direct RDP from Internet | VPN, ZTNA, jump box, or PAM path | Reduces attack surface |
| Public SMB | No public SMB; use controlled file sharing | SMB exposure is a major risk |
Acronym Table for Fast Review
| Acronym | Meaning | Exam decision clue |
|---|---|---|
| AAA | Authentication, authorization, accounting | Identity proof, permission decision, activity record |
| ACL | Access control list | Allow or deny based on object, network, or identity |
| AES | Advanced Encryption Standard | Symmetric encryption |
| APT | Advanced persistent threat | Sophisticated, patient, targeted attacker |
| CASB | Cloud access security broker | Visibility and policy control for cloud services |
| CSR | Certificate signing request | Request used when obtaining a certificate |
| DLP | Data loss prevention | Detects or blocks sensitive data movement |
| EDR | Endpoint detection and response | Endpoint telemetry, detection, and response |
| FIM | File integrity monitoring | Detects file changes |
| IdP | Identity provider | Authenticates identities for applications |
| IAM | Identity and access management | Lifecycle, roles, policy, and access reviews |
| MDM | Mobile device management | Device configuration and policy |
| NAC | Network access control | Allows or restricts network access based on posture or identity |
| NTP | Network Time Protocol | Time sync for logs and Kerberos |
| OIDC | OpenID Connect | Identity layer commonly used with OAuth 2.0 |
| PAM | Privileged access management | Controls privileged elevation and sessions |
| PKI | Public key infrastructure | Certificates, keys, trust chains |
| RADIUS | Remote Authentication Dial-In User Service | AAA for VPN, Wi-Fi, and network access |
| SAML | Security Assertion Markup Language | Federation and SSO assertions |
| SIEM | Security information and event management | Log collection, correlation, and alerting |
| SOAR | Security orchestration, automation, and response | Automated or semi-automated response playbooks |
| SPF/DKIM/DMARC | Email authentication controls | Reduce spoofing and improve mail trust decisions |
| TLS | Transport Layer Security | Encryption in transit |
| TPM | Trusted Platform Module | Hardware-backed key storage and measured boot support |
| ZTNA | Zero trust network access | App-specific access without broad network trust |
PBQ Port Pattern
If the prompt says "allow customers to access the public ordering site," think TCP 443 to the web tier. If it says "allow the web tier to query the database," allow only the web tier source to the database destination on the required database port. If it says "allow administrators to manage Linux servers," prefer SSH from an admin subnet or jump box, not Telnet or broad Internet access.
Mini Scenario
A company publishes a customer portal, runs a database behind it, and uses a jump box for administration.
| Flow | Good rule |
|---|---|
| Internet to portal | Allow TCP 443 to web server |
| Web server to database | Allow required database port from web server only |
| Admin subnet to jump box | Allow SSH or RDP as required by platform |
| Jump box to internal servers | Allow management ports from jump box only |
| Internet to database | Deny |
| Internet to SMB/RDP/SSH on servers | Deny unless a specific secure remote access design is stated |
The exam likes broad answers that sound convenient. Prefer the narrow answer that meets the business goal.
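The narrow-allow pattern from the mini scenario, turned into a small rule auditor (added example, not part of the original guide): each rule is checked against the cues above, so the PBQ case of TCP 445 open from the Internet, a database port reachable from anything but the web tier, or a management port outside the jump box path all produce findings. Zone names (internet, web, db, admin, jumpbox, any) are constructed labels for the example.

```python
"""Constructed firewall-rule audit for the narrow-allow pattern above (example code).
Zones are illustrative labels: internet, web, db, admin, jumpbox; "any" marks a broad source."""
from dataclasses import dataclass

# Services the ports table says should never be reachable directly from the Internet.
NEVER_FROM_INTERNET = {
    21: "FTP", 22: "SSH", 23: "Telnet", 445: "SMB", 3389: "RDP",
    1433: "MS SQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL",
    5985: "WinRM", 5986: "WinRM/HTTPS",
}
DB_PORTS = {1433, 1521, 3306, 5432}   # only the web tier should reach these
MGMT_PORTS = {22, 3389, 5985, 5986}   # admin -> jump box, jump box -> servers
CLEARTEXT = {21: "FTP (use SFTP/FTPS)", 23: "Telnet (use SSH)",
             80: "HTTP (use HTTPS)", 389: "LDAP (use LDAPS/StartTLS for auth)"}

@dataclass(frozen=True)
class Rule:
    src: str      # source zone
    dst: str      # destination zone
    proto: str    # "tcp" or "udp"
    port: int     # destination port
    action: str   # "allow" or "deny"

def audit_rule(rule: Rule) -> list[str]:
    """Return findings for one rule; an empty list means it fits the pattern."""
    findings = []
    if rule.action != "allow":
        return findings                # deny rules never expose anything
    broad_source = rule.src in {"internet", "any"}
    if broad_source and rule.port in NEVER_FROM_INTERNET:
        findings.append(f"{NEVER_FROM_INTERNET[rule.port]} on {rule.proto}/{rule.port} "
                        f"reachable from {rule.src}")
    if rule.port in DB_PORTS and rule.src != "web":
        findings.append(f"database port {rule.port} allowed from {rule.src}, not the web tier")
    on_jump_path = rule.src == "jumpbox" or (rule.src == "admin" and rule.dst == "jumpbox")
    if rule.port in MGMT_PORTS and not on_jump_path:
        findings.append(f"management port {rule.port} allowed outside the jump box path")
    if rule.port in CLEARTEXT:
        findings.append(f"cleartext protocol: {CLEARTEXT[rule.port]}")
    return findings

def audit(rules: list[Rule]) -> dict[Rule, list[str]]:
    """Audit a rule set; returns only the rules that produced findings."""
    return {r: f for r in rules if (f := audit_rule(r))}

if __name__ == "__main__":   # the PBQ case from the page: SMB open from the Internet
    for rule, found in audit([Rule("internet", "web", "tcp", 443, "allow"),
                              Rule("internet", "fileserver", "tcp", 445, "allow")]).items():
        print(rule, found)
```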
A PBQ shows TCP 445 allowed from the Internet to an internal file server. What is the best interpretation?
Which option is the best secure replacement for Telnet administration?