TCP, UDP, Ports, and Common Applications
Key Takeaways
- TCP is connection-oriented and commonly used when reliability and ordered delivery matter.
- UDP is connectionless and commonly used when speed, low overhead, or real-time delivery matters.
- Ports identify application services, such as 53 for DNS, 80 for HTTP, 443 for HTTPS, and 22 for SSH.
- Secure replacements matter: SSH is preferred over Telnet, HTTPS over HTTP, and SNMPv3 over older SNMP versions.
- Reading source and destination ports can help identify the application, direction, and likely firewall rule.
Ports are one of the fastest ways to understand a network scenario. An IP address identifies a host or interface. A transport protocol and port identify the application conversation. A firewall rule that allows TCP 443 is not just "allowing a server"; it is allowing HTTPS-style traffic to a service listening on that port. For ISC2 CC, the goal is not memorizing every possible port. The goal is recognizing the common ones and understanding what a port clue means.
TCP and UDP
TCP is connection-oriented. It uses a handshake, sequence numbers, acknowledgments, retransmission, and ordered delivery. Applications choose TCP when reliability matters more than minimal overhead. Web browsing over HTTP or HTTPS, SSH administration, SMTP mail transfer, FTP control connections, and RDP remote desktop are common TCP examples.
UDP is connectionless. It does not create a session in the same way and does not guarantee delivery or ordering by itself. Applications choose UDP when low overhead, fast exchange, or real-time behavior matters. DNS queries often use UDP 53, DHCP uses UDP, SNMP commonly uses UDP, and VPN or voice/video technologies may use UDP because retransmitting old real-time packets can be less useful than keeping up.
Security analysts should avoid a simple "TCP is secure and UDP is insecure" shortcut. Either can carry secure or insecure application data. The security depends on the application protocol, configuration, authentication, encryption, and controls around it.
Common Ports and Protocols
| Protocol | Common port | Typical purpose | Security note |
|---|---|---|---|
| DNS | TCP/UDP 53 | Name resolution | Protect against spoofing and monitor unusual queries |
| DHCP | UDP 67/68 | Dynamic address assignment | Rogue DHCP can misdirect clients |
| HTTP | TCP 80 | Unencrypted web traffic | Prefer HTTPS for sensitive use |
| HTTPS | TCP 443 | Web traffic protected by TLS | Certificate validation matters |
| SSH | TCP 22 | Secure remote administration | Prefer over Telnet |
| SMTP | TCP 25 | Mail transfer between servers | Often paired with filtering and authentication controls |
| FTP | TCP 20/21 | File transfer | Sends data insecurely unless protected by other means |
| SNMP | UDP 161/162 | Monitoring and traps | Prefer SNMPv3 for authentication and encryption |
| RDP | TCP/UDP 3389 | Remote desktop | Should be tightly restricted and protected with MFA or VPN |
| VPN | Varies | Encrypted remote or site-to-site access | Depends on protocol and configuration |
Reading Direction and Intent
Suppose a firewall log shows an internal laptop connecting to 203.0.113.10 on TCP 443. That is likely outbound HTTPS. If the destination is TCP 3389 on an internal server, it suggests remote desktop. If many clients suddenly query an unknown external resolver over UDP 53, investigate DNS configuration or possible malware. If an administrator opens TCP 22 from a management subnet to a Linux server, that aligns with SSH administration.
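The reading-the-log reasoning above, written out as an added example (not code from the original article): each line is classified by transport protocol, destination port and direction, using the port table from this page, and the two patterns the text calls out (RDP reachable from the internet, many clients querying an unknown external resolver over UDP 53) are flagged. The key=value log format, the RFC 1918 internal ranges, the approved resolver address and the sample lines are all assumptions constructed for this example; Telnet on TCP 23 is its standard port, which the article names without a number.

```python
"""Added example (not from the original article): classify firewall log lines
by transport protocol, destination port and direction, then flag the patterns
the text calls out. The key=value log format, the RFC 1918 internal ranges and
the approved resolver address are assumptions made for this example."""
import ipaddress
import re
from collections import defaultdict

# Service map taken from the article's port table, plus Telnet on TCP 23
# (the article names Telnet without a port; 23 is its standard port).
SERVICES = {
    ("tcp", 22): "SSH", ("tcp", 23): "Telnet", ("tcp", 25): "SMTP",
    ("tcp", 20): "FTP", ("tcp", 21): "FTP", ("tcp", 80): "HTTP",
    ("tcp", 443): "HTTPS", ("tcp", 53): "DNS", ("udp", 53): "DNS",
    ("udp", 67): "DHCP", ("udp", 68): "DHCP", ("udp", 161): "SNMP",
    ("udp", 162): "SNMP", ("tcp", 3389): "RDP", ("udp", 3389): "RDP",
}
CLEARTEXT = {"Telnet", "HTTP", "FTP"}  # protocols with a secure replacement

# Assumed internal address space (RFC 1918) and an assumed approved resolver.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APPROVED_RESOLVERS = {"10.0.0.53"}

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+proto=(?P<proto>\w+)")

# Constructed sample log lines (TEST-NET addresses stand in for the internet).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z allow src=10.0.0.15:51234 dst=203.0.113.10:443 proto=tcp",
    "2024-05-01T10:00:02Z allow src=198.51.100.7:40001 dst=10.0.0.20:3389 proto=tcp",
    "2024-05-01T10:00:03Z allow src=10.0.9.5:50010 dst=10.0.0.40:22 proto=tcp",
    "2024-05-01T10:00:04Z allow src=10.0.0.11:53011 dst=203.0.113.53:53 proto=udp",
    "2024-05-01T10:00:05Z allow src=10.0.0.12:53012 dst=203.0.113.53:53 proto=udp",
    "2024-05-01T10:00:06Z allow src=10.0.0.13:53013 dst=203.0.113.53:53 proto=udp",
    "2024-05-01T10:00:07Z allow src=10.0.0.14:53014 dst=10.0.0.53:53 proto=udp",
    "2024-05-01T10:00:08Z allow src=10.0.0.15:51300 dst=203.0.113.80:80 proto=tcp",
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(src: str, dst: str) -> str:
    """Outbound = internal to external, inbound = external to internal."""
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "transit"


def classify(line: str):
    """Return a dict describing one log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst = m["src"], m["dst"]
    proto, dport = m["proto"].lower(), int(m["dport"])
    service = SERVICES.get((proto, dport), "unknown")
    dirn = direction(src, dst)
    flags = []
    if service in CLEARTEXT:
        flags.append("cleartext-protocol")
    if service == "RDP" and dirn == "inbound":
        flags.append("rdp-reachable-from-internet")
    if service == "DNS" and dirn == "outbound" and dst not in APPROVED_RESOLVERS:
        flags.append("unapproved-resolver")
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "service": service, "direction": dirn, "flags": flags}


def unapproved_resolver_clients(lines, min_clients: int = 3):
    """Map each unapproved external resolver to its distinct internal client
    count, keeping only resolvers used by at least min_clients hosts."""
    clients = defaultdict(set)
    for line in lines:
        rec = classify(line)
        if rec and "unapproved-resolver" in rec["flags"]:
            clients[rec["dst"]].add(rec["src"])
    return {r: len(s) for r, s in clients.items() if len(s) >= min_clients}


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        rec = classify(entry)
        print(f'{rec["direction"]:8} {rec["service"]:8} '
              f'{rec["dst"]}:{rec["dport"]} {rec["flags"]}')
    print("resolver anomalies:", unapproved_resolver_clients(SAMPLE_LOG))
```

The direction check is what turns a bare port number into intent: the same TCP 3389 is routine between an admin subnet and a server but a finding when the source is outside the organization, and the resolver check only fires on outbound DNS to an address that is not on the approved list.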
Port numbers also help with least privilege. A web server may need inbound TCP 443 from users, outbound DNS to approved resolvers, and management access only from an admin network. It usually does not need broad inbound FTP, RDP, or database exposure from the internet. The best rule is specific about source, destination, protocol, port, and business purpose.
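The least-privilege rule described above, as an added example (not the article's own code): a small reviewer that checks whether a proposed firewall rule is specific about source, destination, protocol, port and business purpose, and flags the exposures the text names (FTP or RDP open to any source, management access not limited to an admin network). The rule fields, the "any" convention, the admin network address and the sample rules are assumptions constructed for this example.

```python
"""Added example (not from the original article): review proposed firewall
rules for least privilege. The rule dict fields, the "any" convention and the
admin network address are assumptions made for this example."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

# Services the article says should not be broadly exposed from the internet,
# and management services that should only come from an admin network.
SENSITIVE = {("tcp", 20): "FTP", ("tcp", 21): "FTP",
             ("tcp", 3389): "RDP", ("udp", 3389): "RDP"}
MANAGEMENT = {("tcp", 22): "SSH", ("tcp", 3389): "RDP"}
ADMIN_NET = ipaddress.ip_network("10.0.9.0/24")  # assumed admin network

# Constructed sample rules; "any" means unrestricted, dport is an int or "any".
SAMPLE_RULES = [
    {"name": "public-web", "src": "any", "dst": "10.0.0.20/32",
     "proto": "tcp", "dport": 443, "purpose": "customer web portal"},
    {"name": "rdp-from-internet", "src": "any", "dst": "10.0.0.20/32",
     "proto": "tcp", "dport": 3389, "purpose": "remote admin"},
    {"name": "catch-all", "src": "10.0.0.0/8", "dst": "any",
     "proto": "any", "dport": "any", "purpose": ""},
    {"name": "admin-ssh", "src": "10.0.9.0/24", "dst": "10.0.0.40/32",
     "proto": "tcp", "dport": 22, "purpose": "server admin over SSH"},
]


def parse_net(value: str) -> ipaddress.IPv4Network:
    return ANY if value == "any" else ipaddress.ip_network(value)


def review_rule(rule: dict) -> list:
    """Return findings for one rule; an empty list means the rule is specific
    about source, destination, protocol, port and purpose."""
    findings = []
    src, dst = parse_net(rule["src"]), parse_net(rule["dst"])
    proto, dport = rule["proto"], rule["dport"]
    if dst == ANY:
        findings.append("destination-any")
    if proto == "any":
        findings.append("protocol-any")
    if dport == "any":
        findings.append("port-any")
    if not rule.get("purpose"):
        findings.append("missing-purpose")
    key = (proto, dport)
    # A public web service on TCP 443 may legitimately accept any source;
    # FTP and RDP should not, and management ports should come from ADMIN_NET.
    if key in SENSITIVE and src == ANY:
        findings.append(f"{SENSITIVE[key]}-exposed-to-any-source")
    if key in MANAGEMENT and not src.subnet_of(ADMIN_NET):
        findings.append(f"{MANAGEMENT[key]}-not-limited-to-admin-network")
    return findings


def review_all(rules: list) -> dict:
    """Map each rule name to its findings."""
    return {rule["name"]: review_rule(rule) for rule in rules}


if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_RULES).items():
        print(f"{name:18} {'ok' if not findings else ', '.join(findings)}")
```

The point of the check is that "specific" depends on the service: an unrestricted source is acceptable for a public HTTPS listener but not for RDP or FTP, and SSH or RDP that does not originate from the admin network is a finding even when every other field is narrow.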
Application Security Choices
Some protocols have older insecure forms. HTTP does not protect confidentiality by itself, while HTTPS uses TLS. Telnet sends credentials in clear text, while SSH protects the session. Older SNMP versions rely on community strings and weak protection; SNMPv3 can provide authentication and encryption. FTP is risky for sensitive transfers because credentials and data can be exposed. A question that asks for a secure remote command-line method is likely pointing to SSH. A question about protecting browser sessions is likely pointing to HTTPS.
Practical Scenario
A small office reports that users can browse websites but cannot receive dynamic addresses on a guest network. Web browsing proves some paths work, but DHCP depends on local broadcast and relay behavior over UDP 67 and 68, so a working web path says nothing about it. The right place to investigate is not HTTPS. Check whether the guest VLAN has a DHCP scope, whether a DHCP relay is configured, whether a rogue server is present, and whether access controls block the DHCP exchange.
Good CC exam reasoning connects the port to the function, the function to the symptom, and the symptom to a practical next step.
Practice Questions
Which protocol is the best choice for secure command-line administration of a server across a network?
A firewall log shows repeated connection attempts from the internet to an internal host on TCP 3389. What service is most likely being targeted?