Ports and Protocol Decision Table
Key Takeaways
- Port knowledge is high yield only when tied to use case, transport (TCP/UDP), and the secure alternative.
- TCP is connection-oriented (three-way handshake); UDP is connectionless, used for low-latency and query/response.
- Secure protocols (SSH, SFTP, HTTPS, SNMPv3, LDAPS) replace cleartext management and transfer protocols.
- Scenarios ask which port to allow on a firewall, which service failed, or which protocol fits a requirement.
- Never memorize ports in isolation; attach each to a symptom and a design decision.
Ports Become Useful in Context
The N10-009 objectives explicitly list ports/protocols, and they appear in firewall-rule and "which service failed" items. You rarely get a bare "what port is X" question; instead you must pick a secure management protocol, identify a blocked service, or write the rule that satisfies a requirement. Learn the well-known range (0-1023), then connect each entry to a use case.
Ports exist because a single IP address must host many services at once. The combination of an IP address and a port is a socket, and the pair of sockets (source and destination) plus the protocol uniquely identifies a connection, which is how one web server fields thousands of simultaneous sessions on TCP 443. Servers listen on well-known destination ports; clients open an ephemeral source port (commonly 49152-65535) for the return traffic.
Understanding this is what lets you read a firewall log or a netstat output: an entry showing a local ephemeral port talking to a remote 443 is an outbound HTTPS session, while a listener bound to 0.0.0.0:3389 is an exposed RDP service that the exam would flag as a hardening risk to restrict or move behind a VPN.
| Protocol | Port(s) | Transport | Use | Decision clue |
|---|---|---|---|---|
| FTP (control/data) | 21/20 | TCP | File transfer | Cleartext; prefer SFTP/FTPS |
| SSH / SFTP | 22 | TCP | Secure shell, secure file transfer | Secure remote admin |
| Telnet | 23 | TCP | Remote terminal | Insecure cleartext, avoid |
| SMTP | 25 | TCP | Server-to-server mail | Mail relay |
| DNS | 53 | UDP/TCP | Name resolution | UDP for queries, TCP for zone transfer |
| DHCP | 67/68 | UDP | Address leasing | Client cannot get a lease |
| TFTP | 69 | UDP | Simple file transfer | No auth, network boot/configs |
| HTTP | 80 | TCP | Web | Cleartext web |
| Kerberos | 88 | TCP/UDP | Authentication | Time-sensitive AD auth |
| POP3 | 110 | TCP | Mail download | Removes mail from server |
| NTP | 123 | UDP | Time sync | Drift breaks logs, certs, Kerberos |
| IMAP | 143 | TCP | Mail access | Mail stays on server |
| SNMP | 161/162 | UDP | Monitoring/traps | Prefer SNMPv3 |
| LDAP | 389 | TCP/UDP | Directory | Cleartext directory queries |
| HTTPS | 443 | TCP | Encrypted web | TLS-secured web |
| SMB | 445 | TCP | Windows file sharing | File shares, domain access |
| Syslog | 514 | UDP/TCP | Log forwarding | Central logging |
| LDAPS | 636 | TCP | Encrypted directory | Secure LDAP |
| SQL Server | 1433 | TCP | MS SQL | Database access |
| RDP | 3389 | TCP/UDP | Remote desktop | GUI admin, restrict it |
| SIP | 5060/5061 | UDP/TCP/TLS | VoIP signaling | 5061 = TLS-secured SIP |
TCP vs. UDP and the Three-Way Handshake
TCP (Transmission Control Protocol) is connection-oriented and reliable: it opens a session with the SYN, SYN-ACK, ACK three-way handshake, numbers and acknowledges bytes, retransmits losses, and closes with FIN. UDP (User Datagram Protocol) is connectionless "fire and forget": no handshake, no acknowledgment, lower overhead. That trade-off drives protocol choice.
| Need | Usually fits |
|---|---|
| Reliable, ordered delivery and session control | TCP |
| Low overhead, real-time, query/response | UDP |
| Name lookup | DNS, UDP for queries, TCP for zone transfers |
| Address lease | DHCP over UDP |
| Time sync | NTP over UDP |
| Web session | HTTP/HTTPS over TCP |
Secure Replacement Table
A recurring exam theme is swapping a cleartext protocol for its encrypted equivalent. If the requirement says "protect credentials in transit" or "encrypt management," pick the secure column.
| Weaker choice | Secure replacement | Why |
|---|---|---|
| Telnet (23) | SSH (22) | Encrypts remote administration |
| FTP (21) | SFTP (22) or FTPS (990) | Protects credentials and data |
| HTTP (80) | HTTPS (443) | TLS confidentiality and integrity |
| SNMPv1/v2c (161) | SNMPv3 | Adds authentication and encryption |
| LDAP (389) | LDAPS (636) / StartTLS | Protects directory queries |
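As an added example (not part of the original guide), the following Python reads simplified, constructed netstat-style socket lines the way the sockets paragraph and the two tables above describe: an ephemeral local port talking to remote 443 is an outbound HTTPS session, a listener bound to 0.0.0.0:3389 is an exposed RDP service to restrict, and each cleartext port maps to its secure replacement. The line format, the port-to-service mapping as coded here, and the sample lines are all constructed for this example.

```python
import re
# Well-known ports from the decision table above; SECURE_SWAP is the exam's replacement for each cleartext protocol.
SERVICES = {21: "FTP", 22: "SSH/SFTP", 23: "Telnet", 25: "SMTP", 53: "DNS", 67: "DHCP",
            69: "TFTP", 80: "HTTP", 88: "Kerberos", 110: "POP3", 123: "NTP", 143: "IMAP",
            161: "SNMP", 389: "LDAP", 443: "HTTPS", 445: "SMB", 514: "Syslog", 636: "LDAPS",
            1433: "SQL Server", 3389: "RDP", 5060: "SIP", 5061: "SIP-TLS"}
SECURE_SWAP = {23: "SSH (22)", 21: "SFTP (22) or FTPS (990)", 80: "HTTPS (443)",
               161: "SNMPv3", 389: "LDAPS (636) or StartTLS"}
RESTRICT_LISTENERS = {3389, 445, 1433}   # never leave these bound to all interfaces unrestricted
EPHEMERAL = range(49152, 65536)          # typical client source-port range
WILDCARDS = {"0.0.0.0", "::", "*"}
# Constructed, simplified socket line (not real netstat output): <proto> <local_ip>:<port> <remote_ip>:<port> <state>
LINE_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def classify(line):
    """Return (direction, service, advice) for one socket line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, laddr, lport, _raddr, rport, state = m.groups()
    lport, rport = int(lport), int(rport)
    if state == "LISTEN" or rport == 0:
        # Server side: a well-known local port waiting for clients.
        svc = SERVICES.get(lport, f"{proto}/{lport}")
        if laddr in WILDCARDS and lport in RESTRICT_LISTENERS:
            return ("listener", svc, f"exposed {svc} listener on all interfaces; restrict or place behind VPN")
        if lport in SECURE_SWAP:
            return ("listener", svc, f"cleartext {svc}; replace with {SECURE_SWAP[lport]}")
        return ("listener", svc, "ok")
    # Established flow: the well-known side names the service, the ephemeral side is the client.
    if lport in EPHEMERAL or (lport not in SERVICES and rport in SERVICES):
        direction, port = "outbound", rport
    else:
        direction, port = "inbound", lport
    svc = SERVICES.get(port, f"{proto}/{port}")
    advice = f"cleartext {svc}; replace with {SECURE_SWAP[port]}" if port in SECURE_SWAP else "ok"
    return (direction, svc, advice)

SAMPLE = """\
tcp 10.0.0.5:51234 203.0.113.7:443 ESTABLISHED
tcp 0.0.0.0:3389 0.0.0.0:0 LISTEN
tcp 10.0.0.5:51240 10.0.0.9:23 ESTABLISHED
udp 10.0.0.5:55000 10.0.0.1:53 -
udp 0.0.0.0:161 0.0.0.0:0 -
tcp 10.0.0.5:22 10.0.0.77:50100 ESTABLISHED
"""

if __name__ == "__main__":
    for direction, svc, advice in filter(None, map(classify, SAMPLE.splitlines())):
        print(f"{direction:9} {svc:10} {advice}")
```

Three of the six constructed lines come back with advice other than "ok": the exposed RDP listener, the Telnet session, and the SNMP listener.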
Worked Firewall and Failure Scenarios
| Scenario | Port/protocol focus |
|---|---|
| Securely administer a switch CLI | SSH, TCP 22 |
| Clients cannot obtain a DHCP lease across a router | UDP 67/68 plus a DHCP relay/IP helper |
| Monitoring system cannot poll interface counters securely | SNMPv3, UDP 161 |
| Internal portal must protect credentials | HTTPS, TCP 443 |
| Directory bind exposes credentials in capture | LDAPS, TCP 636, or StartTLS |
If a firewall allows TCP 443 but a web app still fails, confirm DNS (53) and that the server is actually listening on 443; a missing rule and a stopped service look identical from the client. Anchor every port to an operational story; that is how they appear on the test.
A handful of dependencies between these protocols generate exam questions on their own. NTP (UDP 123) is foundational: if device clocks drift, Kerberos (88) authentication fails because tickets are time-stamped, TLS certificates appear invalid, and log correlation across devices becomes useless, so a wave of seemingly unrelated auth and certificate errors often traces back to a single bad time source. DNS (53) underpins almost everything by name, so a DNS outage masquerades as a total network failure even though IP connectivity is fine; a fast check is to ping by IP address versus by name.
DHCP (UDP 67/68) is broadcast-based and therefore subnet-local, so cross-subnet leasing depends on a relay. Building these cause-and-effect chains, rather than memorizing isolated numbers, is what carries you through the multi-step firewall and troubleshooting items that dominate this objective.
An administrator must remotely manage a router's command line while encrypting credentials in transit, replacing an insecure legacy protocol. Which protocol and port fit best?
Clients on a remote subnet cannot obtain IP addresses, while clients on the DHCP server's own subnet work fine. Besides UDP 67/68, what is most likely missing?
Which protocol-and-port pairings are correct? Select all that apply.
Match each requirement to the best protocol choice.