Applications Using IP
No discussion of TCP/IP would be complete without a look at the applications that use IP. Unlike services, which frequently perform functions that are then used by IP itself, the applications that use IP are relatively independent of IP: they typically interface with users and are rarely used by other IP processes.
Common Applications Using IP
The most common applications that use IP tend to revolve around access to Internet-based resources such as web servers and mail servers. In addition, file and print services are the most common application implemented in corporate networks.
Web browsers and web servers allow users to access graphical content using HTTP, which uses TCP port 80. If secure web browsing is required, the data can be secured using Secure Sockets Layer (SSL); HTTP over SSL is commonly known as HTTPS and uses TCP port 443.
Electronic mail is delivered via two primary mechanisms: SMTP and POP3. SMTP uses TCP port 25 and serves primarily to transmit e-mail messages to the mail server (or between mail servers), because it has only a limited ability to queue e-mail messages on the client side. This is where POP3 (which uses TCP port 110) comes in: it does a much better job of queuing e-mail messages and is therefore typically used by the client to receive e-mail messages from the mail server.
File and printer sharing typically, but not always, occurs over TCP ports to provide for a reliable and connection-oriented delivery mechanism. A notable exception to this is Network File System (NFS), which is typically used by UNIX-based hosts and typically uses UDP port 2049. Microsoft file and print services typically use TCP port 139 or TCP port 445.
Less-Common Applications Using IP
Some less-common, but still frequently used, applications that are based on IP include the following:
Telnet Telnet is used to provide remote console connections over TCP port 23. Telnet is an insecure protocol, which means that the data being transmitted is not encrypted but sent in cleartext.
FTP FTP is used to transmit and receive files between hosts. Although this may seem similar to file sharing, the key difference is that file sharing tends to be an interactive session within the operating system itself (unlike FTP, which tends to operate as a distinct client application). FTP operates in two primary modes: active FTP and passive (PASV) FTP. Active FTP commonly uses two TCP ports for communication. TCP port 21 is used for connection establishment and control information, and TCP port 20 is used for the transmission of data. Passive FTP uses TCP port 21 for connection establishment and control information, and the client and server negotiate a random high port or a preconfigured port for the transmission of data. Like Telnet, FTP transmits all data in cleartext.
TFTP Although it is common to think of TFTP and FTP as practically the same because of their names, nothing could be further from the truth. TFTP is a completely self-contained protocol in no way associated with FTP. Whereas FTP can navigate directory structures and authenticate access, TFTP is unauthenticated and requires exact paths to transmit or receive data. In addition, TFTP uses UDP port 69 for connection establishment and then performs the file transfer using two random UDP high ports. Because of the unreliable nature of TFTP, as well as the lack of authentication or robust file system navigation capabilities, TFTP tends to be used for small or specialized forms of file transfer, such as transferring router and firewall configurations and operating systems.
Syslog Chapter 12, "What Is My Firewall Telling Me?," covers syslog in much greater detail; however, as a brief introduction, syslog is used by network devices to transmit event log information from a host to a server where the event is typically stored and reported upon. Because these messages can be extremely large in volume, syslog is typically configured to use UDP port 514 for the transport mechanism. This reduces the overhead involved in maintaining a syslog session, freeing up that memory and processor usage for other applications, programs, and services. The downside of this, of course, is that if UDP is used, there is no guarantee that the syslog data was successfully transmitted and received. To address this, some firewalls and syslog servers can be configured to use TCP port 514 (Cisco defaults to using port 1470), thereby using the native reliability characteristics of TCP to ensure that the syslog data is successfully delivered. Syslog is also an insecure protocol, requiring no authentication and delivering the data in cleartext.
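The active/passive distinction described under FTP above is exactly what a stateful firewall's FTP inspection has to track: the data connection uses a port announced on the control channel, not a fixed one. The following added example (not code from the book) parses the client's PORT command and the server's 227 passive-mode reply, derives the data connection that will follow, and refuses to describe a pinhole when the announced address is not the control-channel peer. The transcripts and the addresses 192.0.2.10 and 198.51.100.7 are constructed.

```python
"""Parse FTP data-channel negotiation on the control channel, as a stateful
firewall's FTP inspection does, to learn the data connection to permit.

Added illustration, not code from the book; the sample sessions and the
addresses 192.0.2.10 / 198.51.100.7 are constructed.
"""
import re

# Six decimal fields h1,h2,h3,h4,p1,p2: an IPv4 address plus the port split
# into high and low bytes (port = p1 * 256 + p2).
SIX_FIELDS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_RE = re.compile(r"\(" + SIX_FIELDS + r"\)")                # server: 227 Entering Passive Mode (...)
PORT_RE = re.compile(r"^PORT\s+" + SIX_FIELDS + r"\s*$", re.I)  # client: PORT h1,h2,h3,h4,p1,p2


def decode_hostport(fields):
    """Turn the six fields into (ip, port); reject out-of-range values."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_pasv_reply(line):
    """'227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> (ip, port) or None."""
    if not line.startswith("227"):
        return None
    m = PASV_RE.search(line)
    return decode_hostport(m.groups()) if m else None


def parse_port_command(line):
    """'PORT h1,h2,h3,h4,p1,p2' -> (ip, port) or None."""
    m = PORT_RE.match(line)
    return decode_hostport(m.groups()) if m else None


def expected_data_connection(control_lines, client_ip, server_ip):
    """Walk (side, line) pairs from the control channel and describe the
    data connection that follows. Active mode: the server connects from
    TCP port 20 to the address the client announced. Passive mode: the
    client connects to the address and port the server announced.
    'pinhole_ok' is False when the announced address is not the control
    channel peer, which an inspecting firewall should refuse to open."""
    for side, line in control_lines:
        if side == "C":
            hp = parse_port_command(line)
            if hp:
                return {"mode": "active", "src": server_ip, "src_port": 20,
                        "dst": hp[0], "dst_port": hp[1],
                        "pinhole_ok": hp[0] == client_ip}
        elif side == "S":
            hp = parse_pasv_reply(line)
            if hp:
                return {"mode": "passive", "src": client_ip, "src_port": None,
                        "dst": hp[0], "dst_port": hp[1],
                        "pinhole_ok": hp[0] == server_ip}
    return None


# Constructed control-channel transcripts (C = client, S = server).
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"
PASSIVE_SESSION = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (192,0,2,10,195,80)"),
    ("C", "RETR config.txt"),
]
ACTIVE_SESSION = [
    ("C", "PORT 198,51,100,7,4,1"),
    ("S", "200 PORT command successful"),
    ("C", "RETR config.txt"),
]
MISMATCH_SESSION = [
    ("C", "PORT 203,0,113,9,4,1"),   # announces a third host, not the client itself
]

if __name__ == "__main__":
    for name, session in [("passive", PASSIVE_SESSION), ("active", ACTIVE_SESSION),
                          ("mismatch", MISMATCH_SESSION)]:
        print(name, expected_data_connection(session, CLIENT, SERVER))
```

In the passive transcript the server announces port 195 * 256 + 80 = 50000, which is why passive FTP needs either an inspecting firewall or a preconfigured passive port range on the server; in the active transcript the server will connect back from port 20 to port 1025 on the client, which is the inbound connection that NAT and client-side firewalls block.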
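The syslog paragraph above contrasts UDP port 514 with TCP transport. What it leaves implicit is that each UDP datagram carries exactly one message, whereas TCP delivers a byte stream with no message boundaries, so TCP syslog needs a framing scheme on top. The following added example (not code from the book) encodes the PRI value that prefixes every syslog message (facility * 8 + severity), frames messages for TCP using the octet-counting scheme of RFC 6587, reassembles a stream that ends in a partial frame, and parses the classic BSD-style layout back into fields. The host names and event texts are constructed.

```python
"""Build, frame, and parse BSD-style syslog messages for UDP and TCP transport.

Added illustration, not code from the book. The message layout is the
classic BSD one (<PRI>Mmm dd hh:mm:ss HOST TAG: TEXT); the TCP framing is
the octet-counting scheme of RFC 6587. Host names and texts are constructed.
"""
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local4": 20, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; local4.warning -> 164."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Inverse of encode_pri: (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITY_NAMES.get(pri // 8, "facility%d" % (pri // 8)), SEVERITY_NAMES[pri % 8]


def build_message(facility, severity, timestamp, host, tag, text):
    """One syslog message; over UDP this is sent as a single datagram."""
    return "<%d>%s %s %s: %s" % (encode_pri(facility, severity), timestamp, host, tag, text)


def frame_for_tcp(msg):
    """TCP is a byte stream with no message boundaries, so each message is
    prefixed with its length in octets and a space (RFC 6587 octet counting)."""
    data = msg.encode("utf-8")
    return ("%d " % len(data)).encode("ascii") + data


def split_tcp_stream(buf):
    """Split received TCP bytes into complete messages. Returns (messages,
    remainder); an incomplete trailing frame stays in the remainder until
    more bytes arrive."""
    msgs = []
    while True:
        sp = buf.find(b" ")
        if sp < 0:
            break
        length = int(buf[:sp])          # raises ValueError on a corrupt frame
        end = sp + 1 + length
        if len(buf) < end:
            break
        msgs.append(buf[sp + 1:end].decode("utf-8"))
        buf = buf[end:]
    return msgs, buf


def parse_message(msg):
    """Decode a BSD-style message into its fields."""
    if not msg.startswith("<") or ">" not in msg:
        raise ValueError("missing PRI")
    close = msg.index(">")
    facility, severity = decode_pri(int(msg[1:close]))
    rest = msg[close + 1:]
    timestamp, rest = rest[:15], rest[16:]       # "Mmm dd hh:mm:ss" is fixed width
    host, tagtext = rest.split(" ", 1)
    tag, text = tagtext.split(": ", 1)
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "host": host, "tag": tag, "text": text}


# Constructed sample events from a firewall logging to facility local4.
EVENTS = [
    build_message("local4", "warning", "Oct  5 14:22:01", "fw1", "firewall",
                  "denied tcp 203.0.113.5:40211 -> 10.0.0.12:23"),
    build_message("local4", "info", "Oct  5 14:22:02", "fw1", "firewall",
                  "permitted tcp 10.0.0.8:51002 -> 192.0.2.10:22"),
]

if __name__ == "__main__":
    stream = b"".join(frame_for_tcp(m) for m in EVENTS)
    complete, leftover = split_tcp_stream(stream + b"40 <165>truncated")  # third frame cut off
    for m in complete:
        print(parse_message(m))
    print("bytes held back:", leftover)
```

Neither transport changes the security properties the paragraph notes: TCP gives delivery assurance, but the PRI, host name and text are still unauthenticated cleartext, which is why the IPsec encapsulation discussed later in this section is the usual answer for syslog traffic that crosses untrusted links.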
Protocols Used to Implement Security
In addition to general protocols that are used on IP networks, a few specialized protocols were developed with security and/or secure methods of communication in mind. Some of the more commonly known protocols that are used for security on an IP network are as follows:
Secure Shell (SSH) SSH is similar to Telnet, but it provides remote console connectivity that uses encryption and authentication to ensure that the data transmitted is secured and tamper-proof and that all connections are authenticated. Therefore, SSH should be used instead of Telnet in all circumstances that allow it. SSH uses TCP port 22 for transport communications.
Internet Protocol Security (IPsec) Technically a framework of a number of protocols, IPsec provides security functionality for IP-based communications. This includes encryption, authentication, and nonrepudiation functionality. Unlike most encryption mechanisms that we have discussed at the application or presentation layer (such as SSH or HTTPS), IPsec functions at the network layer. It does this by essentially taking a complete data packet and encapsulating it with the corresponding IPsec-specific header information and then transmitting the data over IP. This procedure allows IPsec to be used to secure virtually any data transmitted over an IP network, regardless of the actual application source. Consequently, IPsec can be used to secure insecure protocols such as SNMP, NTP, or syslog by encapsulating that insecure data within a secure IPsec frame.
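Taken together, the port assignments in this section give a defender a first-pass inventory check: which permitted flows on the network are using the protocols this section calls cleartext (Telnet, FTP, TFTP, syslog, and plain HTTP), and which secured alternative the section names for each (SSH for Telnet, HTTPS for HTTP, IPsec encapsulation for the rest). The following added example (not code from the book) runs that check over connection-log lines. The log line format, the addresses and the flows are constructed; protocols the section does not characterize as cleartext or secured (SMTP, POP3, NFS, Microsoft file and print) are recognized by name but not flagged.

```python
"""Flag permitted cleartext-protocol flows in connection-log lines, using the
port assignments given in this section, and name the secured alternative
the section recommends.

Added illustration, not code from the book. The log line format, the
addresses and the flows below are constructed.
"""
import re
from collections import defaultdict

# (transport, port) -> (application, cleartext per this section, alternative)
# cleartext is True/False where the section says so and None where it does not.
PORTS = {
    ("tcp", 80):   ("http", True, "https on tcp/443"),
    ("tcp", 443):  ("https", False, None),
    ("tcp", 25):   ("smtp", None, None),
    ("tcp", 110):  ("pop3", None, None),
    ("tcp", 139):  ("ms-file-print", None, None),
    ("tcp", 445):  ("ms-file-print", None, None),
    ("udp", 2049): ("nfs", None, None),
    ("tcp", 23):   ("telnet", True, "ssh on tcp/22"),
    ("tcp", 22):   ("ssh", False, None),
    ("tcp", 21):   ("ftp-control", True, "IPsec encapsulation"),
    ("tcp", 20):   ("ftp-data", True, "IPsec encapsulation"),
    ("udp", 69):   ("tftp", True, "IPsec encapsulation"),
    ("udp", 514):  ("syslog", True, "IPsec encapsulation"),
    ("tcp", 514):  ("syslog", True, "IPsec encapsulation"),
    ("tcp", 1470): ("syslog", True, "IPsec encapsulation"),
}

# Constructed log format: "<timestamp> permit|deny tcp|udp src:port -> dst:port"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")


def classify(proto, dport):
    """Map a destination transport/port to (application, cleartext?, alternative)."""
    return PORTS.get((proto, dport), ("unclassified", None, None))


def audit(lines):
    """Return {application: {"flows": n, "sources": set, "alternative": str}}
    for permitted flows the section calls cleartext. Denied flows are not
    reported (the firewall already stopped them), nor are secured ones.
    Lines that do not match the log format are counted under "_skipped"."""
    report = defaultdict(lambda: {"flows": 0, "sources": set(), "alternative": None})
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        if m["action"] != "permit":
            continue
        app, cleartext, alt = classify(m["proto"], int(m["dport"]))
        if cleartext:
            entry = report[app]
            entry["flows"] += 1
            entry["sources"].add(m["src"])
            entry["alternative"] = alt
    result = dict(report)
    result["_skipped"] = skipped
    return result


# Constructed sample log: one line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T10:00:01 permit tcp 10.0.0.5:51234 -> 192.0.2.10:23
2024-05-01T10:00:02 permit tcp 10.0.0.5:51235 -> 192.0.2.10:22
2024-05-01T10:00:03 permit tcp 10.0.0.9:40001 -> 192.0.2.20:80
2024-05-01T10:00:04 permit tcp 10.0.0.9:40002 -> 192.0.2.20:443
2024-05-01T10:00:05 permit udp 10.0.0.1:514 -> 192.0.2.30:514
2024-05-01T10:00:06 permit udp 10.0.0.7:52000 -> 192.0.2.40:69
2024-05-01T10:00:07 deny tcp 203.0.113.5:40211 -> 10.0.0.12:23
2024-05-01T10:00:08 permit tcp 10.0.0.11:51236 -> 192.0.2.10:23
this line is not a flow record
"""

if __name__ == "__main__":
    for app, entry in sorted(audit(SAMPLE_LOG.splitlines()).items()):
        print(app, entry)
```

Port-based classification is only a heuristic: a passive FTP data transfer lands on a negotiated high port and HTTP on a non-standard port goes unclassified, so this check complements, rather than replaces, the control-channel inspection described for FTP earlier in this section.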