Application Layer Ports and Sockets

The Application Layer is the most visible layer because it interacts with software applications that need access to network services and resources. When an application wants to request (consume) a service, such as a webpage, it sends a network message to a specific server. However, modern servers commonly provide lots of services, so how does the server know what a remote process wants? In addition to sending a request to a server, a service requester (i.e., a client) also provides a port number with the request. A port is just a number that tells the server what type of service the client is requesting. On the server, many programs run as services, which are programs that monitor a specific port for requests. When a server receives a request for a service at a specific port, the Application Layer passes the request to the service listening on the specified port. An instance of a service listening for traffic on a specific port is called a socket.
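To make the port/socket relationship concrete, here is an added example (not code from the textbook): two toy services are bound to loopback, each on its own OS-assigned port, and a client sends the same request to both. Only the port number differs, and that is what decides which listening socket, and therefore which service, answers. The service names and the request format are invented for this example.

```python
import socket
import threading

# Added example (not from the textbook): two toy services, each listening on
# its own loopback port, to show that the port number carried in a request is
# what selects the socket, and therefore the service, that answers it.

def start_service(handler):
    """Open a listening TCP socket on 127.0.0.1 with an OS-assigned port
    (port 0) and answer each connection in a daemon thread.
    Returns the port number so clients know where to send requests."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))        # port 0: let the OS choose a free port
    listener.listen(5)
    port = listener.getsockname()[1]

    def serve_forever():
        while True:
            conn, _peer = listener.accept()  # a new socket per accepted connection
            with conn:
                conn.sendall(handler(conn.recv(4096)))

    threading.Thread(target=serve_forever, daemon=True).start()
    return port

def request(port, payload):
    """Client side: send one request to 127.0.0.1:<port> and return the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as conn:
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)        # tell the service the request is complete
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:                     # service closed its side: reply complete
                break
            chunks.append(data)
    return b"".join(chunks)

# Two different hypothetical services; which one runs is decided purely by the port.
def shout_service(req):
    return b"SHOUT:" + req.upper()

def count_service(req):
    return b"COUNT:" + str(len(req)).encode()

def demo():
    """Start both services and send the same request to each port."""
    shout_port = start_service(shout_service)
    count_port = start_service(count_service)
    return {
        "shout": request(shout_port, b"hello"),
        "count": request(count_port, b"hello"),
        "distinct_ports": shout_port != count_port,
    }

if __name__ == "__main__":
    print(demo())
```

Running the block starts both services on ports the OS picks; `demo()` returns `SHOUT:HELLO` from one port and `COUNT:5` from the other, even though the host address and the request bytes are identical. A real server differs only in scale: sshd, nginx, and snmpd each own a listening socket, and the destination port in the incoming packet is the whole routing decision.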

Each service uses a port number to help direct traffic. There are 65,536 ports, which are divided into well-known ports (0–1023), registered ports (1024–49151), and dynamic ports (49152–65535). Although there are hundreds of ports and corresponding applications, in practice, fewer than 100 are in common use. Of these, only a handful will be encountered on a regular basis. The most common of these are shown in TABLE 6-3.

TABLE 6-3 Computer ports, services, and protocols.

PORT     SERVICE                                                     PROTOCOL
20/21    File Transfer Protocol (FTP) data / FTP command             TCP
22       SSH / Secure File Transfer Protocol (SFTP)                  TCP
23       Telnet                                                      TCP
25       Simple Mail Transfer Protocol (SMTP)                        TCP
53       Domain Name Service (DNS)                                   TCP/UDP
67/68    Dynamic Host Configuration Protocol (DHCP)                  UDP
69       Trivial File Transfer Protocol (TFTP)                       UDP
79       Finger protocol (user information)                          TCP
80       Hypertext Transfer Protocol (HTTP)                          TCP
88       Kerberos                                                    UDP
110      Post Office Protocol version 3 (POP3)                       TCP
111      Sun Microsystems Remote Procedure Call (SUNRPC)             TCP/UDP
123      Network Time Protocol (NTP)                                 UDP
135      Microsoft Remote Procedure Call (MS RPC)                    TCP/UDP
139      NetBIOS Session                                             TCP/UDP
143      Internet Message Access Protocol (IMAP)                     TCP
156      Structured Query Language (SQL) service                     TCP/UDP
161      Simple Network Management Protocol (SNMP)                   UDP
162      SNMP Trap                                                   UDP
179      Border Gateway Protocol (BGP)                               TCP/UDP
389      Lightweight Directory Access Protocol (LDAP)                TCP
443      Hypertext Transfer Protocol Secure (HTTPS)                  TCP
445      Server Message Block (SMB) over IP                          TCP/UDP

You should practice the deny-all principle and enable just those ports that are needed instead of memorizing each port and deciding whether or not to block it. Simply put, you should block everything and allow only what is needed. If a port is not being used, and deny-all is the practice, it will already be closed.

Because the most popular protocol suite, Transmission Control Protocol/Internet Protocol (TCP/IP), was designed at a time when networks were trusted more than they are today, not all applications are created equal. Although some, such as SSH, are designed to be secure, you might encounter the less secure options in practice. The following list discusses the operation and security issues of some of the common applications:

  • DNS—Domain Name System (DNS) operates on port 53 and performs address translation. DNS serves a critical function in that it converts fully qualified domain names (FQDNs) into numeric IP addresses or IP addresses into FQDNs. DNS uses UDP and TCP.
  • FTP—File Transfer Protocol (FTP) is a TCP service that operates on ports 20 and 21. This application is used to move files from one computer to another. Port 20 is used for the data stream and transfers the data between the client and the server. Port 21 is the control stream and is used to pass commands between the client and the FTP server.
  • HTTP—Hypertext Transfer Protocol (HTTP) is a TCP service that operates on port 80. HTTP uses a request–response protocol in which a client sends a request and a server sends a response. Because HTTP is generally on web servers, and web servers are a very public and exposed asset, the protocol is commonly exploited by all sorts of threats, including malware.
  • SNMP—Simple Network Management Protocol (SNMP) is a UDP service for sharing and collecting information about network devices; it operates on ports 161 and 162. Some of the security problems that plague SNMP are caused because community strings (which act as a pseudo-password) can be passed as cleartext, and the default community strings (public/private) are well known. SNMP version 3 is the most current, and it offers authentication and encryption.
  • Telnet—Telnet is a TCP service that operates on port 23. Telnet enables a client at one site to establish a session with a host at another site. The program passes the information typed at the client’s keyboard to the host computer system. Telnet sends data in the clear, which makes it easy for an attacker with a sniffer to see everything that is typed—including passwords.
  • SMTP—Simple Mail Transfer Protocol (SMTP) is a TCP service that operates on port 25. It is designed for the exchange of electronic mail between networked systems. Spoofing and spamming are two of the vulnerabilities associated with SMTP.
  • TFTP—Trivial File Transfer Protocol (TFTP) operates on UDP port 69. It also requires no authentication, which could pose a big security risk. It is used to transfer router configuration files, and by cable companies to configure cable modems.

NOTE

Every firewall is different with respect to configuration, but by default most firewalls have most, if not all, their default ports and services disabled. It is up to each organization to determine what must be enabled to make the network usable and to enable just those features necessary to function. The first step in configuring network devices for any organization is to understand what network services that organization needs to operate. Then, provide access for only those services.
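The deny-all guidance above, and the note's advice to first learn which services the organization needs, both come down to one recurring check: compare what is actually listening against the approved list. The following added example (not from the textbook) parses the output format of the Linux `ss -tulnp` command from a constructed sample, labels each listener with its TABLE 6-3 name and port class, and reports the two things a deny-all review cares about: sockets listening for services nobody approved, and approved ports with no listener (which under deny-all simply stay closed). The approved set, process names, and sample lines are invented for this example.

```python
import re

# Constructed sample of `ss -tulnp` output for this example (not captured
# from a real host); the column layout follows the real tool.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=900,fd=6))
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      128    0.0.0.0:23          0.0.0.0:*         users:(("inetd",pid=650,fd=5))
tcp   LISTEN 0      128    [::]:80             [::]:*            users:(("nginx",pid=1001,fd=6))
"""

# Service names for a subset of the ports listed in TABLE 6-3.
PORT_NAMES = {20: "FTP data", 21: "FTP command", 22: "SSH/SFTP", 23: "Telnet",
              25: "SMTP", 53: "DNS", 69: "TFTP", 80: "HTTP", 110: "POP3",
              123: "NTP", 161: "SNMP", 162: "SNMP trap", 389: "LDAP",
              443: "HTTPS", 445: "SMB"}

# Hypothetical policy: the (transport, port) pairs this organization approved.
APPROVED = {("tcp", 22), ("tcp", 80), ("tcp", 443), ("udp", 161)}

PROCESS_RE = re.compile(r'\(\("([^"]+)"')   # pulls "sshd" out of users:(("sshd",pid=...

def port_class(port):
    """Well-known (0-1023), registered (1024-49151), dynamic (49152-65535)."""
    if 0 <= port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    if port <= 65535:
        return "dynamic"
    raise ValueError("port out of range: %d" % port)

def parse_ss(text):
    """Turn `ss -tulnp` lines into listener records (header line skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, state, local = fields[0], fields[1], fields[4]
        if proto == "tcp" and state != "LISTEN":   # only listening TCP sockets matter
            continue
        host, _, port = local.rpartition(":")       # works for [::]:80 and 0.0.0.0:22
        match = PROCESS_RE.search(line)
        listeners.append({"proto": proto, "port": int(port), "bind": host,
                          "loopback": host in ("127.0.0.1", "[::1]"),
                          "process": match.group(1) if match else "unknown"})
    return listeners

def audit(text, approved):
    """Annotate each listener with its name, class, and policy verdict."""
    report = []
    for l in parse_ss(text):
        name = PORT_NAMES.get(l["port"], "(%s port)" % port_class(l["port"]))
        verdict = "allowed" if (l["proto"], l["port"]) in approved else "not approved"
        report.append({**l, "name": name, "verdict": verdict})
    return report

def unexpected_listeners(text, approved):
    """Services listening that the policy never approved. Under deny-all these
    should be stopped; loopback-only ones are lower risk but still need a reason."""
    return sorted((l["proto"], l["port"], l["process"],
                   "loopback" if l["loopback"] else "network")
                  for l in audit(text, approved) if l["verdict"] != "allowed")

def unused_approvals(text, approved):
    """Approved ports with nothing listening: leave them closed at the firewall."""
    listening = {(l["proto"], l["port"]) for l in parse_ss(text)}
    return sorted(approved - listening)

if __name__ == "__main__":
    for entry in audit(SAMPLE_SS_OUTPUT, APPROVED):
        print(entry)
    print("unexpected:", unexpected_listeners(SAMPLE_SS_OUTPUT, APPROVED))
    print("approved but unused:", unused_approvals(SAMPLE_SS_OUTPUT, APPROVED))
```

On the sample, the audit flags Telnet on tcp/23 (exposed on all interfaces, and a cleartext protocol per the list above) and the printing daemon on tcp/631 (loopback only), while reporting tcp/443 as approved but unused. Pipe real `ss -tulnp` output into `audit` and diff the result against the approved set on a schedule; a new "not approved" entry is a change someone has to explain.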
