!MAIN COURSE BOOK! Chapple M. (ISC)2 CISSP Certified IS...Study Guide 9ed 2021.pdf

506 Chapter 11 Secure Network Architecture and Components

The protocol analyzer can examine individual frames down to the binary level. Most analyzers or sniffers automatically parse out the contents of the header into an expandable outline form. Any configuration or setting can be easily seen in the header details. The payload of packets is often displayed in both hexadecimal and ASCII.

Protocol analyzers typically offer both capture filters and display filters. A capture filter is a set of rules to govern which frames are saved into the capture file or buffer and which are discarded. A display filter is used to show only those frames from the packet file or buffer that match your requirements.

Protocol analyzers vary from simple raw frame/packet-capturing tools to fully automated analysis engines. There are both open source (such as Wireshark) and commercial (such as Omnipeek, NetWitness, and NetScout) options.

Common Application Layer Protocols

In the Application layer of the OSI model reside numerous application- or service-specific protocols:

Telnet, TCP Port 23   This is a terminal emulation network application that supports remote connectivity for executing commands and running applications but does not support transfer of files. Telnet should not be used; replace it with SSH.

File Transfer Protocol (FTP), TCP Ports 20 (Active Mode Data Connection)/Ephemeral (Passive Mode Data Connection) and 21 (Control Connection)   This is a network application that supports an exchange of files that requires anonymous or specific authentication. FTP should not be used; replace it with SFTP or FTPS.

Trivial File Transfer Protocol (TFTP), UDP Port 69   This is a network application that supports an exchange of files that does not require authentication. It is used to host network device configuration files and can support multicasting. TFTP should not be used.

Simple Mail Transfer Protocol (SMTP), TCP Port 25   This is a protocol used to transmit email messages from a client to an email server and from one email server to another. Only use if encrypted with TLS to create SMTPS.

Post Office Protocol (POP3), TCP Port 110   This is a protocol used to pull email messages from an inbox on an email server down to an email client (aka client archiving). Only use if encrypted with TLS to create POPS.

Internet Message Access Protocol (IMAP4), TCP Port 143   This is a protocol used to pull email messages from an inbox on an email server down to an email client. IMAP offers the ability to retrieve only headers from an email server as well as to delete messages directly off the email server (i.e., server archiving). Only use if encrypted with TLS to create IMAPS.

Dynamic Host Configuration Protocol (DHCP), UDP Ports 67 (server) and 68 (client)   DHCP provides for centralized control of TCP/IP configuration settings assigned to systems upon bootup.

Hypertext Transfer Protocol (HTTP), TCP Port 80   This is the protocol used to transmit web page elements from a web server to web browsers in cleartext.

Hypertext Transfer Protocol Secured (HTTPS), TCP Port 443   This is the TLS-encrypted version of HTTP. (HTTPS with TLS does support use of TCP port 80—but only for server-to-server communications.)

Line Printer Daemon (LPD), TCP Port 515   This is a network service that is used to spool print jobs and send print jobs to printers. Consider enclosing in a VPN for use.

X Window, TCP Ports 6000–6063   This is a GUI API for command-line operating systems. Consider enclosing in a VPN for use.

Network File System (NFS), TCP Port 2049   This is a network service used to support file sharing between dissimilar systems. Consider enclosing in a VPN for use.

Simple Network Management Protocol (SNMP), UDP Port 161 (UDP Port 162 for Trap Messages)   This is a network service used to collect network health and status information from a central monitoring station. Use the secure SNMPv3 only.

For more examples of secure protocols, see the later section “Secure Communication Protocols.”
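As an added example (not from the book), the port guidance in the list above turned into a detection rule over Zeek-style conn.log records, which already orient each connection so that id.resp_p is the service port; the field names are Zeek's, and the log excerpt is constructed.

```python
"""Flag connections to the cleartext or deprecated services in the list above.
Input is Zeek conn.log TSV (constructed sample below); service port = id.resp_p."""

# Port policy transcribed from the protocol list: (proto, port) -> (name, guidance).
POLICY = {
    ("tcp", 23): ("Telnet", "do not use; replace with SSH"),
    ("tcp", 21): ("FTP", "do not use; replace with SFTP or FTPS"),
    ("udp", 69): ("TFTP", "do not use"),
    ("tcp", 25): ("SMTP", "only if TLS-encrypted (SMTPS)"),
    ("tcp", 110): ("POP3", "only if TLS-encrypted (POPS)"),
    ("tcp", 143): ("IMAP4", "only if TLS-encrypted (IMAPS)"),
    ("tcp", 80): ("HTTP", "cleartext web traffic; prefer HTTPS on 443"),
    ("tcp", 515): ("LPD", "consider enclosing in a VPN"),
    ("tcp", 2049): ("NFS", "consider enclosing in a VPN"),
    ("udp", 161): ("SNMP", "use SNMPv3 only"),
}
POLICY.update({("tcp", p): ("X Window", "consider enclosing in a VPN") for p in range(6000, 6064)})


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header; other '#' lines are skipped."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def findings(text):
    """Return one finding string per connection whose responder port is covered by POLICY."""
    out = []
    for rec in parse_conn_log(text):
        key = (rec["proto"], int(rec["id.resp_p"]))
        if key in POLICY:
            name, advice = POLICY[key]
            out.append(f"{rec['id.orig_h']} -> {rec['id.resp_h']}:{key[1]}/{key[0]} {name}: {advice}")
    return out


# Constructed conn.log excerpt (not real traffic); the SSH row on port 22 must produce no finding.
SAMPLE = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1718000000.1\tCa1\t10.0.0.5\t50321\t10.0.0.9\t23\ttcp",
    "1718000001.2\tCa2\t10.0.0.5\t50322\t10.0.0.9\t22\ttcp",
    "1718000002.3\tCa3\t10.0.0.7\t40000\t10.0.0.9\t161\tudp",
    "1718000003.4\tCa4\t10.0.0.8\t44444\t10.0.0.9\t6001\ttcp",
])
```

Run `findings(SAMPLE)` to get the three findings for Telnet, SNMP and X Window; the SSH connection is left alone because its responder port has no entry.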

SNMPv3

Simple Network Management Protocol (SNMP) is a standard network-management protocol supported by most network devices and TCP/IP-compliant hosts. These include routers, switches, WAPs, firewalls, VPNs, printers, and so on. From a management console, you can use SNMP to interact with various network devices to obtain status information, performance data, statistics, and configuration details. Some devices support the modification of configuration settings through SNMP.

Early versions of SNMP relied on plaintext transmission of community strings as authentication. Communities are named collections of network devices. The original default community names were public and private. The latest version of SNMP allows for encrypted communications, as well as robust authentication protection.

UDP port 161 is used by the SNMP agent (that is, network device) to receive requests, and UDP port 162 is used by the management console to receive responses and notifications (also known as trap messages). Trap messages inform the management console when an event or threshold violation occurs on a monitored system.
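An added example, not the book's: a minimal BER parser that pulls the version and, for v1/v2c, the community string out of an SNMP message so a monitor can flag the plaintext default community names described above. Both messages below are constructed, and the SNMPv3 header's msgGlobalData is abbreviated because only the version field is needed.

```python
"""Classify captured SNMP messages by version and flag plaintext community strings."""

DEFAULT_COMMUNITIES = {b"public", b"private"}  # the original default names from the text


def _tlv(buf, off):
    """Decode one BER tag-length-value at buf[off]; return (tag, value, next_offset)."""
    tag = buf[off]
    length = buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def parse_snmp(pkt):
    """Return {'version': str, 'community': bytes|None} for one SNMP message (UDP payload)."""
    tag, msg, _ = _tlv(pkt, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, off = _tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    version = {0: "v1", 1: "v2c", 3: "v3"}.get(int.from_bytes(ver, "big"), "unknown")
    community = None
    if version in ("v1", "v2c"):            # only the community-based versions carry one
        tag, community, _ = _tlv(msg, off)
        if tag != 0x04:
            raise ValueError("community OCTET STRING missing")
    return {"version": version, "community": community}


def assess(pkt):
    """Map a parsed message to the finding a monitoring rule would emit."""
    info = parse_snmp(pkt)
    if info["version"] == "v3":
        return "ok: SNMPv3"
    if info["community"] in DEFAULT_COMMUNITIES:
        return f"critical: SNMP{info['version']} with default community {info['community'].decode()!r}"
    return f"warning: SNMP{info['version']} plaintext community {info['community'].decode()!r}"


# Constructed samples (not captured traffic): a v2c GetRequest for sysDescr.0 with community
# "public", and an SNMPv3 message header whose msgGlobalData is abbreviated.
V2C_GET = bytes.fromhex(
    "3029 020101 0406 7075626c6963"
    "a01c 0204 00000001 020100 020100"
    "300e 300c 0608 2b06010201010100 0500"
)
V3_HDR = bytes.fromhex("300b 020103 3006 020101 020100")
```

`assess(V2C_GET)` reports the default community while `assess(V3_HDR)` passes, which is the distinction an SNMPv3-only policy needs a sensor to make.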
