CND (312-38) Network Defense Simulation
Core Network Protocol Analysis
Learn to differentiate between Well-Known, Registered, and Dynamic port ranges to identify unauthorized service exposure and refine firewall filtering policies.
Network Scenario
As a Network Security Analyst, you are auditing the perimeter firewall of an enterprise DMZ. The DMZ hosts several critical services including a Web Server (HTTP/S), an Email Gateway (SMTP), and a Secure File Transfer (SFTP) server.
Policy: Strict Inbound Filtering
Traffic & Logs
Question
What is the range for well-known ports?
Expert Analysis
1. Network Activity Overview
The traffic logs show a mix of legitimate traffic hitting standard services (ports 80/443/25) and an external probe targeting non-standard and administrative ports (8080/3389). In a defense-in-depth strategy, understanding which port ranges represent specific types of traffic is vital for effective ACL (Access Control List) management.
2. Behavioral Identification
The firewall is correctly filtering inbound traffic. The "Well-Known" range is where most standardized services live. An attacker scanning these ranges is attempting to map the "low-hanging fruit" of common vulnerabilities (e.g., outdated web servers or open RDP ports).
3. Why the Correct Answer is Correct
D (0-1023) is the correct range for Well-Known Ports as defined by IANA. These ports are reserved for system processes or widely-used networking protocols. On Unix-like systems, a process requires superuser (root) privileges to bind to a port in this range, providing an inherent layer of security for foundational services.
4. Why the Others are Wrong
- A (49152-65535): These are Dynamic or Private Ports, often used for ephemeral source ports during a connection.
- B (1024-49151): These are Registered Ports, used for specific vendor applications (like 3306 for MySQL).
- C (Above 65535): TCP/UDP port numbers are 16-bit values; therefore, 65535 is the absolute maximum.
Defensive Action
Apply "Default Deny" on the firewall. Only explicitly permit required Well-Known ports. Use "Egress Filtering" to prevent internal hosts from initiating connections on Well-Known ports they shouldn't be using (e.g., a workstation sending traffic on Port 25).
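The three IANA ranges from the analysis above and the "default deny plus egress filtering" policy from the Defensive Action can be checked mechanically. The script below is an added example written for this page, not part of the CND material: it classifies a port into the Well-Known, Registered or Dynamic range, rejects anything outside 16 bits, applies an assumed DMZ allow list (80, 443, 25, 22), flags a workstation sending on port 25, and groups inbound denials by source so a probe across several ports stands out. The log format, the addresses, the workstation subnet 10.20.0.0/16 and the allow list are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# IANA port ranges (RFC 6335)
WELL_KNOWN = range(0, 1024)          # 0-1023
REGISTERED = range(1024, 49152)      # 1024-49151
DYNAMIC = range(49152, 65536)        # 49152-65535


def classify_port(port: int) -> str:
    """Name the IANA range a port falls in; reject anything outside 16 bits."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} is outside the 16-bit range 0-65535")
    if port in WELL_KNOWN:
        return "well-known"
    if port in REGISTERED:
        return "registered"
    return "dynamic"


# Assumed DMZ policy from the scenario: only these inbound services are permitted.
INBOUND_ALLOW = {80: "HTTP", 443: "HTTPS", 25: "SMTP", 22: "SFTP (SSH)"}
# Assumed internal workstation subnet used by the egress rule.
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")
# Well-known ports a workstation has no business originating traffic to.
EGRESS_DENY_FROM_WORKSTATIONS = {25: "SMTP"}


@dataclass
class Flow:
    direction: str   # "in" (Internet -> DMZ) or "out" (internal -> Internet)
    src: str
    dst: str
    dport: int


def parse_line(line: str) -> Flow:
    """Parse the constructed log format '<in|out> <src> -> <dst>:<dport>'."""
    direction, src, arrow, dst_port = line.split()
    if arrow != "->" or direction not in ("in", "out"):
        raise ValueError(f"malformed log line: {line!r}")
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(direction, src, dst, int(dport))


def evaluate(flow: Flow) -> tuple[str, str]:
    """Apply default-deny inbound filtering and the egress rule to one flow."""
    rng = classify_port(flow.dport)
    if flow.direction == "in":
        if flow.dport in INBOUND_ALLOW:
            return "ALLOW", f"{INBOUND_ALLOW[flow.dport]} on {rng} port {flow.dport}"
        return "DENY", f"default deny: {rng} port {flow.dport} not in inbound allow list"
    if (ipaddress.ip_address(flow.src) in WORKSTATION_NET
            and flow.dport in EGRESS_DENY_FROM_WORKSTATIONS):
        return "DENY", (f"egress filter: workstation {flow.src} originating "
                        f"{EGRESS_DENY_FROM_WORKSTATIONS[flow.dport]} on port {flow.dport}")
    return "ALLOW", f"outbound to {rng} port {flow.dport}"


def audit(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (log line, verdict, reason) for every line."""
    return [(line, *evaluate(parse_line(line))) for line in lines]


def denied_ports_by_source(results: list[tuple[str, str, str]]) -> dict[str, list[int]]:
    """Group inbound denials by source so a probe across several ports stands out."""
    hits: dict[str, list[int]] = {}
    for line, verdict, _reason in results:
        flow = parse_line(line)
        if flow.direction == "in" and verdict == "DENY":
            hits.setdefault(flow.src, []).append(flow.dport)
    return hits


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    "in 203.0.113.7 -> 192.0.2.10:443",
    "in 203.0.113.7 -> 192.0.2.20:25",
    "in 198.51.100.9 -> 192.0.2.10:8080",
    "in 198.51.100.9 -> 192.0.2.30:3389",
    "out 10.20.4.15 -> 203.0.113.50:25",
    "out 10.20.4.15 -> 203.0.113.50:443",
]

if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for line, verdict, reason in results:
        print(f"{verdict:5} {line:38} {reason}")
    for src, ports in denied_ports_by_source(results).items():
        print(f"probe candidate: {src} hit denied ports {sorted(ports)}")
```

Running it shows the two legitimate hits on 443 and 25 allowed, the 8080 and 3389 probes from 198.51.100.9 denied by default, and the workstation's outbound SMTP on port 25 stopped by the egress rule while its 443 traffic passes. The allow list is keyed on port number only, so in a real deployment the rule set would also pin each port to the specific DMZ host that is meant to serve it.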
Mini Lesson: Port Anatomy
Signatures: Attacks targeting ports < 1024 often signify service-specific exploitation attempts. In contrast, massive spikes in high-numbered ephemeral ports often indicate DoS attacks or active port scanning (enumeration).