TCP/IP Ports and Protocols

Programme:           NPfIT
Sub-Prog / Project:  Technology Office
Prog. Director:      Mark Ferrar
Owner:               Malcolm McKeating
Author:              Phil Benn
Version Date:        23/08/2007

DOCUMENT RECORD ID KEY:  NPFIT-FNT-TO-TAR-0050.01x
Version:                 1.0
Status:                  Approved

TCP/IP Ports and Protocols: Good Practice Guidelines

© Crown Copyright 2005
Page 1 of 22
TCP/IP Ports and Protocols
NPFIT-FNT-TO-TAR-0050.01 v1.0
23/08/2007 Approved
Amendment History:
Version  Date        Amendment History
0.1      23/08/2006  First draft for comment
1.0      23/08/2007  Approved for distribution to N3SP for Network Access Control
Forecast Changes:
Anticipated Change  When
Annual Review       April 2007
Reviewers:
This document must be reviewed by the following. Indicate any delegation for
sign off.
Name               Signature  Title / Responsibility          Date  Version
Malcolm McKeating             IG Security Team Manager              1.0
Tim Davis                     Head of Information Governance        1.0
Approvals:
This document requires the following approvals:
Name         Signature  Title / Responsibility          Date  Version
Mark Ferrar             Director Of Infrastructure            1.0
Tim Davis               Head of Information Governance        1.0
Distribution:
Information Governance website: http://nww.connectingforhealth.nhs.uk/
Document Status:
This is a controlled document.
This document version is only valid at the time it is retrieved from controlled
filestore, after which a new approved version will replace it.
On receipt of a new issue, please destroy all previous issues (unless a
specified earlier issue is baselined for use throughout the programme).
Related Documents:
Ref no  Doc Reference Number    Title                               Version
1       NPFIT-SHR-QMS-PRP-0015  Glossary of Terms Consolidated.doc  13
Contents
TCP/IP Ports and Protocols: ... 1
1 Introduction ... 5
  Abstract ... 5
  1.1 Aims and Objectives ... 5
  1.2 Assumed Reader Knowledge ... 6
  1.3 Background ... 6
  1.4 Disclaimer ... 6
2 The New NHS Network (N3) ... 7
3 Change Control and Security Assessment ... 7
  3.1 Protocol Classification Scheme ... 8
  3.2 Common Ports and Protocols ... 9
4 Glossary ... 19
1 Introduction
Abstract
This guide provides a general source of information for the use of common
application ports and protocols used with the TCP/IP or UDP/IP networking
protocols. It is provided mainly to assist NHS and Non-NHS organisations in
performing their own security assessments on the implementation and use of
certain networked applications.
It does not describe all information security considerations when utilising
certain protocols, and is not intended to be an exhaustive guide or a
networking standards document.
You will find guidance on the known information security issues with certain
network protocols, and the general level of confidentiality and integrity that
could be expected when they are in use.
This includes:
• The definition of the protocol’s primary purpose.
• The capabilities of the protocol, and the areas in which known
  weaknesses may be present.
1.1 Aims and Objectives
The following information provides a knowledge-based framework that will
help maintain best practice values in your own organisation. In using this
guide you will be conforming to best practice and therefore avoid some of the
consequences of non-compliance.
After completing this guide you should understand:
• The minimum standards applicable to the transmission of Patient
  Identifiable Data (PID) or other sensitive electronic information using
  certain network protocols.
• The procedures and mechanisms for the control of PID, or other
  sensitive electronic information (in a NHS or other healthcare
  environment), when using certain network protocols.
1.2 Assumed Reader Knowledge
• A general familiarity with the requirement to protect patient sensitive
  data at all times.
• A basic understanding of TCP/IP, port numbers, and application
  protocols.
Further information on network security and related matters is available from
the NHS Connecting for Health Information Security website.
1.3 Background
N3 is a private Wide Area Network (WAN). Connection is therefore strictly
limited to authorised endpoints. All organisations wishing to make a new
connection to N3 are responsible for ensuring that their connection to the
WAN does not compromise the security measures already in place.
N3 is a private network consisting of thousands of PCs, servers, printers and
other items of equipment all acting as the nodes or endpoints on the network.
Information is unencrypted when transmitted over the network; therefore
confidentiality of sensitive information within N3 is not assured.
N3 faces numerous threats to security as a result of incompletely protected
partner networks or connections to uncontrolled external networks such as the
internet. These threats are continually evolving in both strength and
frequency: ongoing vigilance against these threats and the maintenance of
strict security standards are essential to the continuing success of N3.
1.4 Disclaimer
Reference to any specific commercial product, process or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by NHS Connecting for Health.
The views and opinions of authors expressed within this document shall not
be used for advertising or product endorsement purposes.
Any party relying on or using, any information contained in this document,
and/or relying on or using any system implemented based upon information
contained in this document, should do so only after performing a risk
assessment. It is important to note that a risk assessment is a prerequisite for
the design of effective security countermeasures, and when completed
correctly enables an NHS organisation to demonstrate that a methodical
process has been undertaken which can adequately describe the rationale
behind any decisions made.
NHS Connecting for Health shall also accept no responsibility for any
disruption to services arising as a consequence of use of a solution based
upon information contained in this document.
2 The New NHS Network (N3)
The N3 infrastructure connects organisations, such as non-NHS healthcare
providers and approved third-party partners, to other organisations within the
NHS. Currently, this infrastructure is a managed service provided and
supported by a number of contractors with British Telecom (BT) acting as
service integrator.
BT Consultancy & Systems Integration (BT C&SI) is delivering the National
Application Service Provider (NASP) and London Local Service Provider
(LSP). BT Exact (BT’s IT and operations business) supplies the Data Centre
hosting while British Telecom N3 Service Provider (BT N3SP) manages the
N3 network.
BT provides certain guarantees regarding the protection of the network
infrastructure – this makes the network a private transport medium. The N3
infrastructure is therefore suitable for consideration as a WAN.
Although the N3 network is private, it is not ‘secure’. The network is a
transport mechanism for data and as such does not encrypt (or similarly
protect) the data transmitted. Users of the network are required to apply such
methods of information confidentiality and integrity as are appropriate to the
data transmitted and the applications used.
Further information on suitable levels of encryption and protection is available
in the Approved Cryptographic Algorithms: Good Practice Guidelines
document.
3 Change Control and Security Assessment
Each protocol is measured for use in both internal and external instances.
Internal means one or more local LAN segments present on a single site or
campus. This would often comprise one or more of the following:
• local Ethernet LAN segments
• local Wireless LAN segments
• local DMZ segments
• dedicated point to point copper links
• dedicated point to point fibre optic links
External means any network or communications medium which connects two
or more separate LAN segments together. This encompasses the following:
• Point to point leased fibre or copper links i.e. LES, Frame Relay, ATM
• N3 Network connections
• Internet connections
3.1 Protocol Classification Scheme
The following classification scheme is applied to each network protocol:
Green - The protocol is suitable for use in most instances with low
  information security risks
Yellow - The protocol is suitable for use only in certain instances, and
  may introduce moderate information security risks
Red - The protocol is not suitable for use, and may introduce significant
  information security risks
Each entry in section 3.2 gives the rating for internal use and for external
use separately.
The classifications are provided to guide a user in identifying possible
characteristics or issues with regard to each protocol, however the
classifications may not apply in all cases. Factors such as network
architecture, data security services and the type of information transported will
all affect the overall risk associated with the use of each protocol.
NHS Connecting for Health recommend that users and system providers
should utilise protocols that are classified as green where possible.
It is recommended that when using protocols classified as yellow, users and
system providers follow the recommendations or workarounds detailed with
each protocol description.
If protocols that are classified as red are currently in use, migration plans
should be developed to phase out the use of the protocol as soon as possible.
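The scheme above can be applied mechanically to connection records so that red-rated protocols crossing a site boundary are surfaced for migration planning. The following Python is an added example and not part of this guideline: its RATINGS table is transcribed from the entries in section 3.2 (green and yellow are recorded together as "green/yellow" because the entries do not separate them, so only a red rating produces a finding), the Flow class, site names and function names are the example's own, and the sample flows are constructed rather than observed N3 traffic.

```python
"""Apply the guide's internal/external protocol ratings to observed flows.

Added example, not part of the original guideline. RATINGS is transcribed
from section 3.2; green and yellow are collapsed into one value because the
entries do not distinguish them, so only "red" is reported as a finding.
"""
from dataclasses import dataclass

RED = "red"
OK = "green/yellow"

# (protocol, destination port) -> (rating for internal use, rating for external use)
RATINGS = {
    ("tcp", 7): (RED, RED), ("udp", 7): (RED, RED),        # echo (small services)
    ("tcp", 19): (RED, RED), ("udp", 19): (RED, RED),      # chargen (small services)
    ("tcp", 20): (OK, RED), ("tcp", 21): (OK, RED),        # ftp-data / ftp-control
    ("tcp", 22): (OK, OK),                                 # ssh
    ("tcp", 23): (OK, RED),                                # telnet
    ("tcp", 25): (OK, OK),                                 # smtp
    ("tcp", 49): (OK, RED), ("udp", 49): (OK, RED),        # tacacs
    ("tcp", 53): (OK, OK), ("udp", 53): (OK, OK),          # domain
    ("udp", 69): (OK, RED),                                # tftp
    ("tcp", 79): (RED, RED),                               # finger
    ("tcp", 80): (OK, OK),                                 # http
    ("tcp", 111): (OK, RED), ("udp", 111): (OK, RED),      # sunrpc
    ("tcp", 115): (OK, RED),                               # sftp (RFC 913)
    ("tcp", 135): (OK, RED), ("udp", 135): (OK, RED),      # epmap / MSRPC
    ("udp", 137): (OK, RED), ("udp", 138): (OK, RED), ("tcp", 139): (OK, RED),  # netbios
    ("udp", 161): (OK, RED), ("udp", 162): (OK, RED),      # snmp / snmp-trap
    ("udp", 177): (OK, RED),                               # xdmcp
    ("tcp", 389): (OK, OK),                                # ldap
    ("tcp", 443): (OK, OK),                                # https
    ("tcp", 3389): (OK, OK),                               # rdp
    ("tcp", 5900): (OK, OK),                               # vnc
}


@dataclass(frozen=True)
class Flow:
    """One observed connection (assumed record shape). 'site' names the LAN or
    campus of each endpoint; a flow whose endpoints share a site is 'internal'
    in the guide's sense, anything else crosses an external medium."""
    src_site: str
    dst_site: str
    proto: str
    dst_port: int


def scope(flow: Flow) -> str:
    return "internal" if flow.src_site == flow.dst_site else "external"


def rate(flow: Flow) -> str:
    """Rating the guide gives this flow in its scope, or 'unclassified'."""
    entry = RATINGS.get((flow.proto.lower(), flow.dst_port))
    if entry is None:
        return "unclassified"
    return entry[0] if scope(flow) == "internal" else entry[1]


def findings(flows):
    """Return (flow, scope) for every flow the guide rates red in its scope."""
    return [(f, scope(f)) for f in flows if rate(f) == RED]


# Constructed sample flows (not real traffic)
SAMPLE_FLOWS = [
    Flow("site-a", "site-a", "tcp", 21),     # FTP within one LAN: green/yellow
    Flow("site-a", "site-b", "tcp", 21),     # FTP across the WAN: red
    Flow("site-a", "internet", "tcp", 23),   # telnet to the Internet: red
    Flow("site-a", "site-b", "tcp", 22),     # SSH across the WAN: green/yellow
    Flow("site-b", "site-b", "tcp", 79),     # finger, even internally: red
    Flow("site-a", "site-b", "udp", 161),    # SNMP across the WAN: red
    Flow("site-a", "site-b", "tcp", 8443),   # not covered by the guide
]

if __name__ == "__main__":
    for flow, sc in findings(SAMPLE_FLOWS):
        print(f"RED: {flow.proto}/{flow.dst_port} "
              f"{flow.src_site}->{flow.dst_site} ({sc})")
```

Ports the guide does not list come back as "unclassified" rather than being treated as acceptable, so a reviewer sees them and can assess them separately.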
3.2 Common Ports and Protocols
echo      7/tcp   7/udp
discard   9/tcp   9/udp
systat    11/tcp  11/udp
daytime   13/tcp  13/udp
qotd      17/tcp  17/udp
chargen   19/tcp  19/udp
Internal: red   External: red
Access to the tcp/udp ‘simple services’ or ‘small services’ should be disabled
as part of good systems management practice. These services should only
be used for debugging purposes, and disabled in all other cases.
ftp-data     20/tcp  20/udp
ftp-control  21/tcp  21/udp
Internal: green/yellow   External: red
FTP is a clear-text communications protocol. Data is transmitted in the clear;
therefore the protocol is not suitable for transmission of Patient Identifiable
Data or other sensitive material. FTP also transmits usernames and
passwords in the clear, which could potentially compromise the security of a
system. Secure alternatives such as SCP or Secure FTP should be used as a
replacement for FTP.
ssh  22/tcp  22/udp
Internal: green/yellow   External: green/yellow
SSH or Secure Shell provides a method to log on to systems over a network,
move files, execute commands and so on. It utilises strong authentication and
encryption to provide security for its communications. SSH is a suitable
replacement for ‘legacy’ services such as telnet, ftp, and the ‘r’ services
(rsh/rdist/rlogin).
When correctly configured, SSH secures both the username/password
authentication, and any data in transit.
SFTP (SSH File Transfer Protocol) is mostly operated as a subsystem of SSH2.
SFTP is a newer and more modern protocol, designed to perform in a manner
similar to FTP. It is widely supported, even on non-Unix-like platforms, but
not nearly as universally as SCP. SFTP (based on SSH) should not be confused
with FTPS/Secure FTP (based on SSL); they are distinct protocols which do not
interoperate.
Unlike SCP, for connection with an SFTP server you do not need access to a
shell. Thus the SFTP protocol is more independent of the remote operating
system.
telnet  23/tcp  23/udp
Internal: green/yellow   External: red
Telnet is a clear-text communications protocol. Data is transmitted in the
clear; therefore the protocol is not suitable for transmission of Patient
Identifiable Data or other sensitive material. Telnet also transmits usernames
and passwords in the clear, which could potentially compromise the security
of a system. The SSH protocol should be used as a direct replacement for
the telnet protocol.
smtp  25/tcp  25/udp
Internal: green/yellow   External: green/yellow
SMTP is commonly used to send email messages between mail servers, and
in addition between clients and servers. SMTP does not provide any security
features by default, therefore it requires the system administrator to correctly
configure appropriate filters and controls within the mail server.
SMTP is a clear text protocol. Data is transmitted in the clear; therefore the
protocol is not suitable for transmission of Patient Identifiable Data or other
sensitive material. Users should look to other methods such as email/data
encryption services to provide adequate security for information being
transmitted. Software products such as Pretty Good Privacy (PGP) and Gnu
Privacy Guard (GPG) offer encryption and digital signing services at the client
system. The eSMTP protocol offers support for the use of Transport Layer
Security (TLS) to secure traffic between mail systems such as MUAs and
MTAs. Alternatively, the NHS Contact Service provides a secure method to
exchange data via email between Contact users.
tacacs  49/tcp  49/udp
Internal: green/yellow   External: red
TACACS (Terminal Access Controller Access Control System) is a protocol
used to transmit authentication information between a remote access server
and an authentication server. Use of TACACS has generally been superseded
by newer protocols such as TACACS+ and RADIUS.
TACACS transmits authentication information in the clear; therefore it is not
recommended for use. Systems administrators should investigate the use of
newer authentication protocols.
domain  53/tcp  53/udp
Internal: green/yellow   External: green/yellow
The Domain Name Server (or DNS) protocol is used to translate domain
names into IP addresses.
Note that port 53/tcp is used mainly for zone transfers, whereas port 53/udp is
commonly used for DNS requests. Most client systems should require only
port 53/udp for correct operation. It is good practice to block the 53/tcp zone
transfer port if it is not explicitly required.
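Where 53/tcp cannot be blocked outright, a monitoring point can at least tell ordinary lookups from zone-transfer requests. The following Python is an added example, not part of this guideline: it decodes the question section of a DNS message in RFC 1035 wire format (including the two-byte length prefix used over TCP) and reports requests whose QTYPE is AXFR or IXFR. The sample messages are constructed inside the block, and the helper names are the example's own.

```python
"""Flag DNS zone-transfer requests (AXFR/IXFR) carried over 53/tcp.

Added example, not from the guideline. Parses the DNS header and the first
question per RFC 1035; the sample messages are constructed below.
"""
import struct

QTYPE_NAMES = {1: "A", 2: "NS", 15: "MX", 28: "AAAA", 251: "IXFR", 252: "AXFR"}
ZONE_TRANSFER_TYPES = {251, 252}


def encode_name(name: str) -> bytes:
    """Encode 'www.example' as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a standard query (RD set) with one question; used for samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_question(msg: bytes):
    """Return (qname, qtype) from the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        if length == 0:               # root label terminates the name
            pos += 1
            break
        if length & 0xC0:             # compression pointer: not valid in a query name
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, = struct.unpack("!H", msg[pos:pos + 2])
    return ".".join(labels), qtype


def inspect_tcp_dns(payload: bytes):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2).
    Returns (qname, qtype_name, is_zone_transfer)."""
    length, = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) != length:
        raise ValueError("TCP DNS message shorter than its length prefix")
    qname, qtype = parse_question(msg)
    return qname, QTYPE_NAMES.get(qtype, str(qtype)), qtype in ZONE_TRANSFER_TYPES


def tcp_frame(msg: bytes) -> bytes:
    return struct.pack("!H", len(msg)) + msg


# Constructed samples: an ordinary lookup and a zone-transfer request
SAMPLE_LOOKUP = tcp_frame(build_query("www.example", 1))
SAMPLE_AXFR = tcp_frame(build_query("example", 252))

if __name__ == "__main__":
    for pkt in (SAMPLE_LOOKUP, SAMPLE_AXFR):
        qname, qtype, xfer = inspect_tcp_dns(pkt)
        print(f"{qname} {qtype} zone-transfer={xfer}")
```

A query that arrives over TCP with an ordinary QTYPE is legitimate (truncated answers are retried over TCP), so the check keys on the QTYPE rather than on the transport alone.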
bootps  67/tcp  67/udp
bootpc  68/tcp  68/udp
Internal: green/yellow   External: green/yellow
The BOOTP protocol is used to provide a system with an IP address. The
DHCP protocol performs a similar function and also operates using ports 67
and 68.
Whereas BOOTP/DHCP is common within local network segments, it is
generally not considered best practice to forward BOOTP/DHCP requests and
responses across Wide-Area Networks or the Internet.
tftp  69/tcp  69/udp
Internal: green/yellow   External: red
The Trivial File Transfer Protocol is a basic ‘legacy’ protocol used to transfer
files between a client and a server. Connections are not authenticated and all
communications are made in the clear, therefore the service is not secure. It
is not recommended for general use.
Some network infrastructure equipment relies on the use of TFTP to store or
retrieve configuration information. Network administrators should investigate
secure methods of configuration management which are now available to
replace the TFTP service.
finger  79/tcp  79/udp
Internal: red   External: red
Finger is a ‘legacy’ protocol which allows a user to query a system in order to
discover who is logged on. A number of security vulnerabilities are closely
linked with the finger service; therefore it is not recommended for use and
should be disabled.
http  80/tcp  80/udp
Internal: green/yellow   External: green/yellow
HTTP is commonly used to allow web browsers to retrieve information from
web servers. It can also be used to provide a universal front end for
web-based applications.
HTTP is a clear text protocol. Data is transmitted in the clear; therefore the
protocol is not suitable for transmission of Patient Identifiable Data or other
sensitive material. Users should investigate the use of protocols such as SSL
and TLS to provide secure communications using HTTP.
kerberos  88/tcp  88/udp
Internal: green/yellow   External: green/yellow
Kerberos is a network authentication protocol. It is designed to provide strong
authentication for client/server applications. The Kerberos protocol uses
strong cryptography so that a client can prove its identity to a server (and vice
versa) across an insecure network connection. After a client and server have
used Kerberos to prove their identity, they can also encrypt all of their
communications to assure privacy and data integrity as they go about their
business.
pop3  110/tcp  110/udp
Internal: green/yellow   External: green/yellow
Post Office Protocol version 3 (POP3) is an application layer Internet standard
protocol, to retrieve email from a remote server over a TCP/IP connection.
Most subscribers to individual Internet Service Provider e-mail accounts
access their e-mail with client software that uses POP3, although IMAP
support is now emerging as an alternative.
POP3 protocol transactions, including electronic mail data, are sent in the
clear over the network; therefore the protocol is not suitable for transmission
of Patient Identifiable Data or other sensitive material. Users should
investigate the use of protocols such as TLS to provide secure
communications using POP3. Support for this functionality is available within
the POP3 protocol.
sunrpc  111/tcp  111/udp
Internal: green/yellow   External: red
Sun's RPC (Remote Procedure Call) forms the basis of many UNIX services,
especially NFS (Network File System). However, RPC is vulnerable when left
exposed to external networks.
The NFS service relies upon the availability of sunrpc for correct operation. If
NFS is used, access to the sunrpc port will be required. The NFS service is
inherently insecure and therefore should only be utilised within internal
networks. The use of Secure NFS is recommended where possible.
sftp  115/tcp  115/udp
Internal: green/yellow   External: red
The Simple File Transfer Protocol as detailed in RFC 913 was proposed as an
unsecured file transfer protocol. It is now superseded by a number of other
file transfer methods offering better security and additional features.
Due to the lack of any security measures within the protocol it should not be
used and other alternatives should be investigated.
nntp  119/tcp  119/udp
Internal: green/yellow   External: green/yellow
The Network News Transfer Protocol or NNTP is an Internet application
protocol used primarily for reading and posting Usenet articles, as well as
transferring news among news servers.
NNTP protocol transactions are sent in the clear over the network; therefore
the protocol can expose information such as usernames, passwords and data
in transit.
NNTPS (Secure NNTP) uses SSL to secure information in transit. It uses
563/tcp instead of 119/tcp.
ntp  123/tcp  123/udp
Internal: green/yellow   External: green/yellow
The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of
computer systems over packet-switched, variable-latency data networks. NTP
uses UDP port 123 to transport information. It is designed particularly to resist
the effects of variable latency.
NTP can be further secured in later versions of the protocol by using
authentication methods such as preshared keys, digital certificates and
hashing functions.
epmap  135/tcp  135/udp
Internal: green/yellow   External: red
The endpoint mapper port (135/udp) is commonly used by the RPC protocol.
Remote procedure call (RPC) is a protocol that allows a computer program
running on one computer to cause a subroutine on another computer to be
executed without the programmer explicitly coding the details for this
interaction. When the software in question is written using object-oriented
principles, RPC may be referred to as remote invocation or remote method
invocation.
The RPC (Remote Procedure Call) was made famous in 2003 by the Blaster
Worm virus, which used the protocol to initiate a shutdown of the Windows
computer system, without the user's input. This worm caused widespread
chaos in the Windows XP community when it was released. Other worms and
viruses have since attempted to exploit vulnerabilities in unsecured RPC
services, often with some success.
Microsoft has adopted DCE/RPC as the basis of their Microsoft RPC
(MSRPC) mechanism, and implemented DCOM (and ActiveX) around it.
MSRPC is often required for applications such as Microsoft Exchange and
Microsoft Active Directory.
If RPC access is required it should be either restricted to local LAN segments,
or appropriately secured by tunnelling inside an encrypted IPSec or SSL VPN.
netbios-ns   137/tcp  137/udp
netbios-dgm  138/tcp  138/udp
netbios-ssn  139/tcp  139/udp
Internal: green/yellow   External: red
NetBIOS (Network Basic Input/Output System) is a layer of software
developed to link a network operating system with specific hardware or
software written using the NetBIOS interface. It is used extensively by the
Microsoft Operating systems family.
NetBIOS is often used as the transport and session services for common
tasks such as file and print sharing. Many well known security vulnerabilities
exist within both NetBIOS and associated applications, therefore it is not
recommended for use outside of private LAN segments. NetBIOS does not
natively offer data encryption services, therefore the transmission of sensitive
or Patient Identifiable Data should be treated with caution. If NetBIOS access
is required across a wide area network or the Internet it should be
appropriately secured, most often via the use of an IPSec or SSL VPN tunnel.
imap  143/tcp  143/udp
Internal: green/yellow   External: green/yellow
IMAP stands for Internet Message Access Protocol. It is a method of
accessing electronic mail or bulletin board messages that are kept on a
(possibly shared) mail server. In other words, it permits a "client" email
program to access remote message stores as if they were local.
IMAP protocol transactions, including electronic mail data, are sent in the
clear over the network; therefore the protocol is not suitable for transmission
of Patient Identifiable Data or other sensitive material. Users should
investigate the use of protocols such as TLS to provide secure
communications using IMAP. Support for this functionality is available within
the IMAP protocol.
snmp       161/tcp  161/udp
snmp-trap  162/tcp  162/udp
Internal: green/yellow   External: red
The Simple Network Management Protocol (SNMP) is an application layer
protocol that facilitates the exchange of management information between
network devices. SNMP enables network administrators to manage network
performance, find and solve network problems, and plan for network growth.
Three versions of SNMP exist: SNMPv1, SNMPv2 and SNMPv3. All versions
have a number of features in common, but SNMPv2 offers enhancements
such as additional protocol operations whilst the SNMPv3 standard goes
further to provide a number of security features. SNMPv3 includes three
important services; authentication, privacy, and access control.
SNMPv1 and SNMPv2 lack any authentication capabilities, which results in
vulnerability to a variety of security threats. These include masquerading
occurrences, modification of information, message sequence and timing
modifications, and disclosure.
SNMPv1 and SNMPv2 also transmit community strings (similar to passwords)
in the clear, which could potentially compromise the security of a system or
network infrastructure.
SNMPv3 provides a much more secure framework for the use of the protocol,
and should be utilised in replacement of SNMPv1 and SNMPv2 where
possible.
It is good practice to restrict the use of SNMP to local network infrastructures.
If SNMP access is required to remote devices or systems, the use of IPSec or
SSL VPN tunnels should be used.
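The clear-text community string is visible in the first few bytes of every SNMPv1 and SNMPv2c message, which makes the version in use easy to audit from a capture. The following Python is an added example and not part of this guideline: it decodes the outer BER structure of an SNMP message (SEQUENCE, INTEGER version, then either the OCTET STRING community for v1/v2c or the msgGlobalData SEQUENCE for v3) and reports the version, any community string and whether it matches a commonly shipped default. SNMPv2c is the community-based form of the SNMPv2 the guide refers to. The sample messages are constructed with the small encoder in the block, and all helper names are the example's own.

```python
"""Report SNMP version and clear-text community strings from raw messages.

Added example, not from the guideline. Reads only the outer BER layers of
an SNMP message: SEQUENCE { INTEGER version, OCTET STRING community, PDU }
for v1/v2c, or SEQUENCE { INTEGER version, SEQUENCE msgGlobalData, ... }
for v3. Samples are constructed below with the short-form encoder.
"""

VERSION_NAMES = {0: "SNMPv1", 1: "SNMPv2c", 3: "SNMPv3"}
WEAK_COMMUNITIES = {"public", "private"}   # commonly shipped vendor defaults


def ber(tag: int, payload: bytes) -> bytes:
    """Encode one TLV using the short length form (payload under 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form encoder only")
    return bytes([tag, len(payload)]) + payload


def ber_int(value: int) -> bytes:
    """INTEGER for small non-negative values (enough for version and request-id)."""
    return ber(0x02, value.to_bytes(1, "big"))


def read_tlv(data: bytes, pos: int):
    """Return (tag, payload, next_pos); accepts short and long length forms."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the length-of-length
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("truncated BER element")
    return tag, data[pos:pos + length], pos + length


def inspect_snmp(packet: bytes) -> dict:
    """Version name, community (None for v3) and whether a credential is exposed."""
    tag, body, _ = read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, raw_version, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = int.from_bytes(raw_version, "big")
    community = None
    if version in (0, 1):                   # v1 and v2c carry the community next
        tag, raw_community, _ = read_tlv(body, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING community")
        community = raw_community.decode("ascii", "replace")
    return {
        "version": VERSION_NAMES.get(version, f"unknown({version})"),
        "community": community,
        "cleartext_credential": community is not None,
        "default_community": community in WEAK_COMMUNITIES,
    }


# Constructed samples (not captured traffic)
def v1_get_request(community: str) -> bytes:
    # GetRequest-PDU (tag 0xA0): request-id 1, error-status 0, error-index 0, no varbinds
    pdu = ber(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + ber(0x30, b""))
    return ber(0x30, ber_int(0) + ber(0x04, community.encode("ascii")) + pdu)


def v3_message() -> bytes:
    # msgGlobalData: msgID 7, msgMaxSize 256, msgFlags 0x04 (reportable), securityModel 3 (USM)
    global_data = ber(0x30, ber_int(7) + ber(0x02, b"\x01\x00")
                      + ber(0x04, b"\x04") + ber_int(3))
    return ber(0x30, ber_int(3) + global_data + ber(0x04, b"") + ber(0x30, b""))


SAMPLE_V1 = v1_get_request("public")
SAMPLE_V3 = v3_message()

if __name__ == "__main__":
    for pkt in (SAMPLE_V1, SAMPLE_V3):
        print(inspect_snmp(pkt))
```

The decoder stops after the version and community on purpose: for an audit of which SNMP versions are in use on a segment, nothing deeper in the PDU is needed, and the remaining structure differs between versions.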
xdmcp  177/tcp  177/udp
Internal: green/yellow   External: red
The use of XDMCP is inherently insecure; therefore most software
distributions ship with XDMCP turned off by default. If the use of XDMCP is
required, it should be used only within a trusted local network, such as
corporate network within a firewall.
XDMCP protocol transactions including any session data are sent in the clear
over the network; therefore the protocol is not suitable for transmission of
Patient Identifiable Data or other sensitive material outside of a local LAN
segment. Users should investigate the use of protocols such as SSH to
provide secure communications using XDMCP.
XDMCP uses UDP port 177 and TCP port 6000; therefore, it is not natively
able to be used with SSH. Currently, SSH1 and SSH2 implementations are
not able to securely forward the UDP communication. To secure the
connection with SSH, use X11 TCP/IP Port Forwarding.
ldap  389/tcp  389/udp
Internal: green/yellow   External: green/yellow
The Lightweight Directory Access Protocol, or LDAP, is a networking protocol
for querying and modifying directory services running over TCP/IP.
LDAP protocol transactions, including authentication and data, are sent in the
clear over the network; therefore the protocol is not suitable for transmission
of Patient Identifiable Data or other sensitive material. Users should
investigate the use of protocols such as TLS to provide secure
communications using LDAP. Support for this functionality is available within
the LDAP protocol. See ‘LDAPS’ within this document for further details.
timbuktu  407/tcp  407/udp
Internal: green/yellow   External: green/yellow
Timbuktu is a remote control software product developed by a company called
Netopia. Remote control software allows a user to control another computer
across the local network or the Internet, viewing its screen and using its
keyboard and mouse as if he or she were sitting in front of it. Timbuktu is
compatible with computers running both Mac OS X and Windows.
Timbuktu was first developed in the late 1980s as a Macintosh product and
later was developed for Windows. Timbuktu communicates over TCP port
407, and has integrated support for SSH tunnelling to provide encryption and
authentication for control sessions. SSH tunnelling should be used when
transporting Patient Identifiable Data or other sensitive information via the
Timbuktu protocol.
https  443/tcp  443/udp
Internal: green/yellow   External: green/yellow
HTTP was originally used in the clear on the Internet. However, increased use
of HTTP for sensitive applications has created a requirement for additional
security measures. The Secure Sockets layer (SSL) protocol, and its
successor the Transport Layer Security (TLS) protocol were designed to
provide channel-oriented security.
HTTPS with SSL or TLS should be used when Patient Identifiable Data or
other sensitive information is to be transported using HTTP methods.
rdp  3389/tcp  3389/udp
Internal: green/yellow   External: green/yellow
Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user
to connect to a computer running Microsoft Terminal Services. Clients exist for
most versions of Windows, and other operating systems such as Linux,
FreeBSD, and Mac OS X. The server listens on TCP port 3389 by default.
RDP offers support for 128-bit encryption, using the RC4 encryption algorithm.
RC4 is the default security mechanism; older clients may use encryption of
lesser strength. Some variants of RDP are able to use Transport Layer
Security (TLS) to provide encryption and data authentication services.
Encryption should be enabled on all sessions that contain Patient Identifiable
Data or other sensitive information.
vnc  5900/tcp  5900/udp
Internal: green/yellow   External: green/yellow
Virtual Network Computing (VNC) is a desktop sharing system which uses the
RFB (Remote FrameBuffer) protocol to remotely control another computer. It
transmits the keyboard presses and mouse clicks from one computer to
another relaying the screen updates back in the other direction, over a
network.
VNC by default uses ports 5900 to 5906, each representing the corresponding
X screen (ports 5900 to 5906, for screens :0 to :6).
By default, VNC is not a secure protocol. While passwords are not sent in
plain-text (as in telnet), brute-force cracking could prove successful if both the
encryption key and encoded password are sniffed from a network. For this
reason it is recommended that a password of at least 8 characters is used.
However, VNC may be tunnelled over an SSH or VPN connection which
would add an extra security layer with stronger encryption. SSH clients are
available for all major platforms (and many smaller platforms as well); SSH
tunnels can be created from UNIX clients, Windows clients, Macintosh clients
(including OS X and System 7 and up) - and many others.
Products such as UltraVNC, RealVNC and Workspot offer additional
encryption and authentication services, which help to provide a sufficient level
of security for the use of VNC.
4 Glossary
ARCFOUR: Also called RC4. A stream cipher, widely used in protocols such as
  Wired Equivalent Privacy (WEP) and Secure Sockets Layer (SSL). It falls
  short of modern cryptographic standards but is suitable for practical use
  in legacy or existing systems.
BT: British Telecommunications Plc. The current service provider for the N3
  network.
BT N3SP: British Telecom N3 Service Provider. N3 is the name for the New NHS
  Network that will provide wide area networking services to the NHS in
  England. The NHS has chosen BT as the Service Provider for the N3 network.
  In this role BT is referred to as the N3SP. BT N3SP has formulated the
  Internet Protocol (IP) addressing policy for N3.
HTTPS: Hypertext Transfer Protocol over Secure Socket Layer. A method of
  using HTTP which moves information using SSL or TLS. It is not a separate
  protocol but a URI scheme that allows a system to know that HTTP is to be
  used but with additional security measures applied to the transactions.
IETF: The Internet Engineering Task Force. A large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.

IP: Internet Protocol. A data-oriented communications protocol. IP version 4 is the common element found in today’s internet.

IPSec: Internet Protocol Security. A method of securing IP communications in which the security takes place at the network or packet processing layer of network communication.

LAN: Local Area Network. A local computer network for communication between computers; especially a network connecting computers, word processors and other electronic office equipment to create a communication system between offices.

LSP: Local Service Provider. A provider of LSP Services which has been appointed by the Authority for a Cluster. Responsible for making sure the new systems and services delivered through the NPfIT meet local requirements and are implemented efficiently.

N3: The New NHS Network. A private Wide Area Network consisting of thousands of PCs, servers, printers and other items of equipment. Information is unencrypted when transmitted over the network; therefore the confidentiality of sensitive information within N3 is not assured.

NASP: National Application Service Provider. A supplier selected to provide one of the NPfIT national solution services.

PID: Patient Identifiable Data. Key identifiable information includes: patient’s name, address, full post code, date of birth, pictures, photographs, videos, audio-tapes or other images of patients. PID also encompasses NHS local patient identifiable codes or anything else that could identify a patient directly or indirectly. For example, rare diseases, drug treatments or statistical analyses which have very small numbers within a small population may allow the identification of individuals.
PKCS#1: Public Key Cryptography Standards. PKCS#1 defines the format of RSA encryption.
PKI: Public Key Infrastructure. Enables users of a basically unsecured public network (such as the internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair, obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization, and directory services that can store and, when necessary, revoke the certificates.

PPP: Point-to-Point Protocol. A data transfer protocol which operates at the Data Link Layer.

RC4: See ARCFOUR (above).

SSH: Secure Shell protocol. Using SSH, a user can log into a server and all of their interactions are tunnelled through an encrypted session, so that even if someone intercepts the data, all they will encounter is gibberish.

SSL: Secure Sockets Layer. A protocol designed to provide secure communications across the Internet.

TCP: Transmission Control Protocol. A protocol that works with IP to ensure that packets travel safely on the Internet. This is the method by which most Internet activity takes place.

TLS: Transport Layer Security. A protocol designed to provide secure communications across the Internet, designed as the successor to SSL. It uses the same cryptographic methods but supports more cryptographic algorithms.

UDP: User Datagram Protocol. A protocol that allows information to be transferred across IP networks. It is similar in operation to TCP; however, it lacks the reliability and ordering guarantees, and is stateless. It offers higher performance due to lower overheads in processing and delivery.

VPN: Virtual Private Network. A private data network that makes use of the public telecommunication infrastructure; privacy is maintained through the use of a tunnelling protocol and security procedures.
WAN: Wide Area Network. A computer network that spans a relatively large geographical area; typically a WAN consists of two or more local-area networks (LANs). The largest WAN in existence is the internet.

WEP: Wired Equivalent Privacy. A security system that uses a series of keys on both sides of a wireless transmission to encrypt data for secure transmission. WEP is not considered secure, and there is a range of freely available, pre-existing software programs designed to break its encryption.

X.509: The ITU-T standard for Public Key Infrastructure (PKI). It specifies the information and attributes required for the identification of a person or a computer system.