TCP/IP Ports and Protocols

Programme: NPfIT
Sub-Prog / Project: Technology Office
Prog. Director: Mark Ferrar
Owner: Malcolm McKeating
Author: Phil Benn
Version: 1.0
Date: 23/08/2007

DOCUMENT RECORD ID KEY: NPFIT-FNT-TO-TAR-0050.01x
Version 1.0
Status: Approved

TCP/IP Ports and Protocols: Good Practice Guidelines

© Crown Copyright 2005 Page 1 of 22

TCP/IP Ports and Protocols NPFIT-FNT-TO-TAR-0050.01 v1.0 23/08/2007 Approved

Amendment History:

Version   Date         Amendment History
0.1       23/08/2006   First draft for comment
1.0       23/08/2007   Approved for distribution to N3SP for Network Access Control

Forecast Changes:

Anticipated Change   When
Annual Review        April 2007

Reviewers:
This document must be reviewed by the following. Indicate any delegation for sign off.

Name                Title / Responsibility           Version
Malcolm McKeating   IG Security Team Manager         1.0
Tim Davis           Head of Information Governance   1.0

Approvals:
This document requires the following approvals:

Name          Title / Responsibility           Version
Mark Ferrar   Director of Infrastructure       1.0
Tim Davis     Head of Information Governance   1.0

Distribution:
Information Governance website: http://nww.connectingforhealth.nhs.uk/

Document Status:
This is a controlled document. This document version is only valid at the time it is retrieved from controlled filestore, after which a new approved version will replace it. On receipt of a new issue, please destroy all previous issues (unless a specified earlier issue is baselined for use throughout the programme).

Related Documents:

Ref no   Doc Reference Number     Title                                Version
1        NPFIT-SHR-QMS-PRP-0015   Glossary of Terms Consolidated.doc   13

Contents

TCP/IP Ports and Protocols: ........ 1
1 Introduction ........ 5
Abstract ........ 5
1.1 Aims and Objectives ........ 5
1.2 Assumed Reader Knowledge ........ 6
1.3 Background ........ 6
1.4 Disclaimer ........ 6
2 The New NHS Network (N3) ........ 7
3 Change Control and Security Assessment ........ 7
3.1 Protocol Classification Scheme ........ 8
3.2 Common Ports and Protocols ........ 9
4 Glossary ........ 19

1 Introduction

Abstract

This guide provides a general source of information on the use of common application ports and protocols used with the TCP/IP or UDP/IP networking protocols. It is provided mainly to assist NHS and non-NHS organisations in performing their own security assessments of the implementation and use of certain networked applications.
It does not describe all information security considerations that apply when using certain protocols, and is not intended to be an exhaustive guide or a networking standards document. You will find guidance on the known information security issues with certain network protocols, and the general level of confidentiality and integrity that can be expected when they are in use. This includes:

• The definition of the protocol’s primary purpose.
• The capabilities of the protocol, and the areas in which known weaknesses may be present.

1.1 Aims and Objectives

The following information provides a knowledge-based framework that will help maintain best practice values in your own organisation. In using this guide you will be conforming to best practice and therefore avoiding some of the consequences of non-compliance.

After completing this guide you should understand:

• The minimum standards applicable to the transmission of Patient Identifiable Data (PID) or other sensitive electronic information using certain network protocols.
• The procedures and mechanisms for the control of PID, or other sensitive electronic information (in an NHS or other healthcare environment), when using certain network protocols.

1.2 Assumed Reader Knowledge

• A general familiarity with the requirement to protect patient-sensitive data at all times.
• A basic understanding of TCP/IP, port numbers, and application protocols.

Further information on network security and related matters is available from the NHS Connecting for Health Information Security website.

1.3 Background

N3 is a private Wide Area Network (WAN). Connection is therefore strictly limited to authorised endpoints. All organisations wishing to make a new connection to N3 are responsible for ensuring that their connection to the WAN does not compromise the security measures already in place.
N3 is a private network consisting of thousands of PCs, servers, printers and other items of equipment, all acting as nodes or endpoints on the network. Information is unencrypted when transmitted over the network; therefore the confidentiality of sensitive information within N3 is not assured.

N3 faces numerous threats to security as a result of incompletely protected partner networks or connections to uncontrolled external networks such as the Internet. These threats are continually evolving in both strength and frequency: ongoing vigilance against these threats and the maintenance of strict security standards are essential to the continuing success of N3.

1.4 Disclaimer

Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise does not constitute or imply its endorsement, recommendation, or favouring by NHS Connecting for Health. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes.

Any party relying on or using any information contained in this document, and/or relying on or using any system implemented based upon information contained in this document, should do so only after performing a risk assessment. It is important to note that a risk assessment is a prerequisite for the design of effective security countermeasures, and when completed correctly enables an NHS organisation to demonstrate that a methodical process has been undertaken which can adequately describe the rationale behind any decisions made.

NHS Connecting for Health shall also accept no responsibility for any disruption to services arising as a consequence of use of a solution based upon information contained in this document.
2 The New NHS Network (N3)

The N3 infrastructure connects organisations, such as non-NHS healthcare providers and approved third-party partners, to other organisations within the NHS. Currently, this infrastructure is a managed service provided and supported by a number of contractors, with British Telecom (BT) acting as service integrator. BT Consultancy & Systems Integration (BT C&SI) is delivering the National Application Service Provider (NASP) and London Local Service Provider (LSP). BT Exact (BT’s IT and operations business) supplies the Data Centre hosting, while British Telecom N3 Service Provider (BT N3SP) manages the N3 network.

BT provides certain guarantees regarding the protection of the network infrastructure; this makes the network a private transport medium. The N3 infrastructure is therefore suitable for consideration as a WAN.

Although the N3 network is private, it is not ‘secure’. The network is a transport mechanism for data and as such does not encrypt (or similarly protect) the data transmitted. Users of the network are required to apply such methods of information confidentiality and integrity as are appropriate to the data transmitted and the applications used. Further information on suitable levels of encryption and protection is available in the Approved Cryptographic Algorithms: Good Practice Guidelines document.

3 Change Control and Security Assessment

Each protocol is assessed for use in both internal and external instances. Internal means one or more local LAN segments present on a single site or campus.
This would often comprise one or more of the following:

• local Ethernet LAN segments
• local wireless LAN segments
• local DMZ segments
• dedicated point-to-point copper links
• dedicated point-to-point fibre optic links

External means any network or communications medium which connects two or more separate LAN segments together. This encompasses the following:

• point-to-point leased fibre or copper links, i.e. LES, Frame Relay, ATM
• N3 network connections
• Internet connections

3.1 Protocol Classification Scheme

The following classification scheme is applied to each network protocol. Each entry in section 3.2 carries one mark for internal use and one for external use:

Green (shown as ;): The protocol is suitable for use in most instances with low information security risks.
Yellow (shown as ;): The protocol is suitable for use only in certain instances, and may introduce moderate information security risks.
Red (shown as :): The protocol is not suitable for use, and may introduce significant information security risks.

The classifications are provided to guide a user in identifying possible characteristics or issues with regard to each protocol; however, the classifications may not apply in all cases. Factors such as network architecture, data security services and the type of information transported will all affect the overall risk associated with the use of each protocol.

NHS Connecting for Health recommends that users and system providers use protocols that are classified as green where possible. When using protocols classified as yellow, users and system providers should follow the recommendations or workarounds detailed with each protocol description. If protocols classified as red are currently in use, migration plans should be developed to phase out the use of the protocol as soon as possible.
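As an added example that is not part of this guideline, the following Python script applies the internal/external distinction of section 3 and the red and clear-text classifications from the table in section 3.2 to constructed firewall log lines, reporting the flows that need a migration plan or additional protection. The site address plan, the log line format and the subset of the table it encodes are assumptions made for the example.

```python
"""Flow checker built on the section 3 internal/external distinction and the
section 3.2 classifications. Added example: the site address plan, the log
format and the table subset below are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed site address plan. Endpoints on the same site form an "internal"
# instance (local LAN segments); anything else crosses N3, a leased line or
# the Internet and is "external".
SITES = {
    "site-a": [ipaddress.ip_network("10.10.0.0/16")],
    "site-b": [ipaddress.ip_network("10.20.0.0/16"),
               ipaddress.ip_network("192.168.5.0/24")],
}

@dataclass(frozen=True)
class ProtocolClass:
    name: str
    red_internal: bool  # classified red (not suitable) on a local segment
    red_external: bool  # classified red (not suitable) across N3 / Internet
    cleartext: bool     # data sent in the clear: not suitable for PID as-is
    advice: str         # remediation summarised from the protocol's entry

# Subset of the section 3.2 table, keyed by (transport, destination port).
TABLE = {
    ("tcp", 7):    ProtocolClass("echo", True, True, False, "disable the small services"),
    ("tcp", 21):   ProtocolClass("ftp", False, True, True, "replace with SCP or SFTP"),
    ("tcp", 22):   ProtocolClass("ssh", False, False, False, ""),
    ("tcp", 23):   ProtocolClass("telnet", False, True, True, "replace with SSH"),
    ("tcp", 25):   ProtocolClass("smtp", False, False, True, "use TLS, or PGP/GPG at the client"),
    ("udp", 69):   ProtocolClass("tftp", False, True, True, "use secure configuration management"),
    ("tcp", 79):   ProtocolClass("finger", True, True, False, "disable the service"),
    ("tcp", 80):   ProtocolClass("http", False, False, True, "use HTTPS for sensitive data"),
    ("tcp", 111):  ProtocolClass("sunrpc", False, True, False, "internal only; prefer Secure NFS"),
    ("udp", 161):  ProtocolClass("snmp", False, True, True, "use SNMPv3; tunnel remote management"),
    ("udp", 177):  ProtocolClass("xdmcp", False, True, True, "use SSH X11 port forwarding"),
    ("tcp", 443):  ProtocolClass("https", False, False, False, ""),
    ("tcp", 5900): ProtocolClass("vnc", False, False, False, "tunnel over SSH or VPN"),
}

# Constructed log format: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def site_of(addr: str) -> Optional[str]:
    ip = ipaddress.ip_address(addr)
    for site, nets in SITES.items():
        if any(ip in net for net in nets):
            return site
    return None

def instance(src: str, dst: str) -> str:
    """'internal' when both endpoints are on the same site, otherwise 'external'."""
    a, b = site_of(src), site_of(dst)
    return "internal" if a is not None and a == b else "external"

def check_line(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None when nothing needs attention."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    proto = TABLE.get((m["proto"], int(m["dport"])))
    if proto is None:
        return None
    ctx = instance(m["src"], m["dst"])
    red = proto.red_internal if ctx == "internal" else proto.red_external
    if red:
        level = "RED"         # section 3.1: plan migration away from the protocol
    elif proto.cleartext:
        level = "CLEAR-TEXT"  # PID needs added protection such as TLS, SSH or a VPN
    else:
        return None
    return {"ts": m["ts"], "protocol": proto.name, "instance": ctx,
            "level": level, "advice": proto.advice}

def audit(lines) -> list:
    return [f for f in (check_line(ln) for ln in lines) if f]

# Constructed sample log: two telnet flows, ssh, snmp, finger and https.
SAMPLE_LOG = """\
2007-08-23T10:15:02 ACCEPT tcp 10.10.4.21:51522 -> 10.20.1.5:23
2007-08-23T10:15:09 ACCEPT tcp 10.10.4.21:51530 -> 10.10.7.8:23
2007-08-23T10:16:40 ACCEPT tcp 10.10.4.22:40001 -> 10.20.1.9:22
2007-08-23T10:17:03 ACCEPT udp 10.20.3.4:45000 -> 10.10.1.1:161
2007-08-23T10:18:11 ACCEPT tcp 10.10.4.23:40210 -> 10.10.9.9:79
2007-08-23T10:19:55 ACCEPT tcp 10.10.4.23:40300 -> 10.10.2.2:443
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['level']:<10} {f['protocol']:<8} {f['instance']:<8} {f['advice']}")
```

The sample yields four findings: telnet across sites (red), telnet within a site (clear-text), SNMP across sites (red) and finger even within a site (red); the SSH and HTTPS flows produce none.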
3.2 Common Ports and Protocols

echo      7/tcp    7/udp
discard   9/tcp    9/udp
systat    11/tcp   11/udp
daytime   13/tcp   13/udp
qotd      17/tcp   17/udp
chargen   19/tcp   19/udp
Internal: :   External: :

Access to the tcp/udp ‘simple services’ or ‘small services’ should be disabled as part of good systems management practice. These services should only be used for debugging purposes, and disabled in all other cases.

ftp-data      20/tcp   20/udp
ftp-control   21/tcp   21/udp
Internal: ;   External: :

FTP is a clear-text communications protocol. Data is transmitted in the clear; therefore the protocol is not suitable for transmission of Patient Identifiable Data or other sensitive material. FTP also transmits usernames and passwords in the clear, which could potentially compromise the security of a system. Secure alternatives such as SCP or Secure FTP should be used as a replacement for FTP.

ssh   22/tcp   22/udp
Internal: ;   External: ;

SSH (Secure Shell) provides a method to log on to systems over a network, move files, execute commands and so on. It uses strong authentication and encryption to provide security for its communications. SSH is a suitable replacement for ‘legacy’ services such as telnet, ftp, and the ‘r’ services (rsh/rdist/rlogin). When correctly configured, SSH secures both the username/password authentication and any data in transit.

SFTP (SSH File Transfer Protocol) is mostly operated as a subsystem of SSH2. SFTP is a newer and more modern protocol, designed to perform in a manner similar to FTP. It is widely supported, even on non-Unix-like platforms, but not nearly as universally as SCP. SFTP (based on SSH) should not be confused with FTPS/Secure FTP (based on SSL); they are distinct protocols which do not interoperate.
Unlike SCP, connecting to an SFTP server does not require shell access. The SFTP protocol is therefore more independent of the remote operating system.

telnet   23/tcp   23/udp
Internal: ;   External: :

Telnet is a clear-text communications protocol. Data is transmitted in the clear; therefore the protocol is not suitable for transmission of Patient Identifiable Data or other sensitive material. Telnet also transmits usernames and passwords in the clear, which could potentially compromise the security of a system. The SSH protocol should be used as a direct replacement for the telnet protocol.

smtp   25/tcp   25/udp
Internal: ;   External: ;

SMTP is commonly used to send email messages between mail servers, and in addition between clients and servers. SMTP does not provide any security features by default; therefore it requires the system administrator to correctly configure appropriate filters and controls within the mail server.

SMTP is a clear-text protocol. Data is transmitted in the clear; therefore the protocol is not suitable for transmission of Patient Identifiable Data or other sensitive material. Users should look to other methods such as email/data encryption services to provide adequate security for information being transmitted. Software products such as Pretty Good Privacy (PGP) and Gnu Privacy Guard (GPG) offer encryption and digital signing services at the client system. The ESMTP protocol offers support for Transport Layer Security (TLS) to secure traffic between mail systems such as MUAs and MTAs. Alternatively, the NHS Contact Service provides a secure method to exchange data via email between Contact users.

tacacs   49/tcp   49/udp
Internal: ;   External: :

TACACS (Terminal Access Controller Access Control System) is a protocol used to transmit authentication information between a remote access server and an authentication server.
Use of TACACS has generally been superseded by newer protocols such as TACACS+ and RADIUS. TACACS transmits authentication information in the clear; therefore it is not recommended for use. Systems administrators should investigate the use of newer authentication protocols.

domain   53/tcp   53/udp
Internal: ;   External: ;

The Domain Name System (DNS) protocol is used to translate domain names into IP addresses. Note that port 53/tcp is used mainly for zone transfers, whereas port 53/udp is commonly used for DNS requests. Most client systems should require only port 53/udp for correct operation. It is good practice to block the 53/tcp zone transfer port if it is not explicitly required.

bootps   67/tcp   67/udp
bootpc   68/tcp   68/udp
Internal: ;   External: ;

The BOOTP protocol is used to provide a system with an IP address. The DHCP protocol performs a similar function and also operates using ports 67 and 68.

Whereas BOOTP/DHCP is common within local network segments, it is generally not considered best practice to forward BOOTP/DHCP requests and responses across Wide Area Networks or the Internet.

tftp   69/tcp   69/udp
Internal: ;   External: :

The Trivial File Transfer Protocol is a basic ‘legacy’ protocol used to transfer files between a client and a server. Connections are not authenticated and all communications are made in the clear; therefore the service is not secure. It is not recommended for general use. Some network infrastructure equipment relies on the use of TFTP to store or retrieve configuration information. Network administrators should investigate the secure methods of configuration management which are now available to replace the TFTP service.

finger   79/tcp   79/udp
Internal: :   External: :

Finger is a ‘legacy’ protocol which allows a user to query a system in order to discover who is logged on.
A number of security vulnerabilities are closely linked with the finger service; therefore it is not recommended for use and should be disabled.

http   80/tcp   80/udp
Internal: ;   External: ;

HTTP is commonly used to allow web browsers to retrieve information from web servers. It can also be used to provide a universal front end for web-based applications. HTTP is a clear-text protocol. Data is transmitted in the clear; therefore the protocol is not suitable for transmission of Patient Identifiable Data or other sensitive material. Users should investigate the use of protocols such as SSL and TLS to provide secure communications using HTTP.

kerberos   88/tcp   88/udp
Internal: ;   External: ;

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

pop3   110/tcp   110/udp
Internal: ;   External: ;

Post Office Protocol version 3 (POP3) is an application-layer Internet standard protocol used to retrieve email from a remote server over a TCP/IP connection. Most subscribers to individual Internet Service Provider e-mail accounts access their e-mail with client software that uses POP3, although IMAP support is now emerging as an alternative. POP3 protocol transactions, including electronic mail data, are sent in the clear over the network; therefore the protocol is not suitable for transmission of Patient Identifiable Data or other sensitive material. Users should investigate the use of protocols such as TLS to provide secure communications using POP3.
Support for this functionality is available within the POP3 protocol.

sunrpc   111/tcp   111/udp
Internal: ;   External: :

Sun's RPC (Remote Procedure Call) forms the basis of many UNIX services, especially NFS (Network File System). However, RPC is vulnerable when left exposed to external networks. The NFS service relies upon the availability of sunrpc for correct operation. If NFS is used, access to the sunrpc port will be required. The NFS service is inherently insecure and therefore should only be utilised within internal networks. The use of Secure NFS is recommended where possible.

sftp   115/tcp   115/udp
Internal: ;   External: :

The Simple File Transfer Protocol, as detailed in RFC 913, was proposed as an unsecured file transfer protocol. It has now been superseded by a number of other file transfer methods offering better security and additional features. Due to the lack of any security measures within the protocol it should not be used, and other alternatives should be investigated.

nntp   119/tcp   119/udp
Internal: ;   External: ;

The Network News Transfer Protocol (NNTP) is an Internet application protocol used primarily for reading and posting Usenet articles, as well as transferring news among news servers. NNTP protocol transactions are sent in the clear over the network; therefore the protocol can expose information such as usernames, passwords and data in transit. NNTPS (Secure NNTP) uses SSL to secure information in transit. It uses 563/tcp instead of 119/tcp.

ntp   123/tcp   123/udp
Internal: ;   External: ;

The Network Time Protocol (NTP) is a protocol for synchronising the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses UDP port 123 to transport information. It is designed particularly to resist the effects of variable latency.
NTP can be further secured in later versions of the protocol by using authentication methods such as pre-shared keys, digital certificates and hashing functions.

epmap   135/tcp   135/udp
Internal: ;   External: :

The endpoint mapper port (135/udp) is commonly used by the RPC protocol. Remote procedure call (RPC) is a protocol that allows a computer program running on one computer to cause a subroutine on another computer to be executed without the programmer explicitly coding the details of this interaction. When the software in question is written using object-oriented principles, RPC may be referred to as remote invocation or remote method invocation.

RPC (Remote Procedure Call) was made famous in 2003 by the Blaster worm, which used the protocol to initiate a shutdown of the Windows computer system without the user's input. This worm caused widespread chaos in the Windows XP community when it was released. Other worms and viruses have since attempted to exploit vulnerabilities in unsecured RPC services, often with some success.

Microsoft has adopted DCE/RPC as the basis of its Microsoft RPC (MSRPC) mechanism, and implemented DCOM (and ActiveX) around it. MSRPC is often required for applications such as Microsoft Exchange and Microsoft Active Directory. If RPC access is required it should be either restricted to local LAN segments, or appropriately secured by tunnelling inside an encrypted IPSec or SSL VPN.

netbios-ns    137/tcp   137/udp
netbios-dgm   138/tcp   138/udp
netbios-ssn   139/tcp   139/udp
Internal: ;   External: :

NetBIOS (Network Basic Input/Output System) is a layer of software developed to link a network operating system with specific hardware or software written using the NetBIOS interface. It is used extensively by the Microsoft operating systems family.
NetBIOS is often used as the transport and session service for common tasks such as file and print sharing. Many well-known security vulnerabilities exist within both NetBIOS and associated applications; therefore it is not recommended for use outside of private LAN segments. NetBIOS does not natively offer data encryption services; therefore the transmission of sensitive or Patient Identifiable Data should be treated with caution. If NetBIOS access is required across a wide area network or the Internet it should be appropriately secured, most often via the use of an IPSec or SSL VPN tunnel.

imap   143/tcp   143/udp
Internal: ;   External: ;

IMAP stands for Internet Message Access Protocol. It is a method of accessing electronic mail or bulletin board messages that are kept on a (possibly shared) mail server. In other words, it permits a "client" email program to access remote message stores as if they were local. IMAP protocol transactions, including electronic mail data, are sent in the clear over the network; therefore the protocol is not suitable for transmission of Patient Identifiable Data or other sensitive material. Users should investigate the use of protocols such as TLS to provide secure communications using IMAP. Support for this functionality is available within the IMAP protocol.

snmp        161/tcp   161/udp
snmp-trap   162/tcp   162/udp
Internal: ;   External: :

The Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between network devices. SNMP enables network administrators to manage network performance, find and solve network problems, and plan for network growth. Three versions of SNMP exist: SNMPv1, SNMPv2 and SNMPv3.
All versions have a number of features in common, but SNMPv2 offers enhancements such as additional protocol operations, whilst the SNMPv3 standard goes further to provide a number of security features. SNMPv3 includes three important services: authentication, privacy, and access control.

SNMPv1 and SNMPv2 lack any authentication capabilities, which results in vulnerability to a variety of security threats. These include masquerading, modification of information, message sequence and timing modifications, and disclosure. SNMPv1 and SNMPv2 also transmit community strings (similar to passwords) in the clear, which could potentially compromise the security of a system or network infrastructure. SNMPv3 provides a much more secure framework for the use of the protocol, and should be used in place of SNMPv1 and SNMPv2 where possible.

It is good practice to restrict the use of SNMP to local network infrastructures. If SNMP access is required to remote devices or systems, IPSec or SSL VPN tunnels should be used.

xdmcp   177/tcp   177/udp
Internal: ;   External: :

The use of XDMCP is inherently insecure; therefore most software distributions ship with XDMCP turned off by default. If the use of XDMCP is required, it should be used only within a trusted local network, such as a corporate network behind a firewall. XDMCP protocol transactions, including any session data, are sent in the clear over the network; therefore the protocol is not suitable for transmission of Patient Identifiable Data or other sensitive material outside of a local LAN segment. Users should investigate the use of protocols such as SSH to provide secure communications using XDMCP. XDMCP uses UDP port 177 and TCP port 6000; therefore, it cannot natively be used with SSH.
Currently, SSH1 and SSH2 implementations are not able to securely forward the UDP communication. To secure the connection with SSH, use X11 TCP/IP port forwarding.

ldap   389/tcp   389/udp
Internal: ;   External: ;

The Lightweight Directory Access Protocol (LDAP) is a networking protocol for querying and modifying directory services running over TCP/IP. LDAP protocol transactions, including authentication and data, are sent in the clear over the network; therefore the protocol is not suitable for transmission of Patient Identifiable Data or other sensitive material. Users should investigate the use of protocols such as TLS to provide secure communications using LDAP. Support for this functionality is available within the LDAP protocol. See ‘LDAPS’ within this document for further details.

timbuktu   407/tcp   407/udp
Internal: ;   External: ;

Timbuktu is a remote control software product developed by a company called Netopia. Remote control software allows a user to control another computer across the local network or the Internet, viewing its screen and using its keyboard and mouse as if he or she were sitting in front of it. Timbuktu is compatible with computers running both Mac OS X and Windows.

Timbuktu was first developed in the late 1980s as a Macintosh product and was later developed for Windows. Timbuktu communicates over TCP port 407, and has integrated support for SSH tunnelling to provide encryption and authentication for control sessions. SSH tunnelling should be used when transporting Patient Identifiable Data or other sensitive information via the Timbuktu protocol.

https   443/tcp   443/udp
Internal: ;   External: ;

HTTP was originally used in the clear on the Internet. However, increased use of HTTP for sensitive applications has created a requirement for additional security measures.
The Secure Sockets Layer (SSL) protocol, and its successor the Transport Layer Security (TLS) protocol, were designed to provide channel-oriented security. HTTPS with SSL or TLS should be used when Patient Identifiable Data or other sensitive information is to be transported using HTTP methods.

rdp   3389/tcp   3389/udp
Internal: ;   External: ;

Remote Desktop Protocol (RDP) is a multi-channel protocol that allows a user to connect to a computer running Microsoft Terminal Services. Clients exist for most versions of Windows, and for other operating systems such as Linux, FreeBSD, and Mac OS X. The server listens on TCP port 3389 by default. RDP offers support for 128-bit encryption using the RC4 encryption algorithm. RC4 is the default security mechanism; older clients may use encryption of lesser strength. Some variants of RDP are able to use Transport Layer Security (TLS) to provide encryption and data authentication services. Encryption should be enabled on all sessions that contain Patient Identifiable Data or other sensitive information.

vnc   5900/tcp   5900/udp
Internal: ;   External: ;

Virtual Network Computing (VNC) is a desktop sharing system which uses the RFB (Remote FrameBuffer) protocol to remotely control another computer. It transmits the keyboard presses and mouse clicks from one computer to another, relaying the screen updates back in the other direction, over a network. VNC by default uses ports 5900 to 5906, each representing the corresponding X screen (ports 5900 to 5906 for screens :0 to :6).

By default, VNC is not a secure protocol. While passwords are not sent in plain text (as in telnet), brute-force cracking could prove successful if both the encryption key and encoded password are sniffed from a network. For this reason it is recommended that a password of at least 8 characters is used.
However, VNC may be tunnelled over an SSH or VPN connection, which adds an extra security layer with stronger encryption. SSH clients are available for all major platforms (and many smaller platforms as well); SSH tunnels can be created from UNIX clients, Windows clients, Macintosh clients (including OS X and System 7 and up) and many others. Products such as UltraVNC, RealVNC and Workspot offer additional encryption and authentication services, which help to provide a sufficient level of security for the use of VNC.

4 Glossary

ARCFOUR: Also called RC4. A stream cipher, widely used in protocols such as Wired Equivalent Privacy (WEP) and Secure Sockets Layer (SSL). It falls short of modern cryptographic standards but is suitable for practical use in legacy or existing systems.

BT: British Telecommunications Plc. The current service provider for the N3 network.

BT N3SP: British Telecom N3 Service Provider. N3 is the name for the New NHS Network that will provide wide area networking services to the NHS in England. The NHS has chosen BT as the Service Provider for the N3 network. In this role BT is referred to as the N3SP. BT N3SP has formulated the Internet Protocol (IP) addressing policy for N3.

HTTPS: Hypertext Transfer Protocol over Secure Socket Layer. A method of using HTTP which moves information using SSL or TLS. It is not a separate protocol but a URI scheme that allows a system to know that HTTP is to be used but with additional security measures applied to the transactions.

IETF: The Internet Engineering Task Force. A large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet. It is open to any interested individual.

IP: Internet Protocol. A data-oriented communications protocol.
IP version 4 is the common element found in today's internet.

IPSec: Internet Protocol Security. A method of securing IP communications that operates at the network or packet processing layer of network communication.

LAN: Local Area Network. A local computer network for communication between computers; especially a network connecting computers, word processors and other electronic office equipment to create a communication system between offices.

LSP: Local Service Provider. A provider of LSP Services which has been appointed by the Authority for a Cluster. Responsible for making sure the new systems and services delivered through the NPfIT meet local requirements and are implemented efficiently.

N3: The New NHS Network. A private Wide Area Network consisting of thousands of PCs, servers, printers and other items of equipment. Information is unencrypted when transmitted over the network; therefore confidentiality of sensitive information within N3 is not assured.

NASP: National Application Service Provider. A supplier selected to provide one of the NPfIT national solution services.

PID: Patient Identifiable Data. Key identifiable information includes: patient's name, address, full post code, date of birth, pictures, photographs, videos, audio-tapes or other images of patients. PID also encompasses NHS local patient identifiable codes or anything else that could identify a patient directly or indirectly. For example, rare diseases, drug treatments or statistical analyses which have very small numbers within a small population may allow the identification of individuals.

PKCS#1: Public Key Cryptography Standards. PKCS#1 defines the format of RSA encryption.

PKI: Public Key Infrastructure.
Enables users of a basically unsecured public network (such as the internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair, obtained and shared through a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organisation, and directory services that can store and, when necessary, revoke the certificates.

PPP: Point to Point Protocol. A data transfer protocol which operates at the Data Link Layer.

RC4: See ARCFOUR (above).

SSH: Secure Shell protocol. Using SSH, a user can log into a server and all of their interactions are tunnelled through an encrypted session so that even if someone intercepts the data, all they will encounter is gibberish.

SSL: Secure Sockets Layer. A protocol designed to provide secure communications across the Internet.

TCP: Transmission Control Protocol. A protocol that works with IP to ensure that packets travel safely on the Internet. This is the method by which most Internet activity takes place.

TLS: Transport Layer Security. A protocol designed to provide secure communications across the Internet, designed as a successor to SSL. It uses the same cryptographic methods but supports more cryptographic algorithms.

UDP: User Datagram Protocol. A protocol that allows information to be transferred across IP networks. It is similar in operation to TCP; however, it lacks the reliability and ordering guarantees, and is stateless. It offers higher performance due to lower overheads in processing and delivery.

VPN: Virtual Private Network. A private data network that makes use of the public telecommunication infrastructure; privacy is maintained through the use of a tunnelling protocol and security procedures.

WAN: Wide Area Network.
A computer network that spans a relatively large geographical area; typically a WAN consists of two or more local-area networks (LANs). The largest WAN in existence is the internet.

WEP: Wired Equivalency Privacy. A security system that uses a series of keys on both sides of a wireless transmission to encrypt data for secure transmission. WEP is not considered secure, and there is a range of freely available, pre-existing software programs designed to break its encryption.

X.509: The ITU-T standard for Public Key Infrastructure (PKI). It specifies the information and attributes required for the identification of a person or a computer system.