Updated: 21 July 2016

Demystifying Network Ports (TCP/IP)

as it relates to Backup Exec

DISCLAIMER:

This is totally unofficial. Use what you like and disregard the rest.

Comments, suggestions and constructive criticisms are always welcomed, just email them to:

I see misunderstandings regarding port reassignments, how network ports work, and the /etc/services file.

Think of your domain as a street.

On this street, there are apartment buildings (servers).

Each such building has its own unique street (i.e. IP) address.

Each building also contains exactly 65,535 apartments (ports), though most are vacant.

When a message is sent down the street, every doorman (NIC) reads the address to see if it is for their building. If the address matches, he checks for the apartment number (port number) and knocks on that door (tries to connect to that port).

If someone is home (if a service is running and listening on that port), the door is opened and the message is delivered. The entity in that apartment opens the message and tries to make sense of it. If this is apartment 80, then the message is expected to be written in the language (protocol) called HTTP. If addressed to port 10000, then NDMPv3 (RAWS) or NDMPv4 is expected (NAS appliances).

A message that is written in any other language will not be understood, and the door will either slam shut or remain open in the vain hope that something intelligible will soon follow. The precise action is somewhat arbitrary, being entirely dependent upon the gods who created the service that answered that particular door.

The Backup Exec Remote Agent is in apartment #10000. If he moves to some other apartment, then everyone who needs to contact him needs to know he has moved. If you edit the Services file on the Media Server by specifying some other port for NDMP, then Backup Exec will always use that port when attempting to connect to RAWS on each remote server. This means that the Services file on all remote servers that this particular media server contacts must also be changed. This is normally a bad idea. (Newer versions of BE might behave differently.)

Once RAWS has been installed and is running, there should never be any reason to move it to another port. However, if you start RAWS for the first time and get the error "Address in use", this means some other service is residing in #10000. In this case, either the existing service needs to be evicted (moved to another port), or RAWS must find another apartment (port).

In the lobby of every apartment building there is a directory showing who lives where. This directory is known as the SERVICES file. The Internet Assigned Numbers Authority (IANA) has assigned certain port numbers to well-known network protocols. The Services file often contains the full list of assigned ports, though, theoretically, the file is not generally needed.

When a service starts up (say a web server), it first checks the Services file to see if there is a local preference as to which apartment (port) he must reside in. If there is no entry in the Services file (and if the software was properly written), then the default port as defined by IANA is used, and the service takes up residence there, where he sits and waits (listens) for a knock on the door.

Sometimes, such as when trying to back up a server in the DMZ, we need to use the Dynamic Port Range to get through a firewall.

There are three strata for ports:

Well Known Ports: 0 - 1023, assigned by IANA

Registered Ports: 1024 - 49151, assigned by IANA to applicants

Dynamic Port Range: 49152 - 65535, for temporary use by any software
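The Services-file lookup described above (local entry first, IANA default otherwise) and the three port strata, as an added example in Python. This is not code from the original text or from Backup Exec; the Services-file content is a constructed sample, and IANA_DEFAULTS is a hypothetical stand-in for the built-in defaults a well-written service would carry.

```python
import re

# Constructed sample in the layout of an /etc/services or Windows
# %SystemRoot%\System32\drivers\etc\services file; not copied from any real host.
SAMPLE_SERVICES = """\
# <service name>  <port number>/<protocol>  [aliases...]  [# comment]
http          80/tcp    www   # World Wide Web
ndmp       10000/tcp          # Network Data Management Protocol
ndmp       10000/udp
"""

# IANA assignments a well-written service falls back to when the Services
# file has no entry; only the two the text mentions are listed here (assumption).
IANA_DEFAULTS = {("http", "tcp"): 80, ("ndmp", "tcp"): 10000}

def parse_services(text):
    """Return {(name, proto): port} from Services-file text, ignoring comments."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue                             # blank or malformed line
        m = re.fullmatch(r"(\d+)/(tcp|udp)", fields[1])
        if not m:
            continue
        port, proto = int(m.group(1)), m.group(2)
        for name in [fields[0], *fields[2:]]:    # primary name plus aliases
            table[(name, proto)] = port
    return table

def resolve_port(name, proto, services_text):
    """What a service does at startup: a local Services-file entry wins;
    otherwise the IANA default; None if neither knows the service."""
    local = parse_services(services_text).get((name, proto))
    return local if local is not None else IANA_DEFAULTS.get((name, proto))

def port_stratum(port):
    """Classify a port number into the three ranges listed above."""
    if not 0 <= port <= 65535:
        raise ValueError("port number out of range")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"
```

On a real host, Python's socket.getservbyname("ndmp", "tcp") performs the same lookup against the system's own Services file, which is a quick way to see whether someone has reassigned NDMP locally.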

When we ask others to open ports in the Dynamic Range, some people get concerned, believing that an open port represents a vulnerability. It does not. An open port does not mean the apartment is occupied. It only means the apartment is available for a listener to move into. Backup Exec will only listen on one of these ports once it has coordinated with the remote agent and they, in unison, begin to use an additional port. It is only during those few milliseconds, while the Backup Exec agent is listening for RAWS to respond, that any chance of compromise exists. It is extremely unlikely that some out-of-band process will try to knock on one of these ports during that very brief window.

The "open port" network vulnerability refers only to ports that have listeners established. When an impostor knocks on the door, the occupant (service) answers, only to then get suffocated by some big fat guy (buffer overflow) who is designed to harvest a command prompt. In Backup Exec, we have SSL certificates to prevent this sort of attack from succeeding.

The simplest network client (not to be confused with its counterpart, the server or listener) is telnet.

There is nothing simpler than telnet. It opens a port and, once connected, all it can do is transfer your key presses to the listener on the other side. You might say it uses the ASCII protocol. When you telnet to a Backup Exec remote agent, we are only testing to verify that someone will answer the door. Since RAWS speaks its own binary protocol, we are greeted only by a few funny-looking (non-ASCII) characters. We have no hope of understanding it, and it has no hope of understanding us, but we do know someone is home and ready for guests (the RAWS agent).

If you use telnet to connect to a port that has no listener (no service lives in that apartment), you will get a message saying the connection could not be opened (or connection failed), which is to say, "there is nobody home".
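The telnet "is anybody home" check, the "Address in use" error from a second tenant, and a listener that occupies a dynamic-range port only briefly, as an added example in Python. This is not code from the original text or from Backup Exec; it binds to 127.0.0.1 only and assumes loopback networking is available.

```python
import errno
import socket

DYNAMIC_RANGE = range(49152, 65536)   # the third stratum listed above

def knock(host, port, timeout=1.0):
    """What the telnet test does, minus the keystrokes: True if a listener
    answers at host:port, False if the connection is refused or times out."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return True
        except OSError:                  # ConnectionRefusedError, timeout, ...
            return False

def rent_dynamic_port(host="127.0.0.1"):
    """Move into the first vacant apartment in the dynamic range and listen."""
    for port in DYNAMIC_RANGE:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
            s.listen(1)
            return s, port
        except OSError:
            s.close()                    # already occupied; try the next one
    raise RuntimeError("no vacant port in the dynamic range")

def address_in_use(host, port):
    """Try to bind a second listener to an occupied port. True if the OS
    answers with EADDRINUSE, the 'Address in use' error described above."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return False
        except OSError as e:
            return e.errno == errno.EADDRINUSE

def demo(host="127.0.0.1"):
    """One port through its three states: occupied, contested, vacated."""
    srv, port = rent_dynamic_port(host)
    result = {"port": port}
    try:
        result["occupied"] = knock(host, port)           # someone is home
        result["in_use"] = address_in_use(host, port)    # second tenant refused
    finally:
        srv.close()                                      # tenant moves out
    result["vacated"] = knock(host, port)                # nobody home now
    return result
```

Calling demo() shows that the same port number answers the knock only while a listener is bound to it, and refuses a second binder for exactly that duration.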

I hope many will find this useful. Please feel free to pass this along.