Security+ Ports & Protocols Cheat Sheet: Complete Reference + Free Practice Exam
Why Ports and Protocols Matter for Security+
Ports and protocols form the foundation of network communication, and they are one of the most consistently tested topics on the CompTIA Security+ SY0-701 exam. Every time a device communicates over a network, it uses a port number to direct traffic to the correct service and a protocol to define the rules of that communication. As a security professional, you must know which ports belong to which services, which protocols are secure versus insecure, and how to apply this knowledge to real-world scenarios like firewall configuration and traffic analysis.
The SY0-701 exam objectives cover ports and protocols across multiple domains. Domain 3 (Security Architecture) at 18% of the exam tests your ability to design secure network architectures where port selection and protocol security are fundamental decisions. Domain 4 (Security Operations) at 28% requires you to analyze network traffic, configure firewalls, and troubleshoot connectivity issues - all of which demand instant recall of common port numbers. Domain 1 (General Security Concepts) at 12% also covers the principle of least privilege as it applies to opening only necessary ports.
Port knowledge is not abstract trivia for the exam. It directly applies to three critical skills that Security+ expects you to demonstrate. First, firewall rule analysis: you will see questions presenting a firewall rule table and asking which traffic is permitted or blocked. Without knowing that port 3389 is RDP or that port 636 is LDAPS, you cannot answer these questions. Second, security analysis: when a scenario describes suspicious traffic on a specific port, you need to identify what service normally uses that port and whether the traffic is legitimate. Third, troubleshooting: if a service is not working after a firewall change, you must know which port to check.
A common mistake candidates make is treating ports as a pure memorization exercise. While you do need to know the numbers, the exam rewards understanding. You should know why HTTPS replaced HTTP, why SFTP is preferred over FTP, and what makes SNMPv3 fundamentally different from SNMPv1. This guide is organized to give you both the reference tables for quick lookup and the conceptual understanding that the exam demands.
Well-Known Ports (0-1023)
Well-known ports range from 0 to 1023 and are assigned by IANA (Internet Assigned Numbers Authority) to the most common network services. These are the ports you will encounter most frequently on the Security+ exam. The table below covers the well-known ports you are most likely to be tested on for SY0-701, organized by function so you can see how related services group together.
Pay attention to the Security Notes column. The exam does not just test whether you know a port number - it tests whether you understand the security implications of each protocol. A port that transmits data in cleartext is a fundamentally different risk than one that uses TLS encryption.
| Port | Protocol | TCP/UDP | Description | Security Notes |
|---|---|---|---|---|
| 20 | FTP Data | TCP | File Transfer Protocol - data transfer channel | Cleartext transfer; replace with SFTP or FTPS |
| 21 | FTP Control | TCP | File Transfer Protocol - command/control channel | Cleartext credentials; credentials visible to packet sniffers |
| 22 | SSH / SFTP / SCP | TCP | Secure Shell - encrypted remote access and file transfer | Secure replacement for Telnet and FTP; uses public key or password authentication |
| 23 | Telnet | TCP | Unencrypted remote terminal access | All data including passwords sent in cleartext; never use in production |
| 25 | SMTP | TCP | Simple Mail Transfer Protocol - email relay between servers | Originally cleartext; modern servers use STARTTLS on port 25 for server-to-server relay |
| 49 | TACACS+ | TCP | Terminal Access Controller Access-Control System Plus | Encrypts the entire packet body; preferred over RADIUS for device administration |
| 53 | DNS | TCP/UDP | Domain Name System - name resolution | UDP for standard queries, TCP for zone transfers and large responses; vulnerable to spoofing without DNSSEC |
| 67 | DHCP Server | UDP | Dynamic Host Configuration Protocol - server port | Vulnerable to rogue DHCP servers; use DHCP snooping to mitigate |
| 68 | DHCP Client | UDP | Dynamic Host Configuration Protocol - client port | Client listens on this port for DHCP offers |
| 69 | TFTP | UDP | Trivial File Transfer Protocol - simple file transfer | No authentication or encryption; used only for bootstrapping network devices on trusted networks |
| 80 | HTTP | TCP | Hypertext Transfer Protocol - unencrypted web traffic | Cleartext; all data visible to anyone on the network path. Always redirect to HTTPS (443) |
| 88 | Kerberos | TCP/UDP | Kerberos authentication protocol | Used in Active Directory environments; ticket-based authentication prevents password transmission |
| 110 | POP3 | TCP | Post Office Protocol v3 - email retrieval | Cleartext credentials and email content; replace with POP3S (995) |
| 123 | NTP | UDP | Network Time Protocol - time synchronization | Critical for log correlation and certificate validation; can be abused in amplification attacks |
| 143 | IMAP | TCP | Internet Message Access Protocol - email retrieval | Cleartext by default; replace with IMAPS (993) for encrypted access |
| 161 | SNMP | UDP | Simple Network Management Protocol - device queries | SNMPv1/v2c use community strings in cleartext; always use SNMPv3 with authentication and encryption |
| 162 | SNMP Trap | UDP | SNMP Trap - unsolicited alerts from devices to management station | Same security concerns as SNMP; use SNMPv3 traps for encrypted notifications |
| 389 | LDAP | TCP/UDP | Lightweight Directory Access Protocol - directory queries | Cleartext directory queries including credentials; replace with LDAPS (636) |
| 443 | HTTPS | TCP | HTTP Secure - encrypted web traffic using TLS | Standard for all web traffic; uses TLS certificates for encryption and server authentication |
| 514 | Syslog | UDP | System logging protocol - centralized log collection | Traditional syslog is cleartext over UDP; use syslog over TLS (port 6514) for secure logging |
| 587 | SMTP Submission | TCP | Email submission from clients to mail servers | Requires authentication; supports STARTTLS for encryption. This is the correct port for client email submission |
| 636 | LDAPS | TCP | LDAP over SSL/TLS - encrypted directory queries | Secure replacement for LDAP; encrypts all directory traffic including bind credentials |
| 993 | IMAPS | TCP | IMAP over SSL/TLS - encrypted email retrieval | Secure replacement for IMAP (143); encrypts entire email session |
| 995 | POP3S | TCP | POP3 over SSL/TLS - encrypted email retrieval | Secure replacement for POP3 (110); encrypts credentials and email content |
Registered Ports for Security+
Registered ports range from 1024 to 49151 and are assigned by IANA to specific services upon request. While there are thousands of registered ports, only a handful appear on the Security+ exam. These ports are particularly important because they cover authentication, database access, and remote administration services that are central to enterprise security.
| Port | Protocol | TCP/UDP | Description | Security Notes |
|---|---|---|---|---|
| 1433 | MSSQL | TCP | Microsoft SQL Server default instance | Frequently targeted in attacks; never expose directly to the internet. Use firewall rules and encrypted connections |
| 1812 | RADIUS Authentication | UDP | Remote Authentication Dial-In User Service - authentication and authorization | Encrypts only the password field, not the entire packet. Used for network access control (802.1X, VPN) |
| 1813 | RADIUS Accounting | UDP | RADIUS accounting - tracks session duration and data usage | Provides audit trail for network access; pair with authentication on 1812 |
| 3306 | MySQL | TCP | MySQL database server | Default installation often lacks encryption; configure TLS and restrict access by IP |
| 3389 | RDP | TCP | Remote Desktop Protocol - Windows remote access | High-value target for attackers; protect with NLA, MFA, and VPN. Never expose directly to the internet |
| 5432 | PostgreSQL | TCP | PostgreSQL database server | Supports SSL/TLS connections; configure pg_hba.conf for access control |
| 990 | FTPS | TCP | FTP over SSL/TLS - implicit mode | Secure file transfer using TLS; alternative to SFTP (port 22). Uses separate data and control channels. Note that 990 actually sits in the well-known range (below 1024); it is listed here with the other enterprise services for convenience |
Database ports (1433, 3306, 5432) are increasingly relevant for the Security+ exam as organizations migrate to cloud environments. The core principle remains constant: database ports should never be directly exposed to the internet. Use network segmentation, firewalls, and encrypted connections to protect database traffic. In a zero trust architecture, every connection to a database is authenticated and authorized regardless of the source network.
Secure vs Insecure Protocol Pairs
One of the most heavily tested concepts on the Security+ exam is knowing which secure protocol should replace an insecure one. The exam presents scenarios where an organization is using an insecure protocol and asks which secure alternative should be implemented. This table is arguably the single most valuable reference in this entire guide for exam preparation.
The pattern is consistent: insecure protocols transmit data (including credentials) in cleartext. Secure alternatives add encryption, typically through TLS/SSL or by tunneling traffic through an encrypted channel. Understanding how each secure protocol achieves its encryption is important - for example, SFTP tunnels file transfers through SSH, while FTPS wraps FTP in a separate TLS layer. For a deeper understanding of the cryptographic mechanisms behind these protocols, see our Cryptography and PKI guide.
| Insecure Protocol | Port | Secure Alternative | Port | Key Difference |
|---|---|---|---|---|
| FTP | 20/21 | SFTP | 22 | SFTP tunnels file transfer through SSH; single port, single encrypted connection |
| FTP | 20/21 | FTPS | 990 | FTPS wraps FTP in TLS; requires separate data channel ports (complicates firewalls) |
| HTTP | 80 | HTTPS | 443 | HTTPS adds TLS encryption and server certificate verification to all web traffic |
| Telnet | 23 | SSH | 22 | SSH encrypts the entire session including authentication; supports key-based auth |
| IMAP | 143 | IMAPS | 993 | IMAPS wraps IMAP in TLS; encrypts email content and credentials during retrieval |
| POP3 | 110 | POP3S | 995 | POP3S wraps POP3 in TLS; prevents credential and email content interception |
| SMTP (cleartext) | 25 | SMTP Submission with STARTTLS (or implicit TLS on 465) | 587 | Port 587 requires authentication and upgrades the session to TLS with STARTTLS; port 465 wraps submission in TLS from the first byte. Server-to-server relay stays on 25 with opportunistic STARTTLS |
| SNMPv1/v2c | 161/162 | SNMPv3 | 161/162 | SNMPv3 adds authentication (SHA) and encryption (AES) on the same ports; community strings eliminated |
| LDAP | 389 | LDAPS | 636 | LDAPS wraps LDAP in TLS; encrypts all directory queries including bind (login) operations |
| RDP (without NLA) | 3389 | RDP + NLA + VPN | 3389 | Enable Network Level Authentication; access only through VPN or gateway; add MFA |
| Syslog (UDP) | 514 | Syslog over TLS | 6514 | Syslog over TLS uses TCP with encryption; prevents log tampering and eavesdropping |
SFTP vs FTPS is a distinction the exam expects you to understand. SFTP (SSH File Transfer Protocol) runs entirely over SSH on port 22 and is a completely different protocol from FTP. It uses a single connection, which makes it firewall-friendly. FTPS (FTP Secure) is traditional FTP wrapped in TLS, using port 990 for the implicit control channel. FTPS still requires additional ports for data transfer, making it more complex to manage through firewalls. In modern environments, SFTP is generally preferred because of its simplicity and strong security model.
Ports by Protocol Function
Grouping ports by their function is one of the most effective ways to internalize them for the exam. When you see a scenario question, you will naturally think in terms of what the service does rather than a raw port number. This section organizes every Security+ port by its functional category.
Authentication and Access Control
These protocols control who can access network resources and how their identity is verified. They are central to the security operations domain and appear frequently in questions about AAA frameworks, Active Directory, and network access control.
- Kerberos (88 TCP/UDP) - Ticket-based authentication used in Active Directory. The Key Distribution Center (KDC) issues Ticket Granting Tickets (TGTs) and service tickets. Kerberos prevents password transmission over the network.
- RADIUS (1812/1813 UDP) - Used for network access control including 802.1X wired/wireless authentication and VPN access. Encrypts only the password portion of the packet. Port 1812 handles authentication/authorization, port 1813 handles accounting.
- TACACS+ (49 TCP) - Preferred for network device administration. Encrypts the entire packet body (not just the password like RADIUS). Separates authentication, authorization, and accounting into distinct processes for granular control.
- LDAP/LDAPS (389/636 TCP) - Queries directory services like Active Directory for user, group, and resource information. LDAPS adds TLS encryption to protect bind credentials and query results.
Remote Access
Remote access protocols allow administrators and users to connect to systems across a network. The security of these protocols is critical because they provide direct access to system consoles and desktops.
- SSH (22 TCP) - The standard for secure remote access. Encrypts the entire session using symmetric encryption after an asymmetric key exchange. Supports password authentication, public key authentication, and key-based host verification.
- Telnet (23 TCP) - Legacy remote access with zero encryption. Every keystroke, including passwords, is visible in cleartext. The exam will always want you to replace Telnet with SSH.
- RDP (3389 TCP) - Provides graphical remote desktop access to Windows systems. Supports TLS encryption and Network Level Authentication (NLA), but must be protected by VPN or a gateway. RDP exposed to the internet is a top attack vector for ransomware.
Web Traffic
Web protocols are the most visible protocols on the internet and form the basis of most modern application communication.
- HTTP (80 TCP) - Unencrypted web traffic. All data, session cookies, and form submissions are visible to any observer on the network path. Modern best practice requires redirecting all HTTP to HTTPS.
- HTTPS (443 TCP) - HTTP secured with TLS. Provides encryption (confidentiality), server authentication (via certificates), and data integrity. HTTPS is required for any page that handles sensitive data, authentication, or payment information.
Email
Email involves multiple protocols working together: SMTP handles sending and relaying, while POP3 and IMAP handle retrieval. Each has secure and insecure variants, and the exam tests all of them.
- SMTP (25 TCP) - Used for server-to-server email relay. Modern servers implement STARTTLS on port 25 for opportunistic encryption between mail servers.
- SMTP Submission (587 TCP) - Used for client-to-server email submission. Requires authentication and supports STARTTLS. This is the correct port for email clients like Outlook or Thunderbird to send mail.
- POP3 / POP3S (110 / 995 TCP) - Downloads email from the server to the client, typically removing it from the server. POP3S adds TLS encryption.
- IMAP / IMAPS (143 / 993 TCP) - Synchronizes email between server and client, keeping mail on the server. Supports multiple device access. IMAPS adds TLS encryption.
File Transfer
File transfer protocols move data between systems. The security of these protocols is critical because transferred files may contain sensitive data and the authentication credentials must be protected.
- FTP (20/21 TCP) - Legacy file transfer with cleartext credentials. Port 21 is the control channel (commands), port 20 is the data channel (active mode). Avoid in production.
- SFTP (22 TCP) - File transfer over SSH. Secure, single-port, firewall-friendly. The preferred replacement for FTP in most environments.
- FTPS (990 TCP) - FTP over TLS. Requires additional ports for data channels. More complex than SFTP but supported by legacy systems.
- TFTP (69 UDP) - Trivial file transfer with no authentication or encryption. Used only for device bootstrapping (PXE boot, firmware updates) on isolated management networks.
Network Management and Monitoring
These protocols allow administrators to manage devices, collect logs, and synchronize time across the network. They are critical for security operations and incident response.
- SNMP / SNMP Trap (161/162 UDP) - Monitors and manages network devices. SNMPv1/v2c use cleartext community strings. SNMPv3 adds authentication (SHA) and encryption (AES). The exam expects you to always recommend SNMPv3.
- Syslog (514 UDP) - Centralizes log collection from network devices, servers, and applications. Traditional syslog is unencrypted over UDP. Syslog over TLS (port 6514) provides encrypted, reliable log transport.
- NTP (123 UDP) - Synchronizes clocks across network devices. Accurate time is essential for log correlation, certificate validation, and Kerberos authentication (which has a 5-minute skew tolerance). NTP can be abused in amplification DDoS attacks.
- DNS (53 TCP/UDP) - Resolves domain names to IP addresses. Uses UDP for standard queries and TCP for zone transfers. Vulnerable to spoofing, poisoning, and tunneling. DNSSEC adds integrity verification but not encryption. DNS over HTTPS (DoH) and DNS over TLS (DoT) provide encrypted resolution.
- DHCP (67/68 UDP) - Automatically assigns IP addresses, subnet masks, gateways, and DNS servers. Server listens on 67, client listens on 68. Vulnerable to rogue DHCP servers and starvation attacks. Mitigate with DHCP snooping.
How to Remember Critical Ports
Memorizing 30+ port numbers can feel overwhelming, but there are patterns and techniques that make it much more manageable. These are the strategies that work best for most candidates.
Group by Number Ranges
Ports are not randomly assigned. Related services tend to cluster in the same numeric range, and recognizing these clusters dramatically reduces the mental effort required.
- The 20s (20-25) - File transfer and basic remote services: FTP Data (20), FTP Control (21), SSH/SFTP (22), Telnet (23), SMTP (25). These are the "original internet" services that were standardized early.
- The 50s-80s - Infrastructure services: DNS (53), DHCP (67/68), TFTP (69), HTTP (80), Kerberos (88). These handle the fundamental operations of resolving names, assigning addresses, and serving web content.
- The 100s - Email retrieval and monitoring: POP3 (110), NTP (123), IMAP (143), SNMP (161/162). Nearly all of these are "pull" or "poll" services where a client checks a server for information; the one exception is SNMP trap (162), where the device pushes an alert to the management station.
- The 300s-600s - Directory and secure services: LDAP (389), HTTPS (443), Syslog (514), SMTP Submission (587), LDAPS (636). Notice that 636 is exactly 389 + 247, though it is easier to just remember LDAP is 389 and LDAPS is 636.
- The 900s - Implicit TLS wrappers: FTPS (990), IMAPS (993), POP3S (995). These are the TLS-wrapped versions of FTP and the two email retrieval protocols, and all three sit in the 990s.
- The 1000s+ - Higher services: MSSQL (1433), RADIUS (1812/1813), MySQL (3306), RDP (3389), PostgreSQL (5432).
Use Mnemonics for Critical Pairs
For the ports that cause the most confusion, simple mnemonics can lock them into memory:
- "22 is the secure door" - SSH (22) is your secure entry point. It replaces Telnet (23, right next door but insecure) and handles SFTP (secure file transfer).
- "LDAP 389, LDAPS 636" - LDAP uses three digits starting with 3, LDAPS uses three digits starting with 6. The secure version roughly doubles the first digit.
- "993/995 lock the mailbox" - Both secure email ports are in the 990s. IMAPS is 993 (IMAP + 850), POP3S is 995 (POP3 + 885). Or simply remember both are 99x.
- "RDP at 3389" - There is no clean letter-to-digit mnemonic for this one; some candidates just say it as "thirty-three, eighty-nine". Drill it until it is automatic, because RDP is heavily tested and 3389 shows up in firewall rule and exposed-service questions.
- "RADIUS keeps you at 1812" - 1812 is a historical year (the War of 1812) which makes it memorable. RADIUS authentication lives at 1812, accounting at the next port, 1813.
Practical Associations
Connecting ports to real-world actions you perform regularly makes them stick naturally:
- Every time you type https:// in a browser, you are using port 443. Every time you see the padlock icon, that is port 443 at work.
- When you SSH into a server at work, you are connecting to port 22. When you SCP or SFTP a file, that is also port 22.
- When your email client syncs (IMAP), it connects to either port 143 (insecure) or 993 (encrypted). Check your own email client settings - you will see these ports in the server configuration.
- When a Windows admin opens Remote Desktop Connection, that traffic goes to port 3389 on the target machine.
Firewall Rules and Port Security
Firewall configuration is where port knowledge becomes directly actionable. The Security+ exam tests your ability to read firewall rule sets, identify which traffic is allowed or blocked, and recommend correct port configurations for various scenarios. Understanding how firewalls evaluate rules is just as important as knowing the port numbers themselves.
The Default Deny Principle
Every properly configured firewall follows the default deny (also called implicit deny) principle: all traffic is blocked unless an explicit rule permits it. This is the foundation of the principle of least privilege applied to network traffic. On the exam, if a question asks about the "best practice" baseline for firewall configuration, the answer is always default deny.
Default deny means you build your ruleset by adding only the specific ports and protocols that legitimate services require. This approach ensures that any new, unknown, or malicious traffic is automatically blocked without needing a specific rule to address it. Compare this to a default allow posture (block only what you know is bad), which is inherently weaker because it cannot protect against unknown threats.
Example Firewall Rule Set
The following table shows a simplified firewall rule set for a web server in a DMZ. Understanding how to read and evaluate rule tables like this is essential for performance-based questions on the exam.
| Rule # | Action | Source | Destination | Port | Protocol |
|---|---|---|---|---|---|
| 1 | ALLOW | Any | Web Server | 443 | TCP |
| 2 | ALLOW | Any | Web Server | 80 | TCP |
| 3 | ALLOW | Admin Network | Web Server | 22 | TCP |
| 4 | DENY | Any | Web Server | 22 | TCP |
| 5 | DENY | Any | Any | Any | Any |
This rule set demonstrates several key concepts. Rule 1 allows HTTPS traffic from any source, which is correct for a public web server. Rule 2 allows HTTP so the server can redirect users to HTTPS. Rule 3 allows SSH only from the admin network for server management. Rule 4 explicitly blocks SSH from all other sources; rule 5 would catch that traffic anyway, but a dedicated deny rule makes the intent visible and gives you a specific rule to log and alert on. Rule 5 is the explicit catch-all deny that spells out the implicit deny: everything not matched by rules 1-4 is blocked. Rules are evaluated top-down and the first match wins, so the more specific admin SSH rule (3) must come before the general SSH deny rule (4); reversed, rule 4 would match the admin traffic first and lock administrators out.
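The following is an added example, not code from the original guide or any firewall vendor. It implements the top-down, first-match evaluation described above for the exact rule table shown, and then swaps rules 3 and 4 to show how a misordered deny shadows the admin allow. The address plan for the named objects ("Any", "Admin Network", "Web Server") is an assumption constructed for the demo.

```python
"""First-match firewall rule evaluation for the DMZ web server rule set above.

Added example, not from the original guide. The CIDR ranges mapped to the
named objects are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan for the named objects used in the rule table.
OBJECTS = {
    "Any": [ip_network("0.0.0.0/0")],
    "Admin Network": [ip_network("10.10.0.0/24")],
    "Web Server": [ip_network("192.0.2.10/32")],
}


@dataclass(frozen=True)
class Rule:
    number: int
    action: str          # "ALLOW" or "DENY"
    source: str          # object name from OBJECTS
    destination: str     # object name from OBJECTS
    port: int | str      # integer port or "Any"
    protocol: str        # "TCP", "UDP" or "Any"

    def matches(self, src: str, dst: str, port: int, proto: str) -> bool:
        src_ok = any(ip_address(src) in net for net in OBJECTS[self.source])
        dst_ok = any(ip_address(dst) in net for net in OBJECTS[self.destination])
        port_ok = self.port == "Any" or self.port == port
        proto_ok = self.protocol == "Any" or self.protocol == proto
        return src_ok and dst_ok and port_ok and proto_ok


# The rule set from the table above, in the order the firewall evaluates it.
RULES = [
    Rule(1, "ALLOW", "Any", "Web Server", 443, "TCP"),
    Rule(2, "ALLOW", "Any", "Web Server", 80, "TCP"),
    Rule(3, "ALLOW", "Admin Network", "Web Server", 22, "TCP"),
    Rule(4, "DENY", "Any", "Web Server", 22, "TCP"),
    Rule(5, "DENY", "Any", "Any", "Any", "Any"),
]


def evaluate(rules, src, dst, port, proto):
    """Return (action, rule_number) for the first rule that matches the packet.

    Top-down, first match wins. If no rule matches (a ruleset without the
    catch-all), fall back to the implicit deny, reported as rule 0.
    """
    for rule in rules:
        if rule.matches(src, dst, port, proto):
            return rule.action, rule.number
    return "DENY", 0


def misordered_rules():
    """Same rules with 3 and 4 swapped: the broad DENY now shadows the admin ALLOW."""
    r = list(RULES)
    r[2], r[3] = r[3], r[2]
    return r


if __name__ == "__main__":
    # Constructed packets: (source IP, destination IP, destination port, protocol)
    packets = [
        ("198.51.100.7", "192.0.2.10", 443, "TCP"),   # internet user, HTTPS
        ("198.51.100.7", "192.0.2.10", 22, "TCP"),    # internet user, SSH
        ("10.10.0.5", "192.0.2.10", 22, "TCP"),       # admin, SSH
        ("10.10.0.5", "192.0.2.10", 3389, "TCP"),     # admin, RDP (no explicit rule)
        ("198.51.100.7", "192.0.2.10", 53, "UDP"),    # DNS to the web server
    ]
    for pkt in packets:
        print(pkt, "->", evaluate(RULES, *pkt),
              "| misordered:", evaluate(misordered_rules(), *pkt))
```

Running it shows the admin SSH packet hitting rule 3 in the correct order but rule 4 in the misordered set, and RDP from the admin network falling through to rule 5; drop rule 5 from the list and the same RDP packet is still denied, but by the implicit deny (rule 0) rather than an explicit one.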
Common Ports to Block and Allow
For the exam and real-world practice, here are the key port decisions:
- Always block inbound from the internet: Telnet (23), RDP (3389), database ports (1433, 3306, 5432), SNMP (161/162), NetBIOS (137-139), SMB (445). These services should never be directly accessible from untrusted networks.
- Block and replace: FTP (20/21) with SFTP (22), HTTP (80) with HTTPS (443) where possible, LDAP (389) with LDAPS (636), POP3 (110) with POP3S (995), IMAP (143) with IMAPS (993).
- Allow with restrictions: SSH (22) only from management networks, DNS (53) only to trusted resolvers, NTP (123) only to designated time servers, SMTP (25) only between mail servers.
- Allow for public services: HTTPS (443) for web servers, SMTP Submission (587) for mail servers accepting client connections.
Firewall rules connect directly to broader security architecture. In a zero trust model, firewalls are just one layer of enforcement. Every connection is verified regardless of whether it originates from inside or outside the network perimeter. Port-level filtering remains essential even in zero trust because it reduces the attack surface at the network layer.
Port Scanning Basics for the Exam
Port scanning is the process of probing a target system to discover which ports are open, closed, or filtered. It is a fundamental reconnaissance technique used by both penetration testers and attackers. The Security+ exam expects you to understand the major scan types, their characteristics, and how security systems detect and respond to scanning activity.
Nmap Scan Types
Nmap is the most widely used port scanning tool and the one Security+ reconnaissance scenarios assume. You do not need to memorize complex Nmap syntax, but you do need to understand the behavior and purpose of each major scan type.
- TCP SYN Scan (Half-Open Scan) - Sends a SYN packet to each target port. If the port responds with SYN-ACK, it is open. The scanner sends RST instead of completing the three-way handshake, so no full connection is established. This is the default Nmap scan type and is considered "stealth" because it does not complete connections that would appear in application logs. However, modern IDS/IPS systems readily detect SYN scans.
- TCP Connect Scan (Full Connect) - Completes the entire TCP three-way handshake (SYN, SYN-ACK, ACK) for each port. This is the most reliable but also the most detectable scan type because every probe creates a full connection entry in the target's logs. Used when the scanner does not have raw socket privileges.
- UDP Scan - Sends UDP packets to target ports. Since UDP is connectionless, determining port status is more complex: no response may indicate either an open port or a filtered port. An ICMP "port unreachable" response indicates a closed port. UDP scanning is significantly slower than TCP scanning because of the lack of reliable responses and ICMP rate limiting.
- TCP FIN / Xmas / NULL Scans - These send TCP packets with unusual flag combinations (FIN only, FIN+PSH+URG, or no flags) to bypass simple firewall rules that only block SYN packets. According to the TCP RFC, closed ports should respond with RST while open ports should silently drop these packets. These scans are less reliable on modern systems, especially Windows, which does not follow the RFC strictly.
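The following is an added example, not Nmap code and not part of the original guide. It performs a TCP connect scan (the type an unprivileged scanner is limited to) against the loopback interface: it starts a real listener so one port is genuinely open, probes it and a port with nothing listening, and classifies the result as open, closed, or filtered from the socket error. Filtered cannot be produced on loopback, so that branch only triggers against a real dropping firewall. The timeout and the choice of loopback ports are assumptions for the demo.

```python
"""TCP connect scan against 127.0.0.1, classifying open / closed / filtered.

Added example for this guide; not Nmap code and not part of the original page.
Uses a full three-way handshake via connect(), so the probe is visible in the
target's application logs, exactly the detectability trade-off described above.
"""
import errno
import socket


def start_listener():
    """Bind a TCP listener on an ephemeral loopback port; return (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def find_closed_port():
    """Reserve an ephemeral loopback port and release it, so nothing listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def connect_scan(host, port, timeout=1.0):
    """Probe one TCP port with a full connect() and return its state.

    open     -> handshake completed (SYN, SYN-ACK, ACK); we then close the
                connection, and the target's application log will show it.
    closed   -> the host answered our SYN with RST (ECONNREFUSED).
    filtered -> no answer within the timeout (a firewall silently dropping
                the SYN) or an ICMP unreachable error (EHOSTUNREACH, ENETUNREACH).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError):
            return "filtered"
        except OSError as e:
            if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise


def scan_ports(host, ports, timeout=1.0):
    """Scan several ports sequentially and return {port: state}."""
    return {p: connect_scan(host, p, timeout) for p in ports}


if __name__ == "__main__":
    listener, open_port = start_listener()
    try:
        results = scan_ports("127.0.0.1", [open_port, find_closed_port()])
        for port, state in sorted(results.items()):
            print(f"127.0.0.1:{port} {state}")
    finally:
        listener.close()
```

Because every "open" result here completed a handshake, the listener's accept queue now holds a connection that any application-level logging on the target would record; a SYN scan avoids that by answering the SYN-ACK with RST, but requires raw socket privileges that plain `connect()` does not.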
Understanding Scan Results
Port scanners report each port in one of three primary states (Nmap also uses combined states such as open|filtered when it cannot tell the two apart), and the exam may test your ability to interpret these results in a scenario:
- Open - A service is actively listening and accepting connections on this port. This represents a potential attack surface that should be evaluated.
- Closed - The port is accessible (no firewall blocking it) but no service is listening. The system responds with RST, confirming the port is reachable but unused.
- Filtered - A firewall, packet filter, or other network device is blocking probes to this port. The scanner cannot determine whether the port is open or closed because either no response arrives at all or an ICMP error such as "administratively prohibited" comes back. For UDP keep the distinction straight: an ICMP port-unreachable means closed, while silence means open or filtered.
IDS/IPS Detection of Port Scans
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) use multiple techniques to identify port scanning activity. Understanding these detection methods is important for both the exam and real-world security operations, where analysts must distinguish between legitimate traffic and reconnaissance.
- Threshold-based detection - Triggers an alert when a single source IP connects to more than a configured number of distinct ports within a time window. For example, if one IP probes 100 ports in 10 seconds, this is almost certainly a scan.
- Signature-based detection - Identifies known scan patterns such as Nmap's default packet characteristics (specific TCP window sizes, TTL values, or flag combinations associated with Xmas or NULL scans).
- Anomaly-based detection - Establishes a baseline of normal traffic patterns and flags deviations. A workstation that suddenly starts connecting to sequential port numbers on a server is anomalous behavior that suggests scanning.
- Stateful inspection - Tracks TCP connection states and flags packets that do not follow the expected sequence (such as a FIN packet arriving without an established connection). This detects stealth scan techniques that rely on unusual flag combinations.
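The following is an added example, not code from any IDS product or from the original guide. It implements the threshold-based detection described above over a constructed connection log: for each source IP it keeps the distinct destination ports seen in a trailing time window and raises an alert when that count exceeds a threshold. The log format (epoch timestamp, source, destination, destination port, protocol, TCP flags), the window of 10 seconds, and the threshold of 5 ports are assumptions chosen for the demo; real sensors tune these per network.

```python
"""Threshold-based port scan detection over a constructed connection log.

Added example for this guide; not any IDS's real code. The log lines below
are constructed: 198.51.100.7 sweeps six ports within four seconds, while
10.10.0.5 makes ordinary repeated connections to 443 and 22.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumed trailing window
MAX_PORTS = 5         # alert when a source touches more than this many distinct ports

# Constructed sample log: "<epoch> <src> <dst> <dport> <proto> <flags>"
SAMPLE_LOG = """\
1700000000 10.10.0.5 192.0.2.10 443 TCP S
1700000001 198.51.100.7 192.0.2.10 20 TCP S
1700000001 198.51.100.7 192.0.2.10 21 TCP S
1700000002 198.51.100.7 192.0.2.10 22 TCP S
1700000002 10.10.0.5 192.0.2.10 443 TCP S
1700000003 198.51.100.7 192.0.2.10 23 TCP S
1700000003 198.51.100.7 192.0.2.10 25 TCP S
1700000004 198.51.100.7 192.0.2.10 3389 TCP S
1700000005 10.10.0.5 192.0.2.10 22 TCP S
1700000020 198.51.100.7 192.0.2.10 443 TCP S
"""


def parse_line(line):
    """Split one log line into (ts, src, dst, dport, proto, flags)."""
    ts, src, dst, dport, proto, flags = line.split()
    return int(ts), src, dst, int(dport), proto, flags


def detect_scans(lines, window=WINDOW_SECONDS, max_ports=MAX_PORTS):
    """Return a list of (timestamp, source, distinct_port_count) alerts.

    For each source IP keep a deque of (ts, dport) events inside the trailing
    window. When the number of distinct ports in the window exceeds
    max_ports, emit one alert and clear the window so a long scan is not
    reported again on every subsequent packet.
    """
    events = defaultdict(deque)
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, proto, flags = parse_line(line)
        q = events[src]
        q.append((ts, dport))
        # Expire events older than the window (log is assumed time-ordered).
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) > max_ports:
            alerts.append((ts, src, len(distinct)))
            q.clear()
    return alerts


if __name__ == "__main__":
    for ts, src, count in detect_scans(SAMPLE_LOG.splitlines()):
        print(f"ALERT t={ts} {src} probed {count} distinct ports within "
              f"{WINDOW_SECONDS}s (threshold {MAX_PORTS})")
```

With the sample log the scanning host trips the threshold on its sixth distinct port at t=1700000004, while the admin workstation (two distinct ports, revisited) never does; raising `max_ports` to 10 silences the alert entirely, which is the trade-off a slow, low-and-slow scanner exploits and why threshold detection is paired with the signature and anomaly methods above.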
For more detail on how IDS/IPS systems detect these and other attacks, see our Types of Attacks guide, which covers network-based attacks and detection strategies in depth. Understanding the OSI model layers is also valuable for understanding at which layer different scan techniques operate (port scanning targets Layer 4, the transport layer).
Frequently Asked Questions
How many ports do I need to memorize for Security+?
You should focus on approximately 30 critical ports for the CompTIA Security+ SY0-701 exam. The exam tests your understanding of how ports relate to protocols and security more than pure memorization. Key ports include SSH (22), HTTP/HTTPS (80/443), DNS (53), LDAP/LDAPS (389/636), SMTP (25/587), the secure email ports (993, 995), RDP (3389), SNMP (161/162), RADIUS (1812/1813), TACACS+ (49), and Kerberos (88). Focus on knowing which ports are secure alternatives to insecure protocols and how ports appear in firewall rules and security analysis.
What is the Security+ SY0-701 passing score?
The CompTIA Security+ SY0-701 exam requires a passing score of 750 on a scale of 100-900. The exam consists of up to 90 questions with a 90-minute time limit. Questions include multiple-choice and performance-based questions (PBQs). Port and protocol knowledge appears across multiple question types, especially in scenario-based questions about firewall configuration, network troubleshooting, and security analysis.
Does Security+ test on specific port numbers?
Yes, the CompTIA Security+ SY0-701 exam does test on specific port numbers. You will encounter questions that ask you to identify which protocol runs on a specific port, which port to open or block in a firewall rule, and which secure protocol and port should replace an insecure one. Performance-based questions may present firewall rule tables or network diagrams where you need to apply port knowledge. Knowing port numbers is not optional for passing this exam.
Is Security+ SY0-701 harder than SY0-601?
The SY0-701 exam keeps five domains but reorganizes and renames them, and it places greater emphasis on modern concepts including cloud security and zero trust architecture. Many candidates find SY0-701 slightly more challenging because it covers newer concepts and requires a deeper understanding of security architecture. However, the port and protocol fundamentals remain largely the same. If you have strong networking fundamentals and understand both legacy and modern protocols, the port-related questions should be straightforward. Study guides and practice exams have been updated to reflect the new objectives.
What are the most important ports for Security+?
The most critical ports for the Security+ exam are: SSH (22) as the secure remote access standard, HTTPS (443) for encrypted web traffic, LDAPS (636) for secure directory queries, RADIUS (1812/1813) for AAA services, the secure email ports IMAPS (993) and POP3S (995), SMTP submission (587), DNS (53), RDP (3389), Kerberos (88), TACACS+ (49), and SNMP (161/162). You should also know insecure ports like Telnet (23), HTTP (80), FTP (21), and LDAP (389) so you can identify when they should be replaced with secure alternatives.