Tuesday, February 28, 2012

Protocol IDs for Security+ and SSCP Exams

If you're preparing for the Security+ or SSCP exams, you'll need to know a few of the protocol IDs used by TCP/IP. The protocol ID is a number embedded in the IP header of a packet to identify the protocol carried inside it. It is used to identify many protocols that are not identified with a port number.

I recently wrote a blog titled Ports for Network+, Security+, and SSCP Exams which covered the relevant port numbers for these exams. Both port numbers and protocol IDs are used by devices such as routers and firewalls to identify protocols. However, they are different numbers carried in different headers: the protocol ID sits in the IP header, while port numbers sit in the TCP or UDP header. For example, Hypertext Transfer Protocol (HTTP) uses port number 80, but it is not accurate to say that it uses protocol ID 80. In fact, there isn't a protocol ID that identifies HTTP.

Practice Test Question

Test your knowledge of protocol IDs with this question. This is an example that you may see on the SSCP exam.

Q. You want to block DoS attacks using ping at a firewall. What would you do?

A. Block port 1 at the firewall

B. Block protocol ID 1 at the firewall

C. Block port 6 at the firewall

D. Block protocol ID 6 at the firewall

Answer at end of blog

Protocol IDs

The following table identifies some of the commonly used protocol IDs that you may be tested on.

Protocol                                                              Protocol ID
ICMP - Internet Control Message Protocol                                        1
IGMP - Internet Group Management Protocol                                       2
TCP - Transmission Control Protocol                                             6
UDP - User Datagram Protocol                                                   17
IPsec ESP - Internet Protocol security Encapsulating Security Payload          50
IPsec AH - Internet Protocol security Authentication Header                    51

You are more likely to be tested on protocol IDs in the SSCP exam. If you do see this content on the Security+ exam, it will probably focus only on IPsec ESP or IPsec AH. If you want to see a full listing of protocol ID numbers, check out the list maintained by the Internet Assigned Numbers Authority (IANA).

Pass the Security+ exam the first time you take it:
CompTIA Security+: Get Certified Get Ahead: SY0-301 Study Guide

Routers and firewalls use access control lists (ACLs) to filter traffic. They can filter traffic based on IP addresses, network IDs, ports, and protocol IDs. Port-based rules rely on well-known ports mapped to specific protocols. For example, you can block or allow outgoing email by closing or opening port 25, the well-known port for Simple Mail Transfer Protocol (SMTP). Similarly, you can block ICMP traffic (used by ping) by blocking any traffic that uses protocol ID 1.
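As an added example (not code from the original post), here is a small Python model of what a router or firewall ACL does with these two kinds of numbers: it reads the protocol ID from byte 9 of the IPv4 header and, only when that ID is TCP (6) or UDP (17), reads the port numbers from the transport header, then walks a rule list with first-match-wins and an implicit deny. The packets, the 192.0.2.x documentation addresses, and the AclRule format are constructed for this example; the protocol values are the ones tabled above.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Protocol IDs from the IPv4 header's Protocol field, as tabled in the post.
PROTOCOL_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


@dataclass
class ParsedPacket:
    src: str
    dst: str
    protocol: int              # Protocol field, byte 9 of the IPv4 header
    src_port: Optional[int]    # only present for TCP/UDP, otherwise None
    dst_port: Optional[int]


def parse_ipv4(packet: bytes) -> ParsedPacket:
    """Read the protocol ID from the IP header; read ports only if the payload is TCP or UDP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version_ihl = packet[0]
    if version_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (version_ihl & 0x0F) * 4           # header length in bytes
    protocol = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    src_port = dst_port = None
    if protocol in (6, 17) and len(packet) >= ihl + 4:
        # TCP and UDP headers both begin with 16-bit source and destination ports.
        # ICMP has no port fields, which is why a port rule can never match a ping.
        src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    return ParsedPacket(src, dst, protocol, src_port, dst_port)


@dataclass
class AclRule:
    action: str                        # "permit" or "deny"
    protocol: Optional[int] = None     # None matches any protocol ID
    dst_port: Optional[int] = None     # None matches any port (hypothetical rule format)


def apply_acl(rules: List[AclRule], pkt: ParsedPacket) -> str:
    """First matching rule wins; an unmatched packet hits the implicit deny at the end."""
    for rule in rules:
        if rule.protocol is not None and rule.protocol != pkt.protocol:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action
    return "deny"


def build_ipv4(protocol: int, payload: bytes, src: str = "192.0.2.10", dst: str = "192.0.2.20") -> bytes:
    """Construct a minimal IPv4 packet (header checksum left as zero for this example)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, protocol, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    return header + payload


# Constructed sample packets: an ICMP echo request (ping) and a TCP SYN to port 80 (HTTP).
PING = build_ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
HTTP_SYN = build_ipv4(6, struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 0x50, 0x02, 8192, 0, 0))

# The practice-question answer: deny protocol ID 1, then allow web traffic.
BLOCK_PING_ACL = [AclRule("deny", protocol=1), AclRule("permit", protocol=6, dst_port=80)]
# The distractor: "block port 1" never matches ICMP because ICMP carries no ports.
BLOCK_PORT_1_ACL = [AclRule("deny", dst_port=1), AclRule("permit")]


def classify(packet: bytes, rules: List[AclRule]):
    """Return (protocol name, ACL decision) for a raw packet."""
    pkt = parse_ipv4(packet)
    return PROTOCOL_NAMES.get(pkt.protocol, str(pkt.protocol)), apply_acl(rules, pkt)


if __name__ == "__main__":
    for name, pkt in (("ping", PING), ("http", HTTP_SYN)):
        print(name, classify(pkt, BLOCK_PING_ACL), classify(pkt, BLOCK_PORT_1_ACL))
```

Running the module shows the ping denied and the HTTP SYN permitted under BLOCK_PING_ACL, while under BLOCK_PORT_1_ACL the ping sails through: the port rule is evaluated against a packet whose parsed dst_port is None, so it never fires. A real ACL also matches on addresses and direction, but the two fields this model reads are exactly the two numbers the exam question distinguishes.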

Q. You want to block DoS attacks using ping at a firewall. What would you do?

A. Block port 1 at the firewall

B. Block protocol ID 1 at the firewall

C. Block port 6 at the firewall

D. Block protocol ID 6 at the firewall

Answer: B

Ping uses Internet Control Message Protocol (ICMP) and ICMP is identified with protocol ID 1. Blocking protocol ID 1 blocks all pings including a denial-of-service (DoS) attack using ping.

Ports 1 and 6 are unrelated to ping or ICMP (ICMP does not use port numbers at all), so blocking them would have no effect on pings.

Protocol ID 6 identifies Transmission Control Protocol (TCP), so blocking protocol ID 6 would block all TCP traffic without affecting pings.