UW Firewall Implementation & Information
The University of Wyoming firewall was implemented to help secure university computing systems and comply with federal regulations. Department network and server administrators will find helpful information below.
General Information
The Information Technology Security Office has installed a firewall device between the campus network and the Internet. The firewall provides greater protection for the campus network against the escalating attacks of hackers: it isolates the campus network from the outside Internet while still allowing campus users to reach the Internet. See the Firewall Zones Diagram.
Users who require, and can justify, a Reserve DHCP address will be assigned one. They will need to submit the Reserve DHCP Address Request Form (http://www.uwyo.edu/firewall/FireWallRequestForm.htm), justifying the need for a static address. Users granted a Reserve DHCP address will be assigned a new static address and will have to configure it on the system manually. Users should consider carefully whether this would be a good time to switch to DHCP-assigned addressing.
Servers available to the general public will be placed in a special zone called a DMZ (demilitarized zone). The IP addresses of these systems will change and will have to be re-entered manually. Operators of these systems need to submit a Reserve DHCP Address Request Form (http://www.uwyo.edu/firewall/FireWallRequestForm.htm). Servers that are not available to the general public can still be reached from off campus by connecting through VPN first - see the information on WyoSecure VPN.
The firewall isolates the campus network from the outside Internet, while still allowing campus users to access the Internet, by assigning private (RFC 1918) IP addresses to the systems inside the firewall. These addresses are not routed on the public Internet; the firewall translates them to public addresses when traffic leaves campus. The addresses are taken from the 10.0.0.0/8 block (10.x.x.x, historically the Class A 10 network) and the 172.16.0.0/12 block (172.16.0.0 through 172.31.255.255, historically sixteen Class B networks). See the UW Firewall Zones Diagram.
Access-Restricted UW Network Services
Information Technology has blocked access to some network services at the gateway router as part of its ongoing efforts to improve information security. The gateway router connects the University's campus network to the Internet. The blocked services are either not commonly needed or are known to be popular vehicles for security compromise.
The restricted services are listed in the tables below. Restricting these services should have little effect on most users, with the exception of the netbios service, which Windows systems use for file sharing, Outlook, and other Windows services. This affects only remote access to the internal University of Wyoming network from the Internet; UW dial-in and DSL users are not affected. Authorized users who need these services and who reach the University network through a non-university Internet Service Provider (ISP) such as MSN, AOL, AT&T, or Qwest will need to use Virtual Private Networking (VPN) to access the restricted services. UW's WyoSecure VPN service is available at https://wyosecure.uwyo.edu/. For information see the WyoSecure VPN FAQ.
Because it is almost impossible to know all of the ramifications of restricting these services, IT had two testing periods before the restrictions were put in place permanently. The restrictions were activated on September 7, 2002 for networks in the IT Data Center and September 15, 2002 for all of campus. The network services were permanently restricted on Sunday, September 22, 2002. Any problems should be reported to IT_Security_Office@uwyo.edu.
Services restricted (both incoming and outgoing)
Hackers commonly use these ports to probe and attack internal networks. The list is taken from National Security Agency recommendations and represents the minimum set the NSA recommends blocking. These ports are blocked for both incoming and outgoing requests, so the services cannot be reached from campus either; users who are not connected to the UW network will need to use the WyoSecure VPN to access them. Note that the first row is an ICMP message type (8, echo request), not a port.
| Port (or ICMP type) | Transport | Service |
| 8 | icmp | echo request |
| 1 | tcp & udp | tcpmux |
| 2 | tcp & udp | |
| 3 | tcp & udp | |
| 4 | tcp & udp | |
| 5 | tcp & udp | rje |
| 6 | tcp & udp | |
| 7 | tcp & udp | echo |
| 8 | tcp & udp | |
| 9 | tcp & udp | discard |
| 10 | tcp & udp | |
| 11 | tcp & udp | systat |
| 12 | tcp & udp | |
| 13 | tcp & udp | daytime |
| 14 | tcp & udp | |
| 15 | tcp & udp | |
| 16 | tcp & udp | |
| 17 | tcp & udp | qotd (quote of the day) |
| 18 | tcp & udp | msp |
| 19 | tcp & udp | chargen |
| 25 | tcp | smtp |
| 37 | tcp & udp | time |
| 43 | tcp | whois |
| 67 | tcp | bootp |
| 69 | tcp & udp | tftp |
| 93 | tcp | dcp |
| 135 | tcp & udp | msrpc endpoint mapper (epmap) |
| 137 | tcp & udp | netbios-ns |
| 138 | tcp & udp | netbios-dgm |
| 139 | tcp & udp | netbios-ssn |
| 177 | udp | xdmcp |
| 194 | tcp & udp | irc |
| 445 | tcp | microsoft-ds (SMB) |
| 512 | tcp | exec |
| 515 | tcp | lpd |
| 517 | udp | talk |
| 518 | udp | ntalk |
| 529 | tcp & udp | irc-serv |
| 540 | tcp | uucp |
| 593 | tcp & udp | http-rpc-epmap (Blaster) |
| 994 | tcp & udp | ircs |
| 1433 | tcp & udp | ms-sql-s (SQL Server; Slammer worm) |
| 1434 | udp | ms-sql-m (Slammer worm) |
| 1812 | tcp & udp | radius |
| 1900 | tcp | ssdp |
| 1978 | tcp & udp | slapper worm |
| 2002 | tcp & udp | slapper worm |
| 2049 | udp | nfs |
| 4156 | tcp & udp | slapper worm |
| 4444 | tcp & udp | msblaster |
| 6346 | tcp | gnutella |
| 8007 | tcp & udp | sobig virus |
| 8009 | tcp & udp | sobig virus |
| 8998 | tcp & udp | sobig virus |
| 12345 | tcp | backdoor (NetBus) |
| 12346 | tcp | backdoor (NetBus) |
| 31337 | tcp & udp | backdoor (Back Orifice) |
| 6000-6099 | tcp | x11 (X Window System) |
| 6665-6669 | tcp & udp | irc |
Two rows deserve a check against the live router configuration: BOOTP/DHCP (67) and SSDP (1900) are UDP services, so a rule that names only TCP does not actually block them. Port 1433 is the SQL Server listener; the Slammer worm itself spread over 1434/udp.
Services restricted at the Router for incoming requests
These services are blocked on the incoming side only, that is, for requests originating off campus; the ICMP row means inbound ping (echo request) is dropped at the router. Users connected to the UW network can still use these services, and outbound requests to them from campus are not affected.
| Port (or ICMP type) | Transport | Service |
| 8 | icmp | echo request |
| 79 | tcp | finger |
| 111 | tcp | sunrpc |
| 161 | tcp & udp | snmp |
| 162 | tcp & udp | snmptrap |
| 513 | tcp & udp | login (rlogin) |
| 514 | tcp & udp | cmd (rsh) |
| 550 | tcp & udp | new-rwho |
| 1993 | tcp & udp | snmp-tcp-port (Cisco SNMP) |
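The two tables above apply in different directions: the first list is enforced on traffic in both directions, the second only on requests arriving from the Internet. The direction itself follows from the addressing scheme described earlier, since hosts inside the firewall carry RFC 1918 addresses. The following is an added example, not code from the page or from UW IT, that models both lists as a single policy check. It transcribes only a representative subset of the rows; the source and destination addresses in the usage section are constructed (203.0.113.0/24 is a documentation range), and the rule representation and the function names are this example's own.

```python
"""Model of the two UW block lists: rules enforced in both directions at the
gateway router and rules enforced only for inbound (Internet -> campus) traffic.

Added example; the row tuples below are a subset transcribed from the page's
tables, and all addresses used for demonstration are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Address space the page says sits behind the firewall (RFC 1918 blocks).
INSIDE = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]

# (ports, transports, service) rows in the page's own table format.
BOTH_WAYS_ROWS = [
    ("8", "icmp", "echo request"),          # ICMP type, not a port
    ("25", "tcp", "smtp"),
    ("69", "tcp & udp", "tftp"),
    ("135", "tcp & udp", "msrpc epmap"),
    ("139", "tcp & udp", "netbios-ssn"),
    ("445", "tcp", "microsoft-ds"),
    ("1434", "udp", "ms-sql-m"),
    ("6000 6099", "tcp", "x11"),            # range written as two numbers
    ("6665 6669", "tcp & udp", "irc"),
]
INBOUND_ONLY_ROWS = [
    ("79", "tcp", "finger"),
    ("111", "tcp", "sunrpc"),
    ("161", "tcp & udp", "snmp"),
    ("513", "tcp & udp", "login"),
]


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp" or "icmp" (lo/hi are ICMP types for icmp)
    lo: int
    hi: int
    service: str

    def matches(self, proto, number):
        return proto == self.proto and self.lo <= number <= self.hi


def expand(rows):
    """Turn table rows into one Rule per transport, handling 'a b' port ranges."""
    rules = []
    for ports, transports, service in rows:
        nums = [int(n) for n in re.findall(r"\d+", ports)]
        lo, hi = nums[0], nums[-1]
        for proto in re.findall(r"tcp|udp|icmp", transports):
            rules.append(Rule(proto, lo, hi, service))
    return rules


BOTH_WAYS = expand(BOTH_WAYS_ROWS)
INBOUND_ONLY = expand(INBOUND_ONLY_ROWS)


def is_inside(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE)


def direction(src, dst):
    """Classify a flow relative to the gateway from its endpoint addresses."""
    s, d = is_inside(src), is_inside(dst)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    return "internal" if s and d else "transit"


def decide(src, dst, proto, number):
    """Return (verdict, reason). `number` is the destination port, or the ICMP
    type when proto == 'icmp'. Only flows crossing the gateway are filtered."""
    where = direction(src, dst)
    if where in ("internal", "transit"):
        return "allow", f"{where}: gateway rules do not apply"
    candidates = BOTH_WAYS + (INBOUND_ONLY if where == "inbound" else [])
    for rule in candidates:
        if rule.matches(proto, number):
            scope = "both directions" if rule in BOTH_WAYS else "inbound only"
            return "block", f"{where} {proto}/{number} ({rule.service}, blocked {scope})"
    return "allow", f"{where} {proto}/{number} is not in either list"


if __name__ == "__main__":
    # Constructed flows: an off-campus host (203.0.113.5) and campus hosts.
    for flow in [("203.0.113.5", "10.20.30.40", "tcp", 139),
                 ("10.20.30.40", "203.0.113.5", "tcp", 79),
                 ("203.0.113.5", "10.20.30.40", "tcp", 79),
                 ("10.1.2.3", "203.0.113.5", "tcp", 6667)]:
        print(flow, "->", decide(*flow))
```

To use the full policy, paste the remaining rows from the two tables into the row lists in the same three-column form; `expand` already handles the "a b" port ranges and the "tcp & udp" transport column. The check is stateless, so it says nothing about return traffic of an established session; the real router may or may not track state, and that is worth confirming separately.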
ResNet Internet Restrictions & Rate Limiting at UW
The University of Wyoming data network is separated from the Internet by a firewall. Based on recommendations of the National Security Agency (www.nsa.gov), specific ports (and therefore the network services that use them) are blocked for security purposes. Ports are added to the list when the NSA determines that they are widely used for hacking and security penetration. The current list of ports blocked by UW can be found on the Restricted Services page. Currently there is no difference in port blocking between the general campus and the UW residential network (ResNet).
In addition to port blocking, certain protocols are rate limited by a packet-shaping device. Before packet shaping was introduced at UW, protocols used for entertainment purposes (primarily downloading music) consumed an increasingly large portion of the Internet capacity (i.e., bandwidth), to the point where the Internet became unusable for UW users. Today, packet shaping applies to both the general UW campus network and the UW residential network (ResNet).
In addition to rate limiting (a.k.a. packet shaping) individual protocols, the packet shaper also limits the overall off-campus Internet usage of ResNet to 10 Mbps during daytime hours and 15 Mbps at night (5 PM to 7 AM) and on weekends.
Current ResNet Internet transfer rate limiting (packet shaping). The overall limit caps the protocol as a whole; the per-flow limit caps each individual connection within it. A blank per-flow column means only the overall limit applies.
| Protocol / application | Overall limit | Per-flow limit |
| Aimster | 1 Mbps | 64 kbps |
| Audiogalaxy | 1 Mbps | 64 kbps |
| eDonkey | 1 Mbps | 64 kbps |
| FTP (file transfer) | 10 Mbps | |
| Gnutella | 1 Mbps | 64 kbps |
| HTTP (web) | 10 Mbps | |
| IMAP (email) | 10 Mbps | |
| KaZaA | 1 Mbps | 64 kbps |
| MSN-Messenger (IM) | 10 Mbps | |
| Napster | 1 Mbps | 64 kbps |
| POP3 (email) | 10 Mbps | |
| Quicktime | 1 Mbps | 64 kbps |
| Real | 1 Mbps | 64 kbps |
| RTP-I | 5 Mbps | 1 Mbps |
| SMTP (email) | 10 Mbps | |
| SSH | 10 Mbps | |
| SSL | 10 Mbps | |
| WinMedia | 1 Mbps | 64 kbps |
| Default (all other protocols) | 2 Mbps daytime, 5 Mbps nights/weekends | 64 kbps daytime, 300 kbps nights/weekends |
Computer Protection