The University of Wyoming firewall was implemented to help secure university computing systems and comply with federal regulations. Department network and server administrators will find helpful information below.
The Information Technology Security Office has installed a firewall device between the campus network and the Internet. The firewall provides greater security for the campus network against the escalating attacks of hackers. It isolates the campus network from the outside Internet while still allowing campus users to access the Internet. See the Firewall Zones Diagram.
Users who require and can justify a need for a Reserve DHCP address will be assigned one. They will need to submit the Reserve DHCP Address Request Form, justifying the need for a static address. Users who are granted a Reserve DHCP address will be assigned a new static address and will have to enter it manually. Users should consider carefully whether this would be a good time to switch to DHCP-assigned addressing instead.
The IP addresses of servers available to the general public will be placed in a special zone called a DMZ (demilitarized zone). The IP addresses of these systems will change and will have to be re-entered manually, so operators of these systems need to submit a Reserve DHCP Address Request form. Servers that are not available to the general public can still be reached from off campus by using VPN; see the information on WyoSecure VPN.
The firewall isolates the campus network from the outside Internet, while allowing campus users to access the Internet, by assigning non-routable IP addresses to the systems inside the firewall. These addresses are chosen from the Class A 10.x.x.x subnet and the Class B 172.16.0.0 through 172.31.254.254 subnets. See the UW Firewall Zones Diagram.
Information Technology has prohibited access to some network services through the gateway router as part of our ongoing efforts to improve information security. The gateway router connects the University’s campus network to the Internet. The services that are blocked are not commonly needed or are known to be popular vehicles for security compromise.
The restricted services are listed in the tables below. Restricting these services should have little effect on most users, with the exception of the netbios service. The netbios service is used by Windows systems for file sharing, Outlook, and other Windows services. The restriction only affects remote access to the internal University of Wyoming network from the Internet; UW dial-in and DSL users will not be affected. Authorized users who need these services and who access the University network through a non-university Internet Service Provider (ISP) such as MSN, AOL, AT&T, Qwest, etc., will need to use Virtual Private Networking (VPN) to reach the restricted services. UW's WyoSecure VPN service is available at https://wyosecure.uwyo.edu/. For more information see the WyoSecure VPN FAQ.
Because it is almost impossible to know all of the ramifications of restricting these services, IT had two testing periods before the restrictions were put in place permanently. The restrictions were activated on September 7, 2002 for networks in the IT Data Center and September 15, 2002 for all of campus. The network services were permanently restricted on Sunday, September 22, 2002. Any problems should be reported to IT_Security_Office@uwyo.edu.
Hackers commonly use these ports to probe and attack internal networks. The list of ports is taken from National Security Agency recommendations and represents the minimum set the NSA recommends blocking. These ports are blocked for both incoming and outgoing requests. Users who are not connected to the UW network will need to use the WyoSecure VPN to access these services.
Port | Transport | Service |
---|---|---|
8 | icmp | echo |
1 | tcp & udp | tcpmux |
2 | tcp & udp | |
3 | tcp & udp | |
4 | tcp & udp | |
5 | tcp & udp | rje |
6 | tcp & udp | |
7 | tcp & udp | echo |
8 | tcp & udp | |
9 | tcp & udp | discard |
10 | tcp & udp | |
11 | tcp & udp | systat |
12 | tcp & udp | |
13 | tcp & udp | daytime |
14 | tcp & udp | |
15 | tcp & udp | |
16 | tcp & udp | |
17 | tcp & udp | quote |
18 | tcp & udp | msp |
19 | tcp & udp | chargen |
25 | tcp | smtp |
37 | tcp & udp | time |
43 | tcp | whois |
67 | tcp | bootp |
69 | tcp & udp | tftp |
93 | tcp | dcp |
135 | tcp & udp | netbios |
137 | tcp & udp | netbios-ns |
138 | tcp & udp | netbios-dgm |
139 | tcp & udp | netbios-ssn |
177 | udp | xdmcp |
194 | tcp & udp | irc |
445 | tcp | microsoft-ds |
512 | tcp | exec |
515 | tcp | lpd |
517 | udp | talk |
518 | udp | ntalk |
529 | tcp & udp | irc-serv |
540 | tcp | uucp |
593 | tcp & udp | msblaster |
994 | tcp & udp | irc |
1433 | tcp & udp | ms sql slammer worm |
1434 | udp | ms sql slammer worm |
1812 | tcp & udp | radius |
1900 | tcp | ssdp |
1978 | tcp & udp | slapper worm |
2002 | tcp & udp | slapper worm |
2049 | udp | nfs |
4156 | tcp & udp | slapper worm |
4444 | tcp & udp | msblaster |
6000-6099 | tcp | x-window |
6346 | tcp | gnutella |
6665-6669 | tcp & udp | irc |
8007 | tcp & udp | sobig virus |
8009 | tcp & udp | sobig virus |
8998 | tcp & udp | sobig virus |
12345 | tcp | backdoor |
12346 | tcp | backdoor |
31337 | tcp & udp | |
These services are blocked only for incoming connections from off campus. Users who are connected to the UW network will still be able to use them.
Port | Transport | Service |
---|---|---|
8 | icmp | echo |
79 | tcp | finger |
111 | tcp | sunrpc |
161 | tcp & udp | snmp |
162 | tcp & udp | snmptrap |
513 | tcp & udp | login |
514 | tcp & udp | cmd |
550 | tcp & udp | new-rwho |
1993 | tcp & udp | cisco snmp |
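A server administrator's first question about these lists is usually "will my service on port X still be reachable from off campus, or do my users need WyoSecure?" The following added example (not UW IT's own tooling) transcribes both tables above into a small rule format, answers that question for any port and transport, and renders a table as IOS-style extended ACL lines. The rule format, the function names and the ACL rendering are this example's own assumptions; the page never shows the actual gateway router configuration.

```python
"""Check a campus service against the gateway-router port restrictions.

Added example, not UW IT's own tooling. The port data is transcribed from
the two tables on this page (ports 1-19 are collapsed into one range); the
rule syntax, function names and ACL rendering are assumptions of this example.
"""


def parse_rules(text):
    """Parse 'PORT[-PORT] TRANSPORT[&TRANSPORT] service words' entries separated by ';' or newlines."""
    rules = []
    for entry in text.replace("\n", ";").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        ports, transport, *service = entry.split()
        low, _, high = ports.partition("-")
        rules.append((int(low), int(high or low), frozenset(transport.split("&")), " ".join(service)))
    return rules


# Table 1 on this page: blocked for incoming AND outgoing requests.
BLOCKED_BOTH_WAYS = parse_rules("""
8 icmp echo; 1-19 tcp&udp tcpmux-through-chargen; 25 tcp smtp; 37 tcp&udp time
43 tcp whois; 67 tcp bootp; 69 tcp&udp tftp; 93 tcp dcp; 135 tcp&udp netbios
137-139 tcp&udp netbios-ns/dgm/ssn; 177 udp xdmcp; 194 tcp&udp irc; 445 tcp microsoft-ds
512 tcp exec; 515 tcp lpd; 517-518 udp talk/ntalk; 529 tcp&udp irc-serv; 540 tcp uucp
593 tcp&udp msblaster; 994 tcp&udp irc; 1433 tcp&udp ms sql slammer worm
1434 udp ms sql slammer worm; 1812 tcp&udp radius; 1900 tcp ssdp; 1978 tcp&udp slapper worm
2002 tcp&udp slapper worm; 2049 udp nfs; 4156 tcp&udp slapper worm; 4444 tcp&udp msblaster
6000-6099 tcp x-window; 6346 tcp gnutella; 6665-6669 tcp&udp irc; 8007 tcp&udp sobig virus
8009 tcp&udp sobig virus; 8998 tcp&udp sobig virus; 12345-12346 tcp backdoor; 31337 tcp&udp
""")

# Table 2 on this page: blocked for incoming (off-campus) connections only.
BLOCKED_INBOUND = parse_rules("""
8 icmp echo; 79 tcp finger; 111 tcp sunrpc; 161-162 tcp&udp snmp/snmptrap
513-514 tcp&udp login/cmd; 550 tcp&udp new-rwho; 1993 tcp&udp cisco snmp
""")


def _lookup(table, port, proto):
    """Return the service label of the first rule covering (port, proto), else None."""
    for low, high, protos, service in table:
        if low <= port <= high and proto in protos:
            return service
    return None


def block_status(port, proto):
    """'both' if blocked in and out, 'inbound' if blocked from off campus only,
    None if neither list restricts this port/transport."""
    proto = proto.lower()
    if _lookup(BLOCKED_BOTH_WAYS, port, proto) is not None:
        return "both"
    if _lookup(BLOCKED_INBOUND, port, proto) is not None:
        return "inbound"
    return None


def reachable_from_off_campus(port, proto):
    """True when a server on this port/transport can be reached without WyoSecure VPN."""
    return block_status(port, proto) is None


def to_extended_acl(table, number=101):
    """Render a rule table as IOS-style numbered extended ACL lines.
    Illustrative rendering assumed by this example, not the real UW router config."""
    lines = []
    for low, high, protos, service in table:
        if service:
            lines.append(f"access-list {number} remark {service}")
        for proto in sorted(protos):
            if proto == "icmp":
                lines.append(f"access-list {number} deny icmp any any echo")
            elif low == high:
                lines.append(f"access-list {number} deny {proto} any any eq {low}")
            else:
                lines.append(f"access-list {number} deny {proto} any any range {low} {high}")
    lines.append(f"access-list {number} permit ip any any")  # everything else passes
    return lines


if __name__ == "__main__":
    for port, proto in ((139, "tcp"), (79, "tcp"), (1434, "tcp"), (22, "tcp")):
        print(f"{proto}/{port}: {block_status(port, proto) or 'not restricted'}")
    print("\n".join(to_extended_acl(BLOCKED_INBOUND)))
```

Note that the transport matters: 1434 is listed for udp only, so a tcp service on 1434 is not covered by these lists, while 1433 is blocked on both transports. Ranges such as 6000-6099 match any port inside them, which is why the check is a range comparison rather than a set lookup.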