UW Firewall Implementation & Information
The University of Wyoming firewall was implemented to help secure university computing systems and comply with federal regulations. Department network and server administrators will find helpful
information below.
General Information
The Information Technology Security Office has installed a firewall device
between the campus network and the Internet. The firewall will provide
greater security for the campus network against the escalating attacks of hackers.
The firewall isolates the campus network from the outside Internet while
still allowing campus users to access the Internet. See the
Firewall Zones Diagram.
Users who require and can justify a need for a Reserve DHCP address will be
assigned one. They will need to submit the
Reserve DHCP
Address Request Form, justifying the
need for a static address. Users requiring a Reserve DHCP address will be
assigned a new static address and will have to configure the address manually.
Users should consider carefully whether this would be a good time to switch to
DHCP-assigned addressing.
The IP addresses of servers available to the general public will be in a
special zone called a DMZ (demilitarized zone). The IP addresses of these
systems will change and will have to be reentered manually. Operators of these
systems need to submit a
Reserve DHCP Address Request form. Users of
servers that are not available to the general public can still access those
servers from off campus by using VPN; see the information
on WyoSecure VPN.
The firewall isolates the campus network from the outside Internet while
allowing campus users to access the Internet by assigning non-routable IP
addresses to the systems inside the firewall. These addresses are chosen from
the Class A 10.x.x.x subnet and the Class B 172.16.0.0 through 172.31.254.254
subnets. See the
UW Firewall Zones Diagram.
Access-Restricted UW Network Services
Information Technology has prohibited access to some network services
through the gateway router as part of our ongoing efforts to improve
information security. The gateway router connects the University’s
campus network to the Internet. The services that are blocked are not
commonly needed or are known to be popular vehicles for security
compromise.
The restricted services are listed in the tables below. The
restriction of these services should have little effect on most users,
with the exception of the netbios service. The netbios service is used
by Windows systems for file sharing, Outlook, and other Windows
services. This will only affect remote access to the internal University
of Wyoming network from the Internet. UW dial-in and DSL users will not
be affected. Authorized users who need these services and who access the
University network from a non-university Internet Service Provider
(ISP) such as MSN, AOL, AT&T, Qwest, etc., will need to use Virtual
Private Networking (VPN) to access the restricted services. UW's
WyoSecure VPN service is available at
https://wyosecure.uwyo.edu/.
For information see the
WyoSecure VPN FAQ.
Because it is almost impossible to know all of the ramifications of
restricting these services, IT had two testing periods before the
restrictions were put in place permanently. The restrictions were
activated on September 7, 2002 for networks in the IT Data Center and
September 15, 2002 for all of campus. The network services were
permanently restricted on Sunday, September 22, 2002. Any problems
should be reported to
IT_Security_Office@uwyo.edu.
Services restricted (both incoming and outgoing)
Hackers commonly use these ports to probe and attack internal
networks. This list of ports is taken from the National Security Agency
recommendations and represents a minimum set they recommend should be
blocked. These ports will be blocked for both incoming and outgoing
requests. Users who are not connected to the UW network will need to use
the WyoSecure VPN to access
these services.
Port | Transport | Service
8 | icmp | echo
1 | tcp & udp | tcpmux
2 | tcp & udp |
3 | tcp & udp |
4 | tcp & udp |
5 | tcp & udp | rje
6 | tcp & udp |
7 | tcp & udp | echo
8 | tcp & udp |
9 | tcp & udp | discard
10 | tcp & udp |
11 | tcp & udp | systat
12 | tcp & udp |
13 | tcp & udp | daytime
14 | tcp & udp |
15 | tcp & udp |
16 | tcp & udp |
17 | tcp & udp | quote
18 | tcp & udp | msp
19 | tcp & udp | chargen
25 | tcp | smtp
37 | tcp & udp | time
43 | tcp | whois
67 | tcp | bootp
69 | tcp & udp | tftp
93 | tcp | dcp
135 | tcp & udp | netbios
137 | tcp & udp | netbios-ns
138 | tcp & udp | netbios-dgm
139 | tcp & udp | netbios-ssn
177 | udp | xdmcp
194 | tcp & udp | irc
445 | tcp | microsoft-ds
512 | tcp | exec
515 | tcp | lpd
517 | udp | talk
518 | udp | ntalk
529 | tcp & udp | irc-serv
540 | tcp | uucp
593 | tcp & udp | msblaster
994 | tcp & udp | irc
1433 | tcp & udp | ms sql slammer worm
1434 | udp | ms sql slammer worm
1812 | tcp & udp | radius
1900 | tcp | ssdp
1978 | tcp & udp | slapper worm
2002 | tcp & udp | slapper worm
2049 | udp | nfs
4156 | tcp & udp | slapper worm
4444 | tcp & udp | msblaster
6346 | tcp | gnutella
8007 | tcp & udp | sobig virus
8009 | tcp & udp | sobig virus
8998 | tcp & udp | sobig virus
12345 | tcp | backdoor
12346 | tcp | backdoor
31337 | tcp & udp |
6000-6099 | tcp | x-window
6665-6669 | tcp & udp | irc
Services restricted at the Router for incoming requests
These services are blocked on the incoming side from off-campus
access. Users who are connected to the UW network will be able to use
these services.
Port | Transport | Service
8 | icmp | echo
79 | tcp | finger
111 | tcp | sunrpc
161 | tcp & udp | snmp
162 | tcp & udp | snmptrap
513 | tcp & udp | login
514 | tcp & udp | cmd
550 | tcp & udp | new-rwho
1993 | tcp & udp | cisco snmp
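As an added example (not code from the University or its IT office), the two tables above can be encoded as a small policy check so that a department administrator can confirm, before opening a service, whether a given direction, transport and port falls under the both-direction restriction, the incoming-only restriction, or neither. The port sets are transcribed from the tables; the function names and the sample audit are this example's own assumptions.

```python
# Port sets transcribed from the page's tables. For icmp the "port" column
# is the ICMP type (8 = echo request), so it is kept in its own set.
TCP_UDP_BOTH = (set(range(1, 20)) | set(range(6665, 6670)) |
                {37, 69, 135, 137, 138, 139, 194, 529, 593, 994, 1433, 1812,
                 1978, 2002, 4156, 4444, 8007, 8009, 8998, 31337})
TCP_ONLY_BOTH = (set(range(6000, 6100)) |
                 {25, 43, 67, 93, 445, 512, 515, 540, 1900, 6346, 12345, 12346})
UDP_ONLY_BOTH = {177, 517, 518, 1434, 2049}

# Table "Services restricted (both incoming and outgoing)".
BLOCKED_BOTH = {
    "icmp": {8},
    "tcp": TCP_UDP_BOTH | TCP_ONLY_BOTH,
    "udp": TCP_UDP_BOTH | UDP_ONLY_BOTH,
}
# Table "Services restricted at the Router for incoming requests".
BLOCKED_INCOMING = {
    "icmp": {8},
    "tcp": {79, 111, 161, 162, 513, 514, 550, 1993},
    "udp": {161, 162, 513, 514, 550, 1993},
}


def restriction(direction, transport, port):
    """Return "both", "incoming" or None for one (direction, transport, port).

    direction is "incoming" (from the Internet into campus) or "outgoing".
    A "both" rule applies regardless of direction; an "incoming" rule only
    matters when the request originates off campus.
    """
    if direction not in ("incoming", "outgoing"):
        raise ValueError("direction must be 'incoming' or 'outgoing'")
    transport = transport.lower()
    if port in BLOCKED_BOTH.get(transport, ()):
        return "both"
    if direction == "incoming" and port in BLOCKED_INCOMING.get(transport, ()):
        return "incoming"
    return None


def audit_exposed(services):
    """For services a department wants reachable from off campus (a list of
    (name, transport, port) tuples), return the names that off-campus users
    will only reach through the WyoSecure VPN, mapped to the table that blocks them."""
    return {name: rule for name, transport, port in services
            if (rule := restriction("incoming", transport, port)) is not None}


# Constructed sample inventory, not a real UW department's service list.
if __name__ == "__main__":
    sample = [("web", "tcp", 443), ("smb", "tcp", 445),
              ("snmp", "udp", 161), ("x11", "tcp", 6010)]
    print(audit_exposed(sample))  # {'smb': 'both', 'snmp': 'incoming', 'x11': 'both'}
```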