Skip to Main Content

Menu

Contact Us

Information Technology

Phone: (307) 766-HELP (4357)

Email: userhelp@uwyo.edu

UW Firewall Implementation & Information

The University of Wyoming firewall was implemented to help secure university computing systems and comply with federal regulations. Department network and server administrators will find helpful information below.

General Information

Information Technology Security Office has installed a firewall device between the campus network and the Internet.  The firewall will provide greater security for the campus network from the escalating attacks of hackers.  The firewall isolates the campus network from the outside Internet while allowing campus users to access the Internet. See Firewall Zones Diagram.

 Users who require and can justify a need for a Reserve DHCP address will be assigned one.  They will need to submit the Reserve DHCP Address Request Form, justifying the need for a static address.  Users requiring a Reserve DHCP address will be assigned a new static address and will have to manually install the address.  Users should consider carefully if this would be a good time to switch to DHCP assigned addressing.

The IP addresses of servers available to the general public will be in a special zone called a DMZ (for demilitarized).  The IP addresses of these systems will change and will have to be reentered manually. Operators of these systems need to submit a Reserve DHCP Address Request form.  Users of servers that are not available to the general public can still access the servers from off campus by using VPN to access their servers - see information on WyoSecure VPN.

The firewall isolates the campus network from the outside Internet while allowing campus users to access the Internet by assigning non-routable IP addresses to the systems inside the firewall. These addresses are chosen from the Class A 10.x.x.x subnet and the Class B 172.16.0.0 thru 172.31.254.254 subnets.  See UW Firewall Zones Diagram.

Access-Restricted UW Network Services

Information Technology has prohibited access to some network services through the gateway router as part of our ongoing efforts to improve information security. The gateway router connects the University’s campus network to the Internet. The services that are blocked are not commonly needed or are known to be popular vehicles for security compromise.

The restricted services are listed in the tables below. The restriction of these services should have little effect on most users with the exception of the netbios service. The netbios service is used by Windows systems for sharing files, Outlook, and other Window services. This will only affect remote access to the internal University of Wyoming network from the Internet. UW dial in and DSL users will not be affected. Authorized users who need these services and who access the University network from a non-university Internet Service Providers (ISP) such as MSN, AOL, AT&T, Qwest, etc., will need to use Virtual Private Networking (VPN) to access the restricted services. UW's WyoSecure VPN service is available at https://wyosecure.uwyo.edu/. For information see the WyoSecure VPN FAQ.

Because it is almost impossible to know all of the ramifications of restricting these services, IT had two testing periods before the restrictions were put in place permanently. The restrictions were activated on September 7, 2002 for networks in the IT Data Center and September 15, 2002 for all of campus. The network services were permanently restricted on Sunday, September 22, 2002. Any problems should be reported to IT_Security_Office@uwyo.edu.

Services restricted (both incoming and outgoing)

Hackers commonly use these ports to probe and attack internal networks. This list of ports is taken from the National Security Agency recommendations and represents a minimum set they recommend should be blocked. These ports will be blocked for both incoming and outgoing requests. Users who are not connected to the UW network will need to use the WyoSecure VPN to access these services.

Port Transport Service
8 icmp echo
1 tcp & udp tcpmux
2 tcp & udp  
3 tcp & udp  
4 tcp & udp  
5 tcp & udp rje
6 tcp & udp  
7 tcp & udp echo
8 tcp & udp  
9 tcp & udp discard
10 tcp & udp  
11 tcp & udp systat
12 tcp & udp  
13 tcp & udp daytime
14 tcp & udp  
15 tcp & udp  
16 tcp & udp  
17 tcp & udp quote
18 tcp & udp msp
19 tcp & udp dhargen
25 tcp smtp
37 tcp & udp time
43 tcp whois
67 tcp bootp
69 tcp & udp tftp
93 tcp dcp
135 tcp & udp netbios
137 tcp & udp netbios-ns
138 tcp & udp netbios-dgm
139 tcp & udp netbios-ssn
Port Transport Service
177 udp xdmcp
194 tcp & udp irc
445 tcp microsoft-ds
512 tcp exec
515 tcp lpd
517 udp talk
518 udp ntalk
529 tcp & udp irc-serv
540 tcp uucp
593 tcp & udp msblaster
994 tcp & udp irc
1433 tcp & udp ms sql slammer worm
1434 udp ms sql slammer worm
1812 tcp & udp radius
1900 tcp ssdp
1978 tcp & udp slapper worm
2002 tcp & udp slapper worm
2049 udp nfx
4156 tcp & udp slapper worm
4444 tcp & udp msblaster
6346 tcp gnutella
8007 tcp & udp sobig virus
8009 tcp & udp sobig virus
8998 tcp & udp sobig virus
12345 tcp backdoor
12346 tcp backdoor
31337 tcp & udp  
6000 6099 tcp x-window
6665 6669 tcp & udp irc

Services restricted at the Router for incoming requests

These services are blocked on the incoming side from off-campus access. Users who are connected to the UW network will be able to use these services.

Port Transport Service
8 ICMP echo
79 TCP finger
111 TCP sunrpc
161 TCP & UDP snmp
162 TCP & UDP snmptrap
513 TCP & UDP login
514 TCP & UDP cmd
550 TCP & UDP new-rwho
1993 TCP & UDP cisco snmp

Contact Us

Information Technology

Phone: (307) 766-HELP (4357)

Email: userhelp@uwyo.edu