IT Connect

UW Network Port Blocking

Security enhancements to the UW Network

The University is making important security enhancements to protect the UW network against an increasing number of malicious attacks that put personal and University data, devices and systems at risk. These changes will affect people and groups that connect to UW resources from off-campus using a remote desktop or file-sharing application.

Changes to the UW network

Starting on April 24, 2018, if you access UW resources from off-campus through a remote desktop or network file-sharing application, you will be required to first use the Husky OnNet VPN, a department/unit VPN, or UW Medicine secure virtual private network (VPN) service. A VPN is an application on your computer that establishes a secure connection to a network.

How to prepare for changes

If you are not currently using Husky OnNet, a department/unit VPN, or UW Medicine VPN, please see below for options.

Available VPN secure services include:

  • Current students, faculty (including emeriti) and staff can use Husky OnNet, a free service. Please review the information on this web page, and get the software.
  • UW Medicine and clinical department users with AMC accounts can use SSL VPN (Pulse Secure). For more information about Pulse Secure, please visit the UW Medicine IT Services web page or contact UW Medicine IT Services.
  • Alumni and retirees can contact their unit or department’s IT group to see if a UW department/unit VPN is available.
  • Departmental VPN: Contact your unit or department’s IT group to see if they provide a UW department/unit VPN for your use.
  • College/Division/Department/Units: If you do not have a department VPN, a new for-fee Husky OnNet-Department service can provide secure access for retirees, alumni and other groups.

If you are connecting from on-campus (the Seattle campus and related facilities, UW Bothell, UW Tacoma and at UW Medicine facilities), you should not be impacted by this change.

Video about UW VPNs and how to use one:

Learn what a VPN is, your options, and how to use a VPN in this brief video. Visit UW-IT’s YouTube channel for the audio described version of the video.

Not sure if you are connected to a UW network?

Use the Network Portal tool from any computer you use to connect to UW resources to see if you are on a UW network, or see the Frequently Asked Questions section below for more information.

Examples of applications that require a VPN to connect include:

  • Remote desktop (but not the use of a Remote Desktop Gateway; see the Frequently Asked Questions section for more information)
  • Network file-sharing applications, such as those that allow you to transfer files to and from a UW-network-connected file server
  • Connections to devices on the UW Wi-Fi network, which includes any type of a wireless-connected device, such as printers, a remote camera, or a wireless-connected laptop

What’s not changing?

These changes will not affect web-based UW resources and services, such as uw.edu web pages, Canvas, Google Drive or Office 365. They will also not affect access to Dropbox, peer-to-peer (P2P) or secure file transfer (SFTP) programs; plain FTP (port 21) is not blocked now, but is listed under potential future blocks below. Access to UW Medicine resources via Citrix also will not be affected.

Why are these changes necessary?

In recent years, the number of malicious attacks on the UW network has increased substantially, presenting a serious security risk to the University. A large volume of this hostile traffic arrives on specific network “channels” or “ports.”

The most frequently attacked network ports are those related to file-sharing and remote desktop applications, and therefore, those will be blocked first. Other ports may be blocked in the future; you will be notified before any additional ports are blocked.

Blocking ports will reduce the security risks associated with the growing number of network-based vulnerabilities and the increased sophistication of network-based attacks against on-campus computers. Additionally, this action aligns UW with network security guidance and best practices and encourages everyone who uses the UW network to follow best practices for network and computer security.

These security enhancements are a common practice used by many large organizations, including numerous higher education institutions. They will apply to the entire UW network, including in Seattle and at UW Tacoma, UW Bothell and UW Medicine facilities.

See the list of blocked ports below for the network ports blocked on April 24, 2018.

UW college/division/department/unit

In advance of April 24, 2018, please take the following steps:

  • Assess the services and applications on the UW network that you make available to users.
  • Assess how authorized users currently access these services and applications to identify whether or not there will be an impact from these network changes.
  • If the use of a campus VPN is not feasible for your users, design and implement an alternative secure approach for systems and processes that currently use network ports that will be blocked. Options include:
    • Department/unit-managed VPN service: Some departments may choose to implement their own VPN service.
    • Husky OnNet – Department (HON-D) service: HON-D allows departments to establish their own authorized list of valid UW NetIDs using a departmentally managed UW Group. The department’s service will have a unique set of IP addresses associated with it so that these addresses may be allowed, as required, through a department firewall.
    • Alternative port: Design and implement an alternative secure approach for systems and processes that currently use network ports that will be blocked. The affected unit will need to communicate to users about the alternative port.
    • UW-IT consultation: UW-IT’s Port Blocking group members will work with UW groups to help advise on recommended solutions to systems/services affected by the blocked ports.
    • Exemptions Listing: Those who need more time to develop a solution can request a temporary exemption. This allows the group to keep their systems/services operational while alternative configurations/constructs can be designed and implemented to work around the blocked ports. See Exemptions below.
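The first two steps above amount to an inventory: which of your hosts accept connections on a port the border now blocks (or may block later)? The following script is an added example, not a UW-IT tool, that performs that check on a Linux host from the output of `ss -Hlntu` (listening TCP and UDP sockets, numeric, no header). The port sets are copied from the lists on this page; the sample `ss` output is constructed, not captured from a real UW host.

```python
"""Audit a Linux host's listening sockets against the UW port-block lists.

Added example, not a UW-IT tool. Feed it the output of `ss -Hlntu`
(numeric, header-less, listening TCP and UDP sockets) and it reports
which network-reachable services sit on ports the campus border blocks
inbound now, and which sit on ports under consideration for future blocks.
"""
from __future__ import annotations

import ipaddress
import re
import subprocess
from dataclasses import dataclass

# Inbound ports blocked at the border as of April 24, 2018 (from the page).
BLOCKED_NOW = {135, 137, 138, 139, 445, 3389, 5900}
# Ports the page lists as being considered for future blocking.
UNDER_CONSIDERATION = {0, 19, 21, 23, 88, 111, 161, 162, 389, 636,
                       593, 3268, 3269, 5985, 5986, 9100}


@dataclass(frozen=True)
class Listener:
    proto: str   # "tcp" or "udp"
    addr: str    # local address as printed by ss, brackets removed
    port: int


# One `ss -Hlntu` row: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]
_SS_ROW = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+|\*)\s+\S+")


def parse_ss(output: str) -> list[Listener]:
    """Extract (proto, address, port) from ss rows; wildcard ports are skipped."""
    found = []
    for row in output.splitlines():
        m = _SS_ROW.match(row.strip())
        if m and m.group(3) != "*":
            found.append(Listener(m.group(1), m.group(2).strip("[]"), int(m.group(3))))
    return found


def is_network_reachable(addr: str) -> bool:
    """False for loopback- or link-local-only sockets; True otherwise."""
    if addr in ("*", "0.0.0.0", "::"):          # bound to all interfaces
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                          # e.g. an interface name: assume reachable
        return True
    return not (ip.is_loopback or ip.is_link_local)


def audit(ss_output: str) -> dict[str, list[Listener]]:
    """Bucket network-reachable listeners by how the border treats their port."""
    report: dict[str, list[Listener]] = {"blocked_now": [], "under_consideration": [], "other": []}
    for lst in parse_ss(ss_output):
        if not is_network_reachable(lst.addr):
            continue
        if lst.port in BLOCKED_NOW:
            report["blocked_now"].append(lst)
        elif lst.port in UNDER_CONSIDERATION:
            report["under_consideration"].append(lst)
        else:
            report["other"].append(lst)
    return report


# Constructed sample of `ss -Hlntu` output (not captured from a real UW host).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:3389       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      5          127.0.0.1:5900       0.0.0.0:*
tcp   LISTEN 0      4096            [::]:445           [::]:*
udp   UNCONN 0      0            0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0          127.0.0.1:323        0.0.0.0:*
"""

if __name__ == "__main__":
    try:   # real host if ss is available, otherwise the constructed sample
        text = subprocess.run(["ss", "-Hlntu"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SS
    for bucket, listeners in audit(text).items():
        for lst in listeners:
            print(f"{bucket:20} {lst.proto}/{lst.port:<5} on {lst.addr}")
```

On the sample, the RDP listener on 0.0.0.0:3389 and the SMB listener on [::]:445 land in `blocked_now` (off-campus users of those services need a VPN, a gateway, an alternative port or an exemption), SNMP on 161/udp lands in `under_consideration`, and the loopback-only VNC on 127.0.0.1:5900 is ignored because it was never reachable from the network. Run it on each host that serves off-campus users, not only on the ones you already know about.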

UW Medicine and clinical departments

  • Pulse Secure: Most users with AMC accounts will continue to be required to use Pulse Secure, the UW Medicine Remote Access SSL VPN service, to access UW Medicine network resources.
  • Critical services: UW Medicine IT Services is working with their IT staff to identify any critical patient services that rely on the affected ports.
  • UW Medicine IT Services consultation: UW Medicine IT Services will work with groups to help advise on recommended solutions to systems/services affected by the blocked ports. Please contact UW Medicine IT Services.
  • Alternative port: Design and implement an alternative secure approach for systems and processes that currently use network ports that will be blocked. The impacted unit will need to communicate to users about the alternative port.
  • Exemptions Listing: Those who need more time to develop a solution can request a temporary exemption. This allows the group to keep their systems/services operational while alternative configurations/constructs can be designed and implemented to work around the blocked ports. UW Medicine will establish an approvals process for exemptions. See Exemptions below.

Exemptions

If alternative solutions are not available or will take more time to develop, a request for an exemption may be made. For more information on exemptions, including recommendations for other important security measures, please contact UW-IT’s Service Center at help@uw.edu with the subject line: “Network Port Blocking.”

UW unit exemptions will require the approval of your unit’s dean, director, or chair. All requests for exemptions within UW Medicine will be forwarded to UW Medicine ITS for approval.

Frequently Asked Questions

What is a virtual private network (VPN)?

A VPN is an application on your computer that establishes a secure connection to a network. You must first connect to a UW VPN (Husky OnNet, a UW department/unit VPN, or the UW Medicine VPN) before accessing UW resources from off-campus with a remote desktop or file-sharing application. The UW offers a free VPN service for all current students, faculty and staff, called Husky OnNet. UW Medicine employees with AMC credentials should use the UW Medicine SSL VPN called Pulse Secure. Individual UW departments may offer additional VPN services.

What is a network file-sharing application?

A network file-sharing application allows you to access and transfer files to and from a remote location, such as files on a departmental or unit server. For example, you may be accessing an I: or H: drive where your department stores shared files. The drive letter may change, depending on configuration. Accessing that shared drive from an off-campus location will require the use of a UW VPN.

What is a remote desktop application?

A remote desktop application on your computer allows you to connect from one computer to another. For example, you may use a remote desktop application to connect from your laptop at home to your workstation on the UW network, and it will appear as if you are logged in directly at your UW workstation. Windows calls this Remote Desktop Connection; Apple calls it Apple Remote Desktop, which is based on Virtual Network Computing (VNC).

How do I know if I’m using a Remote Desktop Connection vs a Remote Desktop Gateway?

Some UW departments offer a Remote Desktop Gateway. Users connect to it the same way they would with a standard Remote Desktop Connection, but an additional setting in the application specifies the Gateway server. If a Remote Desktop Gateway server is used, a VPN may not be required. Check with your department to see if they offer a Remote Desktop Gateway and how to configure your computer to use it.

My college/division/department/unit operates a Microsoft RDP (MSRDP) Gateway server. If I connect via this gateway will I need an exemption?

Unlikely. In the standard installation and configuration, an MSRDP Gateway server is not affected by the block on 3389/tcp (native RDP), because clients reach the gateway on 443/tcp (and optionally 3391/udp), not on 3389/tcp. No exemption is required for a standard MSRDP Gateway.

Standard MSRDP Gateway server installation:

  • User on the Internet -> 443/tcp -> MSRDP Gateway -> 3389/tcp -> user desktop on campus

The block is applied at the campus border, where the gateway traffic is still on 443/tcp. The gateway terminates that connection and opens a new 3389/tcp connection to the desktop from inside the campus network, so the 3389/tcp hop never crosses the border and is not blocked. In effect, the gateway tunnels RDP through the block. If you operate an MSRDP Gateway server, confirm that it uses the default ports; if so, you will not need an exemption. A desktop that is also reachable directly on 3389/tcp from off-campus is still blocked on that path; only the connection through the gateway gets through.
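Whether a given Remote Desktop profile crosses the block therefore depends on the gateway settings stored in it. The script below is an added example, not UW-IT's or Microsoft's code: it reads the mstsc `.rdp` keys `full address`, `gatewayhostname` and `gatewayusagemethod`, lists the hop(s) the client opens from off-campus, and says whether a VPN is needed. It assumes IPv6 hosts are written in brackets, that a missing `gatewayusagemethod` means "no gateway", and that a hop is blocked exactly when its port is on the list on this page; the sample profiles and hostnames are constructed placeholders.

```python
"""Does a Remote Desktop (.rdp) profile cross the 3389/tcp border block?

Added example, not UW-IT's or Microsoft's code. It reads the mstsc .rdp
keys `full address`, `gatewayhostname` and `gatewayusagemethod` and
reports the hop(s) the client opens from off-campus. Assumptions: IPv6
hosts are written in brackets, a missing gatewayusagemethod means "no
gateway", and a hop is blocked exactly when its port is on the page's list.
"""
from __future__ import annotations

RDP_PORT = 3389        # native RDP, blocked inbound at the border
GATEWAY_PORT = 443     # RD Gateway default (HTTPS); 3391/udp is its optional UDP transport
BLOCKED_INBOUND = {135, 137, 138, 139, 445, 3389, 5900}

# gatewayusagemethod values as documented for mstsc:
#   0 or 4 = never use a gateway, 1 = always use it,
#   2 = try a direct connection first and use the gateway only if that fails,
#   3 = use the default (policy-supplied) gateway settings; treated as direct here (assumption).
ALWAYS_GATEWAY = {1}
GATEWAY_AFTER_DIRECT = {2}


def parse_rdp(text: str) -> dict[str, str]:
    """Parse `name:type:value` lines (types s, i, b); values may contain ':'."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("s", "i", "b"):
            settings[parts[0].strip().lower()] = parts[2].strip()
    return settings


def split_endpoint(spec: str, default_port: int) -> tuple[str, int]:
    """'host', 'host:port' or '[v6addr]:port' -> (host, port)."""
    host, sep, port = spec.rpartition(":")
    if sep and port.isdigit():
        return host.strip("[]"), int(port)
    return spec.strip("[]"), default_port


def classify(settings: dict[str, str]) -> dict:
    """List the hops mstsc will open and whether a VPN is needed from off-campus."""
    target = split_endpoint(settings.get("full address", ""), RDP_PORT)
    gateway = settings.get("gatewayhostname", "")
    try:
        method = int(settings.get("gatewayusagemethod", "0"))
    except ValueError:
        method = 0

    if gateway and method in ALWAYS_GATEWAY:
        path, hops = "gateway", [split_endpoint(gateway, GATEWAY_PORT)]
    elif gateway and method in GATEWAY_AFTER_DIRECT:
        path, hops = "direct-then-gateway", [target, split_endpoint(gateway, GATEWAY_PORT)]
    else:
        path, hops = "direct", [target]

    blocked = [hop for hop in hops if hop[1] in BLOCKED_INBOUND]
    return {
        "path": path,
        "hops": hops,
        "blocked_hops": blocked,
        # Only when every attempt lands on a blocked port does the user need a VPN.
        "needs_vpn": len(blocked) == len(hops),
    }


# Constructed sample profiles (hostnames are placeholders, not real UW systems).
DIRECT_RDP = """\
full address:s:lab-ws01.dept.example.edu
gatewayusagemethod:i:0
"""

GATEWAY_RDP = """\
full address:s:lab-ws01.dept.example.edu
gatewayhostname:s:rdgw.dept.example.edu
gatewayusagemethod:i:1
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:1
"""

ALT_PORT_RDP = "full address:s:lab-ws01.dept.example.edu:3390\n"

if __name__ == "__main__":
    for name, text in ("direct", DIRECT_RDP), ("gateway", GATEWAY_RDP), ("alt-port", ALT_PORT_RDP):
        print(name, classify(parse_rdp(text)))
```

The "direct" profile opens 3389/tcp to the desktop and needs a VPN; the "gateway" profile opens only 443/tcp to the gateway and passes the block. With `gatewayusagemethod:i:2` the client first tries the blocked direct path and only then falls back to the gateway, so the session still succeeds but only after the direct attempt fails; distributing profiles with method 1 avoids that wait. The "alt-port" profile corresponds to the Alternative port option described above: it avoids the block, but not the password guessing the page gives as the reason for blocking 3389, so a gateway or VPN is the better choice where one is available.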

How do I know if I connect to the UW network from on-campus or off-campus?

Use the Network Portal tool

The Network Portal (networks.uw.edu) tool will report if you are connected to a UW-managed network on-campus or not.

To find out if you are on the UW network, follow these instructions:

  1. Go to: https://networks.uw.edu/ You may be asked to login with your UW NetID.
  2. If you are on-campus, then you will see “Your subnet is [ip subnet] on the uw network” displayed.
  3. If you are off-campus, you will see “You do not appear to be connected to a network managed by the University of Washington” displayed.

Indicators you are off-campus

  • You are using a third party Internet Service Provider (e.g., Comcast, Centurylink, Wave, Verizon, etc.) to connect to the internet
  • Your network connection is via a third-party wireless service (e.g., at an airport, cafe, cell service provider, or other retail location)

Indicators you are on-campus

You are physically using a computer at one of these locations:

  • UW Seattle campus, including Health Sciences
  • UW Bothell campus
  • UW Tacoma campus
  • Various UW research facilities, offices, research stations and laboratories throughout the region
  • UW Medical Center (UWMC), including UW Medicine Neighborhood Clinics (UWMNC)
  • UW Medicine support facilities, for example the Consolidated Laundry, Northgate Call Center, and the IBM building
  • Harborview Medical Center (HMC), including the Ninth and Jefferson Building (NJB)
  • Northwest Hospital (NWH), including NWH clinics
  • Airlift NW

Will these changes affect how I access my UW email?

No. Whatever method you currently use to access your UW email should continue to work.

Will these changes affect my ability to access UW Library resources?

No. Whatever method you currently use to access UW Library resources (including restricted access resources for those who are eligible) should continue to work. For more information see UW Libraries Off-Campus Access information.

Will these changes affect my ability to access UW Medicine resources via Citrix?

No. Your access to UW Medicine resources via Citrix should not be affected.

How do I know if I should use the SSL VPN Pulse Secure?

Only people in UW Medicine with AMC credentials can use the SSL VPN Pulse Secure. Everyone else, including members of the School of Medicine, should use Husky OnNet or a UW departmental VPN.

List of blocked ports

As of April 24, 2018, the following inbound ports are blocked at the campus border:

  • 135 (RPC), 137, 138 and 139 (NetBIOS), and 445 (MS-DS SMB): Network Basic Input/Output System (NetBIOS) and Server Message Block (SMB) services provide file sharing and related services over the network. These services are constantly under attack from off-campus, are frequently vulnerable to attacks, exploits and malware, and can expose confidential or restricted data when improperly configured.
  • 3389 (RDP): Used for remote desktop connections to Windows computers. It is one of the most common ports used for “brute-force” or “dictionary” attacks (password guessing).
  • 5900 (VNC): Used by the Virtual Network Computing (VNC) protocol for remote desktop connections to computers running a VNC server. (VNC servers commonly listen on 5900 plus the display number, e.g. 5901 for display :1; only 5900 is on this list.)

Potential future blocked ports

The following ports are being considered for future blocking. Before these or other ports are blocked, significant advance notice will be provided to the UW community.

If you have questions, concerns or recommendations about port blocking, please provide input to help@uw.edu. Please include “Network port blocking” in the subject line.

  • 0 (reserved): This is a reserved port and should not be used by applications.
  • 19 (chargen): A tiny network service, often installed by default on servers, that generates a stream of characters for testing network connectivity. It is often abused for amplification attacks and serves no useful purpose.
  • 21 (FTP): An insecure protocol for remote file transfer that sends passwords in clear text. Where possible, use SFTP or secure copy (scp) over Secure Shell (SSH, port 22) instead. There are some legitimate uses of FTP for sharing data sets, but many of these resources have moved to HTTP and the service may only be offered for legacy reasons. More information: https://en.wikipedia.org/wiki/File_Transfer_Protocol
  • 23 (Telnet): An insecure protocol for remote access that sends passwords in clear text. Where possible, use Secure Shell (SSH, port 22) instead. There are some legitimate uses of Telnet on campus for sharing data sets with external users.
  • 88 (Kerberos): An authentication protocol. It is frequently the subject of “dictionary” attacks, in which many different passwords are tried. Some cloud-based services require access to this port in order to authenticate customers; this may require a cloud VPN solution as mitigation.
  • 111 (ONC/Sun RPC): The Open Network Computing / Sun Remote Procedure Call protocol, commonly known as the port mapper service, is often installed on Unix systems providing NFS. It should not be exposed to the Internet, as it gives an attacker a way to consume resources and to access disk and other resources, potentially with very little authentication. More information: https://en.wikipedia.org/wiki/Open_Network_Computing_Remote_Procedure_Call
  • 161 and 162 (SNMP): Network management protocols, commonly used to discover networks and expose information. Campus network equipment is protected, but there may be other legitimate on-campus users (e.g. printers) that could be impacted; printers should, however, be on private IP addresses.
  • 389, 636, 3268 and 3269 (LDAP): LDAP services are used for directory and authentication services, including Microsoft Active Directory. In some cases these protocols send your password in the clear. They are also frequently the subject of “brute-force” or “dictionary” attacks (password guessing). LDAP is discouraged for authentication because your credentials are exposed to the application you authenticate to (even if SSL or TLS is used). Other legitimate uses of LDAP, especially by cloud services, might be impacted.
  • 593 (RPC over HTTP): The endpoint mapper (like port 111) for RPC over HTTP. It is typically installed on Microsoft servers running Exchange and should not be exposed to the Internet, for the same reasons as the ONC RPC port mapper.
  • 5985 and 5986 (WinRM): Windows Remote Management; this protocol can be used to remotely execute commands on Windows computers and is frequently misconfigured.
  • 9100 (PDL data stream): Used by some network printers for raw printing; this port is often used to perform DDoS attacks or to send malicious print jobs to the printer.

These ports are unlikely to be blocked due to significant operational challenges

  • 123 (NTP): NTP is commonly used for reflection denial-of-service attacks. The campus NTP servers will be whitelisted so they can be used on and off campus, but within the campus you should peer with time.u.washington.edu. Blocking this port would be extremely complicated for little gain.

Get Help/Questions

If you need help or have any questions or concerns, please contact help@uw.edu with the subject line: “Network port blocking.”
