Security enhancements to the UW Network
The University is making important security enhancements to protect the UW network against a growing number of malicious attacks that put personal and University data, devices and systems at risk. These network security changes include blocking inbound traffic from the Internet into the UW network on the specific network ports listed below; a service that listens on one of these ports will no longer be reachable from off campus unless an exemption is granted. If you have questions, concerns or recommendations about port blocking, please send them to firstname.lastname@example.org with “Network port blocking” in the subject line.
Note: Port 0 was blocked on April 10, 2019. After investigating reported issues, the block was removed April 16, 2019.
| Port | Protocol | Reason for Block | Date Blocked |
| --- | --- | --- | --- |
| 19 | CHARGEN | The Character Generator Protocol (chargen) is a small network service, often installed by default on servers, that emits a stream of characters for testing network connectivity. It is frequently abused for amplification attacks and serves no useful purpose on a modern network. | Oct 16, 2018 |
| 21 | FTP | File Transfer Protocol (FTP) is an insecure remote file transfer protocol that transmits passwords in clear text. Where possible, provide access using secure copy over Secure Shell (SSH, port 22) instead. There are some legitimate uses of FTP for sharing data sets, but most of these resources have moved to HTTP, and many remaining FTP services are offered only for legacy reasons. More information: https://en.wikipedia.org/wiki/File_Transfer_Protocol | Oct 16, 2018 |
| 23 | Telnet | Telnet is an insecure remote-access protocol that predates Secure Shell and transmits passwords in clear text. Where possible, provide access using Secure Shell (SSH, port 22) instead. There are some legitimate uses of telnet on campus for sharing data sets with external users. | Oct 16, 2018 |
| 37 | Time Protocol | The Time Protocol is obsolete; this port receives more than 200 GB of unsolicited inbound traffic per day. | Apr 10, 2019 |
| 88 | Kerberos | Kerberos is an authentication protocol, and this port is frequently the target of dictionary attacks in which many different passwords are attempted. Some cloud-based services require access to this port in order to authenticate customers; a cloud VPN solution may be needed as mitigation. | Apr 10, 2019 |
| 111 | ONC/Sun RPC | The Open Network Computing / Sun Remote Procedure Call service, commonly known as the port mapper, is often installed on Unix systems that provide NFS. It should not be exposed to the Internet, as it gives an attacker a way to consume resources and to access disk and other resources, potentially with very little authentication. | Oct 16, 2018 |
| | NetBIOS/SMB | Network Basic Input/Output System (NetBIOS) and Server Message Block (SMB) provide file sharing and related services over the network. These services are constantly under attack from off campus, are frequently vulnerable to exploits and malware, and can expose confidential or restricted data when improperly configured. | Apr 24, 2018 |
| | SNMP | Simple Network Management Protocol (SNMP) is a network management protocol commonly used to discover networks and expose device information. Campus network equipment is protected, but other legitimate on-campus users (e.g., printers) could be affected; printers should be on private IP addresses in any case. | Oct 16, 2018 |
| | LDAP | Lightweight Directory Access Protocol (LDAP) services are used for directory and authentication services, including Microsoft Active Directory. In some configurations the protocol sends your password in the clear, and the port is frequently the target of brute-force or dictionary (password-guessing) attacks. LDAP is discouraged for authentication because your credentials are exposed to the application you authenticate to (even when SSL or TLS is used). Other legitimate uses of LDAP, especially by cloud services, might be affected. | Oct 16, 2018 |
| 593 | RPC over HTTP | Remote Procedure Call (RPC) over HTTP is typically installed on Microsoft servers running Exchange. It should not be exposed to the Internet, for the same reasons as the ONC/Sun RPC port mapper above. | Oct 16, 2018 |
| 1900 | SSDP/Universal Plug and Play | Simple Service Discovery Protocol (SSDP) is used to discover Universal Plug and Play (UPnP) devices. This port is being used for amplification attacks. | Apr 10, 2019 |
| 3389 | RDP | Remote Desktop Protocol (RDP) is used for remote desktop connections to Windows computers. It is one of the most common targets of brute-force or dictionary (password-guessing) attacks. | Apr 24, 2018 |
| 5900 | VNC | Virtual Network Computing (VNC) is used for remote desktop connections to computers running a VNC server. | Apr 24, 2018 |
| | WinRM | Windows Remote Management (WinRM) can be used to execute commands remotely on Windows computers and is frequently misconfigured. | Oct 16, 2018 |
| 9100 | PDL data stream | Page Description Language (PDL) data stream, used by some network printers. This port is often used for DDoS attacks or to send malicious print jobs to the printer. | Oct 16, 2018 |
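To find out whether a host you run will be affected, compare its listening sockets against the numbered ports in the table. The script below is an added example, not UW-IT tooling: it parses the output of `ss -Hltun` on a Linux host (a constructed sample is embedded so it runs as-is; the `--live` flag and the made-up public address 198.0.0.5 are assumptions of the example) and reports listeners on blocked ports that are bound to a wildcard or other Internet-reachable address. Sockets bound to loopback or to RFC 1918 addresses are skipped, since they are not reachable from off campus with or without the block. The SMB, SNMP, LDAP and WinRM rows carry no port number on this page, so the script deliberately does not guess them.

```python
"""Report listening sockets that the UW border port blocks would make
unreachable from off campus.

Added example, not UW-IT tooling.  Input is `ss -Hltun` output (Linux);
a constructed sample is embedded so the script runs stand-alone.
"""
import ipaddress
import subprocess
import sys

# Ports the page lists by number.  The NetBIOS/SMB, SNMP, LDAP and WinRM rows
# carry no port number on the page, so they are intentionally not guessed here.
BLOCKED_PORTS = {
    19: "CHARGEN",
    21: "FTP",
    23: "Telnet",
    37: "Time Protocol",
    88: "Kerberos",
    111: "ONC/Sun RPC",
    593: "RPC over HTTP",
    1900: "SSDP/UPnP",
    3389: "RDP",
    5900: "VNC",
    9100: "PDL data stream",
}

# Constructed sample in the shape of `ss -Hltun` output
# (Netid State Recv-Q Send-Q Local:Port Peer:Port); 198.0.0.5 is a made-up
# public address used only to exercise the non-private branch.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22       0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:3389     0.0.0.0:*
tcp   LISTEN 0 5   127.0.0.1:5900   0.0.0.0:*
tcp   LISTEN 0 128 10.0.0.12:9100   0.0.0.0:*
tcp   LISTEN 0 128 [::]:21          [::]:*
udp   UNCONN 0 0   0.0.0.0:1900     0.0.0.0:*
udp   UNCONN 0 0   198.0.0.5:37     0.0.0.0:*
"""


def split_local(local):
    """Split ss's Local Address:Port column into (address, port).

    Handles IPv6 brackets ([::]:21) and scope suffixes (fe80::1%eth0).
    A non-numeric port is returned as None so the caller can skip it.
    """
    addr, _, port = local.rpartition(":")
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, (int(port) if port.isdigit() else None)


def reachable_from_internet(addr):
    """True if a socket bound to addr could receive traffic from the Internet.

    Wildcard binds count as reachable.  Loopback, RFC 1918 / ULA and
    link-local addresses are not routable from off campus regardless of
    the border block, so listeners there are not affected by it.
    """
    if addr in ("*", "0.0.0.0", "::"):
        return True
    ip = ipaddress.ip_address(addr)
    return not (ip.is_loopback or ip.is_private or ip.is_link_local)


def affected_listeners(ss_output):
    """Return (proto, addr, port, service) for each listener on a blocked
    port that is bound to an Internet-reachable address."""
    hits = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # header or blank line
        proto, local = fields[0], fields[4]
        addr, port = split_local(local)
        if port in BLOCKED_PORTS and reachable_from_internet(addr):
            hits.append((proto, addr, port, BLOCKED_PORTS[port]))
    return hits


if __name__ == "__main__":
    # `--live` runs ss on this host; otherwise the constructed sample is used.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        output = subprocess.run(["ss", "-Hltun"], capture_output=True,
                                text=True, check=True).stdout
    else:
        output = SAMPLE_SS_OUTPUT
    for proto, addr, port, service in affected_listeners(output):
        print(f"{proto} {addr}:{port} ({service}) will be unreachable from off campus")
```

Run on the sample, the script flags RDP on 0.0.0.0, FTP on the IPv6 wildcard, SSDP on UDP 1900 and the Time Protocol listener on the public address, and stays silent about the loopback-only VNC server and the printer on a 10.0.0.0/8 address. A hit means you need either to move the service to SSH/HTTPS as the table recommends, restrict it to on-campus or VPN clients, or request an exemption as described below.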
If alternative solutions for service impacts due to port blocking are not available or will take more time to develop, a request for an exemption may be made. For more information on exemptions, including recommendations for other important security measures, please contact UW-IT’s Service Center at email@example.com with the subject line: “Network Port Blocking.”
UW unit exemptions will require the approval of your unit’s dean, director, or chair. All requests for exemptions within UW Medicine will be forwarded to UW Medicine ITS for approval.
Detailed information on the blocks affecting RDP and SMB: UW Network Port Blocking Phase 1: Remote Desktop and File-Sharing Applications
If you need help or have any questions or concerns, please contact firstname.lastname@example.org with the subject line: “Network port blocking.”