Because of the increasing level of hostile activity and security threats directed toward Penn State's computing resources, ITS blocks selected TCP/UDP ports from the campus border to the Internet.
As a teaching and research institution, Penn State has provided unrestricted access to the University's internal network from the Internet for the convenience of remote users such as students living off campus, traveling faculty, and telecommuting employees, who connect to the University's network using a third-party Internet Service Provider (ISP) connection such as DSL or a cable modem. Unfortunately, this open access has resulted in an ever-increasing number of "attacks" that present serious risks for the University's large number of computers; even if no systems were vulnerable to password guessing and other exploits, these attacks sometimes generate enough congestion to slow local network and computer operations.
Records indicate that several thousand individual probes to computers attached to Penn State’s internal network occur on a daily basis, and hundreds of break-ins are being directly attributed to these hostile probes. The majority of these hostile probes are scanning computers for vulnerabilities in TCP/UDP ports that are uniquely associated with file and printer sharing applications running on a Microsoft operating system. Having Microsoft file and printer sharing ports available to the Internet also exposes usernames and passwords, subjecting the University to the threat of brute-force password guessing.
The probes against Penn State are due in part to deliberate, non-automated attacks, as well as the advent of some very prolific hacking tools. Some of these tools attempt to guess username/password combinations, or even enumerate local account names and then attempt to guess passwords for accounts identified this way. The result is that in addition to the annoyance and inconvenience these attacks cause system administrators and the owners of vulnerable systems, they can also have the effect of locking out legitimate logins after repeated incorrect password guesses. These attacks consume a large portion of network traffic and affect all computers at Penn State, even those systems not vulnerable to password guessing and other exploits, by making Penn State internal networks and computers run slowly.
Numerous hacking tools now available can allow an attacker to gain full control over a Windows system with a weak password. Once attackers gain control of a computer, they may add, remove, and modify data and applications on the system. They may also use it as part of massive distributed networks to store illegal, pirated files or they may use it to attack or disable other computers elsewhere on the Internet.
This has become a widespread problem, and educational institutions like Penn State are particularly attractive targets because of our robust network and our open borders. As a result, Microsoft Networking traffic on certain TCP and UDP ports, both inbound and outbound, will no longer be permitted to enter or exit campus through the border router.
Computer users who use a non-Penn State network connection to access Windows and Windows-like file services at Penn State, including the PASS space via the PASS gateway, the UDrive, or shared folders on college, departmental, and private computers, are affected by the protective measures. Traffic using the blocked ports, typically for Windows file and printer sharing, will no longer be permitted to pass through the border router in either direction. A "non-Penn State network connection" means that the computer is connecting from outside the psu.edu domain with a network IP address other than 128.118.x.x, 146.186.x.x, 130.203.x.x, 150.231.x.x, or 66.71.1.x to 66.71.127.x. Such a connection is typically made through an Internet Service Provider (ISP) connection such as DSL or a cable modem.
For information on which ports are used by Windows NT, Terminal Server, and Microsoft Exchange Services, refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;150543.
The following services are not affected:
- On-campus Windows file and printer sharing
- Dial-up through Penn State modems
- Most applications, such as Web servers, mail, remote desktop, FTP, and SSH
Computer users who use a non-Penn State network connection to access Windows and Windows-like file services as described above must do so in combination with the Penn State Anywhere Virtual Private Network (VPN) service. This service is free of charge and enables your remote computer to appear to be part of the Penn State network. Two additional benefits include encryption of all data between your computer and Penn State and easier access to services that are restricted to Penn State IP addresses. A valid Access Account is needed to download the VPN client software and use the service. Installation packages for the Windows and Macintosh OS X clients have been customized with the setup needs for Penn State users.
When a connection is established over the Internet using the VPN client software, the VPN server on the Penn State side assigns a Penn State IP address to the remote client computer. The VPN client sends all network communications between the remote computer and Penn State out by way of the VPN server for the duration of the VPN session and encrypts the content. This allows the remote network connections to appear as though they originate from a Penn State campus system. (Please note that all traffic directed from the remote computer to another system outside of Penn State is unaffected and does not travel through the VPN; therefore, when using the VPN, navigation to a site outside of the Penn State domain will not be encrypted, and the traffic will not be re-routed to Penn State in the process of connecting to the site.)
If you encounter problems when attempting to connect to the VPN server, contact your Internet Service Provider (ISP) to inquire about VPN policies.
For more information, visit the Penn State Anywhere VPN Services Web site at http://aset.its.psu.edu/vpn/.
List of Blocked Ports
Because of the increasing level of hostile activity and security threats directed toward Penn State's computing resources, ITS now blocks (filters) selected TCP/UDP ports from the campus border to the Internet. Protective measures began July 28, 2003, and will continue as needed in order to help protect University resources. The following ports are blocked:
- 25 (blocked outbound, with exceptions for registered servers)
- 42 (blocked because of a vulnerability in the Microsoft Internet Name Service, see http://support.microsoft.com/kb/890710/EN-US/, and because of dramatically increased probes to port 1433 relating to MS SQL Server vulnerabilities, see http://www.kb.cert.org/vuls/id/635463)
- 69 (blocked to help inhibit the threat of the RPC-DCOM Worm; for more information, see http://tms.symantec.com/ and http://isc.sans.org/)
- 135 (this affects Microsoft Exchange users at Internet Service Providers outside Penn State who attempt to access Penn State Exchange servers; these users are required to use the Penn State Anywhere Virtual Private Network (VPN) service or a dial-up connection)
- 1433 (blocked inbound and outbound)
- 3389 (see the alert "Serious Vulnerability in Microsoft Remote Desktop")
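To make the rules on this page concrete, the following is an added example (not ITS's own border or VPN configuration) that models the Penn State address ranges, the directional port list, and the VPN's split-tunnel behaviour, so that an administrator can predict whether a given flow will be filtered. The registered mail server address is a constructed placeholder.

```python
import ipaddress
from typing import Optional

# Penn State address space as listed in the notice. 66.71.1.x - 66.71.127.x is
# not a single CIDR block, so it is modelled as an explicit inclusive range.
PSU_NETWORKS = [ipaddress.ip_network(n) for n in
                ("128.118.0.0/16", "146.186.0.0/16", "130.203.0.0/16", "150.231.0.0/16")]
PSU_RANGE_66 = (ipaddress.ip_address("66.71.1.0"), ipaddress.ip_address("66.71.127.255"))

# Destination-port policy from the list of blocked ports.
# "both" = filtered in either direction; "outbound" = only traffic leaving campus.
BLOCKED_PORTS = {25: "outbound", 42: "both", 69: "both", 135: "both", 1433: "both", 3389: "both"}

# Constructed placeholder: the notice exempts registered servers from the port 25 block.
REGISTERED_MAIL_SERVERS = {ipaddress.ip_address("128.118.0.25")}


def is_psu_address(addr: str) -> bool:
    """True if addr falls inside the Penn State ranges the notice enumerates."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in PSU_NETWORKS):
        return True
    return PSU_RANGE_66[0] <= ip <= PSU_RANGE_66[1]


def border_verdict(src: str, dst: str, dst_port: int) -> str:
    """Return 'allow', 'block', or 'not-border' for a flow src -> dst:dst_port."""
    src_psu, dst_psu = is_psu_address(src), is_psu_address(dst)
    if src_psu == dst_psu:
        return "not-border"  # on-campus or Internet-only traffic never crosses the filter
    direction = "outbound" if src_psu else "inbound"
    policy = BLOCKED_PORTS.get(dst_port)
    if policy is None:
        return "allow"
    if dst_port == 25 and src_psu and ipaddress.ip_address(src) in REGISTERED_MAIL_SERVERS:
        return "allow"  # registered mail server exception
    return "block" if policy in ("both", direction) else "allow"


def effective_source(remote_ip: str, dst: str, vpn_ip: Optional[str]) -> str:
    """Split tunnelling as described: only traffic bound for Penn State rides the VPN
    and therefore appears to come from the Penn State address the VPN server assigned."""
    if vpn_ip is not None and is_psu_address(dst):
        return vpn_ip
    return remote_ip
```

With the VPN assigned address in place, a file-sharing connection from an ISP address to a campus host is evaluated as on-campus traffic and is no longer subject to the border filter.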