Vulnerable Networking Ports Blocked
This page contains information about ports that are blocked at the campus firewall.
Introduction
The Chief Information Officer of the University of Illinois has approved blocking specific vulnerable ports at the entrance and/or exit to the campus network. These blocks are due to an increase in the number of network-based security vulnerabilities seen on campus, and follow a recommendation by the Department of Homeland Security.
In an effort to provide a stable networking environment and deter certain classes of security breaches on campus, a limited number of networking ports will be blocked at the campus entrance and/or exit.
Internal, on-campus traffic not affected
Please note that traffic that remains internal to the UIUC campus will not be affected by these blocks. If you are using one of these ports to communicate with another system inside the UIUC campus network, the campus-perimeter firewall blocks will not interrupt that communication. Only units wishing to share files with off-campus users may encounter problems with these blocks.
Affected ports and services
The following ports will be blocked at the campus firewall to prevent assault on the UIUC network from external sources through known exploits:
- Ports 135, 137, 138, and 139 TCP and UDP: Microsoft NetBIOS
  Blocked: Both in and out.
  These ports are primarily involved with Windows file and print sharing for Windows 95/98/ME/NT, including Microsoft Exchange servers and Microsoft Outlook clients.
- Ports 161-162: SNMP
  Blocked: In only.
  These ports are most frequently associated with SNMP, a network monitoring protocol. Due to ongoing security vulnerabilities, these ports are blocked from entering the campus network, but are allowed to exit.
- Port 445 TCP and UDP
  Blocked: Both in and out.
  This port is involved with file sharing for Windows 2000/XP and 2003 machines.
- Ports 1434 and 41170: Denial of service file sharing
  Blocked: Both in and out.
  The file sharing programs that used these ports were known to cause denial of service (DoS) attacks on certain hardware. Note that exceptions will not be made to permit traffic to pass on these two ports except in extraordinary circumstances. If you believe these blocks may be causing problems for a particular application, please contact the CITES Operations Center.
Although this should not affect the overwhelming majority of campus network traffic, this may cause some communication issues for some particular campus units. The campus VPN service can be used to re-establish this connectivity safely and securely.
If your department needs an exemption from these blocks
If the blocks will negatively impact the functioning of your unit, and you have not already requested an exemption, please have the network administrator contact the CITES Operations Center and request that your unit also be exempted.
Note that ports 1434 and 41170 will not be unblocked in the majority of cases. All the other ports on the blocking list can have exceptions made when necessary for academic and research purposes.
Note also that machines located at the University of Illinois at Chicago and at Springfield are not on-campus systems in relation to the placement of the UIUC firewalls, and the other campuses cannot be exempted from the UIUC campus-perimeter firewall blocks. Networking traffic from UIC and UIS on these ports is blocked just as any other off-campus traffic would be.


