QuickConnect and security
UIUCnet QuickConnect is designed for simple access to common services which do not distribute passwords in unencrypted form. It does not provide inherent security of its own, unlike the VPN server's client-to-server encryption.
UIUCnet QuickConnect is designed to provide security at one point -- the login process, when you provide your Network ID and Active Directory password. Then it steps aside and lets the communication take place directly.
After you've logged in, an authentication cookie is stored on your system, and the servers check to make sure you're still connected once in a while. QuickConnect doesn't place an additional layer of encryption around your network communications the way the VPN does. This is good for connection speed and for simplicity of use: you can securely authenticate through any SSL-capable browser and then continue as usual.
However, for UIUCnet Wireless users, this also means that QuickConnect does not provide the constant networking security between your wireless card and an on-campus server that VPN users receive. After the initial authentication, all wireless communication through a QuickConnect network session can be "sniffed" like any other unencrypted wireless networking. (More information about the VPN security model is also available.)
UIUCnet Walkup users aren't quite as vulnerable to sniffing. It's more difficult for a hacker to intercept communication traveling across a series of wires than to intercept everything passing through the air around an access point. However, it's still possible.
So, in order to keep critical password information as secure as possible, UIUCnet QuickConnect access is restricted. When you use QuickConnect, you can only perform network communication that shouldn't require a password or that is already secured by other means. Some types of networking connections will be blocked by QuickConnect. More details are given below.
Permitted connections
Network communications which have been approved for use through UIUCnet QuickConnect include:
- Regular web pages (beginning with http://)
If a web page begins with http:// rather than https://, it should never ask you for any kind of password. If you provide a password to a plain http:// web page, that password may be compromised.
- Secure web pages (beginning with https://)
Web pages which are designed to receive passwords, such as CITES Express Email, CITES NetFiles, and the UIUCnet QuickConnect authentication page itself, should always begin with https://. Your browser will show a little closed lock somewhere on the edge of the window to indicate that the web page is being secured by SSL encryption.
- Some instant messaging clients (AIM, MSN Messenger)
UIUCnet QuickConnect will permit some instant messaging clients to communicate. AIM and MSN Messenger will work correctly. Note that Yahoo Messenger may or may not work, because it connects on several ports, including the telnet and FTP ports that have been specifically prohibited.
- SSH and SFTP (Secured shell and file transfer protocols)
SSH is an encrypted, secure replacement for the insecure telnet protocol, and SFTP is an encrypted, secure replacement for the insecure FTP protocol. All UIUC students, faculty, and staff are eligible to download free SSH and SFTP clients for their operating system from the Software WebStore. Instructions for installation and use are also provided.
- Secured POP and IMAP (email access)
Recognizing the need for secure alternatives to the original, insecure POP and IMAP protocols, many email clients now include support for SSL-secured POP and IMAP. In order to send and receive mail securely, both your mail client (what you see on your computer) and your mail server (where you get your email from) must be able to communicate through either an SSL-secured web interface or through SSL-secured POP or IMAP.
CITES Express Email supports all three secure options with a variety of clients. (More configuration information is available.) Many third-party email providers also support the secured email options. However, if you encounter problems sending or receiving mail while using UIUCnet QuickConnect, either your system or the third-party email provider may be using an insecure POP or IMAP connection. In these cases, you'll need to use the VPN client in order to access your email.
For a list of specific ports which are permitted through QuickConnect, see the port list.
Denied connections
If a networking type is not specifically listed as "permitted" above, then it is denied in order to protect network security. This "allow some, deny the rest" approach is designed to protect both you and your network neighbors: if a virus is attempting to spread itself on random ports, and most of the ports are blocked on UIUCnet QuickConnect, then your chances of being infected drop drastically. In addition, if passwords are only communicated over channels which are encrypted from end to end, then there is a much lower chance of someone else intercepting your password and using it to impersonate you.
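The "allow some, deny the rest" policy described above, as an added example (not CITES' actual filter or its port list): a small Python policy evaluator run over constructed flow-log lines. Ports 80, 8080, 443, 515 and 631 are from this page; the other port numbers are the standard IANA assignments for the protocols the page names, and the log line format is hypothetical.

```python
import re
from collections import Counter

# Allow-list keyed by (transport, port); anything absent is denied. 80/8080/443/515/631
# are on the page; 22/993/995 are the IANA ports for SSH+SFTP, IMAPS, POP3S (assumed).
PERMITTED = {
    ("tcp", 80): "http", ("tcp", 8080): "http (alternate port)", ("tcp", 443): "https",
    ("tcp", 22): "ssh/sftp", ("tcp", 993): "imaps", ("tcp", 995): "pop3s",
    ("tcp", 515): "lpd printing", ("tcp", 631): "ipp printing",
}
# Named denials (standard ports, assumed) so a report can say why, not just "blocked".
EXPLICITLY_DENIED = {
    ("tcp", 23): "telnet (cleartext password)", ("tcp", 21): "ftp (cleartext password)",
    ("tcp", 110): "pop3 (cleartext password)", ("tcp", 143): "imap (cleartext password)",
    ("tcp", 445): "microsoft networking (smb)",
}

def check_flow(transport: str, port: int) -> tuple[bool, str]:
    """Decide one connection attempt; unlisted ports fall through to default deny."""
    key = (transport.lower(), port)
    if key in PERMITTED:
        return True, f"permitted: {PERMITTED[key]}"
    if key in EXPLICITLY_DENIED:
        return False, f"denied: {EXPLICITLY_DENIED[key]}"
    return False, "denied: not on allow-list (default deny)"

# Hypothetical flow-log line format: "<proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(r"^(?P<proto>tcp|udp)\s+\S+\s*->\s*\S+:(?P<port>\d+)$")

def evaluate_log(lines: list[str]) -> list[tuple[str, bool, str]]:
    """Apply the policy to each well-formed log line; malformed lines are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            allowed, reason = check_flow(m["proto"], int(m["port"]))
            out.append((line.strip(), allowed, reason))
    return out

def denial_summary(decisions: list[tuple[str, bool, str]]) -> Counter:
    # Denied flows per reason; the default-deny bucket is where random-port noise lands.
    return Counter(reason for _, allowed, reason in decisions if not allowed)

# Constructed sample log (one laptop's outbound attempts, not real traffic).
SAMPLE_LOG = [
    "tcp 10.0.0.5:51234 -> 192.0.2.10:443",   # secure web page: permitted
    "tcp 10.0.0.5:51235 -> 192.0.2.11:23",    # telnet: explicitly blocked
    "tcp 10.0.0.5:51236 -> 192.0.2.12:445",   # Microsoft networking: needs the VPN
    "tcp 10.0.0.5:51237 -> 192.0.2.13:22",    # SSH: permitted
    "udp 10.0.0.5:51238 -> 192.0.2.14:1900",  # unlisted: default deny
]
```

Running `denial_summary(evaluate_log(SAMPLE_LOG))` gives one entry per denial reason, which is the view a network operator would want: named blocks separated from the default-deny bucket that absorbs random-port traffic.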
Some common types of networking have been specifically denied on the UIUCnet QuickConnect network; they are listed under "Use the VPN when" in the summary table below.
QuickConnect vs VPN summary table
Use QuickConnect when:
- You're using common network protocols through UIUCnet Wireless or UIUCnet Walkup
- You're Web browsing:
  - You're using any CITES EdTech class courseware servers
- You're using certain Instant Messaging clients (including AIM and MSN Messenger)
- You're using secure methods to check your email (including the Express Email web interface)
- You're using WebDAV (for example, NetFiles' WebDAV interface or Dreamweaver file management)
- You're using secure protocols:
  - SSH for shell sessions
  - SFTP for file transfer
  - Secure POP/IMAP for email
- You're printing to a printer which accepts QuickConnect connections and uses the LPD port (515) or the Internet Printing Protocol port (631).
Use the VPN when:
- You're connected to a wireless or wired network which is not UIUCnet, and you need to use UIUCnet-restricted resources.
- You need to use Microsoft networking, including:
  - Printers shared on a Microsoft network
  - Microsoft Outlook or Exchange
  - Network Neighborhood
- You're using an Instant Messaging client that uses a blocked port such as telnet or FTP (including Yahoo Messenger)
- You're watching a video stream or listening to an audio stream over the Internet.
- You need to use non-secure POP or IMAP to check your email.
- You need to use a website that's running on a nonstandard port (a port other than 80, 8080, or 443).
- You need to use telnet, FTP, or any other insecure protocol which is not supported by QuickConnect.
- You're printing to a printer which does not accept QuickConnect connections or is only available through Microsoft networking.