
Network - Firewall Information
online resources for network and voice services

Technical Information

The campus border firewall is part of a comprehensive and broad-based information technology security program for the Boulder campus. If you need access to an on-campus service like Windows Remote Desktop, you must use a VPN client to connect to your computer or other campus resource. To learn more about using the campus's VPN client, and to download the client at no cost, go to www.colorado.edu/its/vpn.

CU-Boulder is a "closed" network, meaning that, by default, traffic is not allowed into the campus network, with the following exceptions:

  • Web traffic (HTTP on tcp port 80 and HTTPS on tcp port 443)
  • POP and IMAP (POP3S on tcp port 995 and IMAPS on tcp port 993)
  • Secure Shell (SSH on tcp port 22)
  • Secure FTP (ftps tcp & udp port 990, ftps-data tcp & udp port 989)
  • IP Security Protocol (IP protocol ID 50, IP protocol ID 51, UDP port 500)

PLEASE NOTE: None of these changes impact outgoing Internet traffic (for example, web browsing, connecting to external mail servers, etc.); only traffic from the Internet attempting to connect to campus systems is affected.

If you manage a computer system which is accessed from the Internet, the following is important information that may require you to take action.

Other ports can be opened for specific systems where there is a legitimate academic or business need for the traffic and there are not any inherent risks to the request (e.g., insecure protocols, known vulnerabilities, etc.). Exceptions can also be made for research networks that have specialized academic needs.

To facilitate a smooth transition, those with Internet servers should examine each of their servers to determine the following:

  • Does the server need to be accessible to the whole Internet, or is VPN an alternative?
  • The current IP address of the device
  • Which TCP/IP ports need to be open
  • Does the traffic require a policy exception?

If you're not sure whether traffic on your system requires an exception, a good starting point is to run netstat, and note which ports are in a LISTENING state. On a Windows system "netstat -anob" will list the process ID (PID) and process name so that you can observe which applications are in a listening state. Lines which list ESTABLISHED show you the systems which are currently communicating with your server. An example is below:

Proto  Local Address      Foreign Address     State        PID   Name
TCP    128.138.1.1:135    0.0.0.0:0           LISTENING    1760  [svchost.exe]
TCP    128.138.1.1:445    0.0.0.0:0           LISTENING    4     [System]
TCP    128.138.1.1:22     0.0.0.0:0           LISTENING    1736  [sshd.exe]
TCP    128.138.1.1:1234   0.0.0.0:0           LISTENING    1834  [myservice.exe]
TCP    128.138.1.1:1234   128.138.1.2:7777    ESTABLISHED  1834  [myservice.exe]
TCP    128.138.1.1:1234   61.32.0.129:7777    ESTABLISHED  1834  [myservice.exe]

In the fourth line above you will see that SSH (sshd.exe) is listening on this server. In this case, no further action is required, since SSH is allowed in from the Internet by default. However, the fifth line shows that "myservice.exe" is listening on port 1234. The next question you need to answer is whether that service needs to be accessible from the Internet. The next two lines show that the service is in fact currently being accessed both from an address on campus (128.138.1.2) and from an address on the Internet (61.32.0.129), and perhaps you don't want that address accessing "myservice.exe" at all. If you decide that "myservice.exe" does need to be accessible from the Internet, you will need to provide the following information to the IT Service Center:

  • The port used by your application (in this case tcp 1234)
  • A description of the service and the data accessed by the service (e.g., custom web application, specialized data acquisition software, etc.)
  • What academic or business need the application fulfills (e.g., research data shared with other partner institutions)
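The review described above (which listening ports fall outside the default-allowed list, and which established connections come from off campus) is easy to automate once the netstat output has been saved to a file. The script below is an added example, not part of the original page or of OIT's tooling; it assumes the campus address space is 128.138.0.0/16 and only handles the TCP/IPv4 lines that "netstat -anob" prints.

```python
import ipaddress
import re

# TCP ports the border firewall allows in from the Internet by default (from the list above).
DEFAULT_ALLOWED_TCP = {80, 443, 995, 993, 22, 990, 989}
# Assumption: the campus IPv4 address space used to tell on-campus from Internet peers.
CAMPUS_NET = ipaddress.ip_network("128.138.0.0/16")

# Constructed sample: the "netstat -anob" excerpt shown on this page, saved as text.
NETSTAT_OUTPUT = """\
Proto Local Address Foreign Address  State PID Name
TCP 128.138.1.1:135 0.0.0.0:0 LISTENING 1760 [svchost.exe]
TCP 128.138.1.1:445 0.0.0.0:0 LISTENING 4 [System]
TCP 128.138.1.1:22  0.0.0.0:0 LISTENING 1736 [sshd.exe]
TCP 128.138.1.1:1234 0.0.0.0:0 LISTENING 1834 [myservice.exe]
TCP 128.138.1.1:1234 128.138.1.2:7777 ESTABLISHED 1834 [myservice.exe]
TCP 128.138.1.1:1234 61.32.0.129:7777 ESTABLISHED 1834 [myservice.exe]
"""

# One TCP/IPv4 row: proto, local ip:port, foreign ip:port, state, PID, [process name].
LINE_RE = re.compile(r"^TCP\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(\w+)\s+(\d+)\s+\[(.+?)\]$")


def parse_netstat(text):
    """Yield (local_port, foreign_ip, state, pid, process) for each TCP row; skip headers."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _lip, lport, fip, _fport, state, pid, name = m.groups()
            yield int(lport), fip, state, int(pid), name


def review(text):
    """Classify listeners that need a policy exception and connections from off campus."""
    needs_exception = {}  # port -> process name, for listeners not allowed by default
    offcampus = set()     # (process name, foreign ip) for ESTABLISHED peers outside campus
    for port, fip, state, _pid, name in parse_netstat(text):
        if state == "LISTENING" and port not in DEFAULT_ALLOWED_TCP:
            needs_exception[port] = name
        elif state == "ESTABLISHED" and ipaddress.ip_address(fip) not in CAMPUS_NET:
            offcampus.add((name, fip))
    return {"needs_exception": needs_exception, "offcampus": offcampus}


if __name__ == "__main__":
    result = review(NETSTAT_OUTPUT)
    for port, name in sorted(result["needs_exception"].items()):
        print(f"tcp {port} ({name}) is listening and is not allowed by default")
    for name, ip in sorted(result["offcampus"]):
        print(f"{name} is currently being accessed from the Internet address {ip}")
```

For the sample above, ports 135, 445 and 1234 are reported as needing an exception (sshd on 22 is not), and myservice.exe is flagged for its connection from 61.32.0.129.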

Get Help

IT Service Center
303-735-4357 (5-HELP)
help@colorado.edu


Last reviewed: August 27, 2009
