University of Colorado at Boulder    

IT Security Information—Server Registration Details

   
 

Server Registration Details

If you manage a computer system that is accessed from the Internet, the following is important information that may require you to take action.

Currently, web (TCP 80 and 443), SSH (TCP 22), IMAPS (TCP 993), and POP3S (TCP 995) traffic is allowed by default from the Internet to the campus. Effective September 23, 2008, the IT Security Office will implement changes to block this type of traffic by default. Campus units that need to provide access from the Internet for those services can contact the IT Service Center to request an exception; however, departments are strongly encouraged to use the VPN service as an alternative to seeking a border firewall exception. The exceptions process is the same as the one followed for all other types of traffic from the Internet.

Visit the Firewall Frequently Asked Questions web page for more information.

To make a request for an exception the following information will be required:

  • IP Address
  • Service (e.g., SSH, HTTP, HTTPS, etc.)
  • Technical Contact Name
  • Technical Contact Phone
  • Technical Contact E-mail
  • Organizational Unit Head Name
  • Organizational Unit Head Phone
  • Organizational Unit Head E-mail
  • What academic or business need the application fulfills (e.g., research data shared with other partner institutions)

Providing the information above will help to ensure that requests can be completed on the same business day. The information can either be sent via e-mail to help@colorado.edu or by contacting the IT Service Center at (303) 735-4357 (5-HELP from a campus phone).

Other ports can be opened for specific systems where there is a legitimate academic or business need for the traffic and there are not any inherent risks to the request (e.g., insecure protocols, known vulnerabilities, etc.). Exceptions can also be made for research networks that have specialized academic needs.

To facilitate a smooth transition, those with Internet servers should examine each of their servers to determine the following:

  • Does the server need to be accessible to the whole Internet, or is VPN an alternative?
  • Current IP address of the device
  • Which TCP/IP ports need to be open
  • Does the traffic require a policy exception?

If you're not sure whether traffic on your system requires an exception, a good starting point is to run netstat, and note which ports are in a LISTENING state. On a Windows system "netstat -anob" will list the process ID (PID) and process name so that you can observe which applications are in a listening state. Lines which list ESTABLISHED show you the systems which are currently communicating with your server. An example is below:

Proto  Local Address      Foreign Address    State        PID   Name
TCP    128.138.1.1:135    0.0.0.0:0          LISTENING    1760  [svchost.exe]
TCP    128.138.1.1:445    0.0.0.0:0          LISTENING    4     [System]
TCP    128.138.1.1:22     0.0.0.0:0          LISTENING    1736  [sshd.exe]
TCP    128.138.1.1:1234   0.0.0.0:0          LISTENING    1834  [myservice.exe]
TCP    128.138.1.1:1234   128.138.1.2:7777   ESTABLISHED  1834  [myservice.exe]
TCP    128.138.1.1:1234   61.32.0.129:7777   ESTABLISHED  1834  [myservice.exe]

In the fourth line above you will see that SSH is running on this server. In this case no further action is required since SSH is allowed in from the Internet by default. However, the fifth line shows that "myservice.exe" is listening on port 1234. The next question you need to answer is whether that service needs to be accessible from the Internet. The next two lines show that the service is in fact currently being accessed both from an address on campus (128.138.1.2) and from an address on the Internet (61.32.0.129), which you may not want accessing "myservice.exe".
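The same review can be scripted. The following is an added example, not part of the original ITS page: it parses a listing in the simplified one-line layout shown above and reports, for each listening port, the owning process and whether its current peers are on campus or on the Internet. The 128.138.0.0/16 campus range and the names `audit` and `internet_facing` are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: campus address space, inferred from the 128.138.x.x hosts in the sample.
CAMPUS_NET = ipaddress.ip_network("128.138.0.0/16")
# Ports the page lists as allowed from the Internet by default before the change.
FORMERLY_OPEN = {22: "ssh", 80: "http", 443: "https", 993: "imaps", 995: "pop3s"}

# Constructed sample in the simplified one-line layout shown on this page.
SAMPLE = """\
Proto Local Address Foreign Address State PID Name
TCP 128.138.1.1:135 0.0.0.0:0 LISTENING 1760 [svchost.exe]
TCP 128.138.1.1:445 0.0.0.0:0 LISTENING 4 [System]
TCP 128.138.1.1:22 0.0.0.0:0 LISTENING 1736 [sshd.exe]
TCP 128.138.1.1:1234 0.0.0.0:0 LISTENING 1834 [myservice.exe]
TCP 128.138.1.1:1234 128.138.1.2:7777 ESTABLISHED 1834 [myservice.exe]
TCP 128.138.1.1:1234 61.32.0.129:7777 ESTABLISHED 1834 [myservice.exe]
"""

# Groups: local addr, local port, remote addr, remote port, state, PID, process name.
ROW = re.compile(r"^TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)\s+\[(.+?)\]\s*$", re.I)

def audit(text):
    """Map each listening TCP port to its process and current remote peers."""
    rows = [m.groups() for m in (ROW.match(l.strip()) for l in text.splitlines()) if m]
    report = {}
    for _, lport, _, _, state, pid, name in rows:
        if state.upper() == "LISTENING":
            report[int(lport)] = {"process": name, "pid": int(pid),
                                  "service": FORMERLY_OPEN.get(int(lport)),
                                  "campus": [], "internet": []}
    # Only connections to a listening port count; outbound sessions use other local ports.
    for _, lport, raddr, _, state, _, _ in rows:
        entry = report.get(int(lport))
        if entry and state.upper() == "ESTABLISHED":
            peer = ipaddress.ip_address(raddr.strip("[]"))
            entry["campus" if peer in CAMPUS_NET else "internet"].append(str(peer))
    return report

def internet_facing(report):
    """Ports with at least one off-campus peer: candidates for VPN or an exception."""
    return sorted(port for port, e in report.items() if e["internet"])

if __name__ == "__main__":
    result = audit(SAMPLE)
    for port, e in sorted(result.items()):
        print(port, e["process"], "campus:", e["campus"], "internet:", e["internet"])
    print("review for VPN or exception:", internet_facing(result))
```

Actual "netstat -anob" output prints the bracketed process name on the line after each connection, so join each pair of lines before passing the text to `audit`.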

You can reach the IT Service Center at help@colorado.edu or (303) 735-HELP (5-4357 from a campus phone).

Contact Information
Campus IT Security Office
(303) 735-HELP
security@colorado.edu

 

 

Last reviewed: September 17, 2008
