Firewall - Technical Information & Server Registration

Last Updated: 02/11/2014

CU-Boulder is "closed" network meaning that, by default, traffic is not allowed into the campus network with the following exceptions:

  • IP Security Protocol (IP protocol ID 50, IP protocol ID 51, UDP port 500)

*NOTE: None of these changes impact outgoing Internet traffic (for example, web browsing, connecting to external mail servers, etc) only traffic from the Internet attempting to connect to campus systems is affected.

Server Registration Details

If you manage a computer system which is accessed from the Internet, the following is important information that may require you take action.

Campus units that need to provide access from the Internet for those services can use an online form to request an exception; however, departments are strongly encouraged to use the VPN service as an alternative to seeking a border firewall exception.  The exceptions process is the same as is followed for all other types of traffic from the Internet. 

Visit the Firewall Frequently Asked Questions web page for more information.

Other ports can be opened for specific systems where there is a legitimate academic or business need for the traffic and there are not any inherent risks to the request (e.g., insecure protocols, known vulnerabilities, etc.). Exceptions can also be made for research networks that have specialized academic needs.
To facilitate a smooth transition those with Internet servers should examine each of their servers to determine the following:

  • Does the server need to be accessible to the whole Internet or is VPN an alternative
  • Current IP address of the device
  • Which TCP/IP or UDP/IP ports need to be open
  • Does the traffic require a policy exception

If you're not sure whether traffic on your system requires an exception, a good starting point is to run netstat, and note which ports are in a LISTENING state. On a Windows system "netstat -anob" will list the process ID (PID) and process name so that you can observe which applications are in a listening state. Lines which list ESTABLISHED show you the systems which are currently communicating with your server. An example is below:

Proto Local Address Foreign Address State PID Name
TCP 128.138.1.1:135 0.0.0.0:0 Listening 1760 [svchost.exe]
TCP 128.138.1.1:445 0.0.0.0:0 Listening 4 [System]
TCP 128.138.1.1:22 0.0.0.0:0 Listening 1736 [sshd.exe]
TCP 128.138.1.1:1234 0.0.0.0:0 Listening 1834 [myservice.exe]
TCP 128.138.1.1:1234 128.138.1.2:7777 Listening 1834 [myservice.exe]
TCP 128.138.1.1:1234 61.32.0.129:7777 Listening 1834 [myservice.exe]

In the third line above you will see that SSH is running on this service. In this case no further action is required since SSH is allowed in from the Internet by default. However, the fourth line shows that "Myservice.exe" is listening on port 1234. The next question you need to answer is if that service needs to be accessible from the Internet. The next two lines show that the service is in fact currently being accessed both from an address on campus (128.138.1.2) and an address on the Internet (but then perhaps you don't want 61.32.0.129 accessing "Myservice.exe").

You can reach the IT Service Center at help@colorado.edu or (303) 735-HELP (5-4357 from a campus phone).

Contact Information
Campus IT Security Office
(303) 735-HELP
security@colorado.edu