CU-Boulder operates a "closed" network, meaning that, by default, traffic from the Internet is not allowed into the campus network, with the following exceptions:
*NOTE: None of these changes affect outgoing Internet traffic (for example, web browsing or connecting to external mail servers); only traffic from the Internet attempting to connect to campus systems is affected.
If you manage a computer system that is accessed from the Internet, the following is important information that may require you to take action.
Campus units that need to provide access from the Internet for those services can use an online form to request an exception; however, departments are strongly encouraged to use the VPN service as an alternative to seeking a border firewall exception. The exceptions process is the same as is followed for all other types of traffic from the Internet.
Visit the Firewall Frequently Asked Questions web page for more information.
Other ports can be opened for specific systems where there is a legitimate academic or business need for the traffic and the request carries no inherent risks (e.g., insecure protocols, known vulnerabilities, etc.). Exceptions can also be made for research networks that have specialized academic needs.
To facilitate a smooth transition, those with Internet-facing servers should examine each of their servers to determine the following:
If you're not sure whether traffic on your system requires an exception, a good starting point is to run netstat and note which ports are in a LISTENING state. On a Windows system, "netstat -anob" lists the process ID (PID) and process name, so you can see which applications are listening. Lines marked ESTABLISHED show the systems that are currently communicating with your server. An example is below:
Proto | Local Address | Foreign Address | State | PID | Name
In the third line above you will see that SSH is running on this server. In this case no further action is required, since SSH is allowed in from the Internet by default. However, the fourth line shows that "Myservice.exe" is listening on port 1234. The next question you need to answer is whether that service needs to be accessible from the Internet. The next two lines show that the service is in fact currently being accessed both from an address on campus (126.96.36.199) and from an address on the Internet (and perhaps you don't want 188.8.131.52 accessing "Myservice.exe").
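As an added example (not part of the campus notice), the Python script below parses constructed `netstat -anob`-style output like the one described above, flags listeners whose port is not among the default-allowed ports (only SSH/22 is assumed here), and classifies the peers of ESTABLISHED connections as campus or Internet. The campus prefix, process names and addresses are assumptions made for the example.

```python
"""Audit Windows `netstat -anob` output for listeners that may need a firewall exception."""
import ipaddress
import re

# Ports the notice says are open at the border by default (SSH); extend as needed.
DEFAULT_ALLOWED_PORTS = {22}
# Assumed campus prefix, used only to tell campus peers from Internet peers.
CAMPUS_NETS = [ipaddress.ip_network("128.138.0.0/16")]

# Constructed sample: each socket line is followed by the owning process in brackets.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING       1212
 [sshd.exe]
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING       4321
 [Myservice.exe]
  TCP    128.138.1.5:1234       128.138.200.7:50123    ESTABLISHED     4321
 [Myservice.exe]
  TCP    128.138.1.5:1234       203.0.113.45:61022     ESTABLISHED     4321
 [Myservice.exe]
  UDP    0.0.0.0:5353           *:*                                    900
 [mdns.exe]
"""

# UDP rows have no State column, so the state group is optional.
SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
NAME_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text):
    """Return (proto, local, foreign, state, pid, process) tuples from -anob output."""
    records, pending = [], None
    for line in text.splitlines():
        sock = SOCKET_RE.match(line)
        if sock:
            pending = sock.groups()
            continue
        name = NAME_RE.match(line)
        if name and pending is not None:
            records.append(pending + (name.group(1),))
            pending = None
    return records

def local_port(addr):
    """Port number of an IPv4 'host:port' string."""
    return int(addr.rpartition(":")[2])

def audit(text):
    """Return (listeners needing review by port, established peers by local port)."""
    needs_review, peers = {}, {}
    for proto, local, foreign, state, _pid, proc in parse_netstat(text):
        port = local_port(local)
        # A bound UDP socket shows '*:*' as its foreign address instead of LISTENING.
        if (state == "LISTENING" or (proto == "UDP" and foreign == "*:*")) \
                and port not in DEFAULT_ALLOWED_PORTS:
            needs_review[port] = proc
        elif state == "ESTABLISHED":
            host = ipaddress.ip_address(foreign.rpartition(":")[0])
            origin = "campus" if any(host in n for n in CAMPUS_NETS) else "internet"
            peers.setdefault(port, []).append((str(host), origin))
    return needs_review, peers
```

Feed it the real output of `netstat -anob` (run from an elevated prompt) instead of the sample; ports listed in the first result are candidates for either closing, moving behind the VPN, or an exception request.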
Campus IT Security Office