For the past few years, Colorado State University has increased security by blocking traffic into campus for a number of specific services unless exceptions were requested. Analysis of recent system compromise incidents indicates that the time has come to raise the bar.
Following recommendations from the campus IT security technical advisory committee as well as support from IT coordinators and subnet managers, ACNS implemented a new "default deny unless explicitly permitted" policy effective February 21, 2005.
Thus, all traffic into campus is blocked, except for specific exceptions requested by subnet managers and the following global exceptions:
- Echo-replies: permitting inbound echo-replies allows on-campus machines to ping off-campus machines and receive the reply.
- UDP port 500 and IP protocol 50: permitting this inbound traffic allows IPSec VPN connections. Please keep in mind that this only applies to straightforward IPSec tunnels. It is possible, mostly to get around NATs, that the VPN session is tunneled over TCP or UDP. In that case the exact TCP or UDP port is configurable on the VPN server, and we still need to negotiate firewall exceptions on a case-by-case basis.
As one might imagine with such a large endeavor, a few problems may arise. If you use or maintain a network application that is experiencing problems as a result of this change, please coordinate with the subnet manager for your network as soon as possible so that ACNS may make an exception and solve the problem. Subnet managers may request specific exceptions for applications critical to the educational and business functions in their area. Such requests should be directed to firstname.lastname@example.org.
If you are experiencing problems using FTP to an off-campus server, you may be able to solve the problem yourself. FTP has two data-connection modes: active and passive. In active mode the server opens the data connection back to your machine, which is exactly the kind of inbound connection the border now blocks; in passive mode your client opens both connections outward. Your FTP client therefore needs to be configured to use passive mode in order to work with the new security at the campus border. Some older FTP clients don't support passive FTP, most notably the Windows ftp.exe client. Firefox and Internet Explorer, however, support passive FTP, generally by default. If you are having problems with Internet Explorer and FTP, click 'Tools', then 'Options', and find the 'Advanced' tab. Look for the "Use Passive FTP" option and select it. For other clients, finding the option to switch to passive mode should in general fix active/passive FTP issues.
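To make the effect of the new policy concrete, here is an added model (not ACNS's configuration or code) of a stateless "default deny unless explicitly permitted" inbound filter with the two global exceptions listed above, and of why active FTP fails through it while passive FTP works. It assumes, as many router ACLs do, that TCP replies to campus-initiated sessions are admitted by an "established" style check on the ACK flag; the port numbers are constructed sample values.

```python
from dataclasses import dataclass

# Constructed packet model: only the fields the border rules look at.
@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp" or "esp"
    dport: int = 0                  # destination port for tcp/udp
    icmp_type: str = ""             # e.g. "echo-reply", "echo-request"
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}

def inbound_allowed(p: Packet) -> tuple[bool, str]:
    """Evaluate an Internet -> campus packet, first match wins.
    Returns (permitted?, name of the matching rule). Anything not
    explicitly permitted falls through to the default deny."""
    if p.proto == "icmp" and p.icmp_type == "echo-reply":
        return True, "global: echo-reply (reply to an on-campus ping)"
    if p.proto == "udp" and p.dport == 500:
        return True, "global: UDP/500 (IPSec key exchange)"
    if p.proto == "esp":
        return True, "global: IP protocol 50 (IPSec ESP)"
    # Assumption: stateless 'established' check, ACK set means a reply
    # to a session a campus host opened outward.
    if p.proto == "tcp" and "ACK" in p.flags:
        return True, "tcp established (reply to campus-initiated session)"
    return False, "default deny"

def ftp_data_connection(mode: str) -> tuple[bool, str]:
    """Does the FTP data channel get through the border?
    active:  the off-campus server opens a NEW connection to the client,
             so the first inbound packet is a bare SYN.
    passive: the on-campus client opens the connection outward, so the
             only inbound packets are SYN/ACK and later ACK-set replies."""
    client_port = 49152  # constructed ephemeral port on the campus client
    if mode == "active":
        return inbound_allowed(Packet("tcp", client_port, flags=frozenset({"SYN"})))
    if mode == "passive":
        return inbound_allowed(Packet("tcp", client_port, flags=frozenset({"SYN", "ACK"})))
    raise ValueError(f"unknown FTP mode: {mode}")

if __name__ == "__main__":
    for mode in ("active", "passive"):
        ok, rule = ftp_data_connection(mode)
        print(f"{mode:8s} FTP data channel: {'permitted' if ok else 'blocked'} ({rule})")
```

Any service that needs an inbound SYN, like active FTP's data channel, hits the default deny and needs a subnet-manager exception; services that only ever receive replies keep working.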