Security & Architecture
ResNet connects all of Housing's residence halls, cooperative houses and The Gem to the the Internet. One of ResNet's goals is to provide a secure and reliable network for residents. To accomplish this on such a large scale we have a fairly complicated network structure and policies.
All residence hall rooms have wired network connections of 100Mb/s and cooperative houses are 10Mb/s. The room ports connect to floor switches at which then connect to a building switch at 1Gb/s. The building switches connect to ResNet's backbone switch in Kerr Administration at 1Gb/s. The ResNet backbone switch connects to OSU's border router at 2Gb/s which is connected to the Internet and Internet2. See the diagram for each building's configuration.
For the protection of the network and ResNet users, certain ports are blocked by the ResNet firewall. Blocking of these ports protects against common viruses and worms, malicious intruders, and other security exploits. ResNet strongly suggests continued use of your computer's firewall.
Below is a list of the ports ResNet blocks, and a short explanation of the reason behind the decision to block each port.
- TCP port 25 (SMTP) outbound: SMTP over port 25 is designated for server to server communication when sending email. Email programs should be configured to use port 587, which is known as the mail submission port, to send email. Because port 587 is now used for mail submission by clients, and port 25 is no longer used for that purpose, and because port 25 is so commonly used by compromised hosts to send spam, we have chosen to block this port in order to cut down on the amount of noise and spam introduced to campus and the rest of the internet by our network. Check the program that you use to send mail (e.g. Outlook), and if you are not using Oregon State University's mail server, ensure that the mail server you are using is configured to use port 587. Check with the provider of the mail server if you have problems sending mail. If you are using OSU's mail server, contact the OSU Computer Helpdesk.
- TCP/UDP port 53 (DNS) inbound: Some users choose to set up their own authorititative name servers and/or resolvers. Unforunately, these devices may be used in, for example, a DNS amplification attack (pdf). Because of the poor ratio of properly secured resolvers to open (insecure) resolvers, we have chosen to block queries originating from outside our firewall. If you would like (for a class, for fun, ...) you may still set up a resolver/nameserver on ResNet, but note that it will not be accessible from outside ResNet.
- UDP port 68 (BOOTP / DHCP) inbound: DHCP is used so that devices can automatically obtain network information from our system once the device is plugged in to the network. In order to reduce the chance of interference from outside, and because we need to be able to control the addresses we assign on our network, we have blocked inbound DHCP traffic from the outside.
- TCP port 80 (HTTP) inbound: Many computers and devices are inadvertently running or have unmaintained web servers which can leave the device open to vulnerabilities. Allowing inbound access to this port, which is the default in most web server configurations, can be a risk to the security of the network and its users. If you would like to host a website, ONID provides personal web sites for all ONID users. Central Web Services provides hosting services for class, organization, and group websites.
- TCP/UDP ports 135, 137 through 139, and 445 (NetBIOS) inbound: NetBIOS services allow file sharing over networks. When improperly configured, they can expose a computer to attacks, exploits, worms, and critical system files.
- UDP port 520 (RIP) inbound/outbound: RIP (Routing Information Protocol) is used to communicate routing information within a network and can be vulnerable to malicious route updates which provide several attack possibilities.
- TCP port 1080 (SOCKS) inbound: Servers on the network running SOCKS proxies are known to have vulnerabilities that can lead to compromised hosts. Because more secure alternatives exist and few people currently make use of SOCKS proxies, we have decided to block inbound connections on this port.
- TCP port 3128 inbound: Similar to SOCKS, hosts running HTTP proxy services on this port are prone to abuse. Additionally, proxy server alternatives exist on campus. For these combined reasons, we have decided to block inbound connections on this port.
ResNet does not monitor the content of network traffic except to determine if it poses a threat to the network or a resident's computer or privacy. We are concerned with network performance and which applications are running on the network, not the content of what residents are transferring, reading or which web sites are visited.
We work daily to keep ResNet tuned and performing at peak. We monitor performance, update hardware and software, and analyze network traffic to make sure no single program that is non-educational in nature interferes with the educational use of ResNet. Please remember that we strive to maintain a fair and equitable use of bandwidth. If you are have any questions or concerns please feel free to contact the OSU Computer Helpdesk.