Security & Architecture
ResNet connects all of Housing's residence halls, cooperative houses and The Gem to the Internet. One of ResNet's goals is to provide a secure and reliable network for residents. Accomplishing this on such a large scale requires a fairly complicated network structure and set of policies.
All residence hall rooms have wired network connections of 100Mb/s and cooperative houses are 10Mb/s. The room ports connect to floor switches which then connect to a building switch. The building switches connect to ResNet's backbone switch in Kerr Administration. Network traffic is then prioritized before being sent to OSU's border router which is connected to the Internet and Internet2. See the diagram for each building's configuration.
For the protection of the network and ResNet users, certain ports are blocked by the ResNet firewall. Blocking of these ports protects against common viruses and worms, malicious intruders, and other security exploits. ResNet strongly suggests continued use of your computer's firewall.
Below is a list of the ports ResNet blocks, and a short explanation of the reason behind the decision to block each port.
- TCP port 25 (SMTP) outbound: SMTP over port 25 is designated for server-to-server communication when sending email. Email programs should be configured to use port 587, known as the mail submission port, to send email. Port 587 is now the port clients use for mail submission, port 25 is no longer used for that purpose, and port 25 is very commonly used by compromised hosts to send spam; we have therefore chosen to block this port in order to cut down on the amount of noise and spam introduced to campus and the rest of the internet by our network. Check the program that you use to send mail (e.g. Outlook), and if you are not using Oregon State University's mail server, ensure that the mail server you are using is configured to use port 587. Check with the provider of the mail server if you have problems sending mail. If you are using OSU's mail server, contact the OSU Computer Helpdesk.
- TCP/UDP port 53 (DNS) inbound: Some users choose to set up their own authoritative name servers and/or resolvers. Unfortunately, these devices may be used in, for example, a DNS amplification attack. Because of the poor ratio of properly secured resolvers to open (insecure) resolvers, we have chosen to block queries originating from outside our firewall. If you would like (for a class, for fun, ...) you may still set up a resolver/nameserver on ResNet, but note that it will not be accessible from outside ResNet.
- UDP port 68 (BOOTP / DHCP) inbound: DHCP is used so that devices can automatically obtain network information from our system once the device is plugged in to the network. In order to reduce the chance of interference from outside, and because we need to be able to control the addresses we assign on our network, we have blocked inbound DHCP traffic from the outside.
- TCP port 80 (HTTP) inbound: Many computers and devices are inadvertently running or have unmaintained web servers which can leave the device open to vulnerabilities. Allowing inbound access to this port, which is the default in most web server configurations, can be a risk to the security of the network and its users. If you would like to host a website, ONID provides personal web sites for all ONID users. Central Web Services provides hosting services for class, organization, and group websites.
- TCP/UDP ports 135, 137 through 139, and 445 (NetBIOS) inbound: NetBIOS services allow file sharing over networks. When improperly configured, they can expose a computer to attacks, exploits and worms, and can expose critical system files.
- UDP port 520 (RIP) inbound/outbound: RIP (Routing Information Protocol) is used to communicate routing information within a network and can be vulnerable to malicious route updates which provide several attack possibilities.
- TCP port 1080 (SOCKS) inbound: Servers on the network running SOCKS proxies are known to have vulnerabilities that can lead to compromised hosts. Because more secure alternatives exist and few people currently make use of SOCKS proxies, we have decided to block inbound connections on this port.
- TCP port 3128 inbound: Similar to SOCKS, hosts running HTTP proxy services on this port are prone to abuse. Additionally, proxy server alternatives exist on campus. For these combined reasons, we have decided to block inbound connections on this port.
ResNet and OSU have a limited amount of bandwidth available for internet use. ResNet employs a traffic control device (the Cisco SCE 2000) to ensure that all users are able to share the network as fairly as possible. There are no bandwidth quotas in place on the network at this time. However, if we begin to notice that the network is regularly congested and a small number of users are using a disproportionately high amount of bandwidth, we may ask them to cut back a bit on their network usage during peak hours.
Our philosophy is to avoid assigning explicit priority to every piece of traffic that crosses our network. Maintaining such a policy would be incredibly time intensive and have very little return in terms of network speed for all users.
That said, we do assign priorities to certain classes of traffic where the traffic requirements are significantly different from browsing, regular downloading, IMing, etc. The priorities we assign and our rationale are below:
- Lower priority traffic: file sharing software. If we do not assign this a low priority, a small number of users would quickly consume all available bandwidth. Note that we do not block file sharing software at this time, we simply assign it a lower priority.
- Higher priority traffic: Web browsing, Voice over IP (Skype, etc.), gaming and streaming (e.g. NetFlix, YouTube). Because we give these protocols a higher priority, we need to assign a maximum cap in order to mitigate abuse. We monitor the requirements of certain protocols in this category to ensure that our cap is at or above the recommended requirements for those protocols. This ensures that users get a smooth connection when using, for example, voice and video chat, even when the network is otherwise congested. We keep up with the latest protocol detection information released by Cisco to ensure that as many games and other protocols as possible are placed into this category.
- All other traffic receives a medium priority. We monitor our network usage to ensure that we buy enough bandwidth from year to year to accommodate the number of users we have and their usage habits. If bandwidth was free, we would not need to do any of this!
ResNet does not monitor the content of network traffic except to determine if it poses a threat to the network or a resident's computer or privacy. We are concerned with network performance and which applications are running on the network, not the content of what residents are transferring, reading or which web sites are visited.
We work daily to keep ResNet tuned and performing at peak. We monitor performance, update hardware and software, and analyze network traffic to make sure no single program that is non-educational in nature interferes with the educational use of ResNet. Please remember that we strive to maintain a fair and equitable use of bandwidth. If you have any questions or concerns please feel free to contact the OSU Computer Helpdesk.