Computing and Information Services
Network Group

Campus Firewall

Introduction

The TAMU campus network firewall is a device that restricts access to the TAMU campus network from the Internet. Its purpose is to protect campus resources from abuse/attack by Internet users who may take advantage of the many vulnerabilities on modern computer systems.

Before requesting a change to the firewall, check to see if the VPN service will meet your needs.

How it works

The campus firewall runs the Drawbridge software. This firewall works by restricting access to individual services on a specific machine. Each of these services has one or more associated TCP/IP ports that must be allowed through the firewall before the service will be accessible from the Internet. By default, we automatically allow certain services through the firewall. However, in most cases, specific services can only be cleared at the request of an administrator. NOTE: Effective beginning of Fall semester, 2001, the new campus firewall default will have all TCP ports closed. A copy of the announcement can be found here.

Firewalls are also available for departments. For more information on this service, please see Departmental Firewalls.

How to view current firewall settings

Current firewall settings for an individual machine can be viewed at https://firewall.tamu.edu. You must enter your Net ID and password in order to enter the site. Once this information is entered, all hosts owned by you will be returned. Ownership is based on the ownership information in NIM. If you have any questions or concerns about this information, send mail to firewall@tamu.edu.

How to get a service cleared

Requests should be made through e-mail to security@net.tamu.edu and must follow these guidelines. Depending on the request, it may take up to 2 business days for the request to be completed. If the request is considered urgent, and the 2 day timeline is not sufficient, please state that the request is 'URGENT'. Included in the email message should also be the reasons why the request is time critical. If you do not receive a response to your mail, please call the Operations Center at (979) 845-8300, and ask them to contact the Network Security Team concerning your request.

Firewall configuration for a host is based on the DNS host name of that machine (i.e., machinename.tamu.edu) and not on its IP address. If the name of a machine changes, you will need to email security@net.tamu.edu to inform us of the change. Otherwise, the firewall settings for that machine will no longer work. If the IP address for a machine changes, but the hostname remains the same, no firewall changes need to be made. All initial firewall change requests should be made for the machine hostname and not the IP address.

Not all ports are allowed to be opened through the campus firewall. For a listing and explanation of exceptions allowed through the firewall, please see Firewall Port Restrictions.
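The hostname-keyed, default-deny behaviour described above, as an added example that is not the Drawbridge software or any TAMU code: a small Python model in which cleared ports are recorded per DNS name and resolved to an address only at check time, so an IP change with the same hostname keeps working while a hostname change silently drops the rules. Requests for the clear-text ports this page refuses (ftp, telnet, pop, imap; standard port numbers assumed) are rejected at request time. The DNS table and hostnames are constructed.

```python
# Added example: model of a hostname-keyed, default-deny campus firewall policy.
# Not the Drawbridge software and not its configuration format; hostnames,
# addresses and the DNS table below are constructed for the demonstration.
from dataclasses import dataclass, field

# Clear-text protocols the page says are never cleared (well-known ports assumed).
INSECURE_TCP_PORTS = {21: "ftp", 23: "telnet", 110: "pop", 143: "imap"}

# Constructed stand-in for NIM/DNS: hostname -> current address (no network I/O).
DNS = {"webhost.tamu.edu": "10.0.1.20", "mailhost.tamu.edu": "10.0.1.30"}


@dataclass
class Policy:
    # hostname -> set of TCP ports an administrator has had cleared
    allowed: dict = field(default_factory=dict)

    def request_clear(self, hostname, port, dns=DNS):
        """Record a clearance request; refuse ports the policy never opens."""
        if port in INSECURE_TCP_PORTS:
            raise ValueError(f"{INSECURE_TCP_PORTS[port]} (tcp/{port}) is not cleared")
        if hostname not in dns:
            raise ValueError(f"{hostname} has no DNS record; rules are keyed by hostname")
        self.allowed.setdefault(hostname, set()).add(port)

    def permits(self, dst_ip, port, dns=DNS):
        """Default deny: pass only if dst_ip currently resolves from a hostname
        that has this port cleared. Resolution happens here, not at request time."""
        return any(dns.get(host) == dst_ip and port in ports
                   for host, ports in self.allowed.items())


def demo():
    """Return (initial, after_ip_change, after_rename, uncleared_port)."""
    p = Policy()
    p.request_clear("webhost.tamu.edu", 80)
    initial = p.permits("10.0.1.20", 80)                      # cleared -> True
    # Address changes, hostname stays: updated DNS is enough, no rule edit needed.
    dns_ip_changed = dict(DNS, **{"webhost.tamu.edu": "10.0.1.99"})
    after_ip_change = p.permits("10.0.1.99", 80, dns_ip_changed)   # True
    # Host renamed, address stays: the old rule no longer resolves to anything.
    dns_renamed = {"www.tamu.edu": "10.0.1.20"}
    after_rename = p.permits("10.0.1.20", 80, dns_renamed)         # False
    uncleared_port = p.permits("10.0.1.20", 22)                     # default deny
    return initial, after_ip_change, after_rename, uncleared_port


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```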

  • Authorization

    All machines that have services visible through the firewall must have valid "owner" information, and firewall change requests must be received from the "owner" of the machine, according to our Network Information Manager (NIM), TAMU's interface to DNS.

    Requests for changes to the firewall must come from the administrator of the machine as recorded in NIM. Requests received from anyone else will be forwarded to the machine's administrator for approval. Because of the high turnover rate of student administrators, we do not accept firewall change requests from students unless approved by a full-time staff member in the department hosting the machine.

  • Configuration and Security

    By default, computer systems with Internet capability are often configured with a focus on ease of use instead of strict security. They also may have security related software bugs that require software patches. This situation tends to leave computers vulnerable to known attacks from over the network. If the security of a TAMU computer system is compromised, it may be possible for that system to be used to attack other computers from within the firewall effectively bypassing the firewall protection.

    For these reasons, computers must be secured before their services can be allowed through the firewall. Below is a list of issues that need to be addressed before a service can be cleared through the firewall. (Note that this list is incomplete. Each request will be handled in a manner appropriate to the service.)

    • Insecure Protocols

      Beginning September 1, 2005, all insecure protocols (protocols that provide no encryption and pass traffic in clear text) will no longer be allowed to pass through the campus firewall. Services this will affect include telnet, ftp, imap, and pop. Replacements for these services include ssh, scp, secure imap and secure pop. Further information on this change can be found here.

    • HTTP (World Wide Web) Service

      Beginning in the Fall 2001 semester, this service is no longer open by default through the firewall. To see the announcement concerning this change, click here. We have seen many security problems reported for many of the popular software packages. You should research the software you are using to learn how to configure it properly and stay informed about any security related software bugs that may be discovered. Before this service can be opened for a host, the host will be scanned for any web vulnerabilities, and the owner of the host will be notified about them. Once the vulnerabilities are removed, web services through the firewall will be opened for that host.

      We now offer a Self Service Scanner which will allow you to scan your host to check for http vulnerabilities and request to open port 80. You must be the NIM owner of the host in order to use this tool.

    • SMTP - E-mail Forwarding Service

      A change was implemented on April 14, 1999 in the way email was delivered from e-mail servers off campus to e-mail servers on the TAMU campus. This change was implemented to prevent third-party e-mail relaying. More information about this change can be found here. As a result of this change, the SMTP port (port 25) on all hosts is closed by default. In order to have it opened, your host will be checked to verify that it is not relaying mail. If it is not found to be relaying, the SMTP port will be opened.

    Each service open through the firewall will be scanned periodically to verify the software and configuration are relatively free of vulnerabilities. If vulnerabilities are found, the owner will be notified. We will work with you to help secure the service.

Security Risks

As explained above, the firewall was put in place to protect the campus network. Machines that become compromised or users that take it upon themselves to circumvent the firewall will be considered a security risk to the campus network and one or all of the actions listed below will be taken to eliminate that risk.

  1. The incident will be reported to the CIS Security Officer.
  2. The device will be blocked from the Internet.
  3. If possible, the device's access to the Campus Network will be disabled.
    • If the host is on the ResNet network, the incident will be referred to Student Conflict Resolution and the Department of Residence Life will be notified by the CIS Security Officer.
    • Otherwise the department responsible for the machine will be notified by the CIS Security Officer.

If your device is blocked from the Internet or the device's access to the campus network is disabled, it will be returned to active status by the CIS Network Group by the end of the following business day after notification that the issue has been resolved.

ResNet Network Restrictions

At the beginning of the Fall 96-97 semester, the Texas A&M Computer Security Committee looked at the security issues of allowing students to provide TCP/IP services to the Internet. One of the main concerns was that there is no practical way to enforce security policies on student owned and operated computers. Situations can occur where access to the campus network is granted (possibly inadvertently) to a person not associated with the University. Once inside the firewall, this person can attack any computer on campus.

After getting input from the campus computing community, including student and Department of Residence Life representatives, the Security Committee made the recommendation that World Wide Web service should be the only TCP/IP service allowed in to the dormitory network from the Internet. SMTP (Simple Mail Transport Protocol) will be handled transparently through a mail forwarder. On December 5th, 1996, the recommendation was signed by the Associate Provost for Information Technology.

Beginning in the Fall Semester, 2001, port 80 (http) will no longer be open by default through the firewall. To see the announcement concerning this change, click here. This means a machine on the ResNet network running a web server will only be visible to the campus network, not the Internet. If you would like to have port 80 opened on your host, please use the form found here. You will need to provide your NetID and password.

Note: If you are on the ResNet Network, you may have a FTP or Telnet server on your machine, but it will not be accessible from off campus.

WARNING: As mentioned above, it is a security violation to put a TCP/IP service on any port other than the one assigned to the service.