
January 19, 2005
In order to better protect University computing resources, all protocols that pass passwords in plaintext will be blocked at the firewall beginning September 1, 2005. We will also no longer open any new ports through the firewall for the services listed below.
Texas A&M Computing and Information Services maintains a campus network firewall between the University and the Internet. Its purpose is to shield campus computers from outside attack and/or disruption. This shield does not stop all network traffic, as, consistent with our mission as a major university, we encourage many types of information exchange.
Protocols that pass passwords in plain text through the campus firewall include telnet, FTP, POP and IMAP. Incoming traffic for these protocols will no longer be allowed through the firewall beginning next September. Any protocol that passes passwords will need to be encrypted.
CIS has allowed these protocols in the past but has discouraged their use because of the vulnerability associated with passing traffic in clear text: anyone who can sniff traffic on the path between your machine and the server (a shared network segment, a wireless network, a compromised router) can read your password verbatim from the packets. Software is available that encrypts this traffic.
Note: This change affects incoming traffic only. You may continue to use these protocols to connect to machines off campus, but you do so at your own risk; be aware that your password can still be captured on the way.
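To make the risk concrete, here is an added example (not part of this notice and not a CIS tool) that does what a sniffer on the path does: given the client half of a captured TCP session, it pulls the username and password straight out of the bytes for FTP, POP3 and IMAP logins, and also for HTTP Basic authentication on port 80 (which only base64-encodes the credentials). The sample sessions are constructed for illustration.

```python
"""Extract login credentials from reconstructed plaintext client streams.

Added example, not part of the original CIS notice. It shows what an
on-path sniffer sees when FTP, POP3, IMAP or unencrypted HTTP carries
a login: the username and password are in the clear. All sample
sessions below are constructed for illustration.
"""
import base64
import re

# FTP and POP3 both authenticate with "USER <name>" then "PASS <secret>".
_USER_RE = re.compile(rb"^USER\s+(\S+)\s*$", re.IGNORECASE)
_PASS_RE = re.compile(rb"^PASS\s+(.+?)\s*$", re.IGNORECASE)
# IMAP prefixes each command with a client tag: 'a001 LOGIN user "pass"'.
_IMAP_LOGIN_RE = re.compile(
    rb'^\S+\s+LOGIN\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)
# HTTP Basic auth carries base64("user:pass"); base64 is encoding, not encryption.
_HTTP_BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+(\S+)\s*$", re.IGNORECASE)


def extract_credentials(client_stream: bytes):
    """Return a list of (protocol, username, password) tuples found in the
    client-to-server half of a TCP stream (lines terminated by CRLF)."""
    found = []
    pending_user = None  # a USER command seen, waiting for its PASS
    for raw in client_stream.split(b"\r\n"):
        line = raw.strip()
        if not line:
            continue
        m = _USER_RE.match(line)
        if m:
            pending_user = m.group(1).decode("latin-1")
            continue
        m = _PASS_RE.match(line)
        if m and pending_user is not None:
            found.append(("ftp/pop3", pending_user, m.group(1).decode("latin-1")))
            pending_user = None
            continue
        m = _IMAP_LOGIN_RE.match(line)
        if m:
            found.append(("imap", m.group(1).decode("latin-1"),
                          m.group(2).decode("latin-1")))
            continue
        m = _HTTP_BASIC_RE.match(line)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True)
            except ValueError:  # binascii.Error is a ValueError: malformed token
                continue
            user, _, password = decoded.decode("latin-1").partition(":")
            found.append(("http-basic", user, password))
    return found


# Constructed client-side captures (server replies omitted).
SAMPLE_POP3 = b"USER jdoe\r\nPASS s3cret!\r\nSTAT\r\nQUIT\r\n"
SAMPLE_FTP_ANON = b"USER anonymous\r\nPASS guest@example.edu\r\nPASV\r\n"
SAMPLE_IMAP = b'a001 LOGIN jdoe "s3cret!"\r\na002 SELECT INBOX\r\n'
SAMPLE_HTTP = (b"GET /private/ HTTP/1.1\r\nHost: www.example.edu\r\n"
               b"Authorization: Basic " + base64.b64encode(b"jdoe:s3cret!")
               + b"\r\n\r\n")


def demo():
    """Run the extractor over every constructed sample; returns a dict."""
    return {name: extract_credentials(stream) for name, stream in (
        ("pop3", SAMPLE_POP3), ("ftp-anonymous", SAMPLE_FTP_ANON),
        ("imap", SAMPLE_IMAP), ("http-basic", SAMPLE_HTTP))}


if __name__ == "__main__":
    for name, creds in demo().items():
        print(f"{name}: {creds}")
```

The anonymous FTP sample is extracted too, but what it yields is a courtesy e-mail address rather than a secret, which is why the July update below can keep anonymous FTP open while blocking authenticated FTP. Encrypting the session (SSH, POP/IMAP over SSL, HTTPS) is what removes these strings from the wire; nothing in the application protocol hides them.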
Update - 07/19/2005
- Anonymous FTP will continue to be allowed. However, if you are found to be running an authenticated FTP service (i.e. non-anonymous and non-encrypted), we will block the port for that service.
- Encrypted versions of these protocols will be allowed both on the standard ports (for example, TLS negotiated via STARTTLS on 110/143) and on their dedicated encrypted-equivalent ports. Questions on this should be directed to security@tamu.edu
If you are currently using one of the protocols listed above and have it open through the campus firewall (you can check the firewall settings for any host you own at https://firewall.tamu.edu), you will need to move to a different protocol and have a different port opened for that protocol through the firewall. Possible replacements and the port openings needed are listed below.
| Current protocol | Current port | Replacement protocol | Replacement port |
|---|---|---|---|
| Telnet | 23 | SSH | 22 |
| FTP | 21 | SFTP/SCP (file transfer over SSH; e.g. WinSCP on Windows) | 22 |
| POP | 110 | Secure POP (POP over SSL) | 995 |
| IMAP | 143 | Secure IMAP (IMAP over SSL) | 993 |
One last note: if you have a web site open through the firewall that requires authorization, it is strongly recommended that you use SSL. Any ID/password combination passed over port 80 without SSL is passed in plaintext and can be captured, whether it is entered in an HTML login form or sent as HTTP Basic authentication (which only base64-encodes the credentials). Use SSL to encrypt the traffic and serve it over port 443.
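A practical way to work through the replacement table for your own hosts is to check which legacy ports still answer and whether the encrypted replacement is already listening. The script below is an added example, not part of this notice and not the firewall.tamu.edu tool; it probes the ports from the table (plus port 80, which is only a finding if the site requires a login) with a plain TCP connect and reports what to migrate. The probe is injectable so the logic can be exercised against a constructed port map without network access.

```python
"""Audit a host for the plaintext-password services this notice blocks.

Added example, not part of the original notice or any CIS tool. For each
legacy port in the replacement table it reports whether the service still
answers and whether its encrypted replacement is already listening.
"""
import socket
import sys
from contextlib import closing
from typing import Callable, Dict, List

# Legacy port -> (service, replacement service, replacement port), from the table.
REPLACEMENTS = {
    23: ("telnet", "SSH", 22),
    21: ("FTP", "SFTP/SCP over SSH", 22),
    110: ("POP", "Secure POP (POP over SSL)", 995),
    143: ("IMAP", "Secure IMAP (IMAP over SSL)", 993),
    80: ("HTTP (a finding only if the site requires a login)", "HTTPS", 443),
}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds within the timeout."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit_host(host: str,
               probe: Callable[[str, int], bool] = tcp_port_open) -> List[Dict]:
    """Return one finding per legacy service still answering on host.

    `probe(host, port)` returns whether the port accepts connections; the
    default does a real TCP connect, tests can pass a constructed map.
    """
    findings = []
    for port in sorted(REPLACEMENTS):
        service, repl_service, repl_port = REPLACEMENTS[port]
        if not probe(host, port):
            continue
        findings.append({
            "port": port,
            "service": service,
            "replacement": repl_service,
            "replacement_port": repl_port,
            "replacement_listening": probe(host, repl_port),
        })
    return findings


def summarize(findings: List[Dict]) -> List[str]:
    """One human-readable migration line per finding."""
    lines = []
    for f in findings:
        status = ("already listening" if f["replacement_listening"]
                  else "NOT listening yet")
        lines.append(
            f"port {f['port']} ({f['service']}): move to {f['replacement']} "
            f"on port {f['replacement_port']} ({status}); request a firewall "
            f"opening for {f['replacement_port']} and expect {f['port']} to be closed")
    return lines


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    report = summarize(audit_host(target))
    for line in report or ["no plaintext-password services found"]:
        print(line)
```

Run it as `python audit.py mail.example.edu` (hostname assumed for illustration). A finding whose replacement is "NOT listening yet" is the one to act on first: the replacement service has to be installed and the new port requested through the firewall before the legacy port is closed, or users lose access on the cut-over date.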
If the suggested solutions above, or on the web page, will not work for you, consider VPN as the solution. There is more information on the VPN solution at the Virtual Private Networks page.
We recommend that you begin transitioning your hosts as soon as possible. Any questions concerning this change should be directed to security@net.tamu.edu.