Networking, Firewall, Vulnerable Networking Ports Blocked

For IT Pros: This page contains information about ports that are blocked at the campus firewall.


Introduction

The Chief Information Officer of the University of Illinois has approved blocking specific vulnerable ports at the entrance and/or exit to the campus network. These blocks are due to an increase in the number of network-based security vulnerabilities seen on campus, and follow a recommendation by the Department of Homeland Security.

In an effort to provide a stable networking environment and deter certain classes of security breaches on campus, a limited number of networking ports will be blocked at the campus entrance and/or exit.

Internal, on-campus traffic not affected

Please note that traffic that remains internal to the UIUC campus will not be affected by these blocks. If you are using one of these ports to communicate with another system inside the UIUC campus network, the campus-perimeter firewall blocks will not interrupt that communication. Only units wishing to share files with off-campus users may encounter problems with these blocks.

Affected ports and services

The following ports will be blocked at the campus firewall to prevent assault on the UIUC network from external sources through known exploits:

Ports restricted even from UI networks

  • Port 19: Chargen TCP/UDP
    Blocked: Inbound.
    Because chargen is used as an amplifier in DDoS attacks, this port is blocked coming in to campus.
  • Port 123: NTP UDP
    Blocked: In to unapproved servers.
    This port is associated with NTP, the network time protocol. Due to ongoing security vulnerabilities, incoming connections are only permitted to connect to approved campus NTP servers. (Outgoing requests from on-campus machines to off-campus NTP servers will not be blocked.)
  • Ports 161 UDP-162 TCP/UDP: SNMP
    Blocked: Inbound.
    These ports are most frequently associated with SNMP, a network monitoring protocol. Due to ongoing security vulnerabilities, these ports are blocked from entering the campus network, but are allowed to exit.
  • Ports 1434 UDP and 41170 UDP: Denial of service file sharing
    Blocked: Both in and out.
    The file sharing programs that used these ports were known to cause denial of service (DOS) attacks on certain hardware. Note that exceptions will not be made to permit traffic to pass on these two ports except in extraordinary circumstances. If you believe these blocks may be causing problems for a particular application, please contact the Help Desk .

Special request ports

These ports currently are not enabled even with Fully Open or +UI policies, but can be requested as an add-on using policy Group_135exempt or Group_135exempt_UI respectively.

  • Ports 135,136, 137, 138, and 139 TCP and UDP Microsoft NetBIOS.
    Blocked: Both in and out.
    These ports are primarily involved with Windows file and print sharing for Windows 95/98/ME/NT, including Microsoft Exchange servers and Microsoft Outlook clients.
  • Port 445 SMB TCP/UDP 
    Blocked: Both in and out.
    This port is used for SMB file sharing, typically MS Windows servers.

Ports always allowed from UI networks, but blocked elsewhere

  • Port 23: Telnet TCP/UDP
    Blocked: Inbound.
    Due to security vulnerabilities, incoming connections are only permitted through approved entry points such as the campus VPN.
  • Port 5900 VNC TCP
    Blocked: Inbound
    Most commonly used with Apple remote desktop. Incoming connections are only permitted through approved entry points such as the campus VPN.
  • Port 3389 TCP and UDP Microsoft Remote Desktop Protocol
    Blocked: Inbound.
    This port is primarily involved with RDP access to Microsoft Windows Windows computers. Aside from VPN access, there also exists an RDP Gateway Networking, Remote Desktop Gateway Service

SSH Block

  • Port 22: SSH TCP/UDP   ( Effective May 30, 2017)
    Blocked: Inbound.
    Due to security vulnerabilities, incoming connections are only permitted through approved entry points such as the campus VPN and by special exemption.
    • SSH Port 22 is allowed from UI-SYSTEM addresses for all firewall policy groups which previously allowed SSH from everywhere except as stated here.  SSH Port 22 is allowed in from UI-SYSTEM for all policy groups except for Fully Closed and Mostly Closed.

Although this should not affect the overwhelming majority of campus network traffic, this may cause some communication issues for some particular campus units. The VPN, Off-Campus Customers can be used to re-establish this connectivity safely and securely.

If your department needs an exception from these blocks

If the blocks will negatively impact the functioning of your unit, and you have not already requested an exception, please have the network administrator contact the Help Desk and request that your unit be provided exception criteria.

Note that ports 1434 and 41170 will not be unblocked in the majority of cases. All the other ports on the blocking list can have exceptions made when necessary for academic and research purposes.

For firewall groups without the +UI description

If your machines belong to groups that do not contain the +UI description in their names, then machines located at the University of Illinois at Chicago and at Springfield are not treated as on-campus systems in relation to the placement of the UIUC firewalls, and the other campuses cannot be exempted from the UIUC campus-perimeter firewall blocks. Networking traffic from UIC and UIS on these ports are blocked just as any other off-campus traffic would be.

For firewall groups with the +UI description

If your machines belong to groups that do contain the +UI description in their names, then machines located at the University of Illinois at Chicago and at Springfield are treated as on-campus systems in relation to the placement of the UIUC firewalls, and the other campuses are exempted from the UIUC campus-perimeter firewall blocks. Networking traffic from UIC and UIS on these ports are permitted just as network traffic from UIUC would be except for those ports explicitly called out above.

IP ranges that are treated as on-campus in the +UI groups

For a description of the IP ranges that will be viewed as inside the firewalls in the +UI groups, see Networking, Guide to University of Illinois IP Spaces .