Measures - Port locks, access protection

Based on the security concept of BelWü, a list of services was compiled at the end of 2001 that represent a security risk and were therefore blocked on the firewall. These are services that, in addition, either

  1. should not be offered beyond the boundaries of an organisation, or
  2. can be replaced by more secure services, or
  3. can be repurposed by modification (e.g. tunneling).

List of basic port bans between TUnet and Internet

As a security measure, TU.it offers the option of protecting workstations and internal servers against access from the Internet. In this context, dial-up line access, TU-ADSL, xDSL@student and VPN are considered internal. Reasons to make use of this protection include, but are not limited to:

  • "Denial of Service" attacks, i.e. the computer is paralyzed by malicious access.
  • Accidentally activated services. These can be started by the standard installation of the operating system or by Trojans.
  • Insecurely configured services. This is unfortunately often the case with standard installations.

It should be noted that this lock is only to be seen as an additional precaution. It can only supplement, not replace, the responsible management of individual computers.

Preferably, the entire IP address range of the institute is protected and only access to the server or servers is allowed. If more than about four servers are in operation, the address range can alternatively be divided into a zone for protected computers and one for servers accessible from the Internet.

However, only address ranges reserved for host numbers can be enabled:

  • For entire networks: 2-247
  • For split networks: 2-119 (lower part), 130-247 (upper part)

With simple servers, only one port group can be opened instead of a general activation (e.g. HTTP/HTTPS or POP3/SPOP3/IMAP/SIMAP).

As has recently been shown, each individual computer is responsible for the functioning of the entire network. Servers that can be accessed from the Internet in particular require especially careful management.

It would be worth considering whether it is necessary or useful to open SSH access worldwide.

It would be better to allow access only from dedicated IP addresses or, if this is not possible, to switch to SSH key authentication and block access by password altogether. Then passwords can no longer be cracked by brute-force attacks!
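The following script is an added example, not part of the TU.it page: it audits an sshd_config file for the two recommendations above (password logins disabled, key authentication enabled) and reports whether access is additionally restricted by source address. The two sample configurations are constructed here, and the network 192.0.2.0/24 is an assumed documentation range, not a TUnet address.

```shell
#!/bin/sh
# Added example (not TU.it code): check an OpenSSH server configuration for
# key-only authentication and, optionally, source-address restriction.

# Print the global value of a keyword (lower-cased). Only the section before
# the first "Match" block is read, because Match blocks apply per connection.
sshd_value() {
    # $1 = config file, $2 = keyword (sshd keywords are case-insensitive)
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { val = tolower($2) }
        END { print val }
    ' "$1"
}

# Returns 0 when the file matches the recommended settings, 1 otherwise,
# and prints one line per finding.
audit_sshd_config() {
    file="$1"
    rc=0
    pw="$(sshd_value "$file" PasswordAuthentication)"
    pk="$(sshd_value "$file" PubkeyAuthentication)"
    # OpenSSH defaults when the keyword is absent: both are "yes".
    if [ "${pw:-yes}" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '${pw:-yes (default)}'; set it to 'no'"
        rc=1
    else
        echo "OK:   password logins disabled"
    fi
    if [ "${pk:-yes}" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is '$pk'; key authentication must stay enabled"
        rc=1
    else
        echo "OK:   public-key authentication enabled"
    fi
    # A Match block may silently re-enable passwords for some connections.
    if awk 'tolower($1)=="match"{m=1; next}
            m && tolower($1)=="passwordauthentication" && tolower($2)=="yes"{f=1}
            END{ exit (f ? 0 : 1) }' "$file"; then
        echo "FAIL: a Match block re-enables password authentication"
        rc=1
    fi
    # Source restriction is the page's first choice but optional, so its
    # absence is a warning rather than a failure.
    if grep -Eiq '^[[:space:]]*Match[[:space:]]+Address' "$file"; then
        echo "OK:   access restricted by source address (Match Address)"
    else
        echo "WARN: no Match Address block; SSH is reachable from any source the firewall admits"
    fi
    return $rc
}

# Constructed sample configurations (not taken from any real host).
WEAK_CFG="$(mktemp)"
HARD_CFG="$(mktemp)"
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# typical default: passwords allowed, reachable from anywhere
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
# hardened: keys only; one assumed admin range gets an extra user restriction
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
Match Address 192.0.2.0/24
    AllowUsers sysadmin
EOF

echo "--- weak sample ---";     audit_sshd_config "$WEAK_CFG" || true
echo "--- hardened sample ---"; audit_sshd_config "$HARD_CFG"
```

Run it against a real host with the effective configuration rather than the file on disk, e.g. `sshd -T > /tmp/effective.conf` and then `audit_sshd_config /tmp/effective.conf`, since included files and defaults are resolved there.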

Service Center


© TU Wien

Ticketsystem Online Portal
Hotline 01 588 01 42002

help@it.tuwien.ac.at
1040 Wien, Operngasse 11, EG
As a result of the coronavirus epidemic, the service center is now closed.