Center for Information Technology

Improvements in Network Security

Article 12-04-06; Updated 03-09-07

Starting in December 2006, and for the next several months, we will be making modifications to our Internet network connection in order to enhance our network security. In the past, we basically allowed most inbound network traffic and blocked only what we knew to be bad. Now, we're going to block everything and allow only what we know to be good and needed or desired. These days, there's just too much bad out there for us to track, and the impact of having problems has become increasingly difficult to deal with.

The changes will restrict connections made from the Internet (external to campus) to devices and services on our campus network, but not those from Oberlin out to the Internet. The changes will also not affect Oberlin College Cable Co-op users making connections to Oberlin College resources.

Our intent is to allow inbound traffic of the types listed below, and disallow all other types of inbound network traffic. These changes will not have a noticeable effect on most users, but people running games or servers may be impacted. If you have a game system or server that is affected, please contact the CIT Help Desk (x58197 or cit@oberlin.edu) and we will make the necessary adjustments for your system(s).

Changes will be made in accordance with the following schedule:

| Date | Affects traffic type |
| --- | --- |
| Tuesday, 05 December 2006 | Block UDP traffic for all campus administrative and academic buildings, except Skype. |
| Tuesday, 12 December 2006 | Allow TCP traffic on ports numbered less than 1024 in accordance with the list below, and disallow all other TCP traffic, for all campus administrative and academic buildings. |
| Tuesday, 19 December 2006 | Allow TCP traffic on ports in accordance with the list below, and disallow all other TCP traffic, for all administrative and academic buildings. |
| Tuesday, 09 January 2007 | Block UDP traffic for all Resnet buildings, except for games and Skype. |
| Tuesday, 13 February 2007 | Block inbound FTP traffic to all administrative and academic buildings, except for user-requested, CIT-approved exceptions. |
| Tuesday, 20 February 2007 | Allow TCP traffic on ports numbered less than 1024 in accordance with the list below, and disallow all other TCP traffic, for all Resnet buildings. |
| Tuesday, 27 February 2007 | Block inbound Windows Remote Desktop, Apple Remote Desktop, and VNC traffic to all administrative and academic buildings. |
| Tuesday, 06 March 2007 | Block inbound FTP for systems with dynamic IPs that had not previously been blocked. |
| Tuesday, 13 March 2007 | Block inbound SSH, except for exempted systems. (Systems currently using SSH will be exempted until alternate access mechanisms are verified.) |
| Tuesday, 03 April 2007 | Allow TCP traffic on ports in accordance with the list below, and disallow all other TCP traffic, for all Resnet buildings. |

Note: If you are unaware of the meaning of the port numbers listed below, do not be concerned. The numbers are provided for informational purposes for people who may require that knowledge. The port numbers simply correspond to the network traffic types listed in the left-hand column.

As noted in the Comments column of the table below, some services will soon be available (by the start of the spring semester) only via VPN access. VPN (Virtual Private Networking) is a much more secure way to provide access to campus network resources. VPN is available for all Oberlin College personnel when using a VPN client application on their computers. This client application is available for download, from on-campus only, from our VPN web page.

NETWORK TRAFFIC BEING ALLOWED:

| Network traffic | Ports used | Comment |
| --- | --- | --- |
| Web | TCP Port 80 | |
| Secure web | TCP Port 443 | |
| E-Mail: SMTP | TCP Port 25 | |
| E-Mail: IMAP | TCP Port 143 | |
| E-Mail: POP3 | TCP Port 110 | |
| E-Mail: SSL POP3 | TCP Port 995 | |
| E-Mail: SSL IMAP | TCP Port 993 | |
| E-Mail: SSL SMTP | TCP Port 998 | |
| FTP | TCP Ports 20, 21 | Available ONLY via VPN access. |
| Secure Shell (SSH) | TCP Port 22 | Available ONLY via VPN except for exempted systems. |
| LDAP | TCP Port 389 | Soon to be available ONLY via VPN access. |
| SSL LDAP | TCP Port 636 | |
| Meeting Maker | TCP Ports 417, 2271 | |
| RTSP | TCP Port 554 | |
| All traffic from hosted Blackboard servers | TCP Ports 80, 443 | |
| All traffic from OhioLINK | various | |
| ARD | TCP Port 5900 | Available ONLY via VPN access. |
| iChat | TCP Ports 5060, 5190, 5297, 5298, 5678, 16384 through 16403 | |
| Windows Remote Desktop | TCP Port 3389 | Available for Resnet. Available ONLY via VPN access for administrative and academic buildings. |
| VNC | TCP Ports 5800, 5900, 5901 | Available ONLY via VPN access. |
| Skype | UDP Port 62437 | |

Note: We have created a special service group for Skype, called ObieSkype, to maximize the performance of that service. Skype users should set their UDP port to 62437 to take advantage of this improvement for on-campus use.
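To make the default-deny policy above concrete, here is an added example (not CIT's own firewall configuration) that models the allow-list as a small decision function, so an administrator can check what a given inbound connection would get before the cutover dates. The zone names ("admin" for administrative and academic buildings, "resnet"), the SSH exemption list and the per-zone handling of port 3389 are assumptions drawn from the table; the Resnet "games" UDP exception and the source-based Blackboard/OhioLINK rows are not modelled.

```python
# Added example (not CIT's actual firewall rules): a model of the inbound
# allow-list policy from the table above. Zone names, the SSH exemption list
# and per-zone handling of port 3389 are assumptions drawn from the text.

# (proto, port) -> "open" (reachable from the Internet), "vpn" (reachable only
# through the VPN), or a per-zone dict for services that differ by building.
ALLOW = {
    ("tcp", 80): "open", ("tcp", 443): "open",                  # web
    ("tcp", 25): "open", ("tcp", 143): "open", ("tcp", 110): "open",
    ("tcp", 995): "open", ("tcp", 993): "open", ("tcp", 998): "open",
    ("tcp", 20): "vpn", ("tcp", 21): "vpn",                     # FTP
    ("tcp", 22): "vpn",                        # SSH, except exempted systems
    ("tcp", 389): "vpn", ("tcp", 636): "open",                  # LDAP / SSL LDAP
    ("tcp", 417): "open", ("tcp", 2271): "open",                # Meeting Maker
    ("tcp", 554): "open",                                       # RTSP
    ("tcp", 5800): "vpn", ("tcp", 5900): "vpn", ("tcp", 5901): "vpn",  # ARD/VNC
    ("tcp", 3389): {"resnet": "open", "admin": "vpn"},          # Windows RDP
    ("udp", 62437): "open",                                     # ObieSkype
}
for _p in (5060, 5190, 5297, 5298, 5678, *range(16384, 16404)):
    ALLOW[("tcp", _p)] = "open"                                 # iChat

# Constructed placeholder address standing in for CIT's SSH-exempted hosts.
SSH_EXEMPT = {"192.0.2.10"}


def decide(proto, port, zone, dst, via_vpn=False):
    """Return 'allow' or 'deny' for an inbound connection from the Internet.

    proto: 'tcp' or 'udp'; zone: 'admin' (administrative/academic buildings)
    or 'resnet'; dst: destination host address; via_vpn: True when the
    connection arrives through the campus VPN rather than directly.
    """
    proto = proto.lower()
    rule = ALLOW.get((proto, port))
    if rule is None:
        return "deny"                    # default deny: not on the allow-list
    if isinstance(rule, dict):
        rule = rule.get(zone, "vpn")     # unknown zone gets the stricter rule
    if rule == "open" or via_vpn:
        return "allow"
    if (proto, port) == ("tcp", 22) and dst in SSH_EXEMPT:
        return "allow"                   # exempt until alternate access verified
    return "deny"
```

Anything not in the table, including every UDP port except the Skype port, falls through to "deny", which is the whole point of the change described above.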

Once again, if you have a system or server that seems to be affected by these changes (i.e., something that was working no longer works after the dates noted above), please contact the CIT Help Desk (x58197 or cit@oberlin.edu) and we will investigate and make the necessary changes.

This page last updated: 09-Mar-2007  