Description of the Networks in the bwCloud SCOPE
General information about the bwCloud Regions[scope_network_1]
The data centers of the universities of Mannheim, Ulm, Karlsruhe and Freiburg block some ports in their own networks for security reasons. The bwCloud region is affected by this as well, because the bwCloud hardware is connected to the central network infrastructure of each site.
Open and closed ports in the bwCloud Mannheim[scope_network_2]
To ensure a certain basic level of protection in the network of the University of Mannheim, certain applications have been blocked at the borders between the university network and BelWü since October 1999. This is not intended to be a central firewall for the university, but rather to filter out the worst nonsense at the external borders of the University of Mannheim, following the "onion-skin principle".
In the range - (well-known ports) the following ports are open in server networks:
Transport | Port | Protocol | Description | Blocking |
---|---|---|---|---|
TCP (open) | 22 | ssh | SSH-Server | in/ outbound |
TCP (open) | 80 | http | Web-Server | in/ outbound |
UDP,TCP (open) | 443 | https | Web-Server over SSL | in/ outbound |
TCP (open) | 465 | smtps | SMTP over SSL | in/ outbound |
TCP (open) | 587 | submission | Message Submission | in/ outbound |
TCP (open) | 990 | FTPs | ftp protocol, control, over TLS/SSL | in/ outbound |
TCP (open) | 993 | IMAPs | IMAP Mail over SSL | in/ outbound |
TCP (open) | 995 | POPs | POP Mail over SSL | in/ outbound |
The following ports are blocked in the range above 1023:
Transport | Port | Protocol | Description | Blocking |
---|---|---|---|---|
TCP | 1433,1434 | MS-SQL | MS-Office | inbound |
TCP | 1501 | TSM | Backup | inbound |
TCP | 1900 | SSDP | Service Discovery | inbound |
UDP,TCP | 2049 | NFS | Filesystem | inbound |
TCP | 2967 | Symantec | Symantec | inbound |
UDP | 3283 | Apple | Apple Remote Desktop | inbound |
TCP | 3306 | mysql | mysql | inbound |
UDP,TCP | 3389 | RDP | Remote Desktop | inbound |
UDP | 3702 | Printer | WS-Discovery | inbound |
UDP,TCP | 4045 | lockd | Filesystem | inbound |
TCP | 4369 | EPMD | PortMapper | inbound |
TCP | 5000 | UPnP | Universal Plug and Play | inbound |
UDP | 5353 | mdns | Multicast DNS | inbound |
TCP | 5432 | PostgreSQL | PostgreSQL | inbound |
TCP | 5985 | WinRM | WinRM | inbound |
TCP | 8333 | Bitcoin | Bitcoin Full Node | inbound |
TCP | 8080 | www-alt | Alternative www port | inbound |
TCP | 9075 | nx-os | Cisco Nexus | inbound |
UDP | 11211 | memcached | memcached | inbound |
TCP | 27017 | MongoDB | MongoDB | inbound |
UDP | 32100 | IoT | IoT | outbound |
UDP | 32414 | open-SSDP | Plex Media Servers | inbound |
Consequences of the packet firewall for users:
The most important effect for users is that the data network runs more reliably and securely. To a large extent, attacks are already blocked at the packet firewall and no longer reach the campus network and end systems. The importance of this protection can be seen in the fact that attack attempts now occur almost daily.
There are, however, a number of restrictions to keep in mind: if a service other than those listed above as generally enabled is to be reachable from outside, this must be reported to the university IT, which will then enable the corresponding service on the packet firewall.
It can also happen that a connection to an external service that was initiated from Mannheim does not work. This is always the case when the external server needs to open a connection back to Mannheim in order to provide the service, which is often not easy for the user to verify.
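The two tables and the two range rules above ("only the listed well-known ports are open", "above 1023 only the listed ports are blocked") can be turned into a small policy model that tells a bwCloud user, before a VM is deployed, whether a planned service will be reachable from outside or needs an enablement request to university IT. The following script is an added example and not part of the bwCloud page or the university's tooling; the table rows are transcribed from this page and embedded inline so it runs offline, and the default-closed/default-open interpretation of the two ranges is an assumption drawn from the page's wording rather than a published ruleset.

```python
# Added example: model of the Mannheim border packet-firewall policy described on this page.
# Assumption: below 1024 only the listed ports are open inbound; above 1023 everything is
# open except the listed ports (blocked in the direction stated in the table).
from dataclasses import dataclass

# Rows transcribed from the page's first table (well-known range, open in/outbound).
OPEN_WELLKNOWN = """\
TCP (open) | 22 | ssh | SSH-Server | in/ outbound |
TCP (open) | 80 | http | Web-Server | in/ outbound |
UDP,TCP (open) | 443 | https | Web-Server over SSL | in/ outbound |
TCP (open) | 465 | smtps | SMTP over SSL | in/ outbound |
TCP (open) | 587 | submission | Message Submission | in/ outbound |
TCP (open) | 990 | FTPs | ftp protocol, control, over TLS/SSL | in/ outbound |
TCP (open) | 993 | IMAPs | IMAP Mail over SSL | in/ outbound |
TCP (open) | 995 | POPs | POP Mail over SSL | in/ outbound |
"""

# Rows transcribed from the page's second table (above 1023, blocked in the stated direction).
BLOCKED_HIGH = """\
TCP | 1433,1434 | MS-SQL | MS-Office | inbound |
TCP | 1501 | TSM | Backup | inbound |
TCP | 1900 | SSDP | Service Discovery | inbound |
UDP,TCP | 2049 | NFS | Filesystem | inbound |
TCP | 2967 | Symantec | Symantec | inbound |
UDP | 3283 | Apple | Apple Remote Desktop | inbound |
TCP | 3306 | mysql | mysql | inbound |
UDP,TCP | 3389 | RDP | Remote Desktop | inbound |
UDP | 3702 | Printer | WS-Discovery | inbound |
UDP,TCP | 4045 | lockd | Filesystem | inbound |
TCP | 4369 | EPMD | PortMapper | inbound |
TCP | 5000 | UPnP | Universal Plug and Play | inbound |
UDP | 5353 | mdns | Multicast DNS | inbound |
TCP | 5432 | PostgreSQL | PostgreSQL | inbound |
TCP | 5985 | WinRM | WinRM | inbound |
TCP | 8333 | Bitcoin | Bitcoin Full Node | inbound |
TCP | 8080 | www-alt | Alternative www port | inbound |
TCP | 9075 | nx-os | Cisco Nexus | inbound |
UDP | 11211 | memcached | memcached | inbound |
TCP | 27017 | MongoDB | MongoDB | inbound |
UDP | 32100 | IoT | IoT | outbound |
UDP | 32414 | open-SSDP | Plex Media Servers | inbound |
"""


@dataclass(frozen=True)
class Rule:
    transports: frozenset  # e.g. {"tcp", "udp"}
    ports: frozenset       # e.g. {1433, 1434}
    protocol: str
    direction: str         # "inbound", "outbound" or "in/outbound"


def parse_table(text):
    """Parse pipe-separated rows in the page's table layout into Rule objects."""
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5:
            continue  # skip blank or malformed rows
        transports = frozenset(t.strip().lower()
                               for t in cells[0].replace("(open)", "").split(","))
        ports = frozenset(int(p) for p in cells[1].split(","))
        rules.append(Rule(transports, ports, cells[2], cells[4].replace(" ", "")))
    return rules


OPEN_RULES = parse_table(OPEN_WELLKNOWN)
BLOCKED_RULES = parse_table(BLOCKED_HIGH)


def _matches(rule, transport, port):
    return transport in rule.transports and port in rule.ports


def inbound_reachable(transport, port):
    """True if an external client can reach this port on a Mannheim server through the border."""
    transport = transport.lower()
    if port <= 1023:  # well-known range: default closed, listed ports open
        return any(_matches(r, transport, port) for r in OPEN_RULES)
    # above 1023: default open, listed ports blocked when the direction says inbound
    return not any(_matches(r, transport, port) and r.direction.startswith("in")
                   for r in BLOCKED_RULES)


def outbound_blocked(transport, port):
    """True if the page lists this port as blocked in the outbound direction."""
    transport = transport.lower()
    return any(_matches(r, transport, port) and r.direction == "outbound"
               for r in BLOCKED_RULES)


def check_plan(services):
    """Classify (name, transport, port) triples a VM wants to expose:
    'reachable' works as-is, 'request' needs an enablement request to university IT."""
    return {name: ("reachable" if inbound_reachable(transport, port) else "request")
            for name, transport, port in services}


if __name__ == "__main__":
    # Constructed sample deployment plan, not taken from the page.
    plan = [("web", "tcp", 443), ("postgres", "tcp", 5432),
            ("jupyter", "tcp", 8888), ("dns", "udp", 53)]
    for name, verdict in check_plan(plan).items():
        print(f"{name:10s} {verdict}")
```

The model reproduces the page's asymmetry: a database on 5432/tcp or a DNS resolver on 53/udp is classified as needing a request, while an unlisted high port such as 8888/tcp passes the border unchanged. Since the page itself stresses that the border filter is only partial protection, a port the script reports as "reachable" is exactly the one that still needs a host firewall or security group on the VM.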
Summary:
The packet firewall has proven itself very well so far. Nevertheless, every operator and user of a computer connected to the network must be aware of two things: the packet firewall only protects against attacks launched from outside the Mannheim data network, and it provides only partial, not absolute, protection.