Description of the Networks in the bwCloud Regions
Generel[scope_network_1]
The data centers of the universities of Mannheim, Ulm, Karlsruhe and Freiburg are blocking some ports in their respective own networks for security reasons. The bwCloud region is also affected by this, as the bwCloud hardware is connected to the central network infrastructure.
The public IP ranges of the bwCloud regions are from the BelWü address range. This address is logically located outside the respective network areas of the hosting universities (= locations of the bwCloud). They are treated as external addresses from the perspective of the respective firewalls of the institutions.
Consequences of the packet firewall for users[scope_network_2]
The most important effect for users is that the data network runs more reliably and securely. Hacker attacks are largely blocked at the packet firewall and no longer reach the campus and end systems. The importance of this protection can be seen from the fact that attack attempts now occur almost daily.
However, there are also a number of restrictions that need to be considered: If services other than those listed above, which are generally enabled, are to be accessible from outside, this must be reported to the university IT department. The corresponding service will then be activated on the packet firewall.
It can also happen that connections to certain services supposedly established from the instance do not work. This is always the case if the external server wants to establish a connection back to the instance to provide the service, which is often not easy for the user to verify.
bwCloud Mannheim: Open and closed ports
To ensure a certain basic protection in the network of the University of Mannheim, certain applications have been blocked at the borders of the university network to BelWü since October 1999. However, this is not intended to be a central firewall for the university, but rather to filter out the worst nonsense at the external borders of the University of Mannheim according to the "onion-skin principle".
In the range - (wellknown ports) the following ports are open in server networks:
| Transport | Port | Protocol | Description | Blocking |
|---|---|---|---|---|
| TCP (open) | 22 | ssh | SSH-Server | in/ outbound |
| TCP (open) | 80 | http | Web-Server | in/ outbound |
| UDP,TCP (open) | 443 | https | Web-Server over SSL | in/ outbound |
| TCP (open) | 465 | smtps | SMTP over SSL | in/ outbound |
| TCP (open) | 587 | submission | Message Submission | in/ outbound |
| TCP (open) | 990 | FTPs | ftp protocol, control, over TLS/SSL | in/ outbound |
| TCP (open) | 993 | IMAPs | IMAP Mail over SSL | in/ outbound |
| TCP (open) | 995 | POPs | POP Mail over SSL | in/ outbound |
The following ports are blocked in the range above 1023:
| Transport | Port | Protocol | Description | Blocking |
|---|---|---|---|---|
| TCP | 1433,1434 | MS-SQL | MS-Office | inbound |
| TCP | 1501 | TSM | Backup | inbound |
| TCP | 1900 | SSDP | Service Discovery | inbound |
| UDP,TCP | 2049 | NFS | Filesystem | inbound |
| TCP | 2967 | Symantec | Symantec | inbound |
| UDP | 3283 | Apple | Apple Remote Desktop | inbound |
| TCP | 3306 | mysql | mysql | inbound |
| UDP,TCP | 3389 | RDP | Remote Desktop | inbound |
| UDP | 3702 | Printer | WS-Discovery | inbound |
| UDP,TCP | 4045 | lockd | Filesystem | inbound |
| TCP | 4369 | EPMD | PortMapper | inbound |
| TCP | 5000 | UPnP | Universal Plug and Play | inbound |
| UDP | 5353 | mdns | Multicast DNS | inbound |
| TCP | 5432 | PostgreSQL | PostgreSQL | inbound |
| TCP | 5985 | WinRM | WinRM | inbound |
| TCP | 8333 | Bitcoin | Bitcoin Full Bode | inbound |
| TCP | 8080 | www-alt | Alternativer www Port | inbound |
| TCP | 9075 | nx-os | Cisco Nexus | inbound |
| UDP | 11211 | memcached | inbound | |
| TCP | 27017 | MongoDB | MongoDB | inbound |
| UDP | 32100 | IoT | IoT | outbound |
| UDP | 32414 | open-SSDP | Plex Media Servers | inbound |
bwCloud Karlsruhe: Closed ports
The following ports are blocked in the network range in Karlsruhe
| Transport | Port | Protocol | Description | Blocking |
|---|---|---|---|---|
| UDP, TCP | 111 | RPC-Portmapper | Portmapper Security | inbound/outbound |
Network range[scope_network_3]
bwCloud Freiburg
Please inform yourself about the operating concept of bwCloud Region Freiburg. In the following table, the designations refer to the bwCloud versions described in the operating concept. The separation of the networks between the bwCloud versions cannot be removed.
| Name | Network | Subnet Mask |
|---|---|---|
| public (cloud01) | 192.52.32.0/21 | 255.255.248.0 |
| public (cloud02) | 192.52.40.0/21 | 255.255.248.0 |
| public-extended (cloud01) | 132.230.224.0/24 | 255.255.255.0 |
| public-extended (cloud02) | 132.230.223.0/24 | 255.255.255.0 |
| internal-extended (cloud01) | 10.20.56.0/21 | 255.255.248.0 |
| internal-extended (cloud02) | 10.20.48.0/21 | 255.255.248.0 |
