Security & Architecture

ResNet connects the residence hall to the Internet. One of ResNet's goals is to provide a secure and reliable network for residents. To accomplish this on such a large scale we have a fairly complicated network structure and policies.

ResNet's Architecture

All residence hall rooms have wired network connections of at least 100 Mb/s. The room network jacks connect to floor switches, which then connect to a building switch at 1 Gb/s. The building switches connect to ResNet's backbone switch in Kerr Administration at 1 Gb/s or 10 Gb/s. The ResNet backbone switch connects to OSU's border router at 10 Gb/s, which is connected to the Internet and Internet2.

There is an Aruba wireless access point (WAP) in every third room or suite (at minimum). The WAPs are dual band (2.4 GHz and 5 GHz radio frequencies) and 802.11a/g/n. The dining halls and some common areas have 802.11ac, as do many academic buildings. The WAPs are all connected to the wired network at 1 Gb/s.

Firewall

For the protection of the network and ResNet users, certain ports are blocked by the OSU firewall. Blocking of these ports protects against common viruses and worms, malicious intruders, and other security exploits. ResNet strongly suggests continued use of your computer's firewall.

Below is a list of the ports ResNet and OSU block and a short explanation of the reason behind the decision to block each port.

  • TCP port 25 (SMTP) outbound: SMTP over port 25 is designated for server to server communication when sending email. Email programs should be configured to use port 587, which is known as the mail submission port, to send email. Because port 587 is now used for mail submission by clients, and port 25 is no longer used for that purpose, and because port 25 is so commonly used by compromised hosts to send spam, we have chosen to block this port in order to cut down on the amount of noise and spam introduced to campus and the rest of the internet by our network. Check the program that you use to send mail (e.g. Outlook), and if you are not using Oregon State University's mail server, ensure that the mail server you are using is configured to use port 587. Check with the provider of the mail server if you have problems sending mail. If you are using OSU's mail server, contact the IS Service Desk.
  • TCP/UDP port 53 (DNS) inbound: Some users choose to set up their own authoritative name servers and/or resolvers. Unfortunately, these devices may be used in, for example, a DNS amplification attack. Because of the poor ratio of properly secured resolvers to open (insecure) resolvers, we have chosen to block queries originating from outside our firewall. If you would like (for a class, for fun, ...) you may still set up a resolver/nameserver on ResNet, but note that it will not be accessible from outside ResNet.
  • UDP port 68 (BOOTP / DHCP) inbound: DHCP is used so that devices can automatically obtain network information from our system once the device is plugged in to the network. In order to reduce the chance of interference from outside, and because we need to be able to control the addresses we assign on our network, we have blocked inbound DHCP traffic from the outside.
  • TCP port 80 (HTTP) inbound: Many computers and devices are inadvertently running or have unmaintained web servers which can leave the device open to vulnerabilities. Allowing inbound access to this port, which is the default in most web server configurations, can be a risk to the security of the network and its users. If you would like to host a website, ONID provides personal web sites for all ONID users.
  • TCP/UDP ports 135, 137 through 139, and 445 (NetBIOS) inbound: NetBIOS services allow file sharing over networks. When improperly configured, they can expose a computer, including its critical system files, to attacks, exploits, and worms.
  • UDP port 520 (RIP) inbound/outbound: RIP (Routing Information Protocol) is used to communicate routing information within a network and can be vulnerable to malicious route updates which provide several attack possibilities.
  • TCP port 1080 (SOCKS) inbound: Servers on the network running SOCKS proxies are known to have vulnerabilities that can lead to compromised hosts. Because more secure alternatives exist and few people currently make use of SOCKS proxies, we have decided to block inbound connections on this port.
  • TCP port 3128 inbound: Similar to SOCKS, hosts running HTTP proxy services on this port are prone to abuse. Additionally, proxy server alternatives exist on campus. For these combined reasons, we have decided to block inbound connections on this port.
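The block list above can be expressed as a small policy table. The following is an added example, not ResNet's or OSU's actual firewall configuration: it models each bullet as a rule, answers whether a given flow (protocol, destination port, direction) is dropped, and renders the same policy as nftables rules for a Linux host sitting between an inside and an outside interface. The interface names "inside" and "outside", the table name, and the one-line reasons are assumptions chosen for illustration; "in" means traffic arriving from outside the firewall toward ResNet hosts and "out" the reverse, matching the page's usage.

```python
"""Added example (not ResNet's own ruleset): model the port-block policy
described on the page, look up a flow against it, and emit equivalent
nftables rules.

Assumptions: interface names "inside"/"outside" and the table name are
placeholders; directions follow the page ("in" = from outside toward ResNet).
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class BlockRule:
    protos: tuple       # ("tcp",), ("udp",) or ("tcp", "udp")
    ports: tuple        # ints or (low, high) ranges, e.g. (135, (137, 139), 445)
    directions: tuple   # ("in",), ("out",) or ("in", "out")
    reason: str         # short note carried into the nftables rule comment


# One entry per bullet on the page; the reasons are paraphrased.
POLICY = (
    BlockRule(("tcp",), (25,), ("out",), "SMTP relay, clients submit on 587"),
    BlockRule(("tcp", "udp"), (53,), ("in",), "open resolvers and DNS amplification"),
    BlockRule(("udp",), (68,), ("in",), "rogue DHCP from outside"),
    BlockRule(("tcp",), (80,), ("in",), "unmaintained web servers"),
    BlockRule(("tcp", "udp"), (135, (137, 139), 445), ("in",), "NetBIOS exposure"),
    BlockRule(("udp",), (520,), ("in", "out"), "RIP malicious route updates"),
    BlockRule(("tcp",), (1080,), ("in",), "SOCKS proxy abuse"),
    BlockRule(("tcp",), (3128,), ("in",), "HTTP proxy abuse"),
)


def _port_matches(port, spec):
    """spec is a single port or an inclusive (low, high) range."""
    if isinstance(spec, tuple):
        low, high = spec
        return low <= port <= high
    return port == spec


def is_blocked(proto, port, direction, policy=POLICY):
    """True if a flow (proto 'tcp'/'udp', destination port, 'in'/'out') is dropped."""
    proto = proto.lower()
    for rule in policy:
        if proto in rule.protos and direction in rule.directions \
                and any(_port_matches(port, p) for p in rule.ports):
            return True
    return False


def _nft_ports(ports):
    """Render ports in nftables set syntax: 25, or { 135, 137-139, 445 }."""
    parts = [f"{p[0]}-{p[1]}" if isinstance(p, tuple) else str(p) for p in ports]
    return parts[0] if len(parts) == 1 else "{ " + ", ".join(parts) + " }"


def render_nftables(policy=POLICY, inside="inside", outside="outside"):
    """Render the policy as an nftables table with an inbound and an outbound chain.

    Both chains hang off the forward hook; which interface pair a packet
    crosses decides whether it is inbound or outbound.
    """
    lines = ["table inet resnet_blocks {"]
    chains = (("in", "inbound", outside, inside),
              ("out", "outbound", inside, outside))
    for direction, chain, iif, oif in chains:
        lines.append(f"    chain {chain} {{")
        lines.append("        type filter hook forward priority 0; policy accept;")
        for rule in policy:
            if direction not in rule.directions:
                continue
            for proto in rule.protos:
                lines.append(
                    f'        iifname "{iif}" oifname "{oif}" {proto} dport '
                    f'{_nft_ports(rule.ports)} drop comment "{rule.reason}"'
                )
        lines.append("    }")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Spot-check the two cases residents most often ask about, then print the ruleset.
    print("mail on 25 outbound blocked:", is_blocked("tcp", 25, "out"))
    print("mail on 587 outbound blocked:", is_blocked("tcp", 587, "out"))
    print(render_nftables())
```

The rendered ruleset keeps a default accept policy and only adds drops, so it mirrors the page's stated intent of blocking a short list of ports rather than allow-listing services. The `is_blocked` lookup is the piece worth reusing: it lets a resident or help-desk script confirm, for instance, that mail submission on port 587 is unaffected while port 25 outbound is not.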