Overview
The campus firewall restricts access to the campus network from the Internet. It protects university resources from abuse or attack by Internet users, who may take advantage of the many vulnerabilities on modern computer systems.
By default, all inbound traffic from the Internet is blocked, and the resource owner must request any desired openings. To learn more about requesting a port opening, see the Request section.
Getting Started
Before requesting that ports be opened, check whether any are already open for your system. To view the current firewall settings for systems you own, visit the Get System Information section of csi.itsec.tamu.edu. Ownership is determined by the group ownership information recorded in Infoblox.
To request a port opening in the campus firewall, go to csi.itsec.tamu.edu or email firewall@tamu.edu. Computers with services reachable through the campus firewall must be scanned for vulnerabilities.
Help and Support
Please see the Guidelines and FAQ section for additional information. If you have any questions or concerns, send an email to firewall@tamu.edu.
Contact Information
- firewall@tamu.edu
Request
Firewall Port Opening
The Texas A&M Campus Firewall blocks all service ports by default. Requests to have a service available outside the campus firewall can be made by sending an email to firewall@tamu.edu or visiting csi.itsec.tamu.edu.
Requests may take up to two business days to complete. If the request is urgent and two business days is not sufficient, mark the request URGENT and state the reason for the urgency. If you receive no response to your email, call Help Desk Central at 979.845.8300 and ask them to contact System and Application Security about your request.
Firewall rules are applied to IP addresses but are requested and referenced by host name. Make all initial firewall change requests for the machine's host name, not its IP address. Because the rule itself is bound to the address, a change of host name or IP address is not picked up automatically: email firewall@tamu.edu about the change so that the firewall settings for that machine continue to work.
Not all ports are allowed to be opened through the campus firewall. For a listing and explanation of exceptions allowed through the firewall, please see the Guidelines section.
Authorization to Request Port Openings
All information resources that have services allowed through the firewall must have valid ownership information, and firewall change requests must be received from a member of an ownership group as listed in Infoblox. Infoblox manages IP addresses and domain name assignments for the campus network.
Requests for changes to the firewall must come from the resource owner or custodian of the machine as recorded in Infoblox; requests received from anyone else are forwarded to the information resource owner for approval. Because of the high turnover among student administrators, firewall change requests from students are not accepted unless approved by a full-time staff member in the department hosting the machine.
Configuration and Security of Port Openings
Information resources must be secured before their services are allowed through the campus firewall. The endpoint must have the vulnerability scanning agent installed and will be scanned; any finding with a severity of Medium or higher must be remediated before the requested ports are opened. Systems that already have services open through the firewall must also run the scanning agent and are scanned periodically to confirm they remain free of vulnerabilities. If a periodic scan finds problems, the owner is notified and IT Security works with the owner to secure the service. For details on the vulnerability scanning program, see https://it.tamu.edu/services/security/security-services/network-vulnerability-scanning/
Guidelines
Firewall Port Restrictions
- The campus firewall is in place to protect the campus network, so not all requested ports can be opened. Note that it is a security violation to run a service on any port other than the IANA-assigned port for that service.
- When a port is opened through the campus firewall, the system operator is responsible for the integrity of the system behind it. The port will be blocked if the machine is considered a security risk to the campus network.
- Insecure protocols (those that provide no encryption and pass traffic, including credentials, in clear text) are generally not allowed through the campus firewall. Examples of insecure services include telnet, ftp, imap and pop; encrypted alternatives exist for each of these (ssh, sftp or ftps, imaps, pop3s).
- All new firewall opening requests for services that are accessed with credentials must use multi-factor authentication. Owners must verify that multi-factor authentication is enabled before a firewall exception is granted.
- Anonymous FTP is allowed. If you are found to be running authenticated FTP (i.e., non-anonymous and unencrypted), the port for that service will be blocked.
- The campus VPN service is an alternative way to reach the campus network that requires no exceptions in the campus firewall.
- Services should run on standard ports: for web services this means port 80 (unencrypted) and port 443 (TLS). Alternate servers on 8000 or 8080 (unencrypted) and 8443 (TLS) are also allowed. For TLS sites, self-signed certificates are NOT allowed on hosts open through the campus firewall; the certificate must be signed by a trusted Certificate Authority. To request a certificate, visit the Certificates website.
- SMTP (port 25) is closed both inbound and outbound for all hosts by default. To learn more, see the Knowledge Base article. If you need port 25 opened, you must document in detail why the Texas A&M mail configuration is not sufficient, and your machine will be checked to verify that it is not relaying mail. To request an exception, email security@tamu.edu.
- Students in the Residence Halls may not request a port opening for computers on ResNet, so no computer on ResNet is reachable from off campus.
- For resource protection, only IT Security and resource owners are permitted to monitor network traffic, and only in the course of investigating a network problem or security incident.
- IT Security regularly audits and tests the firewall rule set to verify its accuracy and effectiveness. If a system is found to be a security risk during an audit, the port(s) for that host may be blocked and the owners contacted about the issue.
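The certificate requirement in the guidelines above is the one a request most often fails on, so here is a self-check you can run before submitting one. It is an added example, not a tool provided by IT Security or the campus firewall service. It assumes a POSIX shell with the openssl command installed; the host name, port and file paths in it are placeholders for your own service. The check distinguishes a self-signed certificate (issuer name equal to subject name) from one issued by a CA, and then asks openssl to verify the chain against the local trust store.

```shell
#!/bin/sh
# Pre-request certificate self-check. Added example; not a tool provided by
# IT Security or the campus firewall service. Assumes the openssl command is
# installed. Host names, ports and paths below are placeholders.

# Subject and issuer distinguished names of a PEM certificate file.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# True (exit 0) when the certificate is self-signed: issuer equals subject.
# A leaf certificate issued by a CA has an issuer that differs from its subject.
is_self_signed() {
    [ "$(cert_subject "$1")" = "$(cert_issuer "$1")" ]
}

# Chain check against the local trust store. Prints "trusted" or "untrusted"
# and returns 0 only when openssl verify accepts it as a server certificate.
chains_to_trusted_ca() {
    if openssl verify -purpose sslserver "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
        return 1
    fi
}

# Save the leaf certificate a running server presents (SNI set to the host
# name) as PEM, so the two checks above can run against the live service.
fetch_server_cert() {  # fetch_server_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Run both checks on a live host and report what the firewall request will hit.
# Returns 0 when the certificate is CA-signed and chains to a trusted root.
check_host() {  # check_host HOST PORT
    tmp=$(mktemp) || return 2
    if ! fetch_server_cert "$1" "$2" "$tmp"; then
        rm -f "$tmp"
        echo "no TLS certificate presented on $1:$2"
        return 2
    fi
    if is_self_signed "$tmp"; then
        echo "$1:$2 presents a self-signed certificate: the request will be refused"
        rc=1
    elif [ "$(chains_to_trusted_ca "$tmp")" = trusted ]; then
        echo "$1:$2 certificate chains to a trusted CA"
        rc=0
    else
        echo "$1:$2 certificate is CA-signed but does not chain to a trusted root here"
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Example usage (placeholder host; replace with your own service):
# check_host www.example.edu 443
```

Run check_host against the host name you intend to put in the request, from a machine that can reach the service. "Trusted" here means trusted by the local machine's certificate store, which is a reasonable proxy but not the same thing as a CA IT Security accepts; a certificate from a private or departmental CA will show as untrusted, and the Certificates website referenced above is the route to one that will be accepted.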