Campus Firewall

Overview

The campus firewall restricts access to the campus network from the Internet. It protects university resources from abuse or attack by Internet users, who may take advantage of the many vulnerabilities on modern computer systems.

By default, all IP protocols except ICMP are blocked and the administrator must request any desired openings. To learn more about requesting a port opening see the Request section.

Getting Started

Before requesting ports to be opened, verify whether any ports are already open for your system. To view the current firewall settings for systems you own, visit the View Firewall Openings section on our scan.tamu.edu website. Ownership is determined by the group ownership information in Infoblox.

To request a port opening in the campus firewall, go to https://scan.tamu.edu or submit a request to firewall@tamu.edu. Computers with services available through the campus firewall must be scanned for vulnerabilities.

Instructions for requesting a departmental firewall can be found on the Departmental Firewall page.

Help and Support

Please see the Guidelines and FAQ section for additional information. If you have any questions or concerns, send an email to firewall@tamu.edu.

Request

Firewall Port Opening

The Texas A&M Campus Firewall blocks all service ports by default. Requests to have a service available outside the campus firewall can be made by sending an email to firewall@tamu.edu or by completing the request form.

Requests may take up to two business days to be completed. If the request is urgent and the two-day timeline is not sufficient, please state that the request is URGENT and include the reason for the urgency. If you do not receive a response to your email, please call Help Desk Central at 979.845.8300 and ask them to contact IT Security concerning your request.

Firewall configuration for a host is based on the DNS host name of that machine (i.e., machinename.tamu.edu) and not IP address. All initial firewall change requests should be made for the machine hostname and not the IP address. If the name of a machine changes, you will need to email firewall@tamu.edu regarding the change to ensure that firewall settings for that machine continue to work. If the IP address for a machine changes, but the hostname remains the same, no firewall changes are needed.

Not all ports are allowed to be opened through the campus firewall. For a listing and explanation of exceptions allowed through the firewall, please see the Guidelines section.

Authorization to Request Port Openings

All machines that have services visible through the firewall must have valid ownership information, and firewall change requests must be received from a member of an ownership group as listed in Infoblox. Infoblox manages IP addresses and domain name assignments for the campus network.

Requests for changes to the firewall must come from the administrator of the machine as recorded in Infoblox. Requests received from anyone else will be forwarded to the machine's administrator for approval. Because of the high turnover rate of student administrators, we do not accept firewall change requests from students unless approved by a full-time staff member in the department hosting the machine.

Configuration and Security of Port Openings

Computers must be secured before their services can be allowed through the campus firewall. The machine will be scanned for vulnerabilities, and any problems reported must be resolved before the requested ports can be opened. Any service open through the firewall will also be scanned periodically to verify that the software and configuration are relatively free of vulnerabilities. If problems are found during these scans, the owner will be notified, and we will work with the owner to help secure the service.

Guidelines

Firewall Port Restrictions

  • The campus firewall is in place to protect the campus network. Therefore, not all requested ports can be opened. Remember it is a security violation to run a service on any port other than the IANA assigned port for that service.

  • When any port is opened through the campus firewall, the system operator is responsible for its integrity. The port will be blocked if the machine is considered a security risk to the campus network.

  • Insecure protocols (protocols that provide no encryption and pass traffic in clear text) are not allowed through the campus firewall. Services affected include telnet, ftp, imap, and pop. Replacements for these services include ssh, scp, secure imap and secure pop.

  • As of March 28, 2018, all new firewall opening requests for services that are accessed with credentials are required to use multi-factor authentication. Owners will need to verify that multi-factor authentication is enabled before a firewall exception is permitted.

  • Anonymous FTP is allowed. However, if you are found to be running authenticated FTP services (i.e., non-anonymous, non-encrypted), we will block the port for this service.

  • An alternative solution to connect to the campus network that does not require exceptions in the campus firewall is the campus VPN Service.

  • Services should run on standard ports: port 80 for unencrypted web traffic and port 443 for SSL-enabled web traffic. We do allow alternate servers on 8000 or 8080 (unencrypted) and 8443 (encrypted). For SSL-encrypted sites, self-signed certificates will NOT be allowed for hosts open through the campus firewall; the certificate must be signed by a trusted Certificate Authority. To request a certificate, visit the Certificates website.

  • The smtp port (port 25) is closed by default for all hosts. This configuration of the Texas A&M SMTP relay servers was implemented to prevent third-party email relaying. To learn more, visit the Infrastructure Services website. If you need the smtp port opened, you must provide detailed documentation of the reasons the Texas A&M configuration is not sufficient, and your machine will be checked to verify that it is not relaying mail. To request an exception, please email security@tamu.edu. The Division of IT will monitor traffic on any exception granted.

  • All incoming IP Traffic is blocked by default at the campus firewall. To open a needed port, send a request to firewall@tamu.edu. The table below shows which ports can be opened through the campus firewall.

  • Incoming ICMP echo requests are blocked by default at the campus firewall. To request an exception to this rule, please email firewall@tamu.edu.

  • TCP and UDP protocols and applications are permitted through the border firewall, both inbound and outbound, subject to the rules policy. IT Security will evaluate the risk to campus of a request. In some cases, a business justification may be required.

  • For resource protection, only IT Security and the resource owners are permitted to monitor network traffic, and only in the course of investigation of a network problem or security incident. Multiple appliances are used to monitor traffic.

  • IT Security will regularly audit and test the firewall rule set to verify accuracy and effectiveness. If a system is found to be a security risk during this audit, the port(s) for that host may be blocked, and the owners will be contacted concerning the issue.

Note: Ports Usually Not Opened require justification and vulnerability scan.

FAQ

Why do we have a campus firewall?
How do I find out the firewall configuration for a certain host?
How do I request a new firewall exception?
What ports can I open through the firewall if I live in a dorm/residence hall?

Why do we have a campus firewall?

The campus firewall restricts access to the Texas A&M campus network from the Internet. It protects campus resources from abuse or attack by Internet users who may take advantage of the many vulnerabilities on modern computer systems.

How do I find out the firewall configuration for a certain host?

Current firewall settings for an individual machine can be viewed at View Firewall Settings. You must provide your NetID and password in order to enter the site. Once this information is entered, all hosts for which you are listed as a group owner in Infoblox will have their firewall settings returned.

How do I request a new firewall exception?

You can request a port opening at https://scan.tamu.edu/campus/. Requests must come from a member of the Infoblox group that is listed as owning the host, and may take up to two business days to be processed. Requests can also be made by email to security@tamu.edu. Please include the IP address or hostname needing the exception, the port(s) to be opened, and the reason for the port opening.

What ports can I open through the firewall if I live in a dorm/residence hall?

Due to changes in network configurations, students in the Residence Halls will no longer be allowed to request a port opening for computers on ResNet. This means that no computer on ResNet can be accessible from off campus.