Security

There are four security topics outlined below: host-based security, port blocking, login hijacking, and use of insecure services. It is important that you read and understand these topics, as the security of your account depends on them.

Host Based Security

We strongly recommend that all LAWN users practice strong Host Based Security on their devices. This includes running a personal firewall, using secure services, keeping current on operating system and application patches, and running an up to date virus scanner. Details on these are available on the OIT Website.

Port Blocking

When the Department of Homeland Security issued an advisory about Microsoft's RPC vulnerability, several units expressed concern over the security of our Local Area Wireless Network (LAWN). Due to the inherent insecurities of wireless networks, they should often be treated as untrusted networks. As such, we will be implementing the same filters on the LAWN that exist at our campus borders. The impact of blocking these ports will be loss of access to some applications, such as Windows File Sharing. The following blocks were put in place at 8AM on 8/13/03:

Port(s)      Protocol   Service
69           udp        tftp - Trivial FTP
111          tcp/udp    SunRPC - Sun's Remote Procedure Call port
135          tcp        DCE endpoint resolution
137-139      tcp/udp    NetBIOS - ports used for Windows file shares & SAMBA drive mounts
161          udp        SNMP - Simple Network Management Protocol
445          tcp/udp    Windows Secure File Share - File sharing between Windows 2000 and Windows XP systems
515          tcp        Line Printer - Printer daemon with multiple exploits across multiple UNIX operating systems
1433-1434    tcp/udp    Microsoft SQL
1521         tcp/udp    Oracle8i Listener
2049         tcp/udp    SunNFS - provides Sun drive mounts initialized on port 111
27374        tcp/udp    default subSeven - port commonly used for subSeven trojan
31337        tcp/udp    default Back Orifice - port commonly used for BO trojan

Login Hijacking

Because of the architecture of the LAWN network, there is a chance that someone may try to fool your computer into contacting a rogue server and presenting you with a fake LAWN login screen. The purpose behind such an attack would be to gain your login and password.

Though LAWN may look on the surface to be susceptible to such an attack, if you pay attention to how your browser presents the LAWN login screen, you can avoid being fooled. You should look for two things:

  • First, check that your browser's URL matches exactly:

    https://auth.lawn.gatech.edu/lindex.php

    Pay close attention to the https:// prefix. It must say https:// and not http://. If your browser displays anything other than the above URL, do not log in. Report the problem to the OIT Customer Support Center (404-894-7173, support@oit.gatech.edu).
  • Second, make sure that your browser creates the https:// connection cleanly, without any warning messages. If, after clicking the Login button, you get a pop-up alerting you to any warning or error, do not log in. The warning may say something like "The name on the security certificate does not match the name of the site" or "The security certificate was issued by a company you have not chosen to trust..." or something similar. Report the error to the OIT Customer Support Center (404-894-7173, support@oit.gatech.edu).
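The two checks above can be made mechanical, which is useful for anyone writing a login helper or teaching users what "matches exactly" means. The Python below is an added example, not LAWN's login page or client: `login_url_problems` lists every way a URL deviates from the expected one (wrong scheme, a `user@` part in front of the host, a different or longer host name, a non-standard port, a different path), and `browser_grade_tls_context` builds the client-side equivalent of the second check, a TLS context that refuses untrusted or mis-named certificates instead of prompting. Ignoring the query string is an assumption; the page does not say whether the real login page is ever reached with parameters.

```python
import ssl
from urllib.parse import urlsplit

# The login URL exactly as the page gives it.
EXPECTED_LOGIN_URL = "https://auth.lawn.gatech.edu/lindex.php"


def login_url_problems(url, expected=EXPECTED_LOGIN_URL):
    """List every way `url` deviates from the expected login URL.

    An empty list means it passes the page's "matches exactly" check. The host
    comparison is case-insensitive (urlsplit lowercases it), everything else is
    literal. Query string and fragment are deliberately not compared (assumption)."""
    exp = urlsplit(expected)
    problems = []
    try:
        got = urlsplit(url.strip())
        host, port = got.hostname, got.port   # .port raises ValueError on junk like ":abc"
    except ValueError as exc:
        return [f"URL could not be parsed: {exc}"]
    if got.scheme != "https":
        problems.append(f"scheme is {got.scheme or '(none)'!r}, not https")
    if got.username is not None or got.password is not None:
        # "https://auth.lawn.gatech.edu@203.0.113.5/..." really connects to 203.0.113.5
        problems.append("a user@ part precedes the host; the real host is what follows the @")
    if host != exp.hostname:
        problems.append(f"host is {host!r}, expected {exp.hostname!r}")
    if port not in (None, 443):
        problems.append(f"non-standard port {port}")
    if got.path != exp.path:
        problems.append(f"path is {got.path!r}, expected {exp.path!r}")
    return problems


def is_expected_login_url(url):
    return not login_url_problems(url)


def browser_grade_tls_context():
    """TLS settings a client should use for the login page: the certificate must
    chain to a trusted CA and its name must match the host. These are the two
    conditions behind the browser warnings the page says not to click through."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # Constructed inputs: the genuine URL and a few that should be refused.
    for candidate in [
        "https://auth.lawn.gatech.edu/lindex.php",
        "http://auth.lawn.gatech.edu/lindex.php",
        "https://auth.lawn.gatech.edu.example.net/lindex.php",
        "https://auth.lawn.gatech.edu@203.0.113.5/lindex.php",
    ]:
        print(candidate, "->", login_url_problems(candidate) or "OK")
```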

Use of Insecure Services

Many frequently used Internet protocols (e.g. http, POP, IMAP, telnet, ftp) transmit account and password information in "clear text", unencrypted. The danger is that anyone with a machine on the same network as a machine using those protocols can easily acquire any login and password sent with them (e.g. if you use Eudora to POP email while on LAWN, someone can easily steal the login and password you use to access your email server). LAWN is a shared network. Using unencrypted protocols on just about any shared network (including LAWN) places you at risk and is a bad idea. The following table offers safe alternatives for the most common protocols:

POP, IMAP, SMTP

POP, IMAP and SMTP are protocols used by email clients to read and send email messages. If you use Eudora, Outlook or Outlook Express, you are most likely using POP or IMAP to read your mail and SMTP to send mail.

Without encryption, when you use POP or IMAP to log into your email server to retrieve your messages, your login and password are sent in the clear and can be intercepted. Most email clients default to using non-encrypted POP or IMAP. However, both POP and IMAP can be enabled to use encryption, via SSL/TLS (POPs/IMAPs).

Both your email client and email server must support POP or IMAP encryption. OIT's SPECTRUM email service allows users to read email via unencrypted and encrypted versions of POP and IMAP. If you are checking email from the LAWN you should be using encrypted POP or IMAP only. If you don't, you place your login and password information at risk.

SMTP is used to send email, and like POP and IMAP is usually unencrypted. Some email servers allow for secure (AKA SSL encrypted) SMTP and you should use it if your email server supports it. OIT's SPECTRUM email service allows for encrypted SMTP.

telnet

Information passed via telnet is not encrypted. For example, if you use telnet to log in to acme, your username and password are sent to acme in the clear and can be intercepted. Interactive connectivity can be achieved with encryption using ssh (secure shell). There are commercial/shareware/freeware ssh clients for various operating systems. The machine you are connecting to via ssh must be running an ssh server (acme can be accessed via ssh).

ftp

FTP sends its login information, as well as its files, unencrypted. There are two popular secure alternatives, sftp and scp. As with ssh above, commercial/shareware/freeware sftp and scp clients are available for various platforms. And again, the machines you are contacting via sftp/scp must be running an sftp or ssh server (respectively).

Another common use of ftp is public access to files (i.e. "anonymous ftp"). In the case of anonymous ftp there is less of a risk, as the account/password ("anonymous" or "ftp", and an email address) are shared and publicly known.

http

Any information that you submit via a form on a web page can be intercepted if the site you are viewing is using http and not https. All major web browsers support https, so there is no additional software for you to use. Just be aware that sensitive information shouldn't be typed into any form on a page whose URL begins with http://.
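The point of the table is that a login sent over any of these protocols is readable by anyone positioned on the shared network; a network operator or a user auditing their own client can detect exactly that. The Python below is an added example, not an OIT or LAWN tool: `detect` runs over constructed session records (destination port plus the client's application-layer text) and reports each cleartext login it sees for POP, IMAP, FTP, HTTP Basic, SMTP AUTH PLAIN and telnet, naming the account but never copying the secret into the finding, and pointing to the alternative the page recommends. Anonymous ftp is reported at low severity, matching the page's caveat about shared public accounts. The `Record` class and `SAMPLE` data are constructed for illustration.

```python
import base64
import re
from dataclasses import dataclass


@dataclass
class Record:
    """Constructed stand-in for one client-to-server session as a passive monitor
    would reassemble it: the destination port plus the client's text."""
    src: str
    dst: str
    dport: int
    payload: str


# Ports the page lists as cleartext, and the alternative it recommends for each.
CLEARTEXT = {
    21: ("ftp", "sftp or scp"),
    23: ("telnet", "ssh"),
    25: ("smtp", "SSL/TLS encrypted SMTP"),
    80: ("http", "https"),
    110: ("pop3", "POP over SSL/TLS (POPs)"),
    143: ("imap", "IMAP over SSL/TLS (IMAPs)"),
}

USER_CMD = re.compile(r"^USER\s+(\S+)", re.I | re.M)          # POP3 and FTP
PASS_CMD = re.compile(r"^PASS\s+\S+", re.I | re.M)
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+(\S+)\s+\S+", re.I | re.M)
HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.I | re.M)
SMTP_PLAIN = re.compile(r"^AUTH\s+PLAIN\s+([A-Za-z0-9+/=]+)", re.I | re.M)
TELNET_PROMPT = re.compile(r"password:", re.I)


def _basic_user(token):
    """Account name from an HTTP Basic token (base64 of 'user:password')."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "?"
    return raw.split(b":", 1)[0].decode("utf-8", "replace")


def _plain_user(token):
    """Account name from SASL PLAIN (base64 of 'authzid\\0authcid\\0password')."""
    try:
        parts = base64.b64decode(token, validate=True).split(b"\0")
    except ValueError:
        return "?"
    return parts[1].decode("utf-8", "replace") if len(parts) >= 3 else "?"


def detect(records):
    """One finding per session that carried a login in the clear; the secret
    itself is never stored, only the fact that it was exposed."""
    findings = []
    for r in records:
        if r.dport not in CLEARTEXT:
            continue                      # encrypted or unrelated port: nothing readable
        proto, alternative = CLEARTEXT[r.dport]
        user = None
        if proto in ("ftp", "pop3") and PASS_CMD.search(r.payload):
            m = USER_CMD.search(r.payload)
            user = m.group(1) if m else "?"
        elif proto == "imap" and (m := IMAP_LOGIN.search(r.payload)):
            user = m.group(1)
        elif proto == "http" and (m := HTTP_BASIC.search(r.payload)):
            user = _basic_user(m.group(1))
        elif proto == "smtp" and (m := SMTP_PLAIN.search(r.payload)):
            user = _plain_user(m.group(1))
        elif proto == "telnet" and TELNET_PROMPT.search(r.payload):
            user = "(interactive login)"
        if user is None:
            continue
        # Anonymous ftp uses a shared, public account: lower risk, per the page.
        anonymous = proto == "ftp" and user.lower() in ("anonymous", "ftp")
        findings.append({
            "src": r.src, "dst": r.dst, "proto": proto, "user": user,
            "password": "<redacted>",
            "severity": "low" if anonymous else "high",
            "use_instead": alternative,
        })
    return findings


# Constructed sample sessions (addresses, names and the password are made up).
SAMPLE = [
    Record("10.0.3.4", "10.0.9.9", 110, "USER jdoe\r\nPASS hunter2\r\nSTAT\r\n"),
    Record("10.0.3.4", "10.0.9.8", 21, "USER anonymous\r\nPASS jdoe@example.net\r\nLIST\r\n"),
    Record("10.0.3.4", "10.0.9.7", 143, "a001 LOGIN jdoe hunter2\r\n"),
    Record("10.0.3.4", "10.0.9.6", 80,
           "GET /private/ HTTP/1.1\r\nHost: intranet.example.net\r\n"
           "Authorization: Basic amRvZTpodW50ZXIy\r\n\r\n"),
    Record("10.0.3.4", "10.0.9.5", 995, "(TLS: opaque to a passive observer)"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f"{f['severity']:4} {f['proto']:6} {f['src']} -> {f['dst']} "
              f"user={f['user']} use {f['use_instead']} instead")
```

The POPs session on port 995 produces no finding because its payload is ciphertext to an observer, which is exactly the property the page is recommending.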

What is Inbound Service Security?

Inbound Service Security (ISS) uses stateful packet inspection to help protect your LAWN connected device from hacking/virus attacks originating from outside of the LAWN network.

When Inbound Service Security is enabled for your LAWN session, hosts outside of the LAWN network are blocked from connecting to services running on your machine. For example, if your LAWN connected device is running a web server, with Inbound Service Security enabled, hosts not on the LAWN network will not be able to connect to your machine's web server.

A service can be provided by any application on your machine which listens for and accepts TCP connections to your machine by another host. Because these services commonly present vulnerabilities which hackers exploit, and are often unintentionally enabled, it is in your best interest, security-wise, to use Inbound Service Security when logging into LAWN. ISS will be enabled for your LAWN login session unless you check the "disable Inbound Service Security" box on the login form.

Note that Inbound Service Security is not a complete security solution; you should make sure your computer is up to date with vendor supplied patches, disable any unnecessary services, and utilize a personal firewall.

If you have reason to offer services from your LAWN host to users outside of the LAWN, you can disable the default blocking behaviour via the checkbox on the LAWN login page, or by passing the proper arguments if you use the command line login method. By disabling this safeguard, you accept full responsibility for the increased risk associated with allowing connections to your machine. Please note that disabling Inbound Service Security allows outside-of-LAWN access to any TCP port in use by any service on your machine.
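The behaviour described in this section, stateful inspection that lets replies to your own outbound connections in while dropping new TCP connections from outside LAWN, is easy to model. The Python below is an added example, not LAWN's actual ISS implementation: it keeps a table of outbound TCP connections opened by LAWN hosts, passes inbound packets that belong to one of them, drops any other inbound TCP packet from outside, and passes everything when ISS is disabled, which mirrors the login-page checkbox. The `10.0.0.0/16` range is a constructed placeholder for the LAWN address space, which the page does not give, and the filter deliberately models only TCP, as the page describes ISS in terms of TCP services.

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the LAWN address space (the real range is not on the page).
LAWN_NET = ipaddress.ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False


class InboundServiceFilter:
    """Minimal stateful model of ISS.

    Outbound TCP connection attempts from LAWN hosts are remembered; packets from
    outside are let in only if they belong to one of those connections. With
    `enabled=False` (the "disable Inbound Service Security" checkbox) every
    listening TCP port on the LAWN host is reachable from outside."""

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.flows = set()   # (lawn_ip, lawn_port, remote_ip, remote_port)

    def process(self, pkt):
        """Return 'pass' or 'drop' for one packet, updating connection state."""
        src_in = ipaddress.ip_address(pkt.src) in LAWN_NET
        dst_in = ipaddress.ip_address(pkt.dst) in LAWN_NET
        if pkt.proto != "tcp":
            return "pass"              # the page describes ISS for TCP services only
        if src_in and not dst_in:      # outbound: record new connection attempts
            if pkt.syn and not pkt.ack:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        if dst_in and not src_in:      # inbound from outside LAWN
            if not self.enabled:
                return "pass"          # ISS disabled: any listening TCP port is exposed
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "pass"          # reply to a connection this host initiated
            return "drop"              # unsolicited connection to a local service
        return "pass"                  # LAWN-to-LAWN or transit: outside ISS's scope


if __name__ == "__main__":
    # Constructed scenario: a LAWN host browses out, then an outside host tries
    # to reach a web server running on that same LAWN host.
    iss = InboundServiceFilter()
    print(iss.process(Packet("10.0.3.4", "198.51.100.7", 51000, 443, syn=True)))        # pass
    print(iss.process(Packet("198.51.100.7", "10.0.3.4", 443, 51000, syn=True, ack=True)))  # pass
    print(iss.process(Packet("198.51.100.7", "10.0.3.4", 40000, 80, syn=True)))          # drop
```

Note what the model does not do: it does not protect a LAWN host from other LAWN hosts, which is why the page still asks for a personal firewall and patching, and it says nothing about the UDP ports that the separate port-blocking filters cover.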

Security Forum

We welcome input into our Security forum. Please feel free to add to the forum below in regard to security related topics. Our hope is that a contribution from the campus will enrich the information of this site for all to benefit.

Please note that the forums are not meant as a replacement for the official OIT help system REMEDY, which can be reached via email (support@oit.gatech.edu) or via the web at http://remedy.gatech.edu/request.html.

Security
This forum discusses security issues surrounding wireless usage.
Forum Posts
gth625n

Posted:
May 2, 2005, 7:59 pm

Is there an outgoing smtp mail server available to LAWN users?
GT54

Posted:
June 21, 2005, 4:45 pm

 
smtp.mail.gatech.edu should work.
Ilya Dovidovskii

Posted:
June 30, 2005, 9:16 am


Modified
June 30, 2005, 9:17 am

How can I log in to LAWN through the command prompt, and how do I configure it to either enable or disable the ISS? (Meaning, what command string should I run in the command prompt?)
Matthew J. Sanders

Posted:
June 30, 2005, 10:34 am

 
check out this page:

http://www.lawn.gatech.edu/help/command_line.html
gth274a

Posted:
July 28, 2005, 12:32 pm

Why does GT LAWN keep sending me packets? I have been watching my firewall and there are users on the network trying to get information off my computer. (I have the date, IP address and what they were looking at.) Some are NetBIOS...
gth730n

Posted:
September 9, 2005, 3:12 pm

 
Why does my browser keep on sending me back to the fastpass website no matter what address I put in the search?
bw171

Posted:
March 8, 2006, 5:05 pm

Has anyone experienced problems connecting to TCP/IP printer ports from LAWN?
gth877g

Posted:
April 15, 2006, 11:48 am

 
Matthew Mehall McKeon

Posted:
July 17, 2006, 5:00 pm


Modified
July 17, 2006, 5:01 pm

 
Does one need to authenticate to LAWN in order to connect to other machines on the subnet? Let's say I have a server that provides a UPnP service on LAWN, and only needs to be visible (and available) to other LAWN-connected devices. Because it advertises itself on the subnet, it doesn't need a static IP or any kind of internet access. Can that server simply connect to LAWN wirelessly on bootup (using WEP) and avoid having to authenticate?

The reason that I ask is that I often see iTunes shares and other Bonjour services from other LAWN users before I authenticate to LAWN.
GT09

Posted:
July 20, 2007, 12:35 pm


Modified
July 20, 2007, 12:38 pm

 
what ports are open for udp for incoming connections?
jmckillop3

Posted:
November 27, 2007, 1:56 pm

 
Are there any plans to switch to WPA2-PSK?
glawal3

Posted:
December 17, 2007, 12:04 am

How do I log in?
This service is provided to authorized clients only.
Unauthorized access to this service is prohibited.

This page last modified: Jun 7, 2005 at 04:17 PM EDT