Security

Strong Host-Based Security

We strongly recommend that all LAWN users practice strong Host-Based Security on their devices. This includes running a personal firewall, using secure services, keeping current on operating system and application patches, and running an up-to-date virus scanner. Details on these are available on the OIT Website.

Port Blocking

Due to the inherent insecurities of wireless networks, they should be treated as untrusted networks. We have implemented filters on the LAWN at our campus borders that block the ports listed below. The impact of blocking these ports is the loss of access to some applications, such as Windows File Sharing.

Port         Proto     Service
69           udp       tftp - Trivial FTP
111          tcp/udp   SunRPC - Sun's Remote Procedure Call port
135          tcp       DCE endpoint resolution
137-139      tcp/udp   NetBIOS - ports used for Windows file shares & SAMBA drive mounts
161          udp       SNMP - Simple Network Management Protocol
445          tcp/udp   Windows Secure File Share - File sharing between Windows 2000 and Windows XP systems
515          tcp       Line Printer - Printer daemon with multiple exploits across multiple UNIX operating systems
1433-1434    tcp/udp   Microsoft SQL
1521         tcp/udp   Oracle8i Listener
2049         tcp/udp   SunNFS - provides Sun drive mounts initialized on port 111
27374        tcp/udp   default subSeven - port commonly used for subSeven trojan
31337        tcp/udp   default Back Orifice - port commonly used for BO trojan

Login Hijacking

Because of the architecture of the LAWN network, there is a chance that someone may try to fool your computer into contacting a rogue server and presenting you with a fake LAWN login screen. The purpose behind such an attack would be to gain your login and password.

Though LAWN may look on the surface to be susceptible to such an attack, if you pay attention to how your browser presents the LAWN login screen, you can avoid being fooled. You should look for two things:

  • First, check to see that your browser URL matches exactly:

    https://auth.lawn.gatech.edu/lindex.php

    Pay close attention to the https:// prefix. It must say https:// and not http://. If your browser displays anything other than the above URL, do not log in. Report the problem to the OIT Technology Support Center (404-894-7173, support@oit.gatech.edu).
  • Make sure that your browser creates the https:// connection cleanly, without any warning messages. If, after clicking the Login button, you get a pop-up message alerting you to any warning or error, do not log in. The warning may say something like "The name on the security certificate does not match the name of the site" or "The security certificate was issued by a company you have not chosen to trust," or something similar. Report the error to the OIT Technology Support Center (404-894-7173, support@oit.gatech.edu).
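As an added illustration (not code from the LAWN site), the two checks above written out as a small Python routine: the exact URL comparison, and the certificate name and issuer checks that sit behind the browser warnings quoted above. The certificate records and the issuer name are constructed sample data.

```python
from urllib.parse import urlsplit

EXPECTED_LOGIN_URL = "https://auth.lawn.gatech.edu/lindex.php"

def url_matches_expected(url: str, expected: str = EXPECTED_LOGIN_URL) -> bool:
    """Check 1: the scheme must be https and host and path must match exactly."""
    got, want = urlsplit(url), urlsplit(expected)
    return (got.scheme == "https" and got.hostname == want.hostname
            and got.port in (None, 443) and got.path == want.path)

def name_matches(hostname: str, cert: dict) -> bool:
    """Browser-style name check: the host must equal a SAN entry (or the CN when
    no SANs exist); a wildcard is honoured only as the leftmost label."""
    host_labels = hostname.lower().split(".")
    for name in cert.get("san") or [cert["subject_cn"]]:
        labels = name.lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels == host_labels or (labels[0] == "*" and labels[1:] == host_labels[1:]):
            return True
    return False

def certificate_warnings(hostname: str, cert: dict, trusted_issuers: set) -> list:
    """Check 2: the warnings a browser would raise; an empty list means the
    https connection was made cleanly."""
    warnings = []
    if not name_matches(hostname, cert):
        warnings.append("name on the security certificate does not match the site")
    if cert["issuer"] not in trusted_issuers:
        warnings.append("security certificate issued by an authority you do not trust")
    return warnings

def safe_to_log_in(url: str, cert: dict, trusted_issuers: set) -> bool:
    """Both checks from this page must pass before credentials are entered."""
    host = urlsplit(url).hostname or ""
    return url_matches_expected(url) and not certificate_warnings(host, cert, trusted_issuers)

# Constructed sample data (hypothetical certificates and issuer, not real ones).
TRUSTED_ISSUERS = {"Constructed Campus Root CA"}
GOOD_CERT = {"subject_cn": "auth.lawn.gatech.edu", "san": ["auth.lawn.gatech.edu"],
             "issuer": "Constructed Campus Root CA"}
MISMATCH_CERT = {"subject_cn": "other.example", "san": ["other.example"],
                 "issuer": "Constructed Campus Root CA"}
UNTRUSTED_CERT = {"subject_cn": "auth.lawn.gatech.edu", "san": ["auth.lawn.gatech.edu"],
                  "issuer": "Constructed Unknown Issuer"}
```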

Use of Insecure Services

Many frequently used Internet protocols (e.g. http, POP, IMAP, telnet, ftp) transmit account and password information in "clear text," unencrypted. The danger of this is that anyone with a machine on the same network as a machine using those protocols can easily acquire any login and passwords sent using those protocols (e.g., if you use Eudora to POP email while using LAWN, someone can easily steal your login and password that you use to access your email server). LAWN is a shared network. Using unencrypted protocols on just about any shared network (including LAWN) places you at risk and is a bad idea. The following table offers safe alternatives for the most common protocols:


POP, IMAP, SMTP

POP, IMAP and SMTP are protocols used by email clients to read and send email messages. If you use Eudora, Outlook or Outlook Express, you are most likely using POP or IMAP to read your mail and SMTP to send mail.

Without encryption, when you use POP or IMAP to log into your email server to retrieve your messages, your login and password are sent in the clear and can be intercepted. Most email clients default to using non-encrypted POP or IMAP. However, both POP and IMAP can be enabled to use encryption, via SSL/TLS (POPs/IMAPs).

Both your email client and email server must support POP or IMAP encryption. OIT's SPECTRUM email service allows users to read email via unencrypted and encrypted versions of POP and IMAP. If you are checking email from the LAWN you should be using encrypted POP or IMAP only. If you don't, you place your login and password information at risk.

SMTP is used to send email, and like POP and IMAP is usually unencrypted. Some email servers allow for secure (AKA SSL encrypted) SMTP and you should use it if your email server supports it. OIT's SPECTRUM email service allows for encrypted SMTP.

telnet

Information passed via telnet is not encrypted. For example, if you use telnet to log in to acme, then your username and password are sent to acme in the clear, and thus can be intercepted. Interactive connectivity can be achieved with encryption using ssh (secure shell). There are commercial/shareware/freeware ssh clients for various operating systems. The machine you are connecting to via ssh must be running an ssh server (acme can be accessed via ssh).
ftp

FTP sends its login information, as well as its files, unencrypted. There are two popular secure alternatives, sftp and scp. As with ssh above, commercial/shareware/freeware sftp and scp clients are available for various platforms. And again, the machines you are contacting via sftp/scp must be running an sftp or ssh server (respectively).

Another common use of ftp is public access to files (i.e., "anonymous ftp"). In the case of anonymous ftp, there is less of a risk, as the account/password ("anonymous" or "ftp," and an email address) are shared and publicly known.

http

Any information that you submit via a form on a Web page can be intercepted if the site you are viewing is using http and not https. All major Web browsers support https, so there is no additional software for you to use. Just be aware that sensitive information shouldn't be typed into any form on a page whose URL begins with http://.

What are the LAWN network ranges?

LAWN is composed of multiple networks. How you access the LAWN determines which network range you will be assigned to. If you are attempting to configure your host-based firewall and would like to control traffic to/from the LAWN network ranges, they are published here for your convenience:

CIDR                VLAN   Network Notes
143.215.48.0/20     1248   GTwifi
143.215.80.0/20     1280   GTwifi
143.215.96.0/20     1296   GTother
143.215.112.0/20    1312   GTwifi
143.215.132.0/24    1332   GTwifi ISS Disabled
143.215.204.0/22    804    Wired LAWN
128.61.0.0/20       300    GTwifi (INCOMING)
128.61.16.0/20      316    GTwifi
128.61.32.0/20      332    GTwifi
128.61.48.0/20      348    GTwifi
128.61.64.0/20      364    GTwifi
128.61.112.0/20     808    GTwifi

What is Inbound Service Security?

Inbound Service Security (ISS) uses stateful packet inspection to help protect your LAWN-connected device from hacking/virus attacks originating from outside of the LAWN network.

When Inbound Service Security is enabled for your LAWN session, hosts outside of the LAWN network are blocked from connecting to services running on your machine. For example, if your LAWN-connected device is running a Web server, with Inbound Service Security enabled, hosts not on the LAWN network will not be able to connect to your machine's Web server.

A service can be provided by any application on your machine which listens for and accepts TCP connections to your machine by another host. Because these services commonly present vulnerabilities which hackers exploit, and are often unintentionally enabled, it is in your best interest, security-wise, to use Inbound Service Security when logging into LAWN. ISS will be enabled for your LAWN login session unless you check the "disable Inbound Service Security" box on the login form.

Note that Inbound Service Security is not a complete security solution; you should make sure your computer is up-to-date with vendor supplied patches, disable any unnecessary services, and utilize a personal firewall.

On GTwifi: By default, GTwifi users are placed behind a stateful firewall (ISS enabled), which does not allow unsolicited connections from outside of LAWN. If you do not want a stateful firewall (ISS disabled) on GTwifi, please contact lawn-support@gatech.edu and include your GT account and the wireless MAC address of the device. This setting is permanent until you request us to change it back.

By disabling this safeguard, you accept full responsibility for the increased risk associated with allowing connections to your machine. Please note that disabling Inbound Service Security allows access from outside of the LAWN network to any TCP port in use by any service on your machine.

An important technical note: Communication is automatically permitted between any two LAWN hosts (without authenticating), regardless of network (LAWN utilizes multiple networks). When using GTwifi, all of your devices (logged in under the same username) should be on the same network (unless you have requested ISS disabled).

For those of you who need additional technical information: for devices placed on the same Layer 2 network, broadcast-based services (such as Apple's Bonjour protocol) should work as expected. If you need any additional details or have any specific questions, please contact the LAWN Services Team (at lawn-support@gatech.edu).
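An added model (not the LAWN service's own code) of the two filters this page describes, the campus-border port blocks from the Port Blocking table and Inbound Service Security, using the ranges and ports published above. It treats every non-LAWN address as "outside the campus border", which is a simplification, and is meant for sanity-checking what a host-based firewall rule set should expect.

```python
from ipaddress import ip_address, ip_network

# LAWN network ranges published on this page.
LAWN_RANGES = [ip_network(c) for c in (
    "143.215.48.0/20", "143.215.80.0/20", "143.215.96.0/20", "143.215.112.0/20",
    "143.215.132.0/24", "143.215.204.0/22", "128.61.0.0/20", "128.61.16.0/20",
    "128.61.32.0/20", "128.61.48.0/20", "128.61.64.0/20", "128.61.112.0/20",
)]

# Ports filtered at the campus border, per protocol, as (low, high) ranges,
# taken from the Port Blocking table on this page.
BORDER_BLOCKED = {
    "tcp": [(111, 111), (135, 135), (137, 139), (445, 445), (515, 515),
            (1433, 1434), (1521, 1521), (2049, 2049), (27374, 27374), (31337, 31337)],
    "udp": [(69, 69), (111, 111), (137, 139), (161, 161), (445, 445),
            (1433, 1434), (1521, 1521), (2049, 2049), (27374, 27374), (31337, 31337)],
}

def on_lawn(ip: str) -> bool:
    """True if the address falls inside any published LAWN range."""
    addr = ip_address(ip)
    return any(addr in net for net in LAWN_RANGES)

def border_blocked(proto: str, dport: int) -> bool:
    """True if the destination port is on the border filter list for this protocol."""
    return any(low <= dport <= high for low, high in BORDER_BLOCKED[proto])

def evaluate(src: str, dst: str, proto: str, dport: int, iss_enabled: bool = True) -> str:
    """Classify a NEW flow from src to dst (replies to an already-allowed flow
    are not modelled). Returns 'allow' or the reason the flow is dropped.
    Simplifying assumption: any non-LAWN address counts as outside the campus
    border, so the border filters apply to every LAWN<->non-LAWN flow."""
    src_lawn, dst_lawn = on_lawn(src), on_lawn(dst)
    if src_lawn and dst_lawn:
        return "allow"  # LAWN-to-LAWN traffic is permitted regardless of network
    if border_blocked(proto, dport):
        return "blocked at campus border"
    if dst_lawn and proto == "tcp" and iss_enabled:
        return "blocked by Inbound Service Security"  # unsolicited inbound TCP
    return "allow"

if __name__ == "__main__":
    # 198.51.100.0/24 is a documentation range, used here as a constructed outside host.
    for flow in (("198.51.100.9", "143.215.50.1", "tcp", 445),
                 ("198.51.100.9", "143.215.50.1", "tcp", 8080),
                 ("143.215.50.1", "128.61.120.7", "tcp", 445)):
        print(flow, "->", evaluate(*flow))
```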

Security Forum

We welcome input into our Security forum. Please feel free to add to the forum below in regard to security-related topics. Our hope is that a contribution from the campus will enrich the information of this site for all to benefit.

Please note that the forums are not meant as a replacement for the official OIT help system ServiceDesk (which can be reached via email, support@oit.gatech.edu, or via the phone at 404-894-7173).


Security
This forum discusses security issues surrounding wireless usage.
Forum Posts
Ilya Dovidovskii

Posted:
June 30, 2005, 9:16 am


Modified
June 30, 2005, 9:17 am

How can I login into LAWN through command prompt, and how do I configure it to either enable or disable the ISS? (meaning what command string should I run in the command prompt).
Matthew J. Sanders

Posted:
June 30, 2005, 10:34 am

check out this page:

http://www.lawn.gatech.edu/help/command_line.html
William J. Miller

Posted:
April 24, 2013, 1:06 pm


This page last modified: Feb 13, 2017 at 03:48 PM EST