Last Updated: February 5, 2002
With the increase in attacks on the Internet, the need for security and protection rises. At Queen's University, ITServices has installed a number of blocks and protections into the gateway between Queen's and the Internet.
These measures have been put into place to limit the amount of mail Spam received on campus, to keep known trojan horses from being reached from off-campus, and to protect against possible exploits of open services on campus. A brief summary of some of the services blocked is given in this document.
Access to the SMTP port (TCP port 25) of most machines at Queen's is blocked from off-campus. The primary reason for this is to prevent access to systems that are not secured against third-party mail relay (open relays). Before this restriction was put in place, systems at Queen's were relaying thousands of pieces of Spam daily. In addition, some systems at Queen's still run old versions of mail transfer agents (e.g. sendmail, Exchange) for which there are known exploits. Blocking off-campus access to them provides a small measure of protection.
Mail is delivered to systems at Queen's through a small number of "mail gateways" whose SMTP ports are open to off-campus connections. These mail gateways accept mail from off-campus sites, filter it for spam and viruses and relay it to the destination campus mail servers. To ensure that machines within Queen's can actually receive mail from off-campus, every mail host needs a pair of MX entries in the DNS database; for queensu.ca hosts a process is run regularly (typically on a weekly basis) to create these entries. For hosts in other domains the entries must be created by the person or agency responsible for maintaining the DNS database for that domain. For example, sample MX records might look like:
post.queensu.ca IN MX 15 post.queensu.ca
post.queensu.ca IN MX 55 mailgw.queensu.ca
business.queensu.ca IN MX 10 notesbus.queensu.ca
business.queensu.ca IN MX 55 extmail.queensu.ca
Off-campus mail to post.queensu.ca arrives through the mail gateway "mailgw", whereas mail to the School of Business mail server arrives through a different mail gateway named "extmail." The order matters: a sending mail server tries the MX host with the lowest preference value first (post.queensu.ca itself, at 15), cannot connect to its blocked port 25, and only then falls back to the gateway at 55, which relays the message in. Mail sent from inside campus goes straight to the preferred host. (If a border block silently drops packets instead of rejecting the connection, each off-campus delivery waits for a connection timeout before falling back to the gateway, so senders see delays rather than failures.)
In the same way, non-queensu.ca hosts need two MX records. One must be a low-priority record (the higher preference value) pointing to one of the mail gateways, normally "extmail.queensu.ca." (The mail gateway "mailgw" is normally reserved for primary mail services or main departmental mail servers.) The other MX record is a high-priority one (the lower preference value) pointing to the destination mail host. In addition, ITS must be notified <firstname.lastname@example.org> so that extmail can be configured to relay mail for the external domain; without that, the gateway will refuse to relay it. (This will not necessarily be done if the domain is unrelated to normal university business.)
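The following is an added example, not ITServices' code, that works through the MX arrangement described above. It parses MX records in the zone-file form shown on this page, checks the two-record rule (destination host at the lower preference value, a gateway at the higher one) and simulates what an off-campus sender does when the preferred host's port 25 is blocked at the border. The records for research.example.org and lab.example.org are constructed to show two ways the rule can be broken; the set of hosts reachable from off-campus is an assumption of the simulation.

```python
# Sample MX records from the document, in zone-file form (TTL omitted, as on the page).
QUEENS_ZONE = """
post.queensu.ca      IN MX 15 post.queensu.ca
post.queensu.ca      IN MX 55 mailgw.queensu.ca
business.queensu.ca  IN MX 10 notesbus.queensu.ca
business.queensu.ca  IN MX 55 extmail.queensu.ca
"""

# Constructed records for hypothetical non-queensu.ca domains, showing two
# mistakes the document's rule forbids: a gateway as the preferred MX, and a
# host with no gateway MX at all. Neither domain is real.
EXTERNAL_ZONE = """
research.example.org IN MX 10 extmail.queensu.ca
research.example.org IN MX 20 mail.research.example.org
lab.example.org      IN MX 10 lab.example.org
"""

GATEWAYS = {"mailgw.queensu.ca", "extmail.queensu.ca"}

# Assumption for the delivery simulation: only the gateways accept port 25
# from off-campus; every other host sits behind the border block.
OPEN_FROM_OFF_CAMPUS = GATEWAYS


def parse_mx(zone):
    """Return {owner: [(preference, host), ...]} from 'owner IN MX pref host' lines."""
    records = {}
    for line in zone.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[1:3] != ["IN", "MX"]:
            continue  # blank line or not an MX record in the form used on the page
        owner, pref, host = fields[0].rstrip("."), int(fields[3]), fields[4].rstrip(".")
        records.setdefault(owner, []).append((pref, host))
    return records


def check_policy(mxs):
    """Apply the document's two-record rule; return a list of problems (empty = OK).

    A lower preference value is tried first, so the destination host must
    carry the lower number and a gateway the higher one.
    """
    ordered = sorted(mxs)
    if len(ordered) < 2:
        return ["needs two MX records (destination host plus a gateway)"]
    problems = []
    best_pref, best_host = ordered[0]
    if best_host in GATEWAYS:
        problems.append("gateway must not be the preferred (lowest-value) MX")
    if not any(host in GATEWAYS and pref > best_pref for pref, host in ordered[1:]):
        problems.append("no gateway MX with a higher preference value")
    return problems


def deliver_from_off_campus(mxs):
    """Simulate an off-campus sender: try MX hosts in ascending preference
    order, falling through any whose port 25 is blocked. Returns
    (host reached, hosts tried before it); host is None if nothing is reachable."""
    tried = []
    for _pref, host in sorted(mxs):
        if host in OPEN_FROM_OFF_CAMPUS:
            return host, tried
        tried.append(host)
    return None, tried


if __name__ == "__main__":
    for zone in (QUEENS_ZONE, EXTERNAL_ZONE):
        for owner, mxs in parse_mx(zone).items():
            reached, tried = deliver_from_off_campus(mxs)
            print(f"{owner}: policy={check_policy(mxs) or 'OK'} "
                  f"off-campus delivery -> {reached} (skipped {tried})")
```

Run as a script it prints one line per domain; note that lab.example.org, with no gateway MX, is unreachable from off-campus at all, while research.example.org still receives mail but routes everything, including campus-internal mail, through the gateway.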
In addition to the measures discussed above, ITServices also runs various anti-Spam filters and DNS-based blacklists (DNSBLs) on all ITServices machines with accessible SMTP ports. This reduces the amount of Spam arriving on campus.
More information on Spam can be found in the ITServices What Is Spam? FAQ.
A number of problems have arisen from the nature of file sharing and from the default settings many vendors ship with their file sharing products. A number of blocks for these have been placed on the gateway in order to limit the possibility of attacks or unauthorized data access from outside of the Queen's community. Please note that these blocks will not prevent unauthorized access from within the Queen's domain. To protect against that, file sharing products should be patched with all available vendor security patches and configured so as to prevent unauthorized access.
Some of the protocols blocked at the Queen's border include NetBIOS over TCP/IP (the Microsoft Windows file sharing protocol, ports 137 to 139, with SMB also carried directly on TCP port 445), Sun RPC (the portmapper on port 111, used by NFS), and SNMP (UDP ports 161 and 162, used to collect data about networks and traffic and, with the default "public" community string, to read configuration details from unsecured devices).
There are many remote-control trojans (often loosely called network trojan viruses), such as NetBus and Back Orifice, that allow the remote control of personal computers. These programs give an attacker complete access to an infected computer. The attacker can transfer and delete files, start and stop programs, capture keystrokes and screens, and much more. Further details on NetBus can be found on the SANS webpages.
These trojans typically operate using a client-server model. The trojan itself, the program that infects the computer, is the server; it is typically delivered to a user as an email attachment and, once run, listens on a network port for instructions. The remote-control program is the client. This is what the attacker uses to scan for and communicate with infected computers.
To protect the Queen's community, ITServices blocks at the border the network ports that many of these trojans use by default, including those used by NetBus, Back Orifice, and SubSeven. This means that even if a user becomes infected with one of them, the risk of attackers on the Internet taking over the computer is greatly reduced. Note that most of these trojans can be configured to listen on a non-default port, and the block does nothing against an attacker who is already on campus, so it complements rather than replaces up-to-date anti-virus software and prompt removal of infections.
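The following is an added example, not the actual ITServices gateway configuration, that models the border blocks described in the two preceding sections (file sharing protocols and trojan ports, plus the SMTP rule with its gateway exception). Flows are classified as crossing the border or not using a placeholder campus prefix (192.0.2.0/24 from the RFC 5737 documentation range; Queen's real address block is not stated here), and a first-match rule list is applied only to inbound flows. The port numbers are the protocols' well-known ports and the trojans' default ports; the document does not list exactly which ports Queen's blocks. The sample flows are constructed and show both limitations the text mentions: an internal attacker is never filtered, and a trojan moved to a non-default port passes the block.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Placeholder campus prefix (RFC 5737 documentation space); assumption, not Queen's real block.
CAMPUS = ipaddress.ip_network("192.0.2.0/24")
MAIL_GATEWAY = ipaddress.ip_network("192.0.2.10/32")  # assumed address of one mail gateway


@dataclass
class Rule:
    action: str                                   # "allow" or "block"
    proto: str                                    # "tcp" or "udp"
    ports: range                                  # destination ports matched
    dst: Optional[ipaddress.IPv4Network] = None   # restrict the rule to these destinations


# Illustrative inbound rule set, first match wins. Well-known and default ports only.
BORDER_RULES = [
    Rule("allow", "tcp", range(25, 26), MAIL_GATEWAY),  # SMTP to a mail gateway is open
    Rule("block", "tcp", range(25, 26)),                # SMTP to any other campus host
    Rule("block", "tcp", range(137, 140)),              # NetBIOS name/datagram/session
    Rule("block", "udp", range(137, 140)),
    Rule("block", "tcp", range(445, 446)),              # SMB directly over TCP
    Rule("block", "tcp", range(111, 112)),              # Sun RPC portmapper (NFS)
    Rule("block", "udp", range(111, 112)),
    Rule("block", "udp", range(161, 163)),              # SNMP agent and trap ports
    Rule("block", "tcp", range(12345, 12347)),          # NetBus default ports
    Rule("block", "udp", range(31337, 31338)),          # Back Orifice default port
    Rule("block", "tcp", range(27374, 27375)),          # SubSeven default port
]


def decide(src, dst, proto, dport, rules=BORDER_RULES):
    """Return 'allow' or 'block' for one flow.

    The border filter only sees traffic crossing the campus boundary, so a
    flow between two campus hosts is never checked (the limitation the
    document warns about). Outbound flows are passed unchanged in this model.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in CAMPUS or d not in CAMPUS:
        return "allow"
    for rule in rules:
        if rule.proto == proto and dport in rule.ports and (rule.dst is None or d in rule.dst):
            return rule.action
    return "allow"  # no rule matched: default permit, as the document describes selective blocks


# Constructed flows: an off-campus attacker at 198.51.100.7, a campus
# workstation at 192.0.2.20 and a second campus host at 192.0.2.5.
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.20", "tcp", 139),    # Windows file sharing from outside
    ("192.0.2.5",    "192.0.2.20", "tcp", 139),    # the same attempt from inside campus
    ("198.51.100.7", "192.0.2.10", "tcp", 25),     # mail delivered to the gateway
    ("198.51.100.7", "192.0.2.20", "tcp", 25),     # mail straight to a workstation
    ("198.51.100.7", "192.0.2.20", "tcp", 12345),  # NetBus on its default port
    ("198.51.100.7", "192.0.2.20", "tcp", 54321),  # NetBus reconfigured to another port
]


def audit(flows=SAMPLE_FLOWS):
    """Return the decision for each flow as a list of (flow, decision) pairs."""
    return [(flow, decide(*flow)) for flow in flows]


if __name__ == "__main__":
    for (src, dst, proto, dport), verdict in audit():
        print(f"{verdict:5} {proto}/{dport:<5} {src} -> {dst}")
```

The second and sixth sample flows are the ones to look at: the internal file-sharing attempt and the trojan on a non-default port are both allowed, which is exactly why the document asks that file sharing be patched and configured securely on the hosts themselves rather than relying on the border.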
Changes may be made to the Queen's University Internet Border to block (or unblock) ports at any time as the need arises. These changes will be reflected in this document whenever possible.