[unisog] Blocking Windows Networking at the Border?

Walter G. Aiello Walter.Aiello at Duke.edu
Wed Apr 24 13:35:03 GMT 2002


Russell Fulton wrote:
> 
> Last year I altered the default access to block all incoming access to
> ports < 1024.  I left the high numbered ports open so that non passive
> ftp would still work in the default setup but I would like to block all
> ports now.
> 
> Does anyone think this will cause major problems?
> 
> Hmmm... and will it break KaZaA and friends ;-) i.e. does retrieving
> files require inbound connection?
> 
> BTW this is the default access, if people want to run web or ftp servers
> then they can alter their access class.  The aim is to restrict inbound
> access to just what people ask for, most people don't run services (or
> don't know they do :( ) and are perfectly happy to have inbound
> connections blocked.
> 
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand

Greetings:

Our Cisco PIX blocks all incoming access by default. To 
allow incoming access to a server we need to assign it a
static IP address and allow incoming packets of the
appropriate type (always TCP in our case) from the specified
IP address to the specified port. You will need to know the
appropriate ports to open.

We have had no problems with this configuration, but our
hospital environment is not the same as most universities.

There is another problem that you may experience that is not
related to the blocking of all ports to incoming. Some
programs, usually old home-grown ones, are not network
compatible. For example, we have a utility called xferx that
is used to retrieve images from MR and CT scanners. It makes
a connection to the scanner and reports its IP address, which
the scanner uses to make a back connection. Of course the IP
address will be incorrect if you are using NAT and you will
not be able to retrieve the image. Rewriting the code is the
only alternative.

-- 
Dr. Walter G. Aiello
Manager, Network and Information Services
Magnetic Resonance Research Section
Box 3808, Department of Radiology
Duke University Medical Center

Walter.Aiello at Duke.edu
(919) 684 7519
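
Added example, not part of the original message: the back-connection failure described above, where a client reports its own address in-band, shown with the FTP PORT command (the "non passive ftp" case from the quoted post), because the xferx protocol itself is not described here. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: an address from these seen in-band from an outside peer
# means the client sits behind NAT and the callback cannot be routed.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_port_command(line):
    """Parse an FTP 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    parts = arg.split(",")
    if len(parts) != 6 or not all(
            p.isascii() and p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError("malformed PORT argument")
    nums = [int(p) for p in parts]
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]

def check_callback(line, observed_peer):
    """Compare the address reported in-band with the source address the
    server actually sees on the control connection."""
    reported, port = parse_port_command(line)
    peer = ipaddress.IPv4Address(observed_peer)
    if reported == peer:
        verdict = "ok"          # no address translation in the path
    elif any(reported in net for net in RFC1918):
        verdict = "nat-broken"  # private address leaked through NAT
    else:
        verdict = "mismatch"    # reported host is not the connecting peer
    return {"reported": str(reported), "port": port,
            "peer": str(peer), "verdict": verdict}

# Constructed sample data (documentation and private ranges only).
SAMPLES = [
    ("PORT 192,0,2,10,19,137", "192.0.2.10"),   # client not behind NAT
    ("PORT 10,1,2,3,19,137", "198.51.100.7"),   # client behind NAT
    ("PORT 203,0,113,9,0,22", "198.51.100.7"),  # reported host is a third party
]

if __name__ == "__main__":
    for line, peer in SAMPLES:
        print(check_callback(line, peer))
```

The "nat-broken" case is the one described in the message: the server is told to connect back to an address that only exists on the inside of the translator.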


