FAQ: Turning Off Network Ports
Why does TNS (Telecommunications and Network Services) turn off ports?
Why doesn't TNS tell me when the port is turned off?
So why can't the notification go directly to the user of the computer connected to the network port?
Why doesn’t the University have a firewall to protect us from these attacks?
When will the University install a firewall?
Why do I need to provide the MAC address to get my port turned on?
What should I do with my computer if my network is not turned off?
What should I do if I have a Macintosh?
How can I double-check my machine to make sure it's safe?
Why does TNS (Telecommunications and Network Services) turn off ports?
A port is usually turned off for one or both of two reasons. There are other situations that require ports to be turned off, but these are by far the most common.
The first reason for a port being turned off is that the computer connected to the network port has been compromised (a hacker has gained control of the computer) and the information on the computer is in danger. Oftentimes a hacker will gain control of the computer, use it for storing their own material, and snoop around to see what additional information they can find on the system they've gained control of. If they find anything valuable to them, they’ll whisk it away for use later. What could be valuable to them? Personal information, passwords for other systems, research data, administrative data, and grades have all been targets of hackers. In order to prevent loss of any information, the port is turned off immediately.
The second most common reason for turning off a port is that the computer connected to the network port is having a significant negative impact on the network or other computers. If one computer is attacking another or attacking the network, the port will be turned off. When hackers want to attack another computer or network, they seldom use their own computer, but instead use one that they can control from a distance. This is especially true if the computer is part of a Distributed Denial of Service (DDoS) attack. In these cases, many (sometimes thousands) of computers are used to target one machine. We need to disable the ports quickly before the denial of service impairs the computer or the network. Many times these attacks can disrupt large portions of the campus, and while turning off a port is also disruptive, it is less disruptive than having 10s, 100s or even 1000s of computers unavailable.
Why doesn't TNS tell me when the port is turned off?
The decision to turn off the port is almost always made in the IT Security Office. At the same time they inform TNS to turn off the port, they also notify the Network Security Contacts for the building. Each building has at least one, and often several of these Security Contacts. The Security Contacts then have the responsibility of telling whoever is responsible for the computer connected to the port about the situation.
So why can't the notification go directly to the user of the computer connected to the network port?
Right now this isn’t feasible because there isn't an effective way to find out who that person is, and how to contact them. Someday we hope to have a registration system that will record whose computer is connected to each port. At that point, there may be some way of direct contact. But until that time, the Network Security Contact is supposed to play that role. The list of Network Security Contacts can be found by using this search.
Why doesn’t the University have a firewall to protect us from these attacks?
Firewalls are not a silver bullet for computer security. Depending on how it was implemented, a firewall would have had little impact on these latest attacks. Firewalls do have the ability to limit some or all of the traffic at borders between networks. The difficulty in setting up a firewall for the University is in answering the following questions:
- Where does the campus network end (what is behind the firewall and what isn't)?
- What traffic is allowed or denied to cross that border?
There are parts of the campus network that are obviously a part of the campus (the colleges and administrative units). But there are other “affiliates” of the University, like the Technology Innovation Center clients on the Oakdale Campus, the Iowa Department of Geologic Survey, the State Auditors Office, the UI Foundation, and various other research centers. Different people would answer the question of whether they are part of the campus for each of these entities in different ways.
The problem with the second question is related to the size and diversity of the campus network. There are many “special” requirements and each of these special requirements needs a hole punched through the firewall. By the time all the adjustments are made, the firewall looks like Swiss cheese! This greatly lessens the value of a firewall.
While these questions are hard to answer for the University as a whole, they are much easier to answer for an individual system. So we recommend using a firewall on your individual system. These personal firewalls allow a computer to be locked down to just what is needed on that system; there is no need to compromise based on what a neighboring system might need. These software products have been around for several years and have become quite reliable. There is one built into Windows XP, so you may not even need to purchase anything.
When will the University install a firewall?
It is unlikely that the University would purchase a firewall for the entire campus. A firewall big enough to handle all of the University traffic would be expensive and isn’t likely to return its value in protection.
Why do I need to provide the MAC address to get my port turned on?
Because DHCP (dynamic host configuration protocol) is widely used on campus, the most consistent identifier is the MAC (media access control) address. In this most recent situation there have been many systems that were compromised multiple times, so tracking these repeat offenders is only possible by using the MAC address. The MAC address is the hardware (physical) address of the network card on a computer.
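The following is an added example, not part of the original FAQ or any TNS tooling: it shows why incidents reported by IP address have to be joined against DHCP lease history and keyed on the MAC address before repeat compromises of the same machine become visible. All lease records, incident records, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease history: (start, end, IP, MAC as logged).
LEASES = [
    ("2003-08-12 08:00", "2003-08-13 08:00", "192.0.2.15", "02:1A:2B:3C:4D:5E"),
    ("2003-08-13 08:00", "2003-08-14 08:00", "192.0.2.15", "02-1a-2b-99-88-77"),
    ("2003-08-14 09:00", "2003-08-15 09:00", "192.0.2.77", "021a.2b3c.4d5e"),
    ("2003-08-18 09:00", "2003-08-19 09:00", "192.0.2.40", "02:1a:2b:3c:4d:5e"),
]
# Constructed incident reports: (time observed, source IP).
INCIDENTS = [
    ("2003-08-12 14:30", "192.0.2.15"),
    ("2003-08-13 10:05", "192.0.2.15"),  # same IP, different machine
    ("2003-08-14 16:45", "192.0.2.77"),  # different IP, same machine
    ("2003-08-18 11:20", "192.0.2.40"),
    ("2003-08-20 12:00", "192.0.2.99"),  # no lease on record
]

def normalize_mac(raw):
    """Reduce colon, hyphen and dotted notations to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")

def mac_for(ip, when, leases=LEASES):
    """Return the MAC that held `ip` at time `when`, or None if unknown."""
    for start, end, lease_ip, mac in leases:
        if lease_ip == ip and _ts(start) <= _ts(when) < _ts(end):
            return normalize_mac(mac)
    return None

def incidents_by_mac(incidents=INCIDENTS, leases=LEASES):
    """Group incident timestamps by the MAC that held the IP at that time."""
    grouped = defaultdict(list)
    for when, ip in incidents:
        grouped[mac_for(ip, when, leases)].append(when)
    return dict(grouped)

def repeat_offenders(incidents=INCIDENTS, leases=LEASES):
    """MACs seen in more than one incident, regardless of IP address."""
    by_mac = incidents_by_mac(incidents, leases)
    return {m: t for m, t in by_mac.items() if m and len(t) > 1}
```

Counting by IP alone would show 192.0.2.15 twice and miss that one machine appeared under three different addresses. A MAC address can be changed in software, so it is a consistent identifier for tracking rather than proof of which physical machine was involved.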
What should I do with my computer if my network is not turned off?
We are recommending that all Windows computers follow the protection instructions at the Help Desk Virus website. In particular, run the RPC fix toolkit found there, to ensure that the required security updates have been installed on your computer. The toolkit will also check for evidence of worms and trojan horse programs which may not have been detected by network scanning.
What should I do if I have a Macintosh?
The current network security threats are against Windows-based computers. However, no matter what operating system you run, the basic discipline of keeping it updated, turning off unneeded programs and services, using updated anti-virus, being careful to only install from trusted sources/media, keeping good backups, never opening unexpected attachments, etc. is important.
How can I double-check my machine to make sure it's safe?
Run "Windows Update" on a regular basis to check for new patches, or turn on Automatic Updates (Windows XP only). Make sure your Norton anti-virus program runs "LiveUpdate" on a DAILY schedule. Have your department desktop support person request a network security scan of your system. If you need help setting these things up, call the ITS Help Desk at 4-HELP or consult with your department desktop support person.