To UBC Network Administrators and users of Windows Filesharing:
Due to numerous threats against Microsoft Windows systems we have updated the packet filters applied on the border router connecting UBC to the Internet. There is no fee for this service.
Action
The TCP and UDP Ports listed below are blocked at the campus gateway routers starting Thursday August 14, 2003 (updated January 21, 2008 to block Windows Messenger).
| WINS | SMB | Windows Messenger |
|---|---|---|
| 42 | 135 137 138 139 445 | 1026 1027 1028 |
Effect
This stops sharing of files between on- and off-campus computers using the Microsoft protocol "SMB", also known as "CIFS", "NetBIOS", "shares", "network neighborhood" ...
We will not block other filesharing methods (web, HTTP, FTP ...), nor block any communication within UBC (except in urgent cases).
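The following sketch is an added example, not UBC's router configuration. It models the filter described above so an administrator can predict which flows the border drops. It assumes matching on protocol and destination port only, and uses the documentation prefix 192.0.2.0/24 as a placeholder for campus address space; the sample flows are constructed.

```python
import ipaddress

# Ports from the notice, grouped as in its table.
BLOCKED_PORTS = {
    "WINS": {42},
    "SMB": {135, 137, 138, 139, 445},
    "Windows Messenger": {1026, 1027, 1028},
}
# Placeholder campus prefix (documentation range), NOT UBC's real address space.
CAMPUS_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def on_campus(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


def border_verdict(proto, src, dst, dport):
    """Return (action, reason) for one flow under the modelled border filter."""
    if on_campus(src) == on_campus(dst):
        # Both ends on the same side: the campus border filter is not in the path.
        return ("pass", "does not cross border")
    if proto.lower() in ("tcp", "udp"):
        # Assumption: the filter matches the destination port in either direction.
        for group, ports in BLOCKED_PORTS.items():
            if dport in ports:
                return ("drop", group)
    return ("pass", "port not filtered")


# Constructed sample flows: (protocol, source, destination, destination port)
SAMPLE_FLOWS = [
    ("tcp", "198.51.100.7", "192.0.2.10", 445),   # inbound SMB
    ("tcp", "192.0.2.10", "198.51.100.7", 135),   # outbound RPC endpoint mapper
    ("udp", "192.0.2.20", "203.0.113.5", 137),    # outbound NetBIOS name service
    ("udp", "203.0.113.5", "192.0.2.20", 1026),   # inbound Windows Messenger
    ("tcp", "192.0.2.10", "198.51.100.7", 42),    # outbound WINS
    ("tcp", "192.0.2.10", "192.0.2.20", 445),     # SMB inside campus
    ("tcp", "198.51.100.7", "192.0.2.10", 80),    # inbound HTTP
]


def evaluate(flows):
    return [border_verdict(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, (action, reason) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{flow[0]:3} {flow[1]:>13} -> {flow[2]:<13} :{flow[3]:<5} {action:4} ({reason})")
```
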
Reason
Protect the campus network from Windows filesharing security vulnerabilities, notably the "blaster" worm exploiting flaws in Microsoft RPC, and stop UBC machines from attacking off-campus Windows machines. Microsoft recommends doing this in security bulletin support.microsoft.com/kb/890710 and others.
Alternatives
Note that we are not blocking other filesharing methods (e.g. FTP, HTTP, pcAnywhere, Timbuktu, NFS, etc.), nor SMB hidden inside an encrypted tunnel (SSH, VPN, etc.). A more secure method for Windows File Sharing would be to use a VPN to create a secure tunnel between peers/servers.
Use the UBC VPN service.
Disclaimer
This is one small improvement in security, not a firewall service. Even firewalls do not offer adequate protection to computers, which also require regular system updates (patching) and "hardening" (removing extra services and accounts, implementing security policies for passwords). In particular, this does not protect against compromised UBC computers attacking each other.
Blocking Request Form
Log in to https://transmogrifier.ubc.ca (assuming you are a UBC network administrator whose CWL login has been associated with the subnet in question)
- Select building network, click on [Show Network Information] and scroll down to "Subnets".
- Under column "Edit Traffic Filters" click [edit]
- The leftmost column selects the default for the subnet, and the next 3 columns can be used to define exceptions.
Contact
We welcome your input. If you have any comments, please contact the Network Management Centre.