1. Background
Trinet is a high-speed network that offers users data transmission at speeds approaching 1 Gbps. Misconfigurations or abuse can therefore have a much larger effect on other users and on the Internet as a whole than they would on a regular home Internet connection. We would therefore like to encourage our users to behave responsibly and keep their computers up to date.
Trinet is a part of Funet, the Finnish national research and education network. Thus, the Funet network ethics and usage policy (available in Finnish) also apply to the Trinet network. Network access is primarily intended for study-related use.
2. Issues
Users unaware of the security threats on the Internet can infect their computers with malicious software. The intent of the creators of this software is usually either to steal personal information or to abuse the computer's network connection. Trojaned computers can be part of a botnet of thousands of computers controlled by one or several hackers. Hackers can use these botnets to unleash so-called distributed denial of service (DDoS) attacks that cripple or completely shut off the connectivity of their targets, e.g. web sites. Keeping your computer up to date with patches, using antivirus software and avoiding dubious web sites keeps these miscreants at bay.
3. Network security and filtered ports
The Trinet network implements some commonly accepted security practices, such as IP address spoofing protection (i.e. infrastructure access control lists or unicast reverse path forwarding), blackhole routing for reserved networks and various other protection mechanisms. A less widely used practice is our decision not to introduce traditional stateful firewalls (chokepoints) into the network, but instead to keep packet forwarding and policing (including filtering) at wire rate in the routers. All of these can be considered security features, used both to protect the users and the network and to reduce interruptions in the service.
The following services are filtered at the border of the Trinet network or between the buildings' subnetworks:
Service | Port | Direction | Notice |
---|---|---|---|
QOTD | 17/udp | in | |
CHARGEN | 19/udp | in | |
Telnet | 21/tcp | in | |
SMTP | 25/tcp | out | by request only (smtp.ayy.fi) |
DNS | 53/tcp,udp | in | non-official DNS servers blocked |
TFTP | 69/udp | in | |
Portmap | 111/udp | in | |
NTP | 123/udp | in | non-official NTP servers blocked |
MS RPC | 135/udp | both | also blocked between buildings |
NetBIOS | 137-139/tcp,udp | both | |
SNMP | 161-162/tcp,udp | both | |
CIFS | 445/tcp | both | |
AFP | 548/tcp | both | |
IPMI | 623/udp | in | |
UPnP | 1900/udp | both | also blocked between buildings |
RDP | 3389/tcp | in | visitor networks only |
NAT-PMP | 5351/udp | in | IPv4 only |
mDNS | 5353/udp | in | |
VNC | 5900/tcp | in | visitor networks only |
CWMP | 7547/tcp | in | |
Linksys Backdoor | 32764/tcp | in | temporary filtering (2014-01-04) |
Intel AMT | 623,664,16992-16995/tcp | in | temporary filtering (2017-05-07) |
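As an added example (not Trinet's own code), the filter table above encoded as rules, with a check that tells whether a given flow is dropped at the Trinet border or between buildings. The function names, and the reading of the direction column as seen from Trinet ("in" = from the Internet towards Trinet), are this example's assumptions.

```python
# Added example, not Trinet's own code: the filtered-ports table above as border
# filter rules, plus a check whether a flow is dropped. "IPv4 only" is not modelled.
FILTER_TABLE = """QOTD|17/udp|in|
CHARGEN|19/udp|in|
Telnet|21/tcp|in|
SMTP|25/tcp|out|by request only (smtp.ayy.fi)
DNS|53/tcp,udp|in|non-official DNS servers blocked
TFTP|69/udp|in|
Portmap|111/udp|in|
NTP|123/udp|in|non-official NTP servers blocked
MS RPC|135/udp|both|also blocked between buildings
NetBIOS|137-139/tcp,udp|both|
SNMP|161-162/tcp,udp|both|
CIFS|445/tcp|both|
AFP|548/tcp|both|
IPMI|623/udp|in|
UPnP|1900/udp|both|also blocked between buildings
RDP|3389/tcp|in|visitor networks only
NAT-PMP|5351/udp|in|IPv4 only
mDNS|5353/udp|in|
VNC|5900/tcp|in|visitor networks only
CWMP|7547/tcp|in|
Linksys Backdoor|32764/tcp|in|temporary filtering (2014-01-04)
Intel AMT|623,664,16992-16995/tcp|in|temporary filtering (2017-05-07)"""

def parse_ports(spec):
    """'623,664,16992-16995/tcp' -> (set of port numbers, set of protocols)."""
    ports, protos = spec.split("/")
    nums = set()
    for part in ports.split(","):
        lo, _, hi = part.partition("-")          # single port or lo-hi range
        nums.update(range(int(lo), int(hi or lo) + 1))
    return nums, set(protos.split(","))

def is_filtered(port, proto, direction, visitor=False, between_buildings=False):
    """Name of the rule dropping the flow ('in' = Internet -> Trinet), else None."""
    for line in FILTER_TABLE.splitlines():
        name, spec, rule_dir, notice = line.split("|")
        ports, protos = parse_ports(spec)
        if port not in ports or proto not in protos:
            continue
        if between_buildings:
            if "between buildings" not in notice:
                continue  # inside Trinet only MS RPC and UPnP are filtered
        elif rule_dir not in (direction, "both"):
            continue      # e.g. SMTP is filtered outbound only
        if "visitor networks only" in notice and not visitor:
            continue      # RDP/VNC are filtered on visitor networks only
        return name
    return None
```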