Trinet

the Otaniemi campus student network founded in 1986

Trinet Network Usage Guidelines

1. Background

Trinet is a high-speed network that offers users data transmission at speeds approaching 1 Gbps. Misconfigurations or abuse can have a much larger effect on other users and the Internet as a whole than with regular home Internet connections. Therefore, we would like to encourage our users to behave responsibly and keep their computers up-to-date.

Trinet is a part of Funet, the Finnish national research and education network. Thus, the Funet network ethics and usage policy (available in Finnish) also apply on the Trinet network. Network access is primarily intended for study-related use.

2. Issues

Users unaware of the security threats on the Internet can infect their computers with malicious software. The intent of the creators of this software is usually either to steal personal information or to abuse the computer's network connection. Trojaned computers can be part of a botnet of thousands of computers controlled by one or several hackers. Hackers can use these botnets to unleash so-called distributed denial of service (DDoS) attacks that cripple or completely shut off the connectivity of their targets, e.g. web sites. Keeping your computer up-to-date with patches, using antivirus software and avoiding dubious web sites keeps these miscreants at bay.

3. Network security and filtered ports

The Trinet network implements some commonly accepted security practices, such as IP address spoofing protection (i.e. infrastructure access control lists or unicast reverse path forwarding), blackhole routing for reserved networks and various other protection mechanisms. A less widely used security practice is our decision not to bring traditional stateful firewalls (aka chokepoints) into the network, but to keep packet forwarding and policing (including filtering) at wire rate in the routers. All of these can be considered security features that are used both to protect the users and the network, and to decrease interruptions in the service.
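How unicast reverse path forwarding and blackhole routes for reserved networks combine to drop spoofed source addresses, as an added Python example that is not Trinet's router configuration. The interface names, prefixes (documentation ranges) and routing table are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). "null0" marks a
# blackhole route for reserved space; public prefixes are documentation ranges.
FIB = [
    ("0.0.0.0/0", "uplink"),
    ("198.51.100.0/25", "building-a"),
    ("198.51.100.128/25", "building-b"),
    ("10.0.0.0/8", "null0"),
    ("192.168.0.0/16", "null0"),
]
ROUTES = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB]


def lookup(addr):
    """Longest-prefix match; returns the egress interface or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, ifc) for net, ifc in ROUTES if ip in net]
    return max(matches)[1] if matches else None


def urpf_accepts(src, ingress, mode="strict"):
    """True if a packet with source `src` arriving on `ingress` is forwarded.

    strict: the best route back to `src` must leave via the ingress interface.
    loose:  any route to `src` is enough, unless it is a blackhole route.
    """
    egress = lookup(src)
    if egress is None or egress == "null0":
        return False  # unroutable or reserved source: dropped in both modes
    if mode == "loose":
        return True
    return egress == ingress


def demo():
    """Constructed packets: (source address, interface it arrived on)."""
    cases = [
        ("198.51.100.10", "building-a"),   # legitimate host in building A
        ("203.0.113.9", "building-a"),     # inside host spoofing an outside source
        ("198.51.100.200", "building-a"),  # spoofing a neighbour building's address
        ("198.51.100.10", "uplink"),       # outside packet claiming an inside source
        ("10.1.2.3", "uplink"),            # reserved source, blackholed
    ]
    return [(s, i, urpf_accepts(s, i), urpf_accepts(s, i, "loose")) for s, i in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Loose mode only rejects sources with no route or a blackhole route, so the per-interface spoofing cases are caught by strict mode or by explicit access control lists.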

The following services are filtered at the border of the Trinet network or between the buildings' subnetworks:

| Service | Port | Direction | Notice |
|---|---|---|---|
| QOTD | 17/udp | in | |
| CHARGEN | 19/udp | in | |
| SMTP | 25/tcp | out | use smtp.ayy.fi for outgoing email |
| DNS | 53/tcp,udp | in | non-official DNS servers blocked |
| TFTP | 69/udp | in | |
| Portmap | 111/udp | in | |
| NTP | 123/udp | in | non-official NTP servers blocked |
| MS RPC | 135/udp | both | also blocked between buildings |
| NetBIOS | 137-139/tcp,udp | both | |
| SNMP | 161-162/tcp,udp | both | |
| CIFS | 445/tcp | both | |
| IPMI | 623/udp | in | |
| UPnP | 1900/udp | both | also blocked between buildings |
| NAT-PMP | 5351/udp | in | IPv4 only |
| mDNS | 5353/udp | in | |
| Linksys Backdoor | 32764/tcp | in | temporary filtering (2014-01-04) |
| Intel AMT | 623,664,16992-16995/tcp | in | temporary filtering (2017-05-07) |

© 2017 Veijo Kyläverkko <verkko@ayy.fi>
Last updated: 2017-05-07