Fermilab Computing Division

Network Blocks at FNAL


Restricted Access

Network access at Fermilab is restricted in a few different ways to defend against various types of attack and misuse. If you are having trouble getting network access, check the items below in addition to the usual OS troubleshooting.

Inbound

A few of the "well known" ports are blocked for inbound connection to the lab or have restrictions. The list primarily contains:
  • the NETBIOS ports
  • lprng
  • sunrpc
  • smtp (except to the mail gateway machines)
  • domain/tcp (except to the nameservers)
  • webservers (except to registered addresses)
  • IP protocol numbers 53, 55 and 77 (these are protocol numbers in the IP header, not TCP/UDP ports)

The recommended way to gain access to these services is via a VPN connection.

Automatic blocks are also applied to external addresses that exhibit scanning behaviour associated with attacks. We have yet to hear a report of a "false positive" from these blocks, but if you believe you are being stopped wrongly by one, report the date, time, external address and type of connection to nightwatch@fnal.gov.

Outbound

All network devices must be registered with MISNET to get a FNAL address. The DHCP servers issue a restricted address to unregistered machines. To gain temporary access to the network, open a web browser and fill out the temporary registration form. On some subnets (typically control system subnets) there is no DHCP service at all; check with a local expert if you are getting no DHCP address whatsoever.

A few services are blocked outbound at the border:

  • snmp
  • sunrpc
  • IRC

There are also automatic outbound blocks against scanning behaviour. Such a block is maintained for the duration of the scanning behaviour. One test to see whether this is the problem is to stop the suspect application, wait 10 minutes, and see whether offsite network access returns.
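The automatic blocks described above (inbound and outbound) react to scanning behaviour and lapse once it stops. The following is an added illustration of that kind of logic, not Fermilab's own detection code: it flags a source that touches many distinct destination:port targets within a short window, and keeps it blocked until a quiet period has passed since the last scanning event. The threshold (20 targets), the 60-second window, the 10-minute quiet period (chosen to match the "wait 10 minutes" test above), the flow-record format and the addresses in the sample log are all assumptions.

```python
"""Toy scan detector with auto-expiring blocks (illustrative; not FNAL tooling)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed parameters; the page does not state Fermilab's real thresholds.
SCAN_THRESHOLD = 20                    # distinct dst:port targets in the window => "scanning"
SCAN_WINDOW = timedelta(seconds=60)    # sliding window over which targets are counted
QUIET_PERIOD = timedelta(minutes=10)   # block lifts after this long without scanning


def parse_line(line):
    """Parse one constructed flow record: '<ISO time> <src> <dst> <dport>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


class ScanBlocker:
    def __init__(self, threshold=SCAN_THRESHOLD, window=SCAN_WINDOW, quiet=QUIET_PERIOD):
        self.threshold, self.window, self.quiet = threshold, window, quiet
        self._recent = defaultdict(list)   # src -> [(ts, (dst, dport)), ...] inside the window
        self._last_scan = {}               # src -> time scanning behaviour was last seen

    def observe(self, ts, src, dst, dport):
        """Record one connection attempt from src and update its scan state."""
        cutoff = ts - self.window
        recent = [e for e in self._recent[src] if e[0] >= cutoff]   # drop expired events
        recent.append((ts, (dst, dport)))
        self._recent[src] = recent
        # Count distinct targets, so hammering one service does not look like a sweep.
        if len({target for _, target in recent}) >= self.threshold:
            self._last_scan[src] = ts

    def is_blocked(self, src, now):
        """A source stays blocked until QUIET_PERIOD has elapsed since its last scan event."""
        last = self._last_scan.get(src)
        return last is not None and (now - last) < self.quiet

    def blocked_sources(self, now):
        return sorted(s for s in self._last_scan if self.is_blocked(s, now))


def make_sample_log():
    """Constructed flow records: one host sweeping 25 ports, one host behaving normally."""
    t0 = datetime(2006, 7, 13, 10, 0, 0)
    lines = []
    for i in range(25):   # scanner: 25 distinct ports on one host, one per second
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 198.51.100.7 {1000 + i}")
    for i, port in enumerate((22, 80, 443)):   # benign host: three ordinary services
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.9 198.51.100.8 {port}")
    return lines


def replay(lines, blocker=None):
    """Feed records through the detector; return the blocker and the latest timestamp seen."""
    blocker = blocker or ScanBlocker()
    last_ts = None
    for line in lines:
        ts, src, dst, dport = parse_line(line)
        blocker.observe(ts, src, dst, dport)
        last_ts = ts if last_ts is None else max(last_ts, ts)
    return blocker, last_ts


if __name__ == "__main__":
    blocker, end = replay(make_sample_log())
    print("blocked at end of log:", blocker.blocked_sources(end))
    print("blocked after 10 min of quiet:", blocker.blocked_sources(end + QUIET_PERIOD))
```

Replaying the constructed log blocks 10.0.0.5 (it crosses the threshold on its 20th distinct port) and leaves 10.0.0.9 alone; asking again ten minutes after the last scanning record shows the block has lapsed, which is exactly what the "stop the application and wait 10 minutes" test relies on.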

Machines which exhibit a critical vulnerability or an infection may be blocked from the network. Mail is sent to the registered sysadmins wherever possible in such cases; the current list of blocked systems is available at http://www-dcn.fnal.gov/%7Enetadmin/blocked/. (This link is only reachable from onsite.)

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by the Computer Security Team; last modified by TR on July 13, 2006.
(Address comments about page to the Computer Security Team.)