Securing a computer on Campus

Issue

You have been contacted by IT about securing your computer because of an OIT (Office of Information Technology) vulnerability report.

Cause

The majority of the systems on campus have a publicly addressable IP. This means the computer can be accessed directly, depending on what software is running on it.

The Campus Network will block some network ports. However, it is configured to allow reasonable access for most computer network activity and relies on users of the network to secure their computers.

Resolution

Here is a list of what you can do to secure your computer (or device) for the Campus Network:

Use Strong Passwords

Any user account on the machine that is used to access the machine should use a strong password, as defined in "What is a 'strong' password?"

No outside (Non-university) users access

Computers on campus are strictly for use of University purposes only.

While you may be collaborating with off-campus people, computers on campus are strictly for University users and should only be accessed with supervision by on-campus users.

Use a Firewall

Most computers will have firewall capability.

If there are services on the computer that you need to access remotely (for example, accessing the computer from home), it may be wisest to have the computer's firewall configured to restrict the service you need to a very specific IP range.

Given the various kinds of operating systems and firewall software that are available, we will not be able to go into detail on how to set it up, but we can recommend the IP range you will want to define to secure the system a bit better.

For computers on the wired Campus Network or VPN only (most secure):

  • 128.111.0.0/16 (128.111.0.0-128.111.254.254)

For computers on the Campus Wireless (Wireless Web/UCSB Secure/Eduroam):

Please note this DOES include some guests using self-registration for Wireless Web.

Please also note that there are so many ranges in use that many devices with a limited number of firewall rules, like printers, will not be able to fit all of them in.

The full list of wireless ranges is available at https://www.it.ucsb.edu/wifi/wireless-networking

List of ranges:
  • 169.231.8.0/22
  • 169.231.16.0/20
  • 169.231.32.0/20
  • 169.231.48.0/20
  • 169.231.64.0/20
  • 169.231.80.0/20
  • 169.231.96.0/20
  • 169.231.112.0/20
  • 169.231.128.0/20
  • 169.231.144.0/20
  • 169.231.160.0/20
  • 169.231.176.0/20
  • 169.231.192.0/20
  • 169.231.208.0/20
  • 169.231.240.0/21 (added September 2024)

Additionally, if the above public ranges are full, NAT'ed private IPs will be used.

For computers using the UCSB wireless, Facilities, ResNet and other internal non-wired non-VPN UCSB ranges (largest range, hence least secure):

  • 169.231.0.0/16 (169.231.0.0-169.231.254.254)

We recommend that devices use the Campus VPN service, even if they are on the Campus Wireless Network. This allows you to drop all ranges except for 128.111.0.0/16.

The smaller the allowed-in range, the lower the chance of allowing in people you don't want.

We encourage people not to use 169.231.0.0/16 as a generic rule to cover all UCSB non-wired networks. Unfortunately, some devices only allow a limited number of rules for their firewall.
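
An added example (not part of the original article): Python's standard ipaddress module can merge the wireless ranges listed above into the fewest firewall rules that cover exactly the same addresses, and show how many extra addresses the 169.231.0.0/16 fallback lets in on a device with a limited number of rules. The function names and the rule budgets are assumptions made for illustration.

```python
import ipaddress

# Ranges copied from the lists in this article.
WIRED_VPN = [ipaddress.ip_network("128.111.0.0/16")]
WIRELESS = [ipaddress.ip_network(c) for c in (
    "169.231.8.0/22", "169.231.16.0/20", "169.231.32.0/20", "169.231.48.0/20",
    "169.231.64.0/20", "169.231.80.0/20", "169.231.96.0/20", "169.231.112.0/20",
    "169.231.128.0/20", "169.231.144.0/20", "169.231.160.0/20", "169.231.176.0/20",
    "169.231.192.0/20", "169.231.208.0/20", "169.231.240.0/21")]
CATCH_ALL = ipaddress.ip_network("169.231.0.0/16")  # broad rule the article discourages


def size(networks):
    """Total number of addresses the given rules allow in."""
    return sum(n.num_addresses for n in networks)


def collapse(networks):
    """Merge adjacent ranges into the fewest CIDRs covering exactly the same addresses."""
    return list(ipaddress.collapse_addresses(networks))


def rules_for_budget(max_rules):
    """Return (rules, extra): the allow list that fits max_rules firewall rules and
    how many addresses outside the listed ranges it lets in."""
    exact = collapse(WIRED_VPN + WIRELESS)
    if len(exact) <= max_rules:
        return exact, 0
    broad = collapse(WIRED_VPN + [CATCH_ALL])  # fall back to the whole /16
    if len(broad) > max_rules:
        raise ValueError("not enough rules; allow only 128.111.0.0/16 and use the VPN")
    return broad, size(broad) - size(exact)


def is_allowed(source, rules):
    """True if the source address falls inside any allowed range."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in rules)


if __name__ == "__main__":
    for budget in (8, 4):  # constructed rule limits for two hypothetical devices
        rules, extra = rules_for_budget(budget)
        print(budget, [str(r) for r in rules], "extra addresses:", extra)
        print("  169.231.12.5 allowed:", is_allowed("169.231.12.5", rules))
```

The fifteen wireless ranges collapse to seven rules without widening access; the resulting CIDRs can be entered as the allowed source ranges in whatever firewall the device provides.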

Disable or uninstall the service reported to you

If you aren't really using the service or application that is being reported to you, perhaps it is best to remove/uninstall the service.

Services such as:

  • Bonjour
  • Avahi (Linux version of Bonjour)
  • Printer Sharing
  • File Sharing
  • Remote Desktop

If you are planning on using Printer/File Sharing or even Remote Desktop, please configure the firewall to restrict access to the Campus Network, and use the Campus VPN if you need to access the computer from off campus.

Keep your software updated

Always make sure your software is up to date. 

If it is a service or application you use, there is a chance that it has been updated to deal with the vulnerability.

If it is older software or hardware that has no update, or something you cannot get an update for, you may have to consider either replacing it or making arrangements with your IT staff on possible alternatives or means to isolate the computer/device for network security.

For more information

Please refer to the UC Santa Barbara IT website.