Traffic Filtering

AMRES filters the network traffic in order to ensure protection against Internet attack and to preserve primary function of AMRES network. Protection of network and server infrastructure connected with AMRES infrastructure as well as AMRES end users is performed by this proactive approach. 

Traffic filtering is performed at two levels:

Filtering at Transport Level

Filtering of network traffic at transport level means filtering of applications and services by means of filters (Firewall Filter / Access Control List) on AMRES network devices. Applications and services use certain protocols and communication ports, and filters on network devices define rules about which protocols and ports are allowed for traffic forwarding in the network. If the protocol and the port used by certain service or application are not allowed in network filters, the observed application or service will not be available in AMRES network.

Filtering of network traffic is performed at:

  • AMRES’ Points of Presence (PoP) and
  • AMRES main site.

Filtering in AMRES Points of Presence

AMRES’ PoP is the place in AMRES’ network where the infrastructure of AMRES’ user is connected to AMRES’ network. AMRES’ access points include network devices which filter traffic coming from AMRES users and entering AMRES network. Traffic filtering at AMRES access point is aimed at filtration of the most vulnerable network services which are mostly not used and which may harm proper functioning of AMRES infrastructure and other AMRES users. The following services are filtered at AMRES PoP:

ICMP   inbound/outbound Everything except echo-request, echo-reply, time-exceeded, unreachable is filtered
Echo tcp 7 inbound/outbound is filtered
Discard tcp/udp 9 inbound/outbound is filtered
Daytime tcp/udp 13 inbound/outbound is filtered
Qoute of the Day tcp/udp 17 inbound/outbound is filtered
Chargen tcp/udp 19 inbound/outbound is filtered
RPC tcp/udp 135, 593 inbound/outbound is filtered
NetBios tcp/udp 137, 138, 139 inbound/outbound is filtered
Microsoft-DS tcp 445 inbound/outbound is filtered
SQL tcp/udp 1433 1434 1521 1522 1525 1529 3306 5432 inbound/outbound is filtered
SMTP tcp 25 outbound

All traffic is filtered except the traffic comming from reported email server

If AMRES institution has its own email server, it should report IP addresses email servers to AMRES so that those servers could be exempt from filtering SMTP traffic. Institution’s technical contact is responsible for reporting  IP address of email server to AMRES by sending an email to AMRES helpdesk. Excluding services explicitly specified in the table above, all other traffic is allowed.

Filtering at AMRES main site             

AMRES main site infrastructure is the core of AMRES network which includes network devices and equipment that connect AMRES to the Internet. Traffic filtering at AMRES main site is aimed at regulation of traffic that AMRES institutions exchange with the Internet. It allows the set of basic and most frequently used services while it filters all other traffic. Filtering of other protocols and services is performed in order to prevent malicious traffic from the Internet which may harm proper functioning of AMRES infrastructure and other AMRES institutions. The following services and protocols are allowed when communicating with the Internet:

ICMP   inbound/outbound Only echo-request, echo-reply, time-exceeded, unreachable are allowed
GRE   inbound/outbound allowed
AH   inbound/outbound allowed
ESP   inbound/outbound allowed
FTP, FTPS tcp 20, 21; tcp/udp 989, 990 inbound/outbound allowed
SSH tcp 22 inbound/outbound allowed
SMTP i SMTP SSL tcp 25, 587 (465) inbound/outbound allowed
NTP, TIME, SNTP udp 123; tcp/udp 580 inbound/outbound allowed
DNS tcp/udp 53 inbound/outbound allowed
HTTP/HTTPS tcp 80, 443 inbound/outbound Allowed for servers. End users have to use web-proxy service.
Kerberos tcp/udp 88 inbound/outbound allowed
POP3 i POP3 SSL tcp 110, 995 inbound/outbound allowed
SFTP tcp/udp 115 inbound/outbound allowed
NNTP tcp 119 outbound allowed
SciFinder tcp 210 outbound allowed
IMAP i IMAP SSL tcp 143, 993 inbound/outbound allowed
IRC tcp, udp 194; tcp 6665 - 6669 inbound/outbound allowed
IPSec udp 500, 4500; tcp/udp 10000; ah, esp inbound/outbound allowed
Webmin tcp/udp 10000 outbound allowed
AppleShare tcp 548 inbound/outbound allowed
SpamAssasin tcp 783, 2703 inbound/outbound allowed
RSYNC tcp 873 inbound/outbound allowed
OpenVPN tcp/udp 1194 inbound/outbound allowed
L2TP VPN tcp/udp 1701 inbound/outbound allowed
Polycom tcp 1720, 5060; udp 3230 – 3237, 5060 inbound/outbound allowed
PPTP tcp/udp 1723 inbound/outbound allowed
RADSec tcp/udp 2083 inbound/outbound allowed
Apple Remote Desktop tcp/udp 3283; tcp 5900,5988 inbound/outbound allowed
Remote Desktop (RDP) tcp 3389 inbound/outbound allowed
E-banking (UniCredit) tcp 3600, 3604 outbound allowed
iTunes tcp 3689 outbound allowed
Subversion (SVN), WMS tcp/udp 3690 inbound/outbound allowed
ICQ udp 4000; tcp, udp 5190 inbound/outbound allowed
OMA BCAST tcp/udp 4090 inbound/outbound allowed
Viber tcp 4244, 5242; udp 5243, 9785 inbound/outbound allowed
WhatsApp tcp 4244, 5222, 5223, 5228,5242 inbound/outbound allowed
Google Play tcp/udp 5228 inbound/outbound allowed
Yahoo Voice tcp/udp 5000 – 5010, tcp 5100 inbound/outbound allowed
SIP tcp/udp 5060, 5061 inbound/outbound allowed
PC Anywhere tcp/udp 5631 inbound/outbound allowed
VNC tcp 5800; tcp/udp 5900 inbound/outbound allowed
Calendar Server tcp 8008 outbound allowed
TeamSpeak tcp 14534, 51234; udp 8767 inbound/outbound allowed
GIT tcp, udp 9418 inbound/outbound allowed
NetPerf tcp 12865 inbound/outbound allowed
TCP/UDP TRACEROUTE (LINUX) udp 33434 - 33465 inbound/outbound allowed
FaceTime udp 3478-3497, 16384-16387, 16393-16402 inbound/outbound allowed

Excluding services explicitly specified in the table above, all other traffic is filtered.

If AMRES institution needs to use certain service or protocol which is filtered according to AMRES policy, institution’s technical contact has to send an email with request to AMRES helpdesk to exempt it from the global filtering policy, with the IP addresses and ports for which communication should be allowed as well as short explanation for using the service/protocol. AMRES will respond to the request as soon as possible.