Traffic Filtering
AMRES filters network traffic to protect against Internet attacks and to preserve the primary function of the AMRES network. This proactive approach protects the network and server infrastructure connected to the AMRES infrastructure, as well as AMRES end users.
Traffic filtering is performed at two levels:
- Filtering at the transport level, which filters unauthorized protocols. More details about this filtering method are given below.
- Filtering of web traffic by means of the Web-proxy service, which protects end users against malware on web pages and ensures a high-quality Internet link for the needs of the scientific-research network.
Filtering at Transport Level
Filtering of network traffic at the transport level means filtering applications and services using filters (Firewall Filter / Access Control List) on AMRES network devices. Applications and services use specific protocols and communication ports, and the filters on the network devices define rules about which protocols and ports may be forwarded in the network. If the protocol and port used by a given service or application are not allowed by the network filters, that application or service will not be available in the AMRES network.
Filtering of network traffic is performed at:
- AMRES’ Points of Presence (PoP) and
- AMRES main site.
Filtering in AMRES Points of Presence
An AMRES PoP is the place in the AMRES network where the infrastructure of an AMRES user is connected to the AMRES network. AMRES access points include network devices that filter traffic coming from AMRES users and entering the AMRES network. Traffic filtering at an AMRES access point targets the most vulnerable network services, which are mostly unused and which may harm the proper functioning of the AMRES infrastructure and other AMRES users. The following services are filtered at AMRES PoPs:
SERVICES | PORTS | TRAFFIC DIRECTION | ACTION |
---|---|---|---|
ICMP | – | inbound/outbound | everything except echo-request, echo-reply, time-exceeded, unreachable is filtered |
Echo | tcp 7 | inbound/outbound | is filtered |
Discard | tcp/udp 9 | inbound/outbound | is filtered |
Daytime | tcp/udp 13 | inbound/outbound | is filtered |
Quote of the Day | tcp/udp 17 | inbound/outbound | is filtered |
Chargen | tcp/udp 19 | inbound/outbound | is filtered |
RPC | tcp/udp 135, 593 | inbound/outbound | is filtered |
NetBIOS | tcp/udp 137, 138, 139 | inbound/outbound | is filtered |
Microsoft-DS | tcp 445 | inbound/outbound | is filtered |
SQL | tcp/udp 1433, 1434, 1521, 1522, 1525, 1529, 3306, 5432 | inbound/outbound | is filtered |
SMTP | tcp 25 | outbound | all traffic is filtered except traffic coming from reported email servers |
If an AMRES institution has its own email server, it should report the IP addresses of its email servers to AMRES so that those servers can be exempted from SMTP traffic filtering. The institution's technical contact is responsible for reporting the email server's IP address to AMRES by sending an email to the AMRES helpdesk. Apart from the services explicitly listed in the table above, all other traffic is allowed.
Filtering at AMRES main site
The AMRES main site infrastructure is the core of the AMRES network; it includes the network devices and equipment that connect AMRES to the Internet. Traffic filtering at the AMRES main site regulates the traffic that AMRES institutions exchange with the Internet. It allows a set of basic and most frequently used services and filters all other traffic. Filtering of other protocols and services is performed to prevent malicious traffic from the Internet that may harm the proper functioning of the AMRES infrastructure and other AMRES institutions. The following services and protocols are allowed when communicating with the Internet:
SERVICES | PORTS | TRAFFIC DIRECTION | ACTION |
---|---|---|---|
ICMP | – | inbound/outbound | only echo-request, echo-reply, time-exceeded, unreachable are allowed |
GRE | – | inbound/outbound | allowed |
AH | – | inbound/outbound | allowed |
ESP | – | inbound/outbound | allowed |
FTP, FTPS | tcp 20, 21; tcp/udp 989, 990 | inbound/outbound | allowed |
SSH | tcp 22 | inbound/outbound | allowed |
SMTP and SMTP SSL | tcp 25, 587 (465) | inbound/outbound | allowed |
NTP, TIME, SNTP | udp 123; tcp/udp 580 | inbound/outbound | allowed |
DNS | tcp/udp 53 | inbound/outbound | allowed |
HTTP/HTTPS | tcp 80, 443 | inbound/outbound | allowed for servers; end users have to use the web-proxy service |
Kerberos | tcp/udp 88 | inbound/outbound | allowed |
POP3 and POP3 SSL | tcp 110, 995 | inbound/outbound | allowed |
SFTP | tcp/udp 115 | inbound/outbound | allowed |
NNTP | tcp 119 | outbound | allowed |
SciFinder | tcp 210 | outbound | allowed |
IMAP and IMAP SSL | tcp 143, 993 | inbound/outbound | allowed |
IRC | tcp/udp 194; tcp 6665 – 6669 | inbound/outbound | allowed |
IPSec | udp 500, 4500; tcp/udp 10000; ah, esp | inbound/outbound | allowed |
Webmin | tcp/udp 10000 | outbound | allowed |
AppleShare | tcp 548 | inbound/outbound | allowed |
SpamAssassin | tcp 783, 2703 | inbound/outbound | allowed |
RSYNC | tcp 873 | inbound/outbound | allowed |
OpenVPN | tcp/udp 1194 | inbound/outbound | allowed |
L2TP VPN | tcp/udp 1701 | inbound/outbound | allowed |
Polycom | tcp 1720, 5060; udp 3230 – 3237, 5060 | inbound/outbound | allowed |
PPTP | tcp/udp 1723 | inbound/outbound | allowed |
RADSec | tcp/udp 2083 | inbound/outbound | allowed |
Apple Remote Desktop | tcp/udp 3283; tcp 5900, 5988 | inbound/outbound | allowed |
Remote Desktop (RDP) | tcp 3389 | inbound/outbound | allowed |
E-banking (UniCredit) | tcp 3600, 3604 | outbound | allowed |
iTunes | tcp 3689 | outbound | allowed |
Subversion (SVN), WMS | tcp/udp 3690 | inbound/outbound | allowed |
ICQ | udp 4000; tcp/udp 5190 | inbound/outbound | allowed |
OMA BCAST | tcp/udp 4090 | inbound/outbound | allowed |
Viber | tcp 4244, 5242; udp 5243, 9785 | inbound/outbound | allowed |
 | tcp 4244, 5222, 5223, 5228, 5242 | inbound/outbound | allowed |
Google Play | tcp/udp 5228 | inbound/outbound | allowed |
Yahoo Voice | tcp/udp 5000 – 5010; tcp 5100 | inbound/outbound | allowed |
SIP | tcp/udp 5060, 5061 | inbound/outbound | allowed |
PC Anywhere | tcp/udp 5631 | inbound/outbound | allowed |
VNC | tcp 5800; tcp/udp 5900 | inbound/outbound | allowed |
Calendar Server | tcp 8008 | outbound | allowed |
TeamSpeak | tcp 14534, 51234; udp 8767 | inbound/outbound | allowed |
GIT | tcp/udp 9418 | inbound/outbound | allowed |
NetPerf | tcp 12865 | inbound/outbound | allowed |
TCP/UDP TRACEROUTE (LINUX) | udp 33434 – 33465 | inbound/outbound | allowed |
FaceTime | udp 3478 – 3497, 16384 – 16387, 16393 – 16402 | inbound/outbound | allowed |
Apart from the services explicitly listed in the table above, all other traffic is filtered.
If an AMRES institution needs to use a service or protocol that is filtered under the AMRES policy, the institution's technical contact has to send a request by email to the AMRES helpdesk asking for an exemption from the global filtering policy, stating the IP addresses and ports for which communication should be allowed and giving a short explanation of why the service/protocol is needed. AMRES will respond to the request as soon as possible.
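The two-stage policy described above (PoP deny list with the SMTP exemption, then the main-site default-deny allow list), modelled as an added Python example that is not AMRES's own configuration: the PoP table is encoded in full, the main-site table only as a representative subset, and the reported mail server address 192.0.2.25 is a constructed placeholder.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Union

@dataclass(frozen=True)
class Flow:
    proto: str              # "tcp", "udp" or "icmp"
    port: Union[int, str]   # destination port, or ICMP message type for "icmp"
    direction: str          # "inbound" or "outbound", as in the tables above
    src: str = ""           # source IP, only needed for the PoP SMTP exemption

# PoP table: tcp/udp ports dropped in both directions at the access point
_SHARED = {9, 13, 17, 19, 135, 593, 137, 138, 139,
           1433, 1434, 1521, 1522, 1525, 1529, 3306, 5432}
POP_DENY = {"tcp": _SHARED | {7, 445}, "udp": _SHARED}
ICMP_ALLOWED = {"echo-request", "echo-reply", "time-exceeded", "unreachable"}
# Constructed placeholder for mail servers the institution has reported to helpdesk
REPORTED_MAIL_SERVERS = {ip_address("192.0.2.25")}

# Main-site table, representative subset only: (proto, low, high, directions)
# directions: "io" = inbound/outbound, "o" = outbound only
MAIN_ALLOW = [
    ("tcp", 22, 22, "io"), ("tcp", 25, 25, "io"), ("tcp", 587, 587, "io"),
    ("tcp", 53, 53, "io"), ("udp", 53, 53, "io"), ("udp", 123, 123, "io"),
    ("tcp", 80, 80, "io"), ("tcp", 443, 443, "io"),   # servers; end users use the web-proxy
    ("tcp", 143, 143, "io"), ("tcp", 993, 993, "io"), ("tcp", 3389, 3389, "io"),
    ("tcp", 119, 119, "o"), ("tcp", 1194, 1194, "io"), ("udp", 1194, 1194, "io"),
    ("udp", 33434, 33465, "io"),
]

def pop_filter(flow: Flow) -> bool:
    """PoP stage: default allow; drop the listed services and unreported outbound SMTP."""
    if flow.proto == "icmp":
        return flow.port in ICMP_ALLOWED
    if flow.proto == "tcp" and flow.port == 25 and flow.direction == "outbound":
        return bool(flow.src) and ip_address(flow.src) in REPORTED_MAIL_SERVERS
    return flow.port not in POP_DENY.get(flow.proto, set())

def main_site_filter(flow: Flow) -> bool:
    """Main-site stage: default deny; only listed services pass, in the listed directions."""
    if flow.proto == "icmp":
        return flow.port in ICMP_ALLOWED
    return any(p == flow.proto and lo <= flow.port <= hi and flow.direction[0] in d
               for p, lo, hi, d in MAIN_ALLOW)

def is_permitted(flow: Flow) -> bool:
    """A flow reaches the Internet only if both stages let it through."""
    return pop_filter(flow) and main_site_filter(flow)
```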