In the evaluations of cyber incidents within higher education, we often read that the security of the ICT network is a challenge due to the nature of these organisations. Educational institutions are open learning environments with many users, such as students, researchers, lecturers, employees and guest users. As a result, there are many different needs and wishes concerning ICT services. That is often the case within our university, which makes us reluctant to block protocols between the Internet and UTnet. However, our Information Security policy is based on Zero Trust, i.e. providing access to information systems and information facilities in a controlled manner. The open environment is at odds with Zero Trust, but we can take steps in a safer direction here.
Many ICT services (protocols) were designed to be used purely within a local network. Making them accessible through the Internet makes them a target for cybercriminals. Those criminals actively scan for these protocols.
Therefore, LISA will block some services from being accessed outside our network. This can apply for the entire network or only parts of it.
The protocols are still available within the UT network (also through eduVPN). Doing your everyday work will still be possible, but it might require a little more effort.
LISA can block services for several reasons.
- The service uses a protocol with a high risk for abuse.
- The protocols in themselves have high-risk vulnerabilities.
- Systems use the protocols for Operational Technology (OT).
- The protocols show high amplification rates when used to stage a DDoS attack.
Main changes
It will no longer be possible to access systems on the university's network using remote access protocols like SSH, Microsoft and Apple Remote Desktop.
Database access will not be possible for systems in the university's buildings. Access to databases in the dorms will stay possible. We do urge you to take measures against abuse.
More information about the protocols and services is available in the new Guidelines on blocking protocols.
