Strong Host-Based Security
We strongly recommend that all LAWN users practice strong Host-Based Security on their devices. This includes running a personal firewall, using secure services, keeping current on operating system and application patches, and running an up-to-date virus scanner. Details on these are available on the OIT Website.
Due to the inherent insecurities of wireless networks, they should be treated as untrusted networks. We have implemented filters on the LAWN that exist at our campus borders. The impact of blocking these ports will be loss of access to some applications, such as Windows File Sharing.
Because of the architecture of the LAWN network, there is a chance that someone may try to fool your computer into contacting a rogue server and presenting you with a fake LAWN login screen. The purpose behind such an attack would be to gain your login and password.
Though LAWN may look on the surface to be susceptible to such an attack, if you pay attention to how your browser presents the LAWN login screen, you can avoid being fooled. You should look for two things:
Use of Insecure Services
Many frequently used Internet protocols (e.g. http, POP, IMAP, telnet, ftp) transmit account and password information in "clear text," unencrypted. The danger of this is that anyone with a machine on the same network as a machine using those protocols can easily acquire any login and passwords sent using those protocols (e.g., if you use Eudora to POP email while using LAWN, someone can easily steal your login and password that you use to access your email server). LAWN is a shared network. Using unencrypted protocols on just about any shared network (including LAWN) places you at risk and is a bad idea. The following table offers safe alternatives for the most common protocols:
What are the LAWN network ranges?
LAWN is composed of multiple networks. How you access the LAWN determines which network range you will be assigned to.
If you are attempting to configure your host-based firewall and would like to control traffic to/from the LAWN network ranges, they are published here for your convenience:
What is Inbound Service Security?
Inbound Service Security (ISS) uses stateful packet inspection to help protect your LAWN-connected device from hacking/virus attacks originating from outside of the LAWN network.
When Inbound Service Security is enabled for your LAWN session, hosts outside of the LAWN network are blocked from connecting to services running on your machine. For example, if your LAWN-connected device is running a Web server, with Inbound Service Security enabled, hosts not on the LAWN network will not be able to connect to your machine's Web server.
A service can be provided by any application on your machine which listens for and accepts TCP connections to your machine by another host. Because these services commonly present vulnerabilities which hackers exploit, and are often unintentionally enabled, it is in your best interest, security-wise, to use Inbound Service Security when logging into LAWN. ISS will be enabled for your LAWN login session unless you check the "disable Inbound Service Security" box on the login form.
Note that Inbound Service Security is not a complete security solution; you should make sure your computer is up-to-date with vendor supplied patches, disable any unnecessary services, and utilize a personal firewall.
On eduroam/GTwifi: By default, eduroam/GTwifi users are placed behind a stateful firewall (ISS enabled), which does not allow unsolicited connections from outside of LAWN. If you do not want a stateful firewall (ISS disabled) on eduroam/GTwifi, please contact
By disabling this safeguard, you accept full responsibility for the increased risk associated with allowing connections to your machine. Please note that disabling Inbound Service Security allows access from outside of the LAWN network to any TCP port in use by any service on your machine.
An important technical note: Communication is automatically permitted between any two LAWN hosts (without authenticating), regardless of network (LAWN utilizes multiple networks). When using GTwifi, all of your devices (logged in under the same username) should be on the same network (unless you have requested ISS disabled).
For those of you who need additional technical information, devices placed on the same Layer 2 network and broadcast based services (such as Apple's Bonjour protocol) should work as expected. If you need any additional details or have any specific questions, please contact the LAWN Services Team (at email@example.com).
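The sketch below is an added example, not part of the original LAWN page or any OIT tool. It applies the rules described above (hosts outside LAWN are blocked only while ISS is enabled, LAWN-to-LAWN traffic is always permitted) to a list of listening TCP sockets so you can see which services each setting exposes. The sample input is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the column layout of `ss -H -tln` on Linux
# (State Recv-Q Send-Q Local:Port Peer:Port); not taken from a real host.
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 128 [::]:445 [::]:*
"""

def parse_listeners(ss_output):
    """Return (bind_address, port) for every listening TCP socket."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        addr = addr.split("%")[0].strip("[]")  # drop %iface and IPv6 brackets
        listeners.append((addr, int(port)))
    return listeners

def exposure(addr, iss_enabled):
    """Who can connect to a listener bound to addr, per the policy above."""
    if addr != "*" and ipaddress.ip_address(addr).is_loopback:
        return "local only"
    # Assumption: any non-loopback bind is reachable over the wireless
    # interface, and no host firewall is filtering it.
    # LAWN-to-LAWN traffic is always permitted; ISS only stops outside hosts.
    return "LAWN hosts" if iss_enabled else "LAWN hosts and outside hosts"

def audit(ss_output, iss_enabled=True):
    """Return (port, bind_address, exposure) rows, lowest port first."""
    rows = [(port, addr, exposure(addr, iss_enabled))
            for addr, port in parse_listeners(ss_output)]
    return sorted(rows)

if __name__ == "__main__":
    for iss in (True, False):
        print(f"ISS {'enabled' if iss else 'disabled'}:")
        for port, addr, who in audit(SAMPLE_SS, iss):
            print(f"  tcp/{port:<5} bound to {addr:<10} reachable by {who}")
```

Even with ISS enabled, every non-loopback listener remains reachable by other LAWN hosts, which is why disabling unnecessary services and running a personal firewall are still recommended above.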
We welcome input into our Security forum. Please feel free to add to the forum below in regard to security-related topics. Our hope is that a contribution from the campus will enrich the information of this site for all to benefit.
Please note that the forums are not meant as a replacement for the official OIT help system ServiceDesk (which can be reached via email, firstname.lastname@example.org, or via the phone at 404-894-7173).