Computer Systems Lab
Connecting & Supporting the Computer Sciences Department
Insecure/Experimental workstations and networks

Insecure/Experimental workstations and networks

The Computer Systems Lab has designated networks for computers that can not be on our regular production networks, including computers running insecure operating systems, operating systems not supported by the Systems Lab, and computers not managed by the Systems Lab. These systems can not directly access the internet, to protect these experimental computers and to prevent an insecure computer from causing harm to external hosts.

Insecure/Experimental Computer Networks

  • 128.105.102.0/24
  • 128.105.104.0/24

Experimental network restrictions

We place network restrictions on these networks as a security precaution for both the rest of the Computer Science Department and to prevent an insecure computer from causing harm to external hosts. Additional ports are sometimes rapidly blocked in the event of large scale suspect network activity. Hosts that are believed to have been infected or are causing malicious activity will be disconnected from the network.

Access to the CS networks is generally allowed, with the following restrictions:

Blocked ports:

  • TCP 25 SMTP
  • UDP 69 TFTP
  • Microsoft SMB
    • TCP 135 RPC
    • UDP 137 NetBIOS Name Resolution
    • UDP 138 NetBIOS Datagram Service
    • TCP 139 NetBIOS Session Service
    • TCP 445 SMB over TCP/IP
    • TCP 593 RPC over HTTP
  • UDP 514 SYSLOG
  • TCP 515 LPD
  • TCP 587 Submission
  • TCP 4444 Blaster Worm
  • ICMP Ping
  • Access to any network other than general CS networks is blocked

Insecure/Experimental Computer Network Configuration

The insecure/experimental networks are configured as follows:

Network: 128.105.102.0
Netmask: 255.255.255.0
Broadcast Address: 128.105.102.255
Default Gateway: 128.105.102.246
DNS Servers: 128.105.252.100

Testing connectivity on the Insecure/Experimental network

IP addresses are assigned by the CSL for each computer. Do not use any additonal IP addresses without coordinating with the CSL. Although ICMP pings are normally filtered, the host ping.cs.wisc.edu (currently 128.105.252.4) should be reachable as a network connectivity check.

Using the Web/FTP on a restricted network

A caching web proxy is available for www and anonymous FTP at squid.cs.wisc.edu port 3128.

Most applications require specifying the proxy in the format squid.cs.wisc.edu:3128

Other Troubleshooting

  • Are the network card indicator lights on? If they are not lit at all, check:
    • that the network cord is plugged securely into the computer and into the wall
    • that the mac address in our records matches the mac address of the network card
  • Are you using the correct network settings?
    • Check your network settings using ifconfig in linux/mac or ipconfig in Windows to check the ip, netmask, and gateway
  • Can you ping ping.cs.wisc.edu?
    • If you can ping 128.105.252.4 (ping.cs.wisc.edu's ip) but not the hostname ping.cs.wisc.edu, you may have set your DNS server incorrectly.