Steinbuch Centre for Computing (SCC)

The service descriptions are being translated at the moment

If there's no English information available, please use the German counterpart. We are working on the English translations right now and apologize for any inconvenience.

  • Network-based security systems

  • Protection against unauthorized access to network segments inside KIT (firewall).

The service protects end devices in the KIT data network against unauthorized access.

Access protection is tiered and follows the protection requirement the customer requests for their systems:
* Protection against unauthorized access from the Internet ("Central Firewall")
* Additionally, protection against unauthorized access from other network segments of KIT ("Decentralized Firewall")
* Additionally, protection against unauthorized end devices within the network segment ("Network Access Control (NAC)")

* Central firewall: informally by e-mail
* Decentralized firewall / NAC: by arrangement

informally by e-mail

Organizational prerequisites

  • For each network segment, a contact person responsible for operating the end devices in that segment must be designated (IT-Verantwortlicher / LAN-Koordinator).
  • The end devices must have IP addresses registered with SCC.

Technical prerequisites

  • TCP/IP communication
  • Authentication service (for NAC)
  • DHCP (for NAC)

Central firewall

The central firewall regulates communication between KIT's wired network (the intranet) and the Internet. The firewall acts in both directions:

  • It limits the ability of hosts on the Internet to access hosts at KIT.

  • It restricts the access of internal hosts to services on the Internet.

The firewall is called "central" because it acts on all devices connected to the intranet. Organizational units with elevated security requirements can additionally use the "Decentralized Firewall" service.

Included services

  • Protection against unwanted access from the Internet
  • Opening server services for access from the Internet
  • Restriction of Internet access

Services not included

  • Protection against unwanted access from the intranet
  • Restriction of intranet access
  • Regulation of communication in the WLAN


Decentralized firewall

The decentralized firewall regulates communication between the wired network segment of a KIT institute or organizational unit and the intranet. The firewall acts in both directions:

  • It limits the ability of hosts in other parts of the intranet to access hosts of the institute or organizational unit.

  • It restricts the access of the institute's or organizational unit's hosts to services on the intranet.

Included services

  • Protection against unwanted access from the intranet
  • Opening server services for access from the intranet
  • Restriction of intranet access

Services not included

  • Protection against unwanted access from within the same network segment
  • Restriction of access to the network segment


Firewall concepts

Basically, there are different concepts for implementing a firewall.

The most widely used firewalls are port/packet filters on the end devices themselves (so-called personal firewalls). Since personal firewalls on end devices were introduced and matured (for example, the Windows Firewall from XP SP2 on), they are no longer part of the SCC portfolio.
The other concept controls the communication of whole network segments with other networks (campus network, Internet) through rule sets enforced either on routers or on dedicated firewalls. Depending on the security requirements, there are different security levels, which SCC offers and implements as a kind of modular system. These security levels divide the KIT network into four network zones (A - D).


Security level "Base Protection":

Default security settings are defined on the router systems and configured according to the following classification of interfaces:
• Internet uplink;
• User networks;
• Server networks at SCC
A blacklist is configured on the Internet uplink: access from the outside to KITnet passes through in full, with a few exceptions. Note that a blacklist of this kind permits every port not on the list, so systems that must not be reachable from the Internet at all need Security Level 1 or higher. Access to the following protocol ports is not permitted:

TCP 25, 53, 135, 137, 138, 139, 445, 593, 2745, 5554, 9996
UDP 25, 53, 69, 135, 137, 138, 139, 161, 445, 2745, 5554, 9996

For outgoing connections from KITnet, the following protocol ports are not permitted:

TCP 25, 2745, 54040
UDP 2745, 4000, 7871, 54040

Exceptions are strictly limited to individual cases, e.g. the central mail and DNS servers.
On the Internet uplink, incoming and outgoing anti-spoofing rules are implemented according to RFC 2827.
Anti-spoofing is configured by default on the router interfaces of user and server networks.
Additional service-specific filters exist on the router interfaces of the server networks in the inbound direction.
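The following is an added worked example, not SCC's router configuration: a small Python model of the "Base Protection" uplink filter described above, combining the RFC 2827 ingress/egress anti-spoofing checks with the blacklist semantics (everything passes except the listed ports) and per-host exceptions. The KIT address range (198.51.100.0/24, a TEST-NET prefix) and the mail/DNS exception hosts are placeholders assumed for the illustration; the port lists are the ones given in the text.

```python
"""Model of a blacklist-style uplink filter with RFC 2827 anti-spoofing.
Added example; address ranges and exception hosts are assumed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed placeholder for the KIT address space (TEST-NET-2, not KIT's real prefix).
KITNET = ip_network("198.51.100.0/24")

# Ports closed on the Internet uplink, per the lists in the service description.
INBOUND_BLOCKED = {
    "tcp": {25, 53, 135, 137, 138, 139, 445, 593, 2745, 5554, 9996},
    "udp": {25, 53, 69, 135, 137, 138, 139, 161, 445, 2745, 5554, 9996},
}
OUTBOUND_BLOCKED = {
    "tcp": {25, 2745, 54040},
    "udp": {2745, 4000, 7871, 54040},
}

# Individually approved exceptions keyed by KIT host: a hypothetical central
# mail relay (TCP 25) and a hypothetical central DNS server (TCP/UDP 53).
EXCEPTIONS = {
    ip_address("198.51.100.25"): {("tcp", 25)},
    ip_address("198.51.100.53"): {("tcp", 53), ("udp", 53)},
}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def uplink_verdict(pkt: Packet, direction: str) -> str:
    """Decide a packet crossing the uplink.

    direction is "in" (arriving from the Internet) or "out" (leaving KITnet).
    Returns "accept", "accept: approved exception", or a string starting with "drop: ".
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if direction == "in":
        # RFC 2827 ingress filter: the Internet never legitimately sources KIT addresses.
        if src in KITNET:
            return "drop: spoofed KIT source address from the Internet"
        if dst not in KITNET:
            return "drop: destination is not in KITnet"
        blocked, kit_host = INBOUND_BLOCKED, dst
    elif direction == "out":
        # RFC 2827 egress filter: KIT must not emit packets with foreign source addresses.
        if src not in KITNET:
            return "drop: non-KIT source address leaving KITnet"
        if dst in KITNET:
            return "drop: internal destination does not belong on the uplink"
        blocked, kit_host = OUTBOUND_BLOCKED, src
    else:
        raise ValueError(f"unknown direction {direction!r}")

    # Blacklist semantics: everything passes except the listed ports, and even
    # those pass when the KIT host involved has an approved exception.
    if pkt.dport in blocked.get(pkt.proto, set()):
        if (pkt.proto, pkt.dport) in EXCEPTIONS.get(kit_host, set()):
            return "accept: approved exception"
        return f"drop: {pkt.proto}/{pkt.dport} is blacklisted {direction}bound"
    return "accept"


if __name__ == "__main__":
    # Constructed sample traffic (not captured data).
    samples = [
        (Packet("tcp", "203.0.113.10", "198.51.100.80", 445), "in"),   # SMB from outside
        (Packet("tcp", "203.0.113.10", "198.51.100.80", 443), "in"),   # HTTPS from outside
        (Packet("tcp", "203.0.113.10", "198.51.100.25", 25), "in"),    # mail to the relay
        (Packet("tcp", "198.51.100.9", "198.51.100.80", 443), "in"),   # spoofed KIT source
        (Packet("tcp", "198.51.100.10", "203.0.113.25", 25), "out"),   # direct outbound SMTP
        (Packet("udp", "203.0.113.5", "203.0.113.53", 53), "out"),     # foreign source leaving
    ]
    for pkt, direction in samples:
        print(f"{direction:>3} {pkt.proto}/{pkt.dport} {pkt.src} -> {pkt.dst}: {uplink_verdict(pkt, direction)}")
```

The order of the checks matters: the anti-spoofing test runs before the port lookup, so a packet that claims a KIT source address from the Internet is dropped regardless of which port it targets, and an exception entry never bypasses the spoofing check.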

Security Level 1

The goal of Level 1 is to shield systems from the Internet. The basic principle is that connections initiated internally may be answered from the outside, while a connection cannot be initiated from the Internet. This principle applies equally to private and public IP addresses.
Since private addresses are only valid within an enterprise, application gateways or address translation are necessary to allow these systems to communicate with the Internet. As application gateways, SCC offers web proxies and mail servers. For all other protocols and applications, address translation (PAT/NAT, port/network address translation) is used to allow an internal node with a private IP address to communicate with the Internet. This service is centralized at the Level 1 firewall.

Exceptions for accessing internal systems from the Internet can be realized in two ways:

If a service must be accessible from all source IP addresses world-wide, the rule can be created via NATVS+, an application developed in-house by SCC. NATVS+ has a user interface that lets the DNSVS administrators of the respective address range manage their firewall rules themselves. Attempts to open ports listed above as generally blocked on the Internet uplink have no effect. Changes made in NATVS+ are activated on the firewalls automatically at least twice a day (at 10:00 a.m. and 3:00 p.m.).
Requests for firewall rules restricted to specific source IP addresses must be submitted by the responsible IT officer (IT-Beauftragter) by e-mail to the firewall team at SCC (firewall∂

Security Level 2

Security Level 2 corresponds to Security Level 1, with the difference that a group of systems is additionally protected against unwanted access from other parts of the KIT network. The systems to be protected must be in a separate VLAN. Exceptions for world-wide access from the Internet are defined via NATVS+, as in Security Level 1. Source-restricted exceptions must be requested by the responsible IT officer by e-mail to firewall∂
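As an added example (not SCC's implementation, and not NATVS+ itself), the following Python model shows the stateful principle shared by Security Level 1 and Security Level 2: flows initiated from inside the protected segment are remembered so that replies pass, while initiation from outside is refused unless an exception exists. Level 1 refuses only Internet-initiated flows; Level 2 additionally refuses flows initiated from other KIT segments. The two exception types from the text are modelled as a self-service "world-wide" rule that refuses base-blocked ports, and a source-restricted rule. The intranet range (198.51.100.0/24) and the institute VLAN (198.51.100.64/26) are assumed TEST-NET placeholders; NAT/PAT for private addresses is left out.

```python
"""Toy stateful segment firewall for Security Level 1 and 2.
Added example; address ranges are assumed placeholders, not KIT's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

KITNET = ip_network("198.51.100.0/24")     # assumed: the whole KIT intranet
SEGMENT = ip_network("198.51.100.64/26")   # assumed: one institute's own VLAN

# TCP ports closed inbound by Base Protection (from the list in the text);
# a self-service rule must not be able to reopen them.
BASE_BLOCKED_TCP = {25, 53, 135, 137, 138, 139, 445, 593, 2745, 5554, 9996}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    new: bool = False   # True for the first packet of a flow (e.g. a TCP SYN)


def zone(addr: str) -> str:
    """Classify an address relative to the protected segment."""
    a = ip_address(addr)
    if a in SEGMENT:
        return "segment"
    if a in KITNET:
        return "intranet"
    return "internet"


def flow_key(pkt: Packet) -> frozenset:
    """Direction-independent identifier of a flow (both endpoints)."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class SegmentFirewall:
    """level 1: refuse flows initiated from the Internet;
    level 2: additionally refuse flows initiated from other KIT segments."""

    def __init__(self, level: int):
        if level not in (1, 2):
            raise ValueError("level must be 1 or 2")
        self.level = level
        self.flows = set()           # accepted flows, so replies can pass
        self.world_rules = set()     # (dst, dport) opened for all sources
        self.limited_rules = set()   # (src_network, dst, dport) opened on request

    def open_world(self, dst: str, dport: int) -> bool:
        """Self-service world-wide exception; refuses base-blocked ports."""
        if dport in BASE_BLOCKED_TCP:
            return False
        self.world_rules.add((dst, dport))
        return True

    def open_limited(self, src_net: str, dst: str, dport: int) -> None:
        """Exception restricted to specific source addresses (requested by the IT officer)."""
        self.limited_rules.add((ip_network(src_net), dst, dport))

    def _initiation(self, pkt: Packet) -> str:
        src_zone, dst_zone = zone(pkt.src), zone(pkt.dst)
        if dst_zone != "segment":
            return "accept"   # initiated from inside, or not crossing our boundary
        if src_zone == "segment":
            return "accept"   # traffic within the segment is not this firewall's job
        if (pkt.dst, pkt.dport) in self.world_rules:
            return "accept: world-wide exception"
        if any(ip_address(pkt.src) in net and (d, p) == (pkt.dst, pkt.dport)
               for net, d, p in self.limited_rules):
            return "accept: source-restricted exception"
        if src_zone == "internet":
            return "drop: initiation from the Internet"
        if self.level == 2:
            return "drop: initiation from another KIT segment"
        return "accept"       # level 1 trusts the rest of KITnet

    def handle(self, pkt: Packet) -> str:
        key = flow_key(pkt)
        if key in self.flows:
            return "accept: established"
        if not pkt.new:
            return "drop: not part of an established flow"
        verdict = self._initiation(pkt)
        if verdict.startswith("accept"):
            self.flows.add(key)
        return verdict


if __name__ == "__main__":
    fw = SegmentFirewall(level=2)
    print("open 445 world-wide:", fw.open_world("198.51.100.70", 445))   # refused
    print("open 443 world-wide:", fw.open_world("198.51.100.70", 443))   # allowed
    # Constructed sample packets (not captured data).
    print(fw.handle(Packet("203.0.113.5", 40000, "198.51.100.70", 443, new=True)))
    print(fw.handle(Packet("198.51.100.70", 443, "203.0.113.5", 40000)))
    print(fw.handle(Packet("198.51.100.10", 5000, "198.51.100.71", 22, new=True)))
```

Because the flow table is keyed on both endpoints, the server's reply and any later packets of the same connection are matched as established without a second rule, which is exactly why a Level 1 segment can reach the Internet freely while nothing on the Internet can start a connection inward.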