Deny Unsolicited Inbound Traffic (DUIT)

The Deny Unsolicited Inbound Traffic (DUIT) service is an “opt-in” service that gives Northwestern Technology Leaders the ability to block unsolicited off-campus data network traffic to the on-campus subnets they administer. All inbound connections, regardless of application or service port, will be blocked by the Intrusion Prevention System (IPS) at the campus network border for subnets that opt-in to the service. This includes both IPv4 and IPv6 traffic, where provisioned. See Service Notes.

Devices on subnets that opt in to the service will still be able to access the Internet normally (e.g. to browse web sites or download software), but can only provide services, such as printing, to clients that are on campus or connected to the Northwestern VPN.

Northwestern technology leaders interested in discussing the service further can request a consultation with a network support specialist.

Security Benefits

The majority of devices connected to the campus network have no need to accept incoming connections from off campus. By denying unsolicited inbound Internet traffic, the service greatly reduces the attack surface for network-based security threats.

Additional security benefits include:

  • Preventing unknown workstations connected to the Internet from sending unauthorized print jobs to campus printers
  • Limiting unauthorized access to systems
  • Reducing potential for data exfiltration
  • Minimizing performance degradation due to small-scale Denial of Service (DoS) attacks

Service Adoption

Northwestern networks that are configured to deny unsolicited inbound traffic include:

  • Northwestern IT-provided Wi-Fi (Northwestern, eduroam, Guest-Northwestern, Device-Northwestern)
  • Wired guest service
  • Subnets that are behind a departmental or data center firewall configured to deny inbound connections
  • Devices on subnets using “private” IPv4 addresses (192.168.x.x or 10.x.x.x)
  • Wired Residential Networks

In addition, Northwestern IT blocks inbound connections for some services across the entire campus network (e.g. Microsoft Remote Desktop Protocol (RDP)) and also blocks inbound connections for additional services, such as Microsoft SQL Server, on a per-subnet, opt-in basis.

Consultation and Implementation

Northwestern IT provides expert assistance to University departments that are interested in the security benefits of the DUIT service.

Consult with a network support specialist, who can answer your questions, provide details about the implementation process, and offer technical assistance to determine the possible impact on existing applications. Request a consultation.

Service Notes

  1. DUIT is provisioned on a per-subnet basis. Individual hosts that require this service must be moved to a subnet that has opted in to the service. In cases where a small number of hosts require inbound Internet access, Northwestern IT will assist departments in identifying another subnet to which the devices can be moved.
  2. DUIT only denies inbound connections from off-campus hosts. Inbound connections or abuse from other hosts also connected to the campus network (or VPN services) are not prevented by this service.
  3. Departments that require additional security to block on-campus networks are encouraged to explore the Northwestern Firewall Service.
  4. The IPS is deployed in a “fail open” configuration to ensure off-campus connectivity for data network services in the event the IPS experiences a catastrophic failure. While the failure persists, subnets will not have the protection of the DUIT service.
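The following is an added toy model (not Northwestern IT's code) of the border IPS decision that the Service Notes describe: unsolicited off-campus connections to an opted-in subnet are denied, replies to campus-initiated connections pass, on-campus and VPN sources are never blocked (note 2), and a failed IPS passes everything (note 4). The address ranges are constructed RFC 5737/3849 documentation prefixes, not the University's real subnets.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed, illustrative address plan (documentation ranges only).
CAMPUS = [ipaddress.ip_network("203.0.113.0/24"),
          ipaddress.ip_network("10.0.0.0/8"),
          ipaddress.ip_network("2001:db8:1::/48")]
VPN = [ipaddress.ip_network("198.51.100.0/24")]
DUIT_OPT_IN = [ipaddress.ip_network("203.0.113.0/26"),   # subnets that opted in
               ipaddress.ip_network("2001:db8:1:1::/64")]


def _in(addr, nets):
    return any(addr in n for n in nets)


@dataclass
class BorderIPS:
    """Toy model of the border IPS policy described in the DUIT service notes."""
    failed: bool = False                           # note 4: IPS is "fail open"
    established: set = field(default_factory=set)  # flows initiated from inside

    def evaluate(self, src, sport, dst, dport, proto="tcp"):
        """Return (decision, reason) for one packet heading across the border."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if self.failed:
            return "allow", "IPS failed open; subnet has no DUIT protection"
        if _in(src, CAMPUS) or _in(src, VPN):
            # Campus- or VPN-originated traffic is never blocked by DUIT (note 2).
            # Remember outbound flows so their replies are recognised below.
            self.established.add((proto, str(src), sport, str(dst), dport))
            return "allow", "source is on campus or on the VPN"
        if not _in(dst, DUIT_OPT_IN):
            return "allow", "destination subnet has not opted in to DUIT"
        # Reply direction of a tracked flow: swap the endpoints and look it up.
        if (proto, str(dst), dport, str(src), sport) in self.established:
            return "allow", "reply to a connection initiated from campus"
        return "deny", "unsolicited inbound from off campus to a DUIT subnet"
```

A real IPS also ages entries out and tracks TCP state; this model only shows how "unsolicited" is decided.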