Firewall Issues

Background

Network security concerns have increased with the proliferation of computer viruses, network worms and a variety of other network cracking activity. Firewall software exists to control traffic between computers within an organization's local area network and the vast and chaotic Internet. There are a variety of tools and strategies that together constitute a particular organization's firewall. Informed network management must make choices on how to use the available tools and how to implement security strategies to maximize network protection while nevertheless allowing users access to the tools they need.

The Minerva online library management system is shared by nearly 50 Maine libraries. Each must configure its local area network and firewall or other security facilities to allow library workstations to interact with the central database server located in Orono. This interaction takes several forms. Library users search their library catalog, make online requests for materials not available in the local library and manage the materials they have on loan from the library, all through a garden-variety web browser pointed at http://minerva.maine.edu.

Importance of Ports

Depending on the tasks being performed, staff may need to connect to the same server via telnet, web browser, Millennium Java-based client or Windows-based client. Server processes that support these clients, and specific tasks that can be accomplished with these clients, are addressed by port number on the server. Hence, in order to make use of the broad range of library management services provided by Minerva, it is imperative that local firewall configuration not impede data traffic between library client machines behind the firewall and those ports on the central server in Orono that correspond to functions used by the local library.

In order to avoid network-based attacks, firewalls are sometimes set to prohibit passage of any data packet coming from any but a small handful of "common" ports. This approach will not allow libraries to utilize the Innovative Interfaces software underlying Minerva. However, some sites have found that constraining traffic using "uncommon" ports to a small number of client machines behind the firewall and a single server machine outside the firewall establishes a sufficient level of security.

Ports Essential to Minerva Functions

Here is a list of ports used by the Minerva server for functions enabled for Minerva. This list is a subset of a larger list that also covers functions used by software modules not enabled for Minerva.

List of Minerva Ports

Task / Service / Activity                               Port Number
Primary port (without this, Millennium will not run)    2000
Telnet                                                  23
Web OPAC (HTTP)                                         80 for the primary database, 81+ for alternate databases
Cataloging Workstation for Windows                      4900, 4999, 5210
Web Report Manager                                      4448
Patron Search Statistics Web Report                     4442
Fund Management Web Report                              4443
Vendor Performance Statistics Web Report                4445
Circulation Statistics Web Report                       4441
Collection Web Reports                                  4440
Patron API                                              4500
OCLC Interactive                                        5500

For all releases

4600     Millennium data server
4601+    Millennium Cataloging reference databases
4666     Millennium ILL data server
4999     Millennium search server
1030     Millennium Encryption port
1031     Database server (serves WebBridge, Millennium Statistics, and Distance Learning)
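
The approach described under "Importance of Ports", constraining the "uncommon" ports to a small number of client machines and a single server, can be turned into firewall rules mechanically from the port list above. The following is an added example, not part of the original page or of Innovative Interfaces' documentation; it assumes a Linux firewall using iptables, and the function name, chain and IP addresses are constructed placeholders.

```python
import ipaddress

# Fixed ports from the "List of Minerva Ports" table on this page.
# The open-ended entries (81+, 4601+) are left out: the page gives no upper
# bound, so a site adds whichever alternate-database ports it actually uses.
MINERVA_PORTS = [2000, 23, 80, 4900, 4999, 5210, 4448, 4442, 4443, 4445,
                 4441, 4440, 4500, 5500, 4600, 4666, 4999, 1030, 1031]

MULTIPORT_MAX = 15  # iptables "multiport" match accepts at most 15 ports per rule


def build_rules(clients, server, ports=MINERVA_PORTS, chain="FORWARD"):
    """Return iptables commands letting only `clients` reach `server` on `ports`."""
    server_ip = ipaddress.ip_address(server)  # raises ValueError on bad input
    client_ips = [ipaddress.ip_address(c) for c in clients]
    unique = sorted(set(ports))  # 4999 is listed twice in the table
    for p in unique:
        if not 1 <= p <= 65535:
            raise ValueError(f"invalid TCP port: {p}")
    chunks = [unique[i:i + MULTIPORT_MAX]
              for i in range(0, len(unique), MULTIPORT_MAX)]
    rules = []
    for client in client_ips:
        for chunk in chunks:
            dports = ",".join(str(p) for p in chunk)
            rules.append(
                f"iptables -A {chain} -p tcp -s {client} -d {server_ip} "
                f"-m multiport --dports {dports} "
                f"-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"
            )
    # Replies from the server to those same clients, matched by connection state.
    for client in client_ips:
        rules.append(
            f"iptables -A {chain} -p tcp -s {server_ip} -d {client} "
            f"-m conntrack --ctstate ESTABLISHED -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    # Constructed sample addresses (private / documentation ranges), not real hosts.
    for rule in build_rules(["10.0.5.21", "10.0.5.22"], "192.0.2.10"):
        print(rule)
```

The generated rules are meant to sit ahead of a site's existing default-deny policy; substitute the staff workstation addresses and the address that minerva.maine.edu resolves to.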

Compromise is Local

Notwithstanding that best practices in network security are ever-evolving, it should be noted that more than 1200 systems serving in excess of 10,000 discrete libraries nationally and internationally run this software without any reports of security breaches related to its use. All run the same software with the same port access requirements.

The best way to adjust local security policy to meet the requirements of the Innovative Interfaces software is the way that satisfies the needs of library users, library staff and IT staff at any given site. Compromise may be necessary. Time and imagination may be required to arrive at the most functional, yet acceptably secure solution. The fact that such a compromise is so commonly found

Firewall Time-Outs

A library running Millennium should NOT have a timeout set on a firewall. If a site running Millennium has a timeout set on a firewall, users may be logged out during sessions when the terminal is idle for a few minutes.

Cisco Pix Firewall Issue

There are special issues with regard to configuration of a Cisco Pix firewall in conjunction with use of Millennium client software. For details go to the very end of the Innovative CSDIRECT firewall FAQ. (Username and password required.)

More Info

Check out the CSDIRECT firewall FAQ.