Security
Firewall Frequently Asked Questions
-
The firewall rules registration system for entering firewall details is somewhat basic and does not have the facilities to view data already entered.
The first firewall rules registration system was coded quite quickly and is being used to enable us to automatically generate firewall rules from the information provided by yourselves. Since then we have continued coding and have improved the system's functionality, so you should now benefit from the additional features.
Please feel free to supply your feedback on desired features and we will continue to enhance the interface accordingly.
-
What are externally facing services?
Any computers on campus that provide a service such as HTTP, FTP, SSH or AFP to users connecting from the Internet are providing externally facing services.
-
What about holes for individuals' computers, or will you open holes for Staff or Students to connect to their desktop machine for VNC, SSH, FTP, etc.?
We are not planning to open holes for individuals' access to personal systems except where this is unavoidable.
Before the week commencing 19th December 2005, the Web File Access system will be fully launched for staff; however, it is already live across the University, providing an excellent interface to staff filestore, departmental servers and all computers in the Active Directory.
We may approach individuals to make a strong case for exceptions, which in turn will be discussed with the FITCs or appropriate faculty member.
-
Will you allow AFP over the Internet?
The decision has been made NOT to allow AFP over the Internet to on-campus machines unless the machine is running Mac OS X Server 10.3 or 10.4 and is configured to use AFP over SSH with no UAM fallback to cleartext.
AFP to Mac OS X client machines can be achieved through an SSH tunnel: first forward a local port to the server's AFP port (548) over SSH, then point the AFP client at the local end of the tunnel:
ssh -L 10548:127.0.0.1:548 user@server
afp://127.0.0.1:10548/
-
My rules are not active and you say you cannot scan the machine?
We are being slowed down more and more by users running Personal Firewalls on machines submitted for firewall holes. Despite repeatedly asking staff to turn off Personal Firewalls, we are still finding them running on machines we are trying to scan.
If your machine is running a Personal Firewall and we cannot scan it, your machine will not have a firewall hole applied.
Please see our Firewall Advice and Guidance www.lboro.ac.uk/it/security/firewall.html.
-
Following the outcome of the Off Campus Access project, we now offer a full VPN server. Further details regarding Off Campus Access are available at www.lboro.ac.uk/it/off-campus/index.html.html.
-
What is the minimum version of OpenSSH you will create Firewall rules for?
OpenSSH 3.7.1p2 and newer do not suffer from serious known exploits, so we will allow firewall holes where OpenSSH is this version or greater.
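Checking a machine against that threshold means comparing OpenSSH version strings, including the "pN" portable-release suffix, rather than plain strings. The POSIX sh helper below is an added example, not an IT Services tool; it assumes the banner format that "ssh -V" prints for OpenSSH (OpenSSH_major.minor.patchpN followed by library details) and treats any other banner as not acceptable.

```shell
#!/bin/sh
# Added example (not IT Services' own tooling): check whether an OpenSSH
# banner meets the minimum version stated on this page.
MIN_OPENSSH="3.7.1p2"

# Turn an OpenSSH version such as "3.7.1p2" or "4.1" into one integer
# (major*1000000 + minor*10000 + patch*100 + portable-release) so that
# versions compare numerically. Missing components count as 0.
openssh_version_key() {
    v=$1
    case "$v" in
        *p*) base=${v%%p*}; portable=${v##*p} ;;   # "3.7.1p2" -> "3.7.1" and "2"
        *)   base=$v;       portable=0 ;;
    esac
    set -- $(printf '%s' "$base" | tr '.' ' ')      # split on dots
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + ${portable:-0} ))
}

# Pull the version out of an "ssh -V" banner, for example
# "OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003".
# Prints nothing if the banner is not from OpenSSH.
openssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p'
}

# Succeed (exit 0) only when the banner is OpenSSH >= MIN_OPENSSH.
openssh_meets_minimum() {
    ver=$(openssh_version_from_banner "$1")
    [ -n "$ver" ] || return 1
    [ "$(openssh_version_key "$ver")" -ge "$(openssh_version_key "$MIN_OPENSSH")" ]
}

# Check the locally installed client; OpenSSH prints its banner on stderr.
# Source this file and call check_local_openssh to run the check.
check_local_openssh() {
    banner=$(ssh -V 2>&1) || { echo "ssh not found"; return 1; }
    if openssh_meets_minimum "$banner"; then
        echo "OK: $banner (>= $MIN_OPENSSH)"
    else
        echo "NOT ACCEPTABLE: $banner (need OpenSSH >= $MIN_OPENSSH)"
        return 1
    fi
}
```

The same helper can be pointed at a banner collected from a remote host's SSH service, which is how the scan side of this policy would be checked.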
-
Does this mean we will have the ability to modify our own rulesets?
Yes and no. At the moment all the details entered into the firewall rules registration system will be converted into firewall rules, and over the next couple of weeks IT Services will perform a security scan on these services to ensure they are safe for Internet-facing traffic. Once they have been authorised they will become live rules; if there is a security issue, this will be raised with the individual concerned in partnership with the departmental IT Support Staff. In the Social Sciences and Humanities faculty (SSH) there will be an additional authorisation by Phil Wilkinson-Blake as Director of IT SSH.
There will be no additional authorisation in the Engineering, Science, or Support faculty.
-
How do we modify rules after the week commencing 19th December?
All firewall rule change requests from now on need to be submitted using the same registration system. Although we initially thought we would have to fall back on the Service Desk system, enough resource has been focused into developing the firewall registration system that we can use it for the management of all rules.
Please note that new rules will not become live until a member of IT Services has scanned the machine and, if you are a member of the Social Sciences and Humanities faculty (SSH), Phil Wilkinson-Blake, the Director of IT SSH, has authorised the rule.
-
The firewall rules registration system is too much work, too clumsy, troublesome, etc. Can't I use e-mail?
No, sorry: we need all the firewall rules to be entered into the automatic system so we can generate the rules. You will only have to do this once; it should not take too long, and you have over a week to complete it.
-
If I add a rule to the Firewall Registration system is it available from everywhere on the Internet as well as on Campus?
The Firewall Registration system only controls rules at our border gateways to EMMAN (the network that links us to the Internet). Several departments have local firewall rules or router ACLs, including HallNET, so if you require your machine's access to be ubiquitous on campus you will need to request this via the IT Services' Service Desk. Remember that an Internet-connected machine may still not be able to reach your host even when your firewall rules are approved, if there is another firewall at their institution, company or organisation, including host-based software firewalls.
-
Are the new firewall rules only going to block incoming connections from off campus?
Yes, the rules will only block incoming TCP connections from the Internet, not from any of our netblocks, Holywell Park or HallNet.
We do already have some internal firewalling, particularly between HallNet and the campus network, and for some departments at their request. Therefore it is already the case that you cannot simply run a server in your department and assume everyone has access.
-
What about outgoing connections?
The current outgoing rules will apply as they do now; we are looking to revise the rules, but there will not be a global default-deny outgoing policy. We will be seeking feedback on this matter at a later date.
-
What services can I have holes for?
Pretty much anything that is secure: HTTP (if no sensitive data is sent in clear text), HTTPS, SSH, SFTP, etc. We cannot allow SMB over TCP/IP through the firewall, and we strongly urge that AFP be tunnelled in an SSH session instead of being run natively.
-
What about servers that manage for us?
Servers managed by are already very heavily firewalled, more heavily firewalled than we are presenting as a default option under these changes. We actually block all incoming and outgoing TCP, UDP and ICMP to our Windows servers with specific holes for required services. Therefore you do not need to take any action.
-
No, sorry: the changes will be made in the week commencing 19th December 2005. We need to ensure that the campus IT infrastructure is secure not just over the December / January period, when staff are away for extended periods, but all the time. The new rules will increase security and reduce the amount of time you spend re-building machines. The number of compromised machines has dropped significantly over the last few years and we would like the trend to continue.
-
Will you periodically scan these machines for vulnerabilities?
It is our ultimate aim to scan the machines which have holes in the firewall more frequently and to provide an interface for IT Support Staff to manage this.
-
Will all my applications still work?
All supported applications should still work; however, applications of which we have limited knowledge may fail to work as expected. We are already aware, before the firewall rules change, of issues with Instant Messaging, Internet Telephony and other similar applications. We will work with users on a best-efforts basis to get these working.
-
What happens if I have a problem?
Please report all problems to the IT Services' Service Desk, not by e-mail directly to individual members of staff. There will be a number of staff troubleshooting problems with the firewall, and personal e-mails will probably not get dealt with for several days.
Please ensure the subject is "Firewall Rules Problem" and that the report provides enough technical information for us to diagnose the problem quickly. Failure to provide enough technical details will delay resolution of the case.
