Tech Guides :: Information Security :: Campus Border Firewall
Overview
In 2005 and 2006, technical advisory groups and ITS recognized the increasing need for better protections against network-based threats to electronic systems on campus. The CSU system also recognized the need for system-wide network security and funded a project to increase network security, called Infrastructure Terminal Resources Project (ITRP2). As a part of the ITRP2 project, HSU received redundant firewalls and installation support for the campus connection to the Internet. Because HSU indicated a desire for implementation we were selected as the first campus to receive this deployment.
On October 1st, 2009, Humboldt State closed the firewall to better protect campus computers and information. This is called a “closed border configuration.” Generally speaking, a firewall works in one of two ways. It either “allows” all traffic in and only “blocks” traffic that is specifically identified, known as an “open border configuration,” or it “blocks” all traffic unless that traffic is specifically identified, known as a “closed border configuration” (also called “default deny”). On April 1st, 2009, HSU began identifying all traffic that needs a “firewall exception” so that a closed border configuration could be enabled.
Schedule and Outages
April 1st, 2009 to August 1st 2009: On-Line Registration for firewall exceptions.
Telecommunications has posted an online form that will allow IT support personnel to request and track firewall exceptions. If you are not an IT support person, and think you might need an exception, contact your IT support area.
August 1st, 2009 to October 1st 2009: Firewall Cut-over preparations.
Telecommunications and Network Services will monitor and resolve any issues during the 2 months prior to the anticipated border closure. During this 2 month window, firewall exceptions will be processed on a first come, first served basis, as time permits.
September 8th, 2009: IT Council Review Process for October 1st re-configuration.
The Closed Border Process and status will be reviewed with IT Council during its September 8th meeting.
September 30th, 2009: CIO to make Go/No-Go
The Chief Information Officer will make a final decision to proceed with the firewall re-configuration based on the confidence that rules are in place to allow normal academic and business functions.
October 1st, 2009: Border firewall configuration changed to “default deny”
24 Hour Fall Back Window: A second “go/no-go” decision will be made by the CIO within 24 hours after the cut over. If the CIO determines there is sufficient cause to abandon the upgrade, configuration settings will be returned to their previous state.
October 1st, 2009 to October 21st, 2009: Temporary Exception Window
For a three week period after the cut-over, temporary exceptions for specific ports will be granted unless they are deemed to cause excessive and unnecessary risk. Temporary exceptions will be granted immediately through the normal firewall change request process, pending a security scan of the host for detectable vulnerabilities based on the most current SANS (SysAdmin, Audit, Network, Security) Institute Top 20 security risks.
*** Any temporary exceptions not resolved by January 2, 2010 will be removed.
FAQ
What is a firewall? - A firewall is a network security device positioned between two different networks, usually between an organization's internal, trusted network and the Internet.
What does a firewall do? - A firewall protects networked computers from intentional attacks from the Internet by restricting an attacker's ability to:
- exploit well-known security holes that may exist on your computer, or
- flood a computer or the entire campus network with traffic so that it cannot respond to legitimate requests, known as a Denial of Service (DoS) attack.
This means that the risk of outside attacks corrupting data, compromising confidentiality or denying service is greatly reduced. A firewall DOES NOT protect your computer against viruses received from email attachments, web downloads or file transfers from removable media (such as portable USB and FireWire drives), because that content arrives over connections the firewall has allowed or never crosses the border at all. To address these security issues, ITS is employing two additional technology solutions focusing on virus protection.
Why does HSU need a firewall? - A firewall helps HSU:
- balance the openness of the Internet with the need to protect the privacy and integrity of campus information and services,
- reduce the threat of attacks that can deny service to campus computer users,
- reduce the likelihood of off-campus individuals using campus computers to launch attacks against others on the Internet (aka Pass Through Sites).
Does this mean that I can't use my computer to access the Internet unless I register it? - No. Only traffic that originates outside the campus is affected by this change. Your campus computer will continue to function normally.
How does this affect me? Will it keep me from doing what I used to do? - The implementation of the firewall should not limit campus related services used by students, faculty and staff.
Getting out to the Internet: On-campus users will have the same access to the Internet and campus resources as they did without a firewall.
Getting to HSU Resources from the Internet: The initial firewall implementation will not change access to campus resources from the Internet.
Will the campus block traffic from the Internet to campus systems? - The campus will identify all legitimate computers and services that should be available from off campus. This information is used to create “pinholes” in the firewall that enable access to a specific service and/or computing resource while limiting access to non-essential services that may be vulnerable to attack. Once the campus has identified the legitimate computers and services and the corresponding changes have been made to the firewalls, access to all other services from the Internet will be blocked.
How can I access my computer from off-campus? - If you already access your computer from off-campus, you will need to use the VPN to make this connection after October 1, since the VPN places you on the campus side of the border firewall. Instructions will be available soon.
What is a pinhole? (Plus example) - A pinhole is a configuration setting in the firewall allowing access to specific services running on a campus computer.
For example, in order for users on the Internet to access a campus web page, a pinhole must be configured on the firewall to allow requests to the web service on the computer hosting the web site. In TCP/IP terms, each service on a host is identified by a port number. Web services commonly use TCP port 80 (HTTP) and TCP port 443 (HTTPS).
So if a particular computer, called DeptWebServer1, needed to serve a departmental web page to the Internet, the Departmental ITC might request that a pinhole be configured on the firewall to allow access to DeptWebServer1 on port 80. This allows web access to the department web page while still restricting every other service on that host (for example remote administration or file sharing) that Internet users have no need to reach. By limiting exposure to just the services that must be public, the risk of attacks from the Internet that try to exploit well-known security holes is greatly reduced.
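The following is an added worked example, written for this guide and not code from HSU, ITS or the firewall vendor. It models both border policies described in the Overview (open border with a blocklist versus closed border with pinholes) and the DeptWebServer1 pinhole from the example above, and shows why on-campus users are unaffected: campus-originated connections are recorded so that their replies are let back in, while an unsolicited inbound packet that merely looks like a reply is still dropped. The campus address block, host addresses, port numbers and the open-border blocklist are all hypothetical; a real border firewall would express the same policy in its own rule language and track connection state in hardware.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed campus address block (hypothetical; HSU's real ranges are not on the page).
CAMPUS = ip_network("10.0.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class BorderFirewall:
    """Toy model of the two border policies described on the page.

    mode="open":   allow all inbound traffic except destination ports on a blocklist.
    mode="closed": deny all inbound traffic except (host, proto, port) pinholes.
    Both modes let campus-originated connections out and let their replies back
    in; this stateful behaviour is modelled with a simple flow table.
    """

    def __init__(self, mode, pinholes=(), blocklist=()):
        if mode not in ("open", "closed"):
            raise ValueError("mode must be 'open' or 'closed'")
        self.mode = mode
        self.pinholes = set(pinholes)      # {(host, proto, port)}
        self.blocklist = set(blocklist)    # {port}
        self.flows = set()                 # campus-initiated 5-tuples

    def decide(self, pkt):
        src_inside = ip_address(pkt.src) in CAMPUS
        dst_inside = ip_address(pkt.dst) in CAMPUS

        if src_inside and not dst_inside:
            # Outbound: always allowed; remember the flow so the reply gets back in.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        if not (dst_inside and not src_inside):
            # Internal-to-internal (or transit) traffic never crosses the border.
            return "allow"

        # Inbound from the Internet: check for a reply to a campus-initiated flow first.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "allow"
        if self.mode == "open":
            return "deny" if pkt.dport in self.blocklist else "allow"
        return "allow" if (pkt.dst, pkt.proto, pkt.dport) in self.pinholes else "deny"


# Constructed sample traffic (all addresses are hypothetical).
DEPT_WEB_SERVER = "10.0.5.80"    # "DeptWebServer1" from the page's example
STAFF_DESKTOP = "10.0.9.3"
INTERNET_CLIENT = "198.51.100.7"
INTERNET_SITE = "203.0.113.5"

SAMPLE_TRAFFIC = [
    Packet(INTERNET_CLIENT, 51000, DEPT_WEB_SERVER, 80),    # web request: pinholed
    Packet(INTERNET_CLIENT, 51001, DEPT_WEB_SERVER, 22),    # SSH to same host: not pinholed
    Packet(INTERNET_CLIENT, 51002, STAFF_DESKTOP, 445),     # SMB probe at a desktop
    Packet(STAFF_DESKTOP, 40000, INTERNET_SITE, 443),       # desktop browses out
    Packet(INTERNET_SITE, 443, STAFF_DESKTOP, 40000),       # genuine reply to that browse
    Packet(INTERNET_SITE, 443, STAFF_DESKTOP, 40001),       # unsolicited, only looks like a reply
]


def run_scenario(mode):
    """Return the decision for each sample packet, in order, under the given policy."""
    fw = BorderFirewall(
        mode,
        pinholes={(DEPT_WEB_SERVER, "tcp", 80)},
        blocklist={135, 139, 445},   # hypothetical open-border blocklist
    )
    return [fw.decide(p) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for mode in ("open", "closed"):
        print(mode, run_scenario(mode))
```

Running the scenario shows the difference in exposure: under the open border only the three blocklisted ports are closed, so the SSH probe at DeptWebServer1 and the spoofed "reply" to the desktop both get through; under the closed border only the requested pinhole and genuine replies to campus-initiated connections are allowed, and everything else is denied by default.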
Where can I find out more about firewalls? - If you would like to learn more about firewalls, you will get many good results by simply using a web search engine (e.g. http://www.google.com , http://www.yahoo.com) to search using the keyword "firewall".
Here are a couple of URLs we recommend for a start:
http://www.howstuffworks.com/firewall.htm
http://www.pcwebopedia.com/TERM/f/firewall.html
