For the latest information regarding technology support for the Coronavirus situation, please visit UCI TechPrep.

How I learned to stop worrying and love the border firewall

Firewall illustrationBy default, connections from off-campus are denied to campus systems.  If there is a business need, Server Registration  is a tool that allows people to open ports on the firewall for systems they are responsible for.  It is important to periodically review registrations you may have opened in the past to make sure they are still needed and keep them as tightly locked down as possible.  If you are a group lead, you can use Firewall Rule Viewer (https://wiki.oit.uci.edu/x/OQFWMg) to review all rules that may have been registered by others for your group’s systems.

Here are some guidelines to determine if a system should be registered open in Server Registration:

  1. If the server/application/service only needs to be accessed by UCI staff/students/affiliates, keep it closed and require people to first connect to the UCI VPN (https://www.oit.uci.edu/vpn/), which is a secure bridge across the border firewall, to access it.
  2. If there is a business need for general public (non-UCI affiliates) to access the system, open just the minimum ports that are required, not “all”.
  3. If there are multiple applications/services on a server, some of which require public access and some of which don’t, separate the public applications/services to a host on a different IP address than the non-public applications/services, and just open the minimum ports for the public host keeping the non-public host completely blocked.
  4. Don’t leave a system open because you think it is inconvenient to use the UCI VPN, or because you are worried the UCI VPN will be unavailable.  Remember that attackers are targeting our systems 24 hours a day, 7 days a week, 365.242 days per year, which far outweighs the likelihood of those concerns.
  5. Even if you have a local firewall protecting a system, you should also close the ports at the border firewall.  Defense in depth is important, as any single defense will likely fail due to technology or human error.  And that goes for the border firewall too, don’t depend upon it as your only defense.

Thanks,

~Josh

Scroll Up