Firewall Exceptions
By default, a firewall blocks all network traffic coming into the network it is
protecting. For the campus firewall this means that no traffic from the Internet
can reach the Missouri State campus network without explicit permission.
To permit traffic through the firewall we create exceptions (or rules) that allow
certain traffic onto the network. Each rule is defined by the IP addresses of the
sender and receiver of the traffic together with the type of traffic (e.g. web
or SSH), i.e. the protocol and port.
Policies for Firewall Exceptions
Firewall exceptions are tightly regulated to protect the University network.
Every exception is a potential security vulnerability, so we limit them to only those
that are absolutely needed. All University affiliates (students, faculty,
staff and emeritus) have access to the VPN to connect to on-campus resources when
they are off-campus. For this reason, only services that are intended for people not
affiliated with the University will be allowed firewall exceptions.
Most services (e.g. HTTP and SSH) will be approved provided sufficient justification
is given. There are, however, at least two exceptions. Telnet and FTP are both considered
"insecure protocols" and will not be approved as firewall exceptions.
These protocols do not encrypt the user ID or password, making it much easier for
an attacker to compromise the security of the server and the University network.
Only a computer functioning as a server will be considered for a firewall exception.
A computer being used as an individual's workstation does not qualify, because such
machines are more vulnerable to malware, virus infections, and other programs that can
impact the security of the University network.
Send an e-mail with the following information to request a firewall exception:
- Server Owner(s)
- Owner Contact Information (phone and e-mail)
- Server Name
- Server IP Address
- Services Offered
- Audience of Services
- Ports needed (including protocol e.g. TCP and/or UDP)
- Length of time needed
- Is the server handling any credit card information, health information, or other potentially protected data?
- Do MSU Residence Hall students need access to this site?
- Explanation of why a firewall exception is required.
Descriptions of Requested Information
- Server Owner(s): The server owner is the primary contact for the server for which the exception will be made. A secondary contact person is preferred but not required. At least one contact should be technically familiar with the server and have administrator access. All contacts should be full-time faculty or staff at the University. It is very important that our records are updated in the event of an owner change. If we cannot contact anyone about an exception, we will eventually remove it.
- Owner Contact Information: Periodically we will need to contact someone regarding the firewall exception, usually to verify that the exception is still needed. Most communication will be by e-mail, but occasionally we will call the owner(s) if no e-mail response is received or the issue is time-sensitive.
- Server Name: The DNS name of the server is used for convenience when discussing the exception. It is not absolutely necessary.
- Server IP Address: The IP address of the server is used by the firewall to create the exception, so it is vital that it is correct and does not change over time. For this reason it must be a DHCP reservation or a hard-coded address. We will work with the owner to set this address so that it will never change; usually this requires changing the server's IP address. A workstation for individual use does not qualify for a DHCP reservation and is ineligible for a firewall exception for security reasons.
- Services Offered: List the services that the server will be offering. These might be web, SSH or proprietary.
- Audience of Services: Who will be accessing the server from off-campus? Usually we aren't interested in the individuals but rather a description of the demographic.
- Ports Needed: These are part of the definition of the exception in the firewall, so it is very important that they are correct. We need both the protocol and the port numbers. Here are some common ports:
  - HTTP: TCP/80
  - SSL (HTTPS): TCP/443
  - SSH: TCP/22
- Length of Time: If this is a temporary exception, please indicate when we can remove it. Rules may exist for up to a year before they must be renewed; there is no such thing as a permanent rule. Rules not renewed are subject to deletion after warnings are sent to the registered server owner.
- Protected Data Information: There are a number of policies that the server and network must adhere to if any personal credit card information (PCI) is being transferred or stored. If this server has or will have any contact with PCI data then we need to know. We can also help the owner with PCI compliance.
- Explanation: This section is for any additional information about the server, the services it offers and/or the intended audience that might be relevant in justifying the firewall exception.
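As an added illustration (not part of the University's own tooling), the following Python models a request built from the fields above and turns it into the rule tuple the firewall needs (any source, the server IP as destination, one protocol/port, an expiry date), rejecting requests that the policy would refuse: workstations, non-fixed addresses, Telnet/FTP, and rules longer than a year. The field names and the check functions are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import ipaddress

# Cleartext-credential protocols the policy refuses outright.
INSECURE_PORTS = {("tcp", 21): "FTP", ("tcp", 23): "Telnet"}
MAX_RULE_DAYS = 365  # no permanent rules; renew at least yearly


@dataclass
class ExceptionRequest:  # hypothetical model of the request form above
    server_ip: str        # fixed address: DHCP reservation or hard-coded
    protocol: str         # "TCP" or "UDP"
    port: int
    days_needed: int
    static_ip: bool       # True if the address cannot change
    is_workstation: bool  # individual workstations never qualify


def validate(req):
    """Return policy violations; an empty list means the request is acceptable."""
    problems = []
    if req.is_workstation:
        problems.append("only servers qualify; workstations are ineligible")
    if not req.static_ip:
        problems.append("server IP must be a DHCP reservation or hard-coded")
    try:
        ipaddress.ip_address(req.server_ip)
    except ValueError:
        problems.append(f"invalid IP address: {req.server_ip!r}")
    proto = req.protocol.lower()
    if proto not in ("tcp", "udp"):
        problems.append("protocol must be TCP or UDP")
    if not 1 <= req.port <= 65535:
        problems.append(f"port out of range: {req.port}")
    if (proto, req.port) in INSECURE_PORTS:
        problems.append(f"{INSECURE_PORTS[(proto, req.port)]} is insecure and not approved")
    if not 1 <= req.days_needed <= MAX_RULE_DAYS:
        problems.append("rules last at most one year before renewal")
    return problems


def to_rule(req, today=None):
    """Translate an acceptable request into the rule definition the firewall uses."""
    problems = validate(req)
    if problems:
        raise ValueError("; ".join(problems))
    expires = (today or date.today()) + timedelta(days=req.days_needed)
    return {"src": "any", "dst": req.server_ip, "proto": req.protocol.lower(),
            "dport": req.port, "expires": expires.isoformat()}
```

A request for HTTPS on a fixed server address for 90 days passes and yields a rule; the same server asking for TCP/23 is refused with the Telnet reason.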
Additional Questions
For additional information, please contact or Josh Stuppy, or e-mail .