ResNet firewall policy
Overview
ResNet has a default deny with exceptions policy for unsolicited incoming connections to ResNet. This helps protect computers on ResNet by preventing many attacks from the Internet.
Purpose
The firewall is designed to protect systems on ResNet against attack from other computers on the Internet, while still allowing ResNet users access to as many facilities as possible. Introducing the network firewall provides an extra layer of security, in addition to personal firewalls, antivirus software, patches, and other security measures already in place.
Adjustments for the firewall
The firewall does not affect web browsing, email, or most typical uses of ResNet.
However for some uses, including two way communication tools (remote control software, webcams, and voice chat) you will need to change settings on your computer to continue working now the firewall is in place. In some cases certain functions in programs may no longer work, although alternatives should be available. See configuring applications with local network settings.
To find out if there is a current issue with an application then please look at our Firewall Issues Past and Present page.
Scope
This applies to all ResNet users.
Policy
Outgoing Connections
These are connections to machines and services external to the University from machines within the ResNet network. The policy is default allow. All connections to machines and services external to the University from machines within the ResNet subnets will be allowed with a small number of exceptions that represent an unnecessary security risk to your machine and/or the ResNet network. Typically these are protocols (such as windows file/printer sharing) that are designed for local networks rather than the Internet.
Incoming Connections
These are connections to machines and services within the ResNet network from machines outside the University.
The policy is default deny of unsolicited connections with a number of exceptions. Unsolicited connections to machines within the ResNet network from machines external to the University will be not be allowed unless they have first been approved by ResNet.
Web Servers, SSH servers, remote control and file transfer are services that have been approved but use non-standard ports. Details on application configuration can be found on the config page.
New applications/services/servers that require ports in the firewall to be opened will be reviewed based on the following criteria:
- The connection does not represent an unnecessary security risk to the University.
- The connection does not use an insecure protocol where a more secure alternative exists.
- The connection does not involve unnecessary replication of functionality.
- All requests will be considered, but priority will be given to requests for educational purposes.
For example:
- A request which requires a very large range of ports to opened is likely to be declined.
- A request which only requires one or two ports and provides functionality not available another way is likely to be granted.
- A request to open a port which is known to be actively exploited is unlikely to be granted if there is an alternative (eg other software with the same functionality, or opening a non-standard port and configuring the application to use that).
Connections between computers on ResNet
The policy is default allow with a small number of exceptions, notably for Windows file/printer sharing.
Connections between computers on ResNet and other systems on the campus network
The current policy is default allow with a small number of exceptions. This policy may change in future to default deny with exceptions.