ResNet firewall policy

Overview

ResNet has a default deny with exceptions policy for unsolicited incoming connections to ResNet. This helps protect computers on ResNet by preventing many attacks from the Internet.

Purpose

The firewall is designed to protect systems on ResNet against attack from other computers on the Internet, while still allowing ResNet users access to as many facilities as possible. Introducing the network firewall provides an extra layer of security, in addition to personal firewalls, antivirus software, patches, and other security measures already in place.

Adjustments for the firewall

The firewall does not affect web browsing, email, or most typical uses of ResNet.

If you find that an application does not work and you suspect that the ResNet firewall is the cause, please contact the IT Service Desk by email. Before doing so, please see the information about how to go about opening firewall ports in the ResNet firewall FAQ.

Scope

This applies to all ResNet users.

Policy

Outgoing Connections

These are connections to machines and services external to the University from machines within the ResNet network. The policy is default allow. All connections to machines and services external to the University from machines within the ResNet subnets will be allowed, with a small number of exceptions that represent an unnecessary security risk to your machine and/or the ResNet network. Typically these are protocols (such as Windows file/printer sharing) that are designed for local networks rather than the Internet.

Incoming Connections

These are connections to machines and services within the ResNet network from machines outside the University.

The policy is default deny of unsolicited connections with a number of exceptions. Unsolicited connections to machines within the ResNet network from machines external to the University will not be allowed unless they have first been approved by ResNet.

Web servers, SSH servers, remote control and file transfer are examples of services that have been approved, but on non-standard ports.

New applications/services/servers that require ports in the firewall to be opened will be reviewed based on the following criteria:

  • The connection does not represent an unnecessary security risk to the University.
  • The connection does not use an insecure protocol where a more secure alternative exists.
  • The connection does not involve unnecessary replication of functionality.
  • All requests will be considered, but priority will be given to requests for educational purposes.

For example:

  • A request which requires a very large range of ports to be opened is likely to be declined.
  • A request which only requires one or two ports and provides functionality not available in another way is likely to be granted.
  • A request to open a port which is known to be actively exploited is unlikely to be granted if there is an alternative (e.g. other software with the same functionality, or opening a non-standard port and configuring the application to use that).

Connections between computers on ResNet

The policy is default allow with a small number of exceptions, notably for Windows file/printer sharing.

Connections between computers on ResNet and other systems on the campus network

The current policy is default allow with a small number of exceptions. This policy may change in future to default deny with exceptions.
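The policy sections above describe a stateful filter: unsolicited incoming connections are denied unless approved, replies to connections that ResNet machines opened are allowed, and outgoing, ResNet-to-ResNet and ResNet-to-campus connections are allowed except for LAN-only protocols such as Windows file/printer sharing. The following is an added example that models that decision logic in Python; it is not the University's firewall configuration. The address ranges, the approved hosts and their non-standard ports, and the list of LAN-only ports are constructed placeholders chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address ranges standing in for the real networks (placeholders,
# not ResNet's actual subnets). ResNet is carved out of the campus range.
RESNET = ipaddress.ip_network("10.0.0.0/16")
CAMPUS = ipaddress.ip_network("10.0.0.0/8")


def zone_of(ip: str) -> str:
    """Classify an address as resnet, campus or internet (checked in that order)."""
    addr = ipaddress.ip_address(ip)
    if addr in RESNET:
        return "resnet"
    if addr in CAMPUS:
        return "campus"
    return "internet"


# Protocols designed for local networks (Windows file/printer sharing), the
# page's example of the outgoing and ResNet-to-ResNet exceptions.
LAN_ONLY = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}

# Approved unsolicited-inbound exceptions as (host, proto, port). The hosts and
# ports are constructed; they illustrate "approved services on non-standard ports".
APPROVED_INBOUND = {
    ("10.0.7.4", "tcp", 2222),   # SSH server on a non-standard port
    ("10.0.5.20", "tcp", 8443),  # web server on a non-standard port
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a new connection attempt


class StatefulFirewall:
    """Default-deny unsolicited inbound, default-allow outbound, with exceptions."""

    def __init__(self) -> None:
        # Connections accepted so far, as (client, server, proto, server_port).
        self.conntrack: set[tuple[str, str, str, int]] = set()

    def _new_connection_allowed(self, pkt: Packet) -> bool:
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        service = (pkt.proto, pkt.dport)
        if src_zone == "internet" and dst_zone == "resnet":
            # Incoming from the Internet: deny unless this host/port was approved.
            return (pkt.dst, pkt.proto, pkt.dport) in APPROVED_INBOUND
        if "resnet" in (src_zone, dst_zone):
            # Outgoing, ResNet-to-ResNet and ResNet<->campus: default allow,
            # except protocols meant only for local networks.
            return service not in LAN_ONLY
        return False  # traffic that never touches ResNet is not this filter's concern

    def evaluate(self, pkt: Packet) -> str:
        """Return "allow" or "deny" for one packet, updating connection state."""
        forward = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        reply = (pkt.dst, pkt.src, pkt.proto, pkt.sport)
        if not pkt.syn:
            # Mid-connection packet: allowed only if it belongs to a tracked
            # connection. A stray non-SYN packet from outside is unsolicited too.
            return "allow" if forward in self.conntrack or reply in self.conntrack else "deny"
        if self._new_connection_allowed(pkt):
            self.conntrack.add(forward)
            return "allow"
        return "deny"


if __name__ == "__main__":
    fw = StatefulFirewall()
    sample = [  # constructed traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
        Packet("10.0.3.10", "203.0.113.5", "tcp", 51000, 443, syn=True),   # outbound HTTPS
        Packet("203.0.113.5", "10.0.3.10", "tcp", 443, 51000),             # its reply
        Packet("198.51.100.9", "10.0.3.10", "tcp", 40000, 22, syn=True),   # unsolicited SSH
        Packet("198.51.100.9", "10.0.7.4", "tcp", 40000, 2222, syn=True),  # approved SSH
        Packet("10.0.3.10", "203.0.113.5", "tcp", 51001, 445, syn=True),   # outbound SMB
    ]
    for pkt in sample:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {fw.evaluate(pkt)}")
```

The point the model makes is why "unsolicited" needs connection tracking: the reply to an outgoing HTTPS request is accepted only because the outgoing SYN was recorded first, while an identical-looking packet with no tracked connection behind it is dropped.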

More Information

See questions and answers about the firewall policy.
