Network security
Currently we have:
- 130.194.168.*
  Has full access outside (and vice versa).
- 130.194.169.*
  Can only access 130.194.168.*.
- port 80 outgoing
  Blocked to force web proxy use (except IPs .1-.4).
- ports 20,21 outgoing
  Blocked to force FTP proxy use (except IPs .1-.4).
- port 25 incoming
  Blocked to restrict mail.
I would suggest changing the IP structure of the department
to the following:
- 130.194.168.1-7 Servers
  Allowed to establish connections to the outside
  world (with incoming ports blocked as defined below).
- 130.194.168.8-31 Worldly clients
  Allowed to establish connections to the outside
  world (with ports blocked as defined below).
- 130.194.168.32-63 Monash clients
  Allowed to establish connections to Monash
  only (with ports blocked as defined below).
- 130.194.168.64-255 and 130.194.169.* Plebs
  Blocked from all external access (to and from), except where
  allowed below.
Where possible, all services should be provided inside the
department, with the minimum dependency on any ITS services.
ITS's network will obviously be required for external access; that
cannot be avoided.
Where possible, ITS services should also be reachable from inside the
department (but not relied upon). The most useful in this group are
the web proxy (cheaper surfing), MMS mail (because we can't avoid it)
and the Novell drives (software updates).
Working on the paranoid assumption, all services are blocked
by default, except for the following.
Network address filters

For each address or range below, "In" is the action for traffic FROM
that address INTO Earth Sciences, and "Out" is the action for traffic
TO that address FROM Earth Sciences.

- 127.0.0.0/8, 10.0.0.0/8 and the other private ranges (RFC 1918:
  172.16.0.0/12, 192.168.0.0/16)
  Loopback and private addresses. These are never valid on the wire at
  the router; anything carrying them is spoofed or misconfigured.
  In:  Block. Nasty addresses.
  Out: Block. Nasty addresses.
- 255.255.255.255
  Limited broadcast address.
  In:  Block. No incoming broadcasts, thanks.
  Out: Block. No outgoing broadcasts. Yes, this means we have to run
       our own DHCP server; we already do.
- 0.0.0.0
  Unspecified address (also used as the broadcast address by some old
  SunOS hosts).
  In:  Block.
  Out: Block.
- 130.194.160.133 (Peter's maths machine)
  One of our staff works in Maths part time.
  In:  Allow Samba and VNC only (see the services table).
  Out: Allow Samba and VNC only (see the services table).
- 130.194.168.0/23 (our own range) in the source AND destination field
  Anti-spoofing rule. No Earth Sciences traffic should be traversing
  the router with our address range in both the source and destination
  field: such a packet is either internal traffic that should never
  have reached the router, or a forgery.
  In:  Block.
  Out: Block.
- 130.194.0.0/16
  Monash network (not us).
  In:  Filter out everything except the services in the table below
       (i.e. the table's rules go here).
  Out: Filter out everything except the services in the table below
       (i.e. the table's rules go here).
- 130.194.168.1-7
  Our servers.
  In:  Block new connections (if the router can track state). Only the
       incoming services listed in the table below are allowed.
  Out: Allow (our servers can get outside).
- 130.194.168.8-31
  Our worldly clients.
  In:  Block new connections (if possible). Only the incoming services
       listed in the table below are allowed.
  Out: Allow (our worldly clients can get outside).
- 130.194.168.32-63
  Our Monash clients.
  In:  Block new connections (if possible). Only the incoming services
       listed in the table below are allowed.
  Out: Allow to Monash only (our Monash clients can get to Monash).
- Any
  Default.
  In:  Block. Default action.
  Out: Block. Default action.
Network services

"In" is the action for connections TO Earth Sciences FROM outside;
"Out" is the action for connections TO outside FROM Earth Sciences.
Host numbers are the last octet of 130.194.168.*; "1-63" means the
servers and all clients, i.e. everyone except the plebs.

- ftp: 20, 21 (tcp)
  In:  Block (use the web instead).
  Out: Allow for 1-7 (FTP to the world goes via the proxy, but the
       servers can also go direct).
- ssh: 22 (tcp)
  In:  Allow for 1-31, or just the DMZ machine (logging in to Earth
       Sciences).
  Out: Allow for all, or just 1-31 (connecting to the rest of the
       world).
- telnet: 23 (tcp)
  In:  Allow for the DMZ host only, or block (telnetting in to us is
       baaad: passwords cross the wire in the clear).
  Out: Just 1-31, or block (telnetting out is almost as bad).
- smtp: 25 (tcp)
  In:  Allow for 1-7 (servers can receive email; requires removing the
       current ITS block).
  Out: Allow for 1-7 (servers can send email).
- DNS: 53 (udp/tcp)
  In:  Allow for 1-7, or block (do we provide name servers to the
       outside?).
  Out: Allow for 1-7 to Monash only (our caching name servers forward
       to Monash), or allow all hosts to the Monash DNS servers only.
- httpd: 80 (tcp)
  In:  Allow for 1-7 (our web server[s]).
  Out: Allow for 1-7 (our proxy, which can go direct if no proxy farm
       is available), or allow all hosts to the Monash proxy farm only.
- pop2, pop3, imap2, imap3: 109, 110, 143, 220 (tcp)
  In:  Allow for 1-7, or the DMZ? (our mail servers, so people can read
       email from outside).
  Out: Allow for all, or just 1-7 and force fetchmail(?).
- ntp: 123 (udp)
  In:  Block.
  Out: Allow for 1-7 (to the Monash NTP servers only).
- ipx (IPX over IP): 213 (udp/tcp)
  In:  Block.
  Out: Allow for 1-63 (to Monash only), or allow all to Monash only?
- https: 443 (tcp)
  In:  Allow for 1-7 (to our https servers?).
  Out: Allow for 1-7 (for the proxy service only), or allow all
       (internet banking etc.)?
- afpovertcp: 548 (tcp)
  In:  Block.
  Out: Allow for 1-63 (to Monash only).
- cvspserver: 2401 (tcp)
  In:  Allow for 1-7, or block and force an ssh tunnel.
  Out: Allow for 1-63?
- simap, spop3: 993, 995 (tcp)
  In:  Block (not installed).
  Out: Allow for all, or just 1-7 and force fetchmail(?).
- mail1 webmail????: 8000? (tcp)
  In:  Block (not installed).
  Out: Allow for all (probably a nice idea :)
- vnc: 5900 (tcp)
  In:  Allow to 130.194.168.157 from Peter's maths machine
       130.194.160.133 only.
  Out: Allow for 1-31.
- netbios-ns, netbios-dgm, netbios-ssn: 137, 138 (udp), 139 (tcp)
  In:  Allow to 1-7 from Peter's maths machine 130.194.160.133 only.
  Out: Allow for 1-31?
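Before any of this goes onto the router it is worth checking the two tables against sample packets, because the interactions (the anti-spoof rule, the Monash-only restriction on the 32-63 clients, the stateful "block new connections" requirement) are where a hand-typed ruleset usually goes wrong. The following is an added example, written for this memo and not part of the original proposal or of any ITS configuration: a small Python model of the address filters and the services table. It assumes a stateful router, takes the first option wherever the tables offer alternatives, treats telnet as blocked in both directions (both choices are marked ASSUMED in the code), and the 203.0.113.x addresses used for "the outside world" are constructed test addresses.

```python
"""Model of the proposed Earth Sciences filter policy.

Added example, not the memo's own ruleset.  Host groups, address filters
and service rules follow the two tables above.  Where a table offers
alternatives the first one is taken (ASSUMED); telnet is blocked both
ways (ASSUMED, the stricter option).  The router is treated as stateful:
a connection request is checked against the tables, and reply packets
are allowed only for connections the router already let through.
"""
import ipaddress

DEPT = ipaddress.ip_network("130.194.168.0/23")       # Earth Sciences
MONASH = ipaddress.ip_network("130.194.0.0/16")       # the rest of Monash
MATHS_HOST = ipaddress.ip_address("130.194.160.133")  # Peter's maths machine
VNC_TARGET = ipaddress.ip_address("130.194.168.157")  # the host Peter VNCs to
BOGONS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/32", "255.255.255.255/32")]

NON_PLEBS = {"servers", "worldly", "monash"}          # hosts .1-.63
# (proto, port): (groups that may ACCEPT a connection from outside,
#                 groups that may INITIATE one to outside,
#                 how far outbound may reach: "world" or "monash")
SERVICES = {
    ("tcp", 20):   (set(), {"servers"}, "world"),
    ("tcp", 21):   (set(), {"servers"}, "world"),
    ("tcp", 22):   ({"servers", "worldly"}, {"servers", "worldly"}, "world"),
    ("tcp", 25):   ({"servers"}, {"servers"}, "world"),
    ("udp", 53):   ({"servers"}, {"servers"}, "monash"),
    ("tcp", 53):   ({"servers"}, {"servers"}, "monash"),
    ("tcp", 80):   ({"servers"}, {"servers"}, "world"),
    ("tcp", 110):  ({"servers"}, NON_PLEBS, "world"),
    ("tcp", 143):  ({"servers"}, NON_PLEBS, "world"),
    ("udp", 123):  (set(), {"servers"}, "monash"),
    ("tcp", 443):  ({"servers"}, {"servers"}, "world"),
    ("tcp", 548):  (set(), NON_PLEBS, "monash"),
    ("tcp", 2401): ({"servers"}, NON_PLEBS, "world"),
    ("tcp", 5900): (set(), {"servers", "worldly"}, "world"),  # inbound: Peter only
    ("tcp", 139):  (set(), {"servers", "worldly"}, "world"),  # inbound: Peter only
}
PETERS_SAMBA = {("udp", 137), ("udp", 138), ("tcp", 139)}


def host_group(ip):
    """Classify an address into the proposal's groups ('outside' if not ours)."""
    ip = ipaddress.ip_address(ip)
    if ip not in DEPT:
        return "outside"
    last = int(ip) & 0xFF
    if ip in ipaddress.ip_network("130.194.169.0/24") or last == 0 or last > 63:
        return "plebs"
    if last <= 7:
        return "servers"
    if last <= 31:
        return "worldly"
    return "monash"


class Router:
    """Stateful packet filter at the department border."""

    def __init__(self):
        self.flows = set()   # (client, server, proto, port) of allowed connections

    def decide(self, src, dst, proto, port, new=True):
        """Return 'allow' or 'block'.  new=True is a connection request (TCP SYN
        or first UDP packet) to dst:port; new=False is a reply sent from src:port."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. loopback/private/broadcast/unspecified addresses in either field
        if any(s in net or d in net for net in BOGONS):
            return "block"
        # 2. anti-spoof: exactly one end of the packet must be inside Earth Sci
        if (s in DEPT) == (d in DEPT):
            return "block"
        # 3. reply traffic: only for a connection we already permitted
        if not new:
            return "allow" if (str(d), str(s), proto, port) in self.flows else "block"
        rule = SERVICES.get((proto, port))
        if d in DEPT:                               # inbound connection request
            group = host_group(d)
            ok = bool(rule) and group in rule[0]
            if s == MATHS_HOST:                     # Peter's maths machine exception
                ok = ok or ((proto, port) == ("tcp", 5900) and d == VNC_TARGET)
                ok = ok or (group == "servers" and (proto, port) in PETERS_SAMBA)
        else:                                       # outbound connection request
            group = host_group(s)
            ok = bool(rule) and group in rule[1]
            # Monash clients may only ever reach Monash, whatever the service
            scope = "monash" if group == "monash" else (rule[2] if rule else "world")
            if scope == "monash" and d not in MONASH:
                ok = False
        if ok:
            self.flows.add((str(s), str(d), proto, port))
        return "allow" if ok else "block"


if __name__ == "__main__":
    r = Router()
    for pkt in [("203.0.113.9", "130.194.168.2", "tcp", 25),      # mail to a server
                ("130.194.168.20", "203.0.113.9", "tcp", 80),     # client dodging the proxy
                ("130.194.168.40", "203.0.113.9", "tcp", 110),    # Monash client going worldly
                ("130.194.160.133", "130.194.168.157", "tcp", 5900)]:
        print(pkt, "->", r.decide(*pkt))
```

Running the script prints the decision for each constructed packet; the useful part is that every "or ..." alternative in the tables becomes one entry in SERVICES, so a change of mind is a one-line edit and the sample packets tell you immediately which hosts it affects.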