
Below is a list of answers to several frequently asked questions about Cal Poly's firewall. If you have a question, take a moment to read the following questions and answers to see if yours is included. If you have any further questions not answered on this page, please visit the Help Desk web site at http://www.helpdesk.calpoly.edu or call 756-7000.

1. What is a firewall?

2. What does a firewall do?

3. Why does Cal Poly need a firewall?

4. How does this affect me? Will it keep me from doing what I used to do?

5. What is a pinhole? (Plus example)

6. Who can request a pinhole?

7. How is a pinhole request evaluated and then either accepted or denied?

8. How do I request a pinhole?

9. How long does it take to get a pinhole put in the firewall?

10. Is the firewall restricting access to a service that should be available?

11. If I use the Imagine modem pool do I still need a pinhole?

12. What is Cal Poly doing about viruses?

13. Who is my Department LAN coordinator?

14. What is my IP address and/or host name?

15. Where can I go for more help?

16. Where can I find out more about firewalls?

1. What is a firewall?

A firewall is a network security device positioned between two different networks, usually between an organization's internal, trusted network and the Internet.

2. What does a firewall do?

A firewall protects networked computers from intentional attacks from the Internet by restricting an outsider's ability to:

- exploit well-known security holes that may exist on your computer, or

- flood a computer or the entire campus network with bad information, resulting in denial of service (a “Denial of Service”, or DoS, attack).

This means that the risk of outside attacks potentially corrupting data, compromising confidentiality or denying service is greatly reduced.

A firewall DOES NOT protect your computer against viruses received from email attachments, web downloads or file transfers from floppy drives. To address these security issues, ITS is employing two additional technology solutions focusing on virus protection.

3. Why does Cal Poly need a firewall?

In response to input from campus constituent groups, ITS has installed a firewall as part of an overall security solution to increase the security of our campus computing environment. A firewall helps Cal Poly:


- balance the openness of the Internet with the need to protect the privacy and integrity of campus information and services,

- reduce the threat of attacks that can deny service to campus computer users,

- reduce the likelihood of off-campus individuals using campus computers to launch attacks against others on the Internet (also known as pass-through sites).

This implementation plan has been reviewed and is endorsed by the Information Resources Management Policy and Planning Committee and the President’s Management Staff.

4. How does this affect me? Will it keep me from doing what I used to do?

The implementation of the firewall should not limit campus related services used by students, faculty and staff.

“Getting out to the Internet”
On-campus users will have the same access to the Internet and campus resources as they did without a firewall.

“Getting to Cal Poly Resources from the Internet”
Access to information hosted by campus computers will be managed by implementing “pinholes” in the firewall. This enables access to that service and/or computing resource but limits access to non-essential services that may be vulnerable to attack.

5. What is a pinhole? (Plus example)

A pinhole is a configuration setting in the firewall allowing access to specific services running on a campus computer.

For example, in order for users on the Internet to access a campus web page, a pinhole must be configured on the firewall to allow requests to the web services on the computer hosting the web site. In TCP/IP terminology, this service description is called a port. Web services commonly use port 80.

So if a particular computer, called DeptWebServer1, needed to serve a departmental web page to the Internet, the Department LAN Coordinator might request a pinhole be configured on the firewall to allow access for DeptWebServer1 port 80. This will allow web access to the Department web page but still restrict other services where access by Internet users is not required. By limiting access to just those services, the risk of attacks from the Internet that try to exploit well-known security holes is greatly reduced.

6. Who can request a pinhole?

Only Cal Poly Faculty or Staff members can submit pinhole requests. Direct requests from students, student assistants or teaching assistants will not be accepted. The integrity of the entire campus network depends on appropriate use of pinholes and management of the systems for which they are requested. Each request will be evaluated for appropriate use and acceptance of system management responsibilities to reduce the likelihood of creating a weak link in the campus network protection strategy.

ITS will forward requests to Department LAN Coordinators for review prior to ITS evaluating the request. ITS looks to Department LAN Coordinators to consult with and advise their departmental faculty and staff to ensure the appropriate pinholes have been identified to achieve the service access expected. For those faculty and staff who do not have a designated LAN coordinator, Network Administration will evaluate the request on their behalf.

7. How is a pinhole request evaluated and then either accepted or denied?

Under Policy Application, Item #3, the University’s Information Technology Resources Responsible Use Policy (RUP) states:

“The University reserves the right to limit access to its resources when policies or laws are violated and to use appropriate means to safeguard its resources, preserve network/system integrity, and ensure continued service delivery at all times.”

Based on this, ITS has implemented a process for reviewing and evaluating pinhole requests that will maintain the integrity of the network and ensure the firewall implementation can best be used to reduce the threat of attacks.

Accordingly, ITS will use the following criteria to evaluate pinhole requests:

- The services requested are required to meet the normal activities of students, faculty or staff working as individuals or in collaborative groups to fulfill current course requirements, University authorized business and other activities directly related to the academic mission of the University.

- The integrity of the computer is maintained by a Cal Poly faculty or staff member using proper system administration (such as those best practices described by http://www.cisecurity.org benchmarks) to prevent intentional or careless acts that place an excessive load on a computer or network to the extent that other users may be denied service or the use of electronic networks or information systems may be disrupted.

- The service cannot be provided or accommodated by an existing departmental or central-computing organization/system, reducing the risk of opening another pinhole in the firewall.

- The designated faculty/staff system administrator understands that their machine may be removed from the campus network if a formal complaint is received or the device is determined to be in violation of campus policy, including Cal Poly’s Information Technology Resources Responsible Use Policy (RUP), as outlined at http://www.calpoly.edu/computing/policy.html. Please see “Procedures for Removal of Networked Devices from the Cal Poly Network” for more information.

- If the request involves more than one machine, all system administrators affected must acknowledge and approve of the request.

- No inadvertent vulnerabilities have been created through this request.

- Appropriate primary and secondary contacts, contact information and hours of availability are provided to ITS in case an incident takes place, and the responsible faculty/staff member agrees to keep ITS informed of any changes in contacts and availability as they occur.

Pinhole requests submitted to ITS for configuration will be forwarded to the Department LAN Coordinator for review and recommendation prior to review by Network Administration. For those faculty and staff who do not have a Departmental LAN Coordinator, Network Administration will work with them directly to evaluate the request and recommend any changes based on information received. Once ITS is assured that the above criteria have been met, a pinhole request will be configured and the requestor notified when complete.

If, after consultation with the requestor and the Department LAN Coordinator, a request does not meet these criteria, the request will be denied. The requester will be notified in writing and advised of the reasons for denial. An appeal will be considered if the reasons for denial are subsequently addressed. The request for reconsideration must be sent directly to it-policy@calpoly.edu and include supporting evidence. If a pinhole request is approved and the request is later found to not be in compliance, the pinhole will be revoked, and any subsequent appeals will follow this same process.

Under these criteria, pinhole requests for individual student owned/operated systems, such as a student club web server, will be denied. Cal Poly provides accounts on managed resources, such as Central UNIX, for this purpose. Affected clubs/individuals will be given a specified time to transition to other resources prior to being removed from the campus network.

8. How do I request a pinhole?

Pinhole requests can be submitted by valid faculty/staff users by subscribing to the Firewall Channel of the portal at http://my.calpoly.edu or by contacting your Department LAN Coordinator.

9. How long does it take to get a pinhole put in the firewall?

The normal turnaround time for firewall pinhole requests is 72 hours, which translates to 3 working days. ITS will do everything in its power to process all requests as quickly as possible, but asks that you allow 72 hours for the final process to complete. It is imperative that you contact your Department LAN Coordinator immediately after your request has been submitted on the portal, as it is up to him/her to release the pinhole Remedy ticket to Network Administration. The 72-hour process doesn’t start until the Department LAN Coordinator releases the Remedy ticket to Network Administration.

For Department LAN Coordinators who don't have a Remedy account, pinhole requests can be emailed to firewall@calpoly.edu. Please be aware that this method will take longer and we STRONGLY urge users to use Remedy and create an account if they don't already have one.

Special note: For the following three days only (Aug 26-28), Net Admin will be on “heightened alert” to process firewall pinholes within a two-hour time frame. These are the first three days following the initial cutover.

10. Is the firewall restricting access to a service that should be available?

The symptoms will be different depending on the software being used.

If the service does not work BETWEEN ON-CAMPUS computers, network traffic is not passing through the firewall and there is another reason for the denial of service.

The best way to determine the root cause of the problem is to either contact your Department LAN Coordinator, enter a Remedy ticket with the ITS Help Desk or call the ITS Help Desk at 756-7000.
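
A small model of the pinhole behaviour described in questions 4, 5 and 10, added here as an illustration; it is not Cal Poly's firewall configuration. The campus prefix, the address assigned to DeptWebServer1, the off-campus client address and the function names are all assumptions made for the example.

```python
import ipaddress

# Constructed values for illustration; none of these come from the page.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")       # stand-in for the campus network
DEPT_WEB_SERVER_1 = ipaddress.ip_address("192.0.2.10")  # hypothetical address for DeptWebServer1

# Each pinhole names one campus host, one protocol and one port.
PINHOLES = {(DEPT_WEB_SERVER_1, "tcp", 80)}


def classify(src, dst, proto, port, pinholes=PINHOLES, campus=CAMPUS_NET):
    """Return how the modelled firewall treats a new connection from src to dst."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    src_inside, dst_inside = src in campus, dst in campus

    if src_inside and dst_inside:
        # On-campus to on-campus traffic never crosses the firewall (question 10),
        # so a failure here has some other cause.
        return "not-through-firewall"
    if src_inside:
        # On-campus users keep the same outbound access as before (question 4).
        return "allow-outbound"
    if not dst_inside:
        return "not-campus-traffic"
    # Inbound from the Internet: denied unless a pinhole matches host, protocol and port.
    if (dst, proto.lower(), port) in pinholes:
        return "allow-pinhole"
    return "deny-no-pinhole"


def exposed_services(host, pinholes=PINHOLES):
    """List the (protocol, port) pairs reachable from the Internet on one host."""
    host = ipaddress.ip_address(host)
    return sorted((p, n) for h, p, n in pinholes if h == host)


if __name__ == "__main__":
    internet = "198.51.100.7"  # constructed off-campus client
    for flow in [
        (internet, "192.0.2.10", "tcp", 80),      # web page on DeptWebServer1
        (internet, "192.0.2.10", "tcp", 22),      # other service, same host
        (internet, "192.0.2.11", "tcp", 80),      # same port, host without a pinhole
        ("192.0.2.50", "192.0.2.10", "tcp", 22),  # on-campus to on-campus
        ("192.0.2.50", internet, "tcp", 443),     # on-campus to Internet
    ]:
        print(flow, "->", classify(*flow))
```

The second and third flows show why a pinhole is scoped to one host and one port: opening port 80 on DeptWebServer1 exposes neither its other services nor port 80 on a neighbouring machine.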

11. If I use the Imagine modem pool do I still need a pinhole?

The answer is no. The Imagine modem pool is considered part of the campus network. This means it is on the inside of the firewall. Users accessing the Internet and campus resources through the modem pool pass security by authenticating. Therefore, they have no need to pass through the firewall.

12. What is Cal Poly doing about viruses?

A firewall does NOT protect the campus from viruses distributed via email and web downloads. To address these security issues, ITS is employing two additional technology solutions:


- Desktop and server level antivirus software available now for use on all campus computers, PDAs and personal home computers for faculty, staff and students (including ASI and Foundation). This will help with detection of viruses obtained through web downloads or infected files on floppy drives. For more information, contact your Departmental LAN Coordinator or visit our web page http://helpdesk.calpoly.edu.

- A gateway at the entrance of the campus network to detect, quarantine and remove viruses embedded in email attachments received from off-campus. Deployment of this gateway is planned for Fall quarter 2002, and more information regarding this implementation will be distributed in a separate announcement closer to the actual implementation date.

13. Who is my Department LAN coordinator?

Departmental LAN Coordinators are listed on the ITS Help Desk web site under the "Hardware Resources by Department" menu. Select your department to find out who your Departmental LAN Coordinator is.

If your department is not listed, contact the ITS Help Desk at 756-7000 for assistance.

14. What is my IP address and/or host name?

Go to http://network-tools.com. Your IP address will be the number that appears in the field in the middle of the page. Next, click on the "Lookup" radio button on the left and hit submit. The host name of your computer, along with the IP address, will appear on the left side of the screen.

15. Where can I go for more help?

If you have specific questions about opening up pinholes for one of your computing devices or resources at Cal Poly, first see your Department LAN Coordinator; this is your first point of contact. If you do not have a Department LAN Coordinator, you may also contact the ITS Help Desk to open a Remedy case. Finally, you may wish to peruse the ITS Firewall Web Page at:

http://firewall.calpoly.edu

16. Where can I find out more about firewalls?

If you would like to learn more about firewalls, you will get many good results by simply using a web search engine (e.g. http://www.google.com, http://www.yahoo.com) to search using the keyword "firewall".

Here are a couple of URLs we recommend for a start:
http://www.howstuffworks.com/firewall.htm
http://www.pcwebopedia.com/TERM/f/firewall.html