Fully Closed + Remote Administration Firewall Group Details
This page contains information about the "Fully Closed + Remote Administration" campus firewall group.
Summary
The Fully Closed + Remote Administration group is designed for desktops and for servers that serve only on-campus users. It allows traffic to leave the computer without restriction, and allows responses to the user's requests. It blocks nearly all incoming traffic from off campus that is not in response to the user's request. It's too restrictive for a server with off-campus users.
The difference between the Fully Closed group and this group is that this group allows users and administrators to remotely administer the computer from off campus. In this group, five ports are allowed for remote administration.
Services allowed in
Only remote administration services: SSH, Windows Remote Desktop Protocol (RDP), or Apple Remote Desktop (NetAssistant). The five permitted ports are 22, 3283, 3389, 5900, and 5988.
Services allowed out
All (except the ports that are always blocked in both directions)
Advantages
- Computers in this group are at very low risk of attack from outside the university.
- Traffic to other campus units is unaffected, so a department that wants to offer services only to campus addresses can do so easily.
- Power users and administrators can access the computer from outside the firewall for administration purposes.
Disadvantages
- Computers in this group are still vulnerable to attacks from other machines on campus, so a department must still keep these machines up to date with security patches.
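To see what this group's policy means for a particular host, the listening sockets can be sorted by who can reach them. The following is an added example, not part of the original page: it parses `ss -tlnH` output and assumes the five permitted ports are TCP, that no host firewall is in place, and that the always-blocked ports are not involved; the sample output and function names are constructed for illustration.

```python
import ipaddress

# The five inbound ports this firewall group permits from off campus (from the page).
REMOTE_ADMIN_PORTS = {22, 3283, 3389, 5900, 5988}

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:5900 [::]:*
LISTEN 0 244 192.0.2.10:5432 0.0.0.0:*
LISTEN 0 128 [::1]:5988 [::]:*
"""

def split_local(addr_port):
    """Split 'host:port' from ss, handling [v6] brackets and %iface scopes."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    """True only for loopback addresses; wildcards such as '*' are not loopback."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def classify_listeners(ss_output):
    """Group listening TCP ports by who can reach them under this firewall group."""
    groups = {"off_campus": set(), "campus_only": set(), "local_only": set()}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank or non-listening lines
        host, port = split_local(fields[3])
        if is_loopback(host):
            groups["local_only"].add(port)   # never leaves the machine
        elif port in REMOTE_ADMIN_PORTS:
            groups["off_campus"].add(port)   # firewall lets off-campus traffic in
        else:
            groups["campus_only"].add(port)  # still reachable from campus machines
    # A port also bound to a routable address is not local-only.
    groups["local_only"] -= groups["off_campus"] | groups["campus_only"]
    return {name: sorted(ports) for name, ports in groups.items()}

if __name__ == "__main__":
    for name, ports in classify_listeners(SAMPLE_SS_OUTPUT).items():
        print(f"{name}: {ports}")
```

Ports in `off_campus` need strong authentication and current patches because the firewall does not filter them; ports in `campus_only` are the exposure described under Disadvantages.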


