Screen-friendly
page
Printer-friendly
pageMostly Closed + Remote Administration Firewall Group Details
This page contains information about the "Mostly Closed + Remote Administration" campus firewall group.
Summary
The Mostly Closed + Remote Administration firewall group is designed for web or email servers, allowing access to those services without being fully exposed to the Internet. It can be too permissive for some desktop systems, and too restrictive for other types of servers.
The difference between the Mostly Closed group and this group is that this group allows users and administrators to remotely administer the computer from off campus. In this group, ten additional ports are allowed for remote administration.
Services allowed in
Like the Mostly Closed group, HTTP, HTTPS, IMAP, secure IMAP, POP3, secure POP, SSH, telnet, FTP, SFTP, SMTP, and H.323 are allowed. (A specific port list is available.)
Ten additional remote administration ports are also permitted (listed here).
Assuming that a machine uses the standard ports for its services, placement in this group means that users from outside the firewall will be allowed to initiate connections with encrypted and unencrypted web servers, mail servers, telnet or SSH sessions, FTP sessions, and voice-over-IP connections on machines in this group. However, no other services will be accessible to outside users if a machine is in this group.
Services allowed out
All (except the ports that are always blocked in both directions)
Advantages
- Computers in this group are at lower risk from attacks from outside the university on the ports that are blocked.
- Users still get access to Internet for services they already have.
- Popular services are still accessible from outside (for example, departmental web servers, mail servers, etc.).
- Power users and administrators can access the computer from outside the firewall for administration purposes.
Disadvantages
- Computers are still at risk for any attacks coming through the ports that are open. Examples include telnetd exploits, web server vulnerabilities, sendmail vulnerabilities, etc. Note that many non-web-server devices now have interfaces that use web ports; some of the vulnerabilities that target web ports will cause problems in these devices. For example, HP JetDirect printers could be made to print out extra pages because of a web server vulnerability.
- If a computer is offering services that require additional ports, this package will not work for that machine.