(Archival) Security and Network Engineering Firewall Default Change Announcement

This page contains information about changes to the default group rules for the campus firewall that were implemented in 2006.

9/30/2005 updated 1/11/2006

On August 1, 2006 CITES will make a change to the campus firewall that will impact a number of units. This announcement details this change and outlines the procedure we will implement to assist units in mitigating any possible negative impact of this change. This change will only affect blocks of IPs that have never filed paperwork to request being explicitly placed in one of the existing firewall groups.

As most of you know, the campus firewall service offers network administrators the ability to place all or a portion of their subnets in one of six firewall groups. (See http://www.cites.uiuc.edu/firewall/plandetails.html for details.) Presently (and for quite some time now) anyone requesting work on their subnet or a new subnet is required to fill out a formal request to have their subnet placed in one or more of the firewall groups. Historically it was possible to skip this process, in which case your subnet fell automatically into the 'default' category. In that case an unassigned IP fell through the firewall rules table and was, in effect, handled as though its machines were in the fully open group.

Unfortunately these machines not only bring a resource burden to the firewall devices but, as the following diagram shows, are subject to significantly more security incidents than any other group.

[Figure 1: Security Incidents by Firewall Group (chart: Incidents Per Group)]

It is worth noting that the fully closed group sees a large number of security incidents because of the large number of machines within this group. However, even accounting for the number of hosts, being in the fully open or default firewall groups more than doubles the odds of a workstation becoming compromised.

In the interest of improving campus network security, the final rule in the firewall table will be changed from "permit all" to "deny all". Thus any IPs that are not in an existing firewall group will find themselves, in effect, moved from the fully open group to the fully closed group. Networks that are currently in the fully open group will remain there and not be affected by this change.

Finally, hosts that are not within an explicitly defined firewall group bring an additional processing and load burden to the firewall (they must be tested against each group, and additional state information must be maintained for them). Thus the reliability of the firewall service is generally improved by placing all hosts in a firewall group.
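As an added illustration (not part of the original announcement or the CITES firewall itself), the following models a first-match rule table: an IP that belongs to no group is tested against every group and then falls through to the final rule, whose change from "permit all" to "deny all" is what the announcement describes. The subnets and the group names other than fully open and fully closed are constructed assumptions, not campus data.

```python
"""Model of a first-match firewall rule table with a final default rule.

Constructed example: the subnets and the group names other than
'fully open' and 'fully closed' are assumptions, not campus data.
"""
import ipaddress

# Constructed group assignments: (group name, subnet, inbound policy).
# A policy is "permit", "deny", or a set of permitted inbound TCP ports.
GROUPS = [
    ("fully open",   ipaddress.ip_network("10.1.0.0/24"), "permit"),
    ("web servers",  ipaddress.ip_network("10.2.0.0/24"), {80, 443}),
    ("fully closed", ipaddress.ip_network("10.3.0.0/24"), "deny"),
]


def evaluate(dst_ip, dst_port, final_rule):
    """Return (group, decision) for an inbound packet.

    Rules are tested in order; the first subnet match decides. Traffic to
    an IP in no group is tested against every group and then falls through
    to final_rule, the behaviour the announcement changes from permit to deny.
    """
    ip = ipaddress.ip_address(dst_ip)
    for name, subnet, policy in GROUPS:
        if ip in subnet:
            if policy in ("permit", "deny"):
                return name, policy
            return name, "permit" if dst_port in policy else "deny"
    return "default (no request filed)", final_rule


def compare(dst_ip, dst_port):
    """Decision for the same packet under the old and the new final rule."""
    _, before = evaluate(dst_ip, dst_port, final_rule="permit")
    _, after = evaluate(dst_ip, dst_port, final_rule="deny")
    return before, after


if __name__ == "__main__":
    # 10.9.0.5 is in no group: permitted today, denied after the change.
    for ip, port in [("10.1.0.5", 22), ("10.2.0.5", 22), ("10.2.0.5", 443),
                     ("10.3.0.5", 80), ("10.9.0.5", 22)]:
        print(ip, port, compare(ip, port))
```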

How to get from here to there

In early January we will send an email to those units that have a range of IPs lacking a formal firewall group request, asking that you fill out a formal request for a firewall group. The information and links to the request form can be found at:

http://www.cites.uiuc.edu/firewall/participation.html.

The only change to the process from what currently appears on this URL is that units requesting placement in the fully open firewall group will be asked to complete a form describing what precautions are in place to protect these machines, and the request will be reviewed by the security group for appropriateness. Systems that host confidential or high risk data will require special justification and additional security procedures before being permitted into the fully open firewall group. As the University Information Security Policy states, "No University-owned system or network subnet can have a connection to the Internet without the means to protect the information on those systems consistent with its confidentiality classification" (http://www.fs.uiuc.edu/cam/cam/viii/viii-1.2.html). All we are asking for here is that you describe what those means are for hosts in the fully open group.

We recognize that for some units this change could mean significant work in reviewing systems, moving IPs, and examining data with regard to its data classification. We hope that nearly a year's notice, together with any assistance the NDO and the Security office can provide, will minimize the burden of this process. Even if you are running your own firewall appliance or system, consider placing your subnet into one or more of the campus firewall groups to provide one more layer of protection as well as to lower the load on your firewall.

A number of network administrators have commented to us that they felt uncomfortable agreeing to the conditions in the statement of compliance form, in that they have no oversight of the machines that research groups request be placed in the fully open portions of their subnet(s). In response to (and in partnership with) those groups, we have developed an additional form for use by network administrators. This Departmental Statement of Compliance is intended to be a tool for network administrators. You may require that it be completed before agreeing to place faculty or staff machines on fully open portions of your subnet(s). While not required, CITES Security would greatly appreciate receiving a copy of this form once you've signed off on it. Please send these forms to securitysupport@uiuc.edu.