Network Policy

Overview

The current Computing Science network consists of three main networks, each fed by 1GbE links to the campus backbone. These three networks are:

  1. Undergraduate Labs (ugrad)
  2. Department network (department)
  3. Wild West (wildwest)

We plan to simplify and combine the ugrad and department networks into a more cohesive network, backed by common infrastructure, so that the use of both networks is more transparent to both students and researchers. That will leave us with two main networks: the department network and the wildwest network.

The current ugrad network is split into 2 zones, and the department network is split into 4 zones:

  • Subnets 29, 41 (ugrad linux)
  • Subnet 28 (ugrad windows)
  • Subnets 4, 22, 23, 25 (research)
  • Subnet 16 (administrative)
  • Subnet 21 (load balanced/etc)
  • Subnet 159 (dmz)

The diagram shows the layout of the department network, with future ugrad portions in dashed parts. Each connection to the firewalls (fw1/fw2) is a point where we can control the type and amount of traffic to and from the networks connected. The subnets 4, 22, 23, and 25 are all controlled as one set.

Policies for each subnet

Research (subnets 4, 22, 23, 25)

  • These subnets are meant for research machines.
  • These subnets will have no outside facing services.
  • The machines in these subnets have unfettered access to the bulk of the nfs data and home directory servers.

As much as possible, we should move towards segregating the research network into machines that need unauthenticated services (such as yp/nis/nfs) and machines that can work with authenticated services (smb/cifs/ldap). This would further limit the damage a single compromised machine within these subnets could cause. It would mean moving the bulk of the Windows and Mac machines onto one subnet, and would also let us reduce the number of ldap/cifs/smb relays and slaves (there are currently two per /24 subnet). As subnet 4 contains our authoritative DNS server (which is rather hard to move), subnet 4 should become the subnet for our managed servers.

Administrative (subnet 16)

  • This subnet is meant to serve as a secure zone for administrative machines and in the future will house sysadmin machines.
  • There will be no outside services available from this subnet.
  • All access to this subnet will be through an authenticated means (VPN, local access by key to office, etc).

In the future, we will consider two-factor authentication (RSA ID tokens, Google Authenticator, etc). The total set of services this subnet can access will be limited, and access may be automatically blocked if suspicious behaviour is detected.

Load balanced (subnet 21)

  • This subnet is meant to serve up load balanced content.
  • Access control will be much like that of subnet 159.
  • All access to and from this subnet is controlled and documented by specific firewall rules (not quite there yet).

UGrad Windows (subnet 28)

  • This subnet is meant to help segregate the windows infrastructure from the linux labs infrastructure.
  • This subnet has no outside facing services.
  • It accesses home directory space through authenticated SMB/CIFS service access on the local subnet.
  • Remote access to this subnet is not available.

UGrad Linux (subnets 29, 41)

  • These subnets are meant for undergraduate lab machines.
  • These subnets will have no outside facing services.
  • The machines in these subnets have unfettered access to the bulk of the nfs home directory servers.

DMZ (subnet 159)

  • This subnet is meant to house machines serving content to the internet outside our department.
  • The only access to other department subnets will be through authenticated services (e.g. smb/cifs rather than nfs). Both of these measures are essential.

Machines in this subnet are at risk because they are open to the outside world, by virtue of the services they provide. Patch levels must always be kept up to date; this helps minimize the risk of these machines being compromised. Requiring authenticated, non-shell access to other department subnets minimizes the risk of an intruder using a compromised machine in this subnet as a launching point for attacks on the accounts and machines of other researchers in the department. Specific exceptions allowing unauthenticated services (such as nfs) will be documented, narrowly scoped, and approved by the Department Executive before being implemented. Unnecessary services will be turned off promptly.

Wild West (subnet 184)

  • This subnet is meant as a place to run services that can not be run within the department due to policy constraints and/or security concerns.
  • This subnet is meant to host outside facing services.

Note that campus policies will still need to be adhered to. The authority and responsibility for maintaining a network presence on this subnet is transferred to the owner of the service/machine(s). This will mean interacting with campus central computing. The future direction for this subnet is to outsource its management to central computing support (AICT).

Firewall rules for all subnets

Research (subnets 4, 22, 23, 25)

Inbound

  • icmp, igmp, traceroute udp ports from any
  • ntp, bacula, ldap to specific hosts
  • dns to specific host
  • smb/cifs to specific hosts from VPN, subnets 21, 159, 28, 29, 41
  • ssh to any host from VPN, subnets 16, 28, 29, 41
  • cups to specific hosts from VPN, subnets 16, 28, 29, 41
  • ssh to specific hosts from any
  • vnc, rdesktop from VPN

Outbound

  • icmp, igmp, traceroute udp ports to any
  • ntp, ldap to specific hosts
  • general outbound access to all ports from cleared hosts. By segregating servers from desktops, we could further restrict traffic servers would be allowed to initiate.

Administrative (subnet 16)

Inbound

  • icmp, igmp, traceroute udp ports from any
  • ntp, bacula, ldap from specific hosts
  • yp/nis (push/etc) from specific host to specific host
  • ssh from specific sysadmin hosts, possibly specific exceptions
  • vnc, rdesktop to specific machines from VPN

Outbound

  • icmp, igmp, traceroute udp ports to any
  • ntp, bacula, ldap to specific hosts
  • yp/nis (push/etc) from specific host to specific host
  • hrfinance, gradnews, misc ports to specific hosts (on campus)
  • smb/cifs to specific hosts
  • smtp, http, nntp, https, smtps, rtsp, imaps, 4001, 4443, 4444, 8080, 8081 to any

Load balanced (subnet 21)

Inbound

  • icmp, igmp, traceroute udp ports from any
  • ssh from subnets 4, 16, VPN
  • ntp, bacula, ldap from specific hosts
  • yp/nis, nfs to specific hosts from local subnets
  • 80, 443 to specific hosts from any

Outbound

  • icmp, igmp, traceroute udp ports to any
  • ntp, bacula, ldap to specific hosts
  • yp/nis/nfs/smb/cifs to specific hosts
  • MySQL/DB to specific hosts
  • 80, 443 to specific hosts (update/patch servers)
  • smtp, smtps from specific hosts

UGrad Windows (subnet 28)

Inbound

  • icmp, igmp, traceroute udp ports from any
  • ssh from specific sysadmin hosts, possibly specific exceptions

Outbound

  • icmp, igmp, traceroute udp ports to any
  • general outbound access to all ports from cleared hosts. By segregating servers from desktops, we could further restrict traffic servers would be allowed to initiate.

UGrad Linux (subnets 29, 41)

Inbound

  • icmp, igmp, traceroute udp ports from any
  • ssh to any host from VPN, subnets 16, 28, 29, 41
  • ssh to specific hosts from any

Outbound

  • icmp, igmp, traceroute udp ports to any
  • ntp, ldap to specific hosts
  • general outbound access to all ports from cleared hosts. By segregating servers from desktops, we could further restrict traffic servers would be allowed to initiate.

DMZ (subnet 159)

Inbound

  • icmp, igmp, traceroute udp ports from any
  • ssh from subnets 16, 21, 4, 22, 23, 25, VPN (possibly 29, 41, and 28 in future)
  • ntp, bacula, ldap from specific hosts
  • smb/cifs to specific hosts from any
  • 80, 443 to specific hosts from any

Outbound

  • icmp, igmp, traceroute udp ports to any
  • ntp, bacula, ldap to specific hosts
  • smb/cifs to specific hosts
  • MySQL/DB to specific hosts
  • 80, 443 to specific hosts (update/patch servers)
  • yp/nis, nfs to home servers for a very limited time (to go away)
  • yp/nis, nfs to specific hosts on subnets 4, 22, 23, 25 on a case by case basis
  • smtp, smtps from specific hosts
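As an added example (not part of the department's policy page), the DMZ inbound rules and the case-by-case nfs exception above can be written down as data and checked against sample flows with a default-deny evaluator. Addresses (10.10.N.0/24 per subnet N, a 10.10.250.0/24 VPN pool) and the "specific hosts" are constructed placeholders, not the department's real addressing.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: department subnet N is modelled as 10.10.N.0/24; VPN pool is 10.10.250.0/24.
ZONES = {str(n): ip_network(f"10.10.{n}.0/24") for n in (4, 16, 21, 22, 23, 25, 28, 29, 41, 159, 184)}
ZONES["VPN"] = ip_network("10.10.250.0/24")

# Constructed "specific hosts" in the DMZ that are allowed to expose a service.
WEB_HOSTS = {"10.10.159.10", "10.10.159.11"}   # 80/443 from any
FILE_HOSTS = {"10.10.159.20"}                  # smb/cifs from any

# Inbound DMZ rules from the policy: (proto, dport, allowed source zones, allowed DMZ hosts; None = any host).
DMZ_INBOUND = [
    ("icmp", None, {"any"}, None),
    ("tcp", 22, {"16", "21", "4", "22", "23", "25", "VPN"}, None),  # ssh; 28/29/41 not yet allowed
    ("tcp", 445, {"any"}, FILE_HOSTS),
    ("tcp", 80, {"any"}, WEB_HOSTS),
    ("tcp", 443, {"any"}, WEB_HOSTS),
]

# Outbound nfs from the DMZ to research is allowed only for documented, approved pairs (constructed entry).
NFS_EXCEPTIONS = {("10.10.159.20", "10.10.22.40")}

def zone_of(ip):
    """Map an address to its subnet number, "VPN", or "outside" (anything not on a department subnet)."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"

def dmz_inbound_allowed(src_ip, dst_ip, proto, dport=None):
    """First matching rule wins; a flow that matches no rule is denied (default deny)."""
    if zone_of(dst_ip) != "159":
        raise ValueError("destination is not in the DMZ")
    src_zone = zone_of(src_ip)
    for r_proto, r_port, sources, hosts in DMZ_INBOUND:
        if r_proto != proto or r_port != dport:
            continue
        if "any" not in sources and src_zone not in sources:
            continue
        if hosts is not None and dst_ip not in hosts:
            continue
        return True
    return False

def dmz_nfs_outbound_allowed(src_ip, dst_ip):
    """nfs from the DMZ to subnets 4/22/23/25 only for an approved, documented exception pair."""
    research = {"4", "22", "23", "25"}
    return zone_of(src_ip) == "159" and zone_of(dst_ip) in research and (src_ip, dst_ip) in NFS_EXCEPTIONS
```

Any service or source not listed (for example nfs inbound, or ssh from the wildwest subnet or from off campus) falls through to the default deny, which is the behaviour the policy text relies on.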

Wild West (subnet 184)

Inbound

  • icmp, igmp, traceroute udp ports from any
  • ssh rate limited inbound

Outbound

  • icmp, igmp, traceroute udp ports to any
  • general outbound access to all ports from all hosts
  • port 25 (smtp) rate limited outbound