Information Technology

Rice’s Internet Firewall - Background


Background

When the new Rice Networking infrastructure (“RiceNet2”) was being developed, several changes were identified and planned that fundamentally changed how individual computers on the Rice campus relate to the Internet and to other machines also on campus.

The first of these changes dramatically reduced the barriers between large groups of on-campus computers by eliminating the traditional barriers between similar systems. Instead of grouping computers only by geographical location and thereby placing them with dissimilar systems, RiceNet2 provides dedicated, logical networks for Faculty/Staff, Students, Visitors, Research, Open Servers, Closed Servers, and DMZ systems. Except in rare cases, all Faculty and Staff systems are on the same logical network. This means that no matter how they access the network (via a wired network port, a wireless network, or Rice’s VPN), their ability to reach other services is uniform, regardless of their physical location. The same holds true for students. In addition, all Staff/Faculty, Student, and Research systems have unfettered access (i.e. no firewall blocks traffic) to the servers installed in the Open network. In other words, apart from limits between the Staff/Faculty and Student networks, nothing restricts on-campus communication between machines.

The second change started moving Rice’s systems from a “network-based security” model towards a more “host-based security” model. Instead of expecting the network to provide access control lists to block or allow traffic between computers on campus, system administrators would configure systems to protect themselves by disabling unneeded services, patching automatically, enabling host-based firewalls, and following best practices for system administration. Implemented properly, this approach will dramatically improve campus security because the necessary protection stays with the computer regardless of where it is attached to the Internet (e.g. at home, at a wireless hotspot, at a conference, or at Rice).

The third change involved the installation of firewall hardware between Rice and the Internet and the establishment of a new campus firewall posture. Instead of relying on rudimentary block-this, block-that rules, the firewall hardware allows for much more sophisticated network traffic management and makes it possible to change how Rice’s systems relate to the Internet.

In the past, all unsolicited Internet traffic sent to Rice was allowed to pass into the campus except when it posed an identifiable and unacceptable risk (e.g. telnet, ftp, PCAnywhere). In order to address the continuing and developing threats to computers on the Rice campus, Information Technology is changing the firewall posture such that all unsolicited Internet traffic sent to Rice computers will be denied entry except for some specific protocols and return traffic for connections initiated from on-campus to the Internet.
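To make the difference between the two postures concrete, here is an added example (not Rice IT's configuration) that simulates both rules over a handful of constructed packets: the legacy "allow unless explicitly blocked" filter, and a stateful default-deny filter that admits only an assumed list of permitted services (port 25 and 443 are stand-ins for the "specific protocols") plus return traffic for connections a campus host opened. Addresses and ports are constructed.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    src: str       # source IP
    sport: int     # source port
    dst: str       # destination IP
    dport: int     # destination port
    proto: str     # "tcp" or "udp"
    inbound: bool  # True when arriving from the Internet, False when leaving campus

LEGACY_BLOCKED_PORTS = {21, 23, 5631}          # ftp, telnet, PCAnywhere: the old "block-that" list
ALLOWED_INBOUND = {("tcp", 25), ("tcp", 443)}  # assumed stand-ins for the "specific protocols"

def legacy_policy(pkt: Packet) -> bool:
    """Old posture: unsolicited Internet traffic passes unless explicitly blocked."""
    return not (pkt.inbound and pkt.dport in LEGACY_BLOCKED_PORTS)

class DefaultDenyFirewall:
    """New posture: drop unsolicited inbound traffic except the listed services and
    return traffic for connections initiated from campus."""
    def __init__(self) -> None:
        # Connection table: (campus_ip, campus_port, remote_ip, remote_port, proto)
        self.flows: set[tuple[str, int, str, int, str]] = set()

    def check(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            # Outbound traffic is allowed and recorded so the reply can be matched.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        if (pkt.proto, pkt.dport) in ALLOWED_INBOUND:
            return True                      # explicitly permitted inbound service
        # Return traffic: the reply's addresses and ports mirror a flow campus opened.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows

def demo() -> dict[str, tuple[bool, bool]]:
    """Run constructed packets through both postures: {name: (legacy, default_deny)}."""
    fw = DefaultDenyFirewall()
    campus, remote = "128.42.1.10", "203.0.113.7"   # constructed addresses
    packets = {   # evaluated in order, so the outbound request precedes its reply
        "unsolicited_ssh_in":   Packet(remote, 40000, campus, 22, "tcp", True),
        "unsolicited_https_in": Packet(remote, 40001, campus, 443, "tcp", True),
        "telnet_in":            Packet(remote, 40002, campus, 23, "tcp", True),
        "web_request_out":      Packet(campus, 51000, remote, 80, "tcp", False),
        "web_reply_in":         Packet(remote, 80, campus, 51000, "tcp", True),
        "unmatched_reply_in":   Packet(remote, 80, campus, 51001, "tcp", True),
    }
    return {name: (legacy_policy(p), fw.check(p)) for name, p in packets.items()}
```

The "unmatched_reply_in" case shows why the state table matters: a packet that merely looks like a reply is admitted by the legacy rule but dropped by the default-deny rule because no campus host opened that connection.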

Although completely open access from the Internet is an attractive concept, especially for academic environments, given the current set of attacks directed towards Rice computers from the Internet and the increasing dependency that the Rice community is developing on computer and network communications systems, Rice has determined that this is no longer a sustainable configuration.

IT is performing this work for the Student network during the academic semester for several reasons:

6100 Main, Houston, Texas 77005-1827
Mailing Address: P.O. Box 1892, Houston, Texas 77251-1892
© Copyright Rice University
Page content reviewed: 4/9/08 by William Deigaard. Markup: 4/9/08 by Sohum Misra
