Closing SFSU border firewall
Prepared by E.Rayz, DoIT Network Services Coordinator
February 14, 2012
Topics covered by this presentation
- CSU San Francisco Edge Network Design overview
- Firewall rules - how they work
- Best practices when closing the borders
- On-going support overview
- Q&A
CSU San Francisco Edge Network Design
Firewall rules - how they work
Best practices when closing the borders
- VPN software is available for faculty and staff, and for some sponsored contractors
- systems administrators are encouraged to use SFTP, SSH, and HTTPS instead of unencrypted protocols
- systems administrators need to use static IP addresses for servers, and register those IP addresses in DNS via to
- requests for justified exceptions will follow an established process and change control procedure, and may take approximately 1 week
On-going support for exemption requests
- The completed “Border FW inbound Port exemption” form should be emailed by the authorized Change Control contact to with a CC to by Thursday, March 1st.
- The border firewall closure is scheduled for Thursday, March 15th.
- You will be contacted within 3 business days regarding your request.
- The following unencrypted and shell access protocols will not be allowed through the firewall except where there is a business justification (e.g. anonymous FTP). End users and administrators are encouraged to use the campus VPN for systems needing access via any of the following:
  - Telnet
  - FTP
  - Secure Shell
  - Remote Desktop
Border firewall inbound port exemption template example:

Name: Jon Smith
Department: Education
Building: Burk Hall
Room #: 999
Phone:

Columns: Application, Action, Protocol, Source IP, Source Port, Destination IP, Destination Port, Operating System (Drop-Down Choices), Device (Drop-Down Choices), Reason for Exemption

Example row: www, ALLOW, TCP, ANY, MacOS, Server, Web Server
Q&A
A comprehensive border firewall workshop is scheduled for February 20th, 10:30 a.m. – 12 noon. Please stay tuned for details on location and full agenda.