Firewalls on Nebula Bronze Workstation and Local Servers

Topics on this page

• Policy Changes
• Using Windows Firewall
• Using IPSec Filtering
• Using the UW Technology Managed Firewall
• Compliance criteria
• Scanning for compliance

Nebula policy permits firewalls on bronze workstations and local servers provided they meet the criteria documented here. The intent of this criteria is to provide access for remote manageability by Nebula support staff, as well as compliance with the UW minimum data security standards. The "no firewall" policy remains in effect for kiosks, gold workstations and managed servers. These systems are protected by other means.

We strongly encourage clients to use the Windows firewall if they feel they need a firewall, but they can choose any firewall product they like. Nebula (or one of our UW Technology partners) will provide limited support if they choose any of the following:

• the Windows firewall.
• IPSec filtering.
• the UW Technology managed firewall

Other products are unsupported.

Using Windows Firewall

Because we are administratively configuring the settings of the Windows firewall for specific ports to provide access for Nebula support staff, the client will be unable to configure the ports documented in the criteria here. For instance, this means that the client won't be able to add their home computer to the scope of the RDP port, tcp 3389. They'll receive an error message similar to: "Windows Firewall cannot add the port 'TCP 3389 (rdp)' to the list of exceptions, possibly because the port you are trying to add is already included in a service, such as File and Printer Sharing." We have included the network segment where the Nebula VPN servers live, so any computer using the Nebula VPN has access to the ports automatically configured. This is a failing in the design of the Windows Firewall product which will hopefully be addressed in future versions. In the meantime, the VPN is a good workaround that should meet all client needs for access to those ports.

Using IPSec Filtering

IPSec filtering is permitted if the configurations meet the criteria listed below.

Using the UW Technology Managed Firewall

For more information on using the UW Technology managed firewall, please email help@u. This firewall is permitted if the configurations meet the criteria listed below.

Compliance criteria

From networks with IP addresses assigned of the form:

• 140.142.112.0/24
• 140.142.110.0/24
• 140.142.1.0/24
• 140.142.13.224/27
• 140.142.55.0/24
• 140.142.3.0/24
• 140.142.15.0/24
• 172.22.112.0/24
• 172.22.110.0/24
• 172.22.1.0/24
• 172.22.13.224/27
• 172.22.55.0/24
• 172.22.3.0/24
• 172.22.15.0/24

Some firewall products do not understand the 'slash' notation, so it may be necessary to also provide the corresponding subnet masks:

• for /24 use 255.255.255.0
• for /27 use 255.255.255.224

These ports should be open:

• tcp: 135, 139, 445, 3389
• udp: 137, 138
• icmp: all

Scanning for Compliance

Nebula will scan to see if bronze/local servers meet the firewall criteria. When a computer is found to not meet the criteria, the owner will be notified of the need to come into compliance with the criteria documented within this policy. The owner will have a period of 2 weeks to come into compliance. If the computer isn't in compliance by the end of that period, it will be removed from the domain. The computer can return to Nebula when it's brought into compliance.

If you have questions or suggestions, please forward them to nebula at u.washington.edu.

Nebula Support Team (nebula@u)
Sign up for Nebula News
View the UW's IT web site, IT Connect
Last modified: May 12, 2009