[Please remove <h1>]
Internal Access
The computer network infrastructure for the School of Computer Science uses a blend of public and private IP addresses, with varying degrees of access control. Many addresses are reachable from off-campus (although that will change with the introduction of the campus firewall), many addresses can only be accessed from on-campus, and many addresses can only be accessed from other CS systems.
External Access
The campus Internet connection blocks certain kinds of network traffic. That is about to change to something far more strict, expected Winter 2016. Check the status of your machine here.
What's Happening
The University is implementing a "default deny" firewall, which by default will not let externally initiated unapproved traffic enter. Network connections that start from on campus will not be affected.
The intent is that people use the campus VPN (Virtual Private Network) for remote access to the campus network.
CSCF's cs-teaching and cs-general Environments
Traffic initiated from off-campus that will be allowed, without using the campus VPN, will include:
- cs-teaching environment
- `ssh` access to the linux.student.cs systems
- WWW servers (www.student.cs.uwaterloo.ca, markus.student.cs.uwaterloo.ca, marmoset.student.cs.uwaterloo.ca)
- cs-general environment
- `ssh` access to linux.cs
- WWW server (cs.uwaterloo.ca)
Reaching any other (non-research) system from off-campus will require the VPN,
Research, Faculty, and Graduate Equipment
CSCF will meet with each research group to discuss firewalling of that group's equipment. This is being done on a group-by-group basis to ensure the right balance of protection and network access for each group.
To assist in determining what's needed, CSCF will use a recent network traffic sample to propose a protocol based grouping of machines. Machines in a specific group will be accessible (without using the VPN) via the protocols associated with the group. While there is a large variety of traffic, the greatest usage is seen for `ssh`, e-mail, and WWW service, so there will be groups for those services in various combinations. For those systems engaged in less popular protocols, more detailed discussion may be required. When you receive the suggested grouping, please assess the accuracy, and let us know what has been missed, and what is unnecessary.
The recent traffic sample of systems that records show you might be involved with is available in
The Implementation
It's likely that many of the approvals will be implemented by using rules specific to networks, rather than to individual machines. That could mean that a system might be accessible via more protocols than requested. Just how this will or can happen remains to be determined.
The application of the firewall rules will be in multiple steps. That will be facilitated by first making the transparent change of moving all CS systems behind the firewall, with "default allow" rules (so you won't notice any difference). That is expected to happen early in the Winter 2016 term.
It is expected that the application of firewall rules will be ongoing during the Winter 2016 term, with non-research systems likely being handled first. The transition for research systems could take a while, so we're assuming that it could take the entire Winter 2016 term.
Firewall Status utility
We have developed a utility to help determine the current and future firewall status of a given workstation/server. Please check your machine here: https://cs.uwaterloo.ca/cscf/policies/firewall-status/
History
Effective early 2005, most computers in the School of Computer Science were protected by a network firewall. Some systems were outside of the firewall to meet research needs. It used the approach of defining rules for groups of networks (a.k.a. Zones), in an attempt to minimize rules specific to hosts. Since then, the firewall was replaced by much less restrictive rules in network switches. And soon that will be augmented by a campus "default deny" firewall.
Zone Descriptions
For historical reference, the zones used were:
Zone 0 - CSCF
This zone consists of CSCF computers. This zone has fairly strict access control policies for inbound traffic since this is where most of the systems administration for the school is done. Traffic out of this zone is fairly open again because of systems and network administration.
Zone 1 - CS Servers
This zone consists of hosts such as file servers, mail servers, web servers, cpu servers, and domain controllers in the CS teaching and CS general environments. The policies for traffic originating to and from this zone are based on the services provided by machines in this zone.
Zone 2 - Thin Clients
All X11/RDP thin client terminals in the School reside in this zone. The following protocols will be allowed:
- X11,font,tftp,xdmcp (to local X11 servers)
- RDP (to local RDP servers)
- DNS (to campus DNS servers)
- HTTP (to the world)
- PING (to on-campus)
Zone 3 - Teaching Lab Workstations (PCs and Macs)
This zone consists of PCs (Nexus/Linux) and Macs located in public terminal rooms. This is a client-only network, meaning that only outbound traffic will be allowed (no servers).
Zone 4 - Office Workstations (PCs and Macs)
This zone consists of workstations (PCs/Macs/Unix) located in offices of faculty, staff, and graduate students. Like Zone 3, this is a client-only network, except that inbound SSH and RDP are permitted. Most office computers in the School are expected to be in this zone. No firewall exceptions will be made for individual computers in Zone 4. Computers that require less restrictive firewalling may instead be placed in Zone 5.
Zone 5 - Research Computers
This zone is for computers used in research where access control policies in the other zones are too restrictive. Outbound traffic from this zone is unrestricted, and inbound traffic to this zone is restricted to the following:
- Secure Shell (SSH)
- Remote File Transfer (FTP)
- Microsoft Remote Desktop (RDP)
- Apple File Sharing (AFP over TCP)
- Windows File Sharing (SMB)
Machine owners can request customized firewall policies for Zone 5 machines by contacting their CSCF Point of Contact. The above list of default inbound restrictions may be modified by popular demand.
Zone membership by subnet
The table below shows what subnets belong to which zone.
Zone | Type | Subnet(s) |
0 |
CSCF |
129.97.15.0/24 (cscfnet) 172.19.16.0/20 or 172.19.{16-31}.0/24 (cscampus{16-31}net) 10.15.16.0/20 or 10.15.{16-31}.0/24 (cspriv{16-31}net) |
1 |
CS Servers |
129.97.152.0/24 (csserver1net) 172.19.32.0/20 or 172.19.{32-47}.0/24 (cscampus{32-47}net) 10.15.32.0/20 or 10.15.{32-47}.0/24 (cspriv{32-47}net) |
2 |
Thin Clients |
129.97.49.0/24 (cstc1net) 129.97.59.0/24 (cstc2net) 172.19.48.0/20 or 172.19.{48-63}.0/24 (cscampus{48-63}net) 10.15.48.0/20 or 10.15.{48-63}.0/24 (cspriv{48-63}net) |
3 |
Teaching Lab Workstations |
129.97.51.0/24 (cslab1net) 172.19.64.0/20 or 172.19.{64-79}.0/24 (cscampus{64-79}net) 10.15.64.0/20 or 10.15.{64-79}.0/24 (cspriv{64-79}net) |
4 |
Office Workstations |
129.97.84.0/24 (csclient1net) 129.97.168.0/22 (csclient2net) 129.97.169.0/22 (csclient3net) 172.19.80.0/20 or 172.19.{80-95}.0/24 (cscampus{80-95}net) 10.15.80.0/20 or 10.15.{80-95}.0/24 (cspriv{80-95}net) |
5 |
Research Computers |
129.97.7.0/24 (csresearch1net) 172.19.96.0/20 or 172.19.{96-111}.0/24 (cscampus{96-111}net) 10.15.96.0/20 or 10.15.{96-111}.0/24 (cspriv{96-111}net) |