Administrative Systems Server Template Rules

Attention Application Owners & Rule Delegates

The following set of firewall policies, referred to as "Template Rules", is provided for administrators of AS-owned/managed servers that require a specific set of source hosts/nets and services allowed for administration.

When applying these Template rules, please consider any additional necessary "custom" policies to guarantee the inbound or outbound connectivity that servers will require. Those "custom" policy requests can be made via the Firewall Rule Request form.

Please contact the Firewall Team (firewall-team@lists.stanford.edu) with any questions.

Template Rules 

Traffic Inbound to the Firewall 

From                To   Ports           Description
tasm_tripwire_svrs  ANY  tasm_tripwire   AS Tripwire Services
tasm_em_svrs        ANY  tasm_em         AS EM Services
tasm_scan_svrs      ANY  ANY             AS Security Scanning Services
tasm_bastion_svrs   ANY  tasm_bastion    AS Bastion Services
tasm_infra_svrs     ANY  tasm_infra      AS Infrastructure Services
tasm_manage_svrs    ANY  tasm_manage     AS Management Services
tasm_nagios_svrs    ANY  tasm_nagios     AS Nagios Services
tasm_backup_svrs    ANY  tasm_backup     AS Backup Services
tasm_paw_vpn        ANY  tasm_paw_linux  AS Linux PAW Access

Host Group Object Definitions

Group               Members
tasm_tripwire_svrs  asiaappprd6 | 171.67.39.23
tasm_em_svrs        asiaappg1prd98 | 171.67.5.2
                    asiaappg1prd99 | 171.67.5.3
                    ciaappg1prd01 | 171.67.5.12
                    ciaappg1prd02 | 171.67.51.194
tasm_scan_svrs      as-qualys-d65 | 171.67.42.130
                    as-qualys-i27 | 171.67.42.133
tasm_bastion_svrs   asinfraprd01 | 171.67.38.8
                    asinfraprd06 | 171.67.38.9
                    asinfraprd22 | 171.67.42.199
                    ascoreinfra01 | 171.67.39.3
                    jetfire | 171.67.39.14
                    solitude | 171.67.39.25
tasm_infra_svrs     asiaappprd6 | 171.67.39.23
                    asinfraprd05 | 171.67.42.137
                    asinfraprd06v | 171.67.39.30
                    asinfraprd08 | 171.67.42.140
                    asyumprd01 | 171.67.42.189
                    asyumprd02 | 171.67.42.219
                    nwinfraprd04 | 172.20.134.12
                    ascoreinfra01 | 171.67.39.3
                    jetfire | 171.67.39.14
tasm_manage_svrs    asinfraprd03 | 171.67.39.2
                    asinfraprd20 | 171.67.39.8
                    asinfraprd23 | 171.67.42.178
tasm_nagios_svrs    asinfraprd09 | 171.67.42.148
                    nagios01 | 171.67.217.115
                    nagios02 | 171.67.217.114
tasm_backup_svrs    asinfrastore95 | 171.67.42.191
                    asinfrastore97 | 171.67.42.169
                    aspinfrastore98 | 171.67.42.155
                    asinfraaws99 | 171.67.42.200
tasm_paw_vpn        AS PAW Network | 171.67.52.0/23

Service Group Object Definitions

Group           Ports
tasm_tripwire   tcp: 8080
                tcp: 18889
tasm_em         tcp: 22
                tcp: 1159
                tcp: 3872
                tcp: 4889
                tcp: 7799
tasm_bastion    tcp: 22
tasm_infra      tcp: 80
                tcp: 443
tasm_manage     tcp: 135
                tcp: 139
                tcp: 445
                tcp: 8192-8194
                tcp: 4900-5000
                tcp: 3389
                tcp: 80
                tcp: 2607
                tcp: 443
                tcp: 22
                tcp: 1311
                udp: 161-162
tasm_nagios     tcp: 5666
                tcp: 12489
                tcp: 80
                tcp: 443
tasm_backup     tcp: 5555
tasm_paw_linux  tcp: 22

Roles

Template Owner

The template owner is responsible for determining, maintaining, and modifying the template rules and membership of the different server groups. The application owner is notified regarding any changes to the template.

Current Template Owners:

  • Armand Capote
  • Stanley Lee
  • Laurie Miller
  • Calvin Hom

Application Owner

Responsible for approving the template rules initially and for requesting the addition of hosts behind the firewall to the "windows_hosts" group.

System Administrators 

Request rule approval from the application owner to put in place the template rules or to apply them to hosts (adding them to the template "windows_hosts" group).

ISO Security

The ISO group will audit the rules and make recommendations as needed or upon request from either the System Administrators or the Application Owners. In addition, any changes to this template must be reviewed by ISO prior to implementation.

 

Last modified March 13, 2024