Administrative Systems Server Template Rules
Attention Application Owners & Rule Delegates
The following set of firewall policies, referred to as "Template Rules", is provided for administrators of AS-owned or AS-managed servers that require a specific set of source hosts/networks and services to be allowed for administration.
When applying these Template Rules, also consider any additional "custom" policies needed to provide the inbound or outbound connectivity the servers will require. Those "custom" policy requests can be made via the Firewall Rule Request form.
Please contact the Firewall Team (firewall-team@lists.stanford.edu) with any questions.
Template Rules
Traffic Inbound to the Firewall
| From (source host group) | To (destination) | Ports (service group) | Description |
|---|---|---|---|
| tasm_em_svrs | ANY | tasm_em | AS EM Services |
| tasm_scan_svrs | ANY | ANY | AS Security Scanning Services |
| tasm_bastion_svrs | ANY | tasm_bastion | AS Bastion Services |
| tasm_infra_svrs | ANY | tasm_infra | AS Infrastructure Services |
| tasm_manage_svrs | ANY | tasm_manage | AS Management Services |
| tasm_nagios_svrs | ANY | tasm_nagios | AS Nagios Services |
Host Group Object Definitions
| Group | Host | IP |
|---|---|---|
| tasm_em_svrs | ciaappg1prd01 | 171.67.5.12 |
| tasm_em_svrs | ciaappg1prd02 | 171.67.51.194 |
| tasm_scan_svrs | as-qualys-d65 | 171.67.42.130 |
| tasm_scan_svrs | as-qualys-i27 | 171.67.42.133 |
| tasm_bastion_svrs | asinfraprd01 | 171.67.38.8 |
| tasm_bastion_svrs | asinfraprd06 | 171.67.38.9 |
| tasm_bastion_svrs | asinfraprd22 | 171.67.42.199 |
| tasm_bastion_svrs | ascoreinfra01 | 171.67.39.3 |
| tasm_bastion_svrs | jetfire | 171.67.39.14 |
| tasm_bastion_svrs | solitude | 171.67.39.25 |
| tasm_infra_svrs | asinfraprd05 | 171.67.42.137 |
| tasm_infra_svrs | asinfraprd06v | 171.67.39.30 |
| tasm_infra_svrs | asinfraprd08 | 171.67.42.140 |
| tasm_infra_svrs | asyumprd01 | 171.67.42.189 |
| tasm_infra_svrs | asyumprd02 | 171.67.42.219 |
| tasm_infra_svrs | nwinfraprd04 | 172.20.134.12 |
| tasm_infra_svrs | ascoreinfra01 | 171.67.39.3 |
| tasm_infra_svrs | jetfire | 171.67.39.14 |
| tasm_manage_svrs | asinfraprd03 | 171.67.39.2 |
| tasm_manage_svrs | asinfraprd20 | 171.67.39.8 |
| tasm_manage_svrs | asinfraprd20 | 171.67.39.18 |
| tasm_manage_svrs | ascoreinfra06 | 172.20.134.3 |
| tasm_nagios_svrs | asinfraprd09 | 171.67.42.148 |
| tasm_nagios_svrs | nagios01 | 171.67.217.115 |
| tasm_nagios_svrs | nagios02 | 171.67.217.114 |
Service Group Object Definitions
| Group | Ports |
|---|---|
| tasm_em | tcp: 22, 1159, 3872, 4889, 7799 |
| tasm_bastion | tcp: 22 |
| tasm_infra | tcp: 80, 443 |
| tasm_manage | tcp: 22, 80, 135, 137, 139, 443, 445, 1311, 2607, 2701, 3389, 4900-5000, 8192-8194; udp: 161-162 |
| tasm_nagios | tcp: 80, 443, 4373, 5666, 12489 |
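To see how the three tables above combine into concrete allow decisions, the following script expands the host and service groups and evaluates a candidate flow against the template rules in order, with anything unmatched treated as denied. It also runs two sanity checks a rule delegate would want before applying the template: hostnames listed twice within one group, and IPs that sit in more than one group (those hosts inherit the union of the groups' service sets). This is an added example, not the Firewall Team's tooling or the firewall's real matching engine; the group contents are transcribed from the tables on this page, while the matching logic, the lint checks and the sample flows are constructed for illustration.

```python
"""Expand the AS template rules into concrete allow checks and lint the group definitions.

Added example, not part of the original page nor the Firewall Team's tooling. The
group contents are transcribed from the page's tables; the matching logic, the
lint checks and the sample flows in __main__ are constructed for illustration.
"""
import re
from ipaddress import ip_address

# Host groups as (hostname, ip) lists, exactly as printed on the page. A list, not a
# dict keyed by hostname, so the page's two "asinfraprd20" entries both survive.
HOST_GROUPS = {
    "tasm_em_svrs": [("ciaappg1prd01", "171.67.5.12"), ("ciaappg1prd02", "171.67.51.194")],
    "tasm_scan_svrs": [("as-qualys-d65", "171.67.42.130"), ("as-qualys-i27", "171.67.42.133")],
    "tasm_bastion_svrs": [("asinfraprd01", "171.67.38.8"), ("asinfraprd06", "171.67.38.9"),
                          ("asinfraprd22", "171.67.42.199"), ("ascoreinfra01", "171.67.39.3"),
                          ("jetfire", "171.67.39.14"), ("solitude", "171.67.39.25")],
    "tasm_infra_svrs": [("asinfraprd05", "171.67.42.137"), ("asinfraprd06v", "171.67.39.30"),
                        ("asinfraprd08", "171.67.42.140"), ("asyumprd01", "171.67.42.189"),
                        ("asyumprd02", "171.67.42.219"), ("nwinfraprd04", "172.20.134.12"),
                        ("ascoreinfra01", "171.67.39.3"), ("jetfire", "171.67.39.14")],
    "tasm_manage_svrs": [("asinfraprd03", "171.67.39.2"), ("asinfraprd20", "171.67.39.8"),
                         ("asinfraprd20", "171.67.39.18"), ("ascoreinfra06", "172.20.134.3")],
    "tasm_nagios_svrs": [("asinfraprd09", "171.67.42.148"), ("nagios01", "171.67.217.115"),
                         ("nagios02", "171.67.217.114")],
}

# Service groups in the page's own "proto: port[-port]" notation.
SERVICE_GROUPS = {
    "tasm_em": "tcp: 22 tcp: 1159 tcp: 3872 tcp: 4889 tcp: 7799",
    "tasm_bastion": "tcp: 22",
    "tasm_infra": "tcp: 80 tcp: 443",
    "tasm_manage": ("tcp: 135 tcp: 137 tcp: 139 tcp: 445 tcp: 8192-8194 tcp: 4900-5000 "
                    "tcp: 3389 tcp: 80 tcp: 2607 tcp: 443 tcp: 22 tcp: 1311 udp: 161-162 tcp: 2701"),
    "tasm_nagios": "tcp: 5666 tcp: 12489 tcp: 80 tcp: 443 tcp: 4373",
}

# Template rules as (source host group, destination, service group); "ANY" is a wildcard.
TEMPLATE_RULES = [
    ("tasm_em_svrs", "ANY", "tasm_em"),
    ("tasm_scan_svrs", "ANY", "ANY"),
    ("tasm_bastion_svrs", "ANY", "tasm_bastion"),
    ("tasm_infra_svrs", "ANY", "tasm_infra"),
    ("tasm_manage_svrs", "ANY", "tasm_manage"),
    ("tasm_nagios_svrs", "ANY", "tasm_nagios"),
]

_PORT_RE = re.compile(r"(tcp|udp):\s*(\d+)(?:-(\d+))?")


def parse_services(spec):
    """'tcp: 22 udp: 161-162' -> [('tcp', 22, 22), ('udp', 161, 162)]."""
    return [(p, int(lo), int(hi or lo)) for p, lo, hi in _PORT_RE.findall(spec)]


def service_matches(group, proto, port):
    """True if the service group (or the ANY wildcard) covers proto/port."""
    if group == "ANY":
        return True
    return any(p == proto and lo <= port <= hi
               for p, lo, hi in parse_services(SERVICE_GROUPS[group]))


def source_matches(group, src_ip):
    return any(ip_address(ip) == ip_address(src_ip) for _, ip in HOST_GROUPS[group])


def is_allowed(src_ip, proto, dport, dst="ANY"):
    """Return the first template rule permitting the flow, or None (implicit deny)."""
    for src_group, rule_dst, svc_group in TEMPLATE_RULES:
        if rule_dst not in ("ANY", dst):
            continue
        if source_matches(src_group, src_ip) and service_matches(svc_group, proto, dport):
            return (src_group, rule_dst, svc_group)
    return None


def lint_groups():
    """Flag hostnames repeated inside one group and IPs present in several groups."""
    warnings, seen_ip = [], {}
    for group, members in HOST_GROUPS.items():
        names = [n for n, _ in members]
        for name in sorted({n for n in names if names.count(n) > 1}):
            warnings.append(f"{group}: hostname {name} appears {names.count(name)} times")
        for _, ip in members:
            seen_ip.setdefault(ip, []).append(group)
    for ip, groups in seen_ip.items():
        if len(groups) > 1:
            warnings.append(f"{ip} is in several groups: {', '.join(groups)}")
    return warnings


if __name__ == "__main__":
    # Constructed sample flows, not traffic observed on the firewall.
    for flow in [("171.67.217.115", "tcp", 5666), ("171.67.5.12", "tcp", 3389),
                 ("171.67.42.130", "udp", 53), ("172.20.134.3", "udp", 163)]:
        print(flow, "->", is_allowed(*flow) or "DENY")
    print("\n".join(lint_groups()))
```

Running it shows the scanner group's `ANY` service entry matching every port, a host that appears in both `tasm_bastion_svrs` and `tasm_infra_svrs` getting ports 22, 80 and 443, and the lint reporting the duplicate `asinfraprd20` entry in `tasm_manage_svrs`, which is worth confirming with the template owners before the group is applied.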
Roles
Template Owner
The template owner is responsible for determining, maintaining, and modifying the template rules and the membership of the different server groups. The application owner is notified of any changes to the template.
Current Template Owners:
- Armand Capote
- Stanley Lee
- Laurie Miller
- Calvin Hom
Application Owner
Responsible for approving the template rules initially and for requesting the addition of hosts behind the firewall to the "windows_hosts" group.
System Administrators
Request rule approval from the application owner to put in place the template rules or to apply them to hosts (adding them to the template "windows_hosts" group).
ISO Security
The ISO group will audit the rules and make recommendations as needed or upon request from either the System Administrators or the Application Owners. In addition, any changes to this template must be reviewed by ISO prior to implementation.
