University IT
ISO SecOps Windows Template Rules
Attention Application Owners & Rule Delegates
The following set of firewall policies, referred to as "Template Rules", are provided for administrators of AS owned/managed servers that require a specific set of source hosts/nets and services allowed for administration.
When applying these Template rules, please consider any additional necessary "custom" policies to guarantee the inbound or outbound connectivity that servers will require. Those "custom" policy requests can be made via the Firewall Rule Request form.
Please contact the Firewall Team (firewall-team@lists.stanford.edu) with any questions.
Firewall Template Rules
Traffic Inbound to the Firewall
| From | To | Ports | Description |
|---|---|---|---|
| iso-secops-windows-pbh | destination_host | tisw_pbst | Personal Bastion LightsOut |
| secops-bigfix-ring0 | destination_host | tisw_bigfix | BigFix Services |
| secops-ossec | destination_host | tisw_ossec | OSSEC Services |
| as-idg-nagios-monitoring | destination_host | tisw_nagions | Nagios Monitor Services |
| g_su_admin_nets | destination_host | IPSEC | IPSEC Services |
Traffic Outbound to the Firewall
| From | To | Ports | Description |
|---|---|---|---|
| source_host(s) | g_su_dns_servers | g_dns | Campus (anycast) DNS services |
| source_host(s) | g_su_dhcp_servers | DHCP | Campus DHCP services |
Address, Service & Object Definitions
| Group | Members |
|---|---|
Address & Address Groups | |
| iso-secops-windows-pbh | 171.67.47.160/28 |
| secops-bigfix-ring0 | bigfixinfra | 171.64.7.188 |
| secops-ossec | ossec1 | 171.67.33.178 ossec2 | 171.67.33.179 |
| as-idg-nagios-monitoring | nagios01 | 171.67.217.115 nagios02 | 171.67.217.114 |
| g_su_admin_nets | Stanford Campus networs excluding the Residence networks |
| g_su_dns_servers | Stanford (anycast) DNS servers |
| g_su_dhcp_servers | Stanford (campus) DHCP servers |
Service & Service Groups | |
| tisw_pbst | TCP: 135, 139, 445, 1311, 2179, 3389, 4900-5000, 5985-5986 UDP: 135, 139, 445 |
| tisw_bigfix | UDP: 52311 |
| tisw_ossec | UDP: 1514 |
| tisw_nagios | TCP: 5666 |
Roles
Template Owner
Responsible for determining, maintaining and modifying the template rules and membership of the different server groups. The application owner is notified regarding any changes to the template.
Current Template Owners:
- Ping Wei
- Stacy Lee
- Jeremy Tavan
- Adam Todd
- Todd Boyden
System Administrators
Request rule approval from the application owner.
ISO Security
The ISO group will audit the rules and make recommendations as needed or upon request from either the System Administrators or the Application Owners. In addition, any changes to this template must be reviewed by ISO prior to implementation.
