NetDB Automation for Departmental Firewalls
The Departmental Firewall automation project gives the administrator of a NetDB node the option to enable Firewall Template services through the NetDB web interface. Adding a custom field labeled 'SU Firewall' provides settings that allow the administrator to configure access to a set of commonly used services from a number of specific sources.
The purpose of these configuration options is to allow the owner or administrator of the current NetDB node record to define rudimentary firewall access to this node without having to submit a regular firewall rule request to the Networking group. The configured settings will have no effect if the network on which the node resides is not firewalled.
Changes to the settings will generally be implemented within 30 minutes once the service is in production.
Depending on the service and the network, one of four sources can be selected; the source determines from where the related service can be accessed. In accordance with the Stanford-wide security policy, some services will not be accessible from all four sources.
The available source options are:
World Access (w)
- Allow access to the corresponding service from anywhere: campus networks, dorm networks, and the Internet. There are no restrictions in place when accessing this service/port.
Stanford All Networks (s)
- Allow access from all Stanford networks. This covers the administrative as well as the residential networks.
- (18.104.22.168/14,172.24.0.0/14,22.214.171.124/16,172.24.0.0/14,126.96.36.199/21,172.20.224.0/21,10.200.0.0/16,10.32.0.0/12,10.48.0.0/15 and 172.20.128.0/17)
Stanford Admin Networks (a)
- Allow access from the administrative campus networks only.
- (188.8.131.52/14,172.24.0.0/14,184.108.40.206/21,172.20.224.0/21,10.200.0.0/16,10.32.0.0/12,10.48.0.0/15 and 172.20.128.0/17)
Stanford VPN Networks (v)
- Allow access from the public and administrative VPN networks. These networks are a subset of the Stanford administrative networks.
- (220.127.116.11/21 and 18.104.22.168/21)
- Stanford wireless nets (not including guest wireless) are included in the Stanford "Admin" designation.
- The Stanford wireless network is not firewalled and is not considered part of your local departmental network.
Basic firewall settings for a node can be configured for a limited set of common services, keeping in mind that a service can consist of multiple ports.
Firewall settings will not be implemented unless they have been enabled for the given node. If they are not enabled, the node will not be configured on the firewall, and no settings will apply other than the default policy for the network on which that node resides. (See the example illustration below.)