Firewall Hole Admin/Tracking

Project ID: 300
Current stage: 
Summary: Put in place a simple means to manage firewall holes opened for end users (generally on self-managed machines).
What: 

Users request firewall holes so that services can be reached from beyond EdLAN. We need a clean approval process to check that the users have taken all the basic security measures. At an annual interval we review all the firewall holes currently open to see whether they are still required. These processes are currently carried out manually.

Why: 

By doing this we minimise our attack surface, reducing the number of ports, services and hosts that are directly accessible from outside EdLAN. We have some level of duty of care to self-managed users to inform them of the risks and to proactively minimise that risk.

When: 

No specific timeframe.

How: 

One suggestion is that we use the RT ticket requesting the firewall hole as the tracking element. We craft a stock reply to these requests (based on what we already have) that support can easily select from a drop-down and send in the first instance. We can add a dedicated RT queue/category (à la software requests) for this purpose. We should then be able to build a standard query to run against the RT database (or just use the existing search options) that pulls out, on a monthly basis, firewall hole requests that have been open for more than a year; the result could be used as an email prompt to support to initiate checking for continued requirement.

See https://wiki.inf.ed.ac.uk/DICE/FirewallHolesAndDetonator which could be used as the basis for a boilerplate response.
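The monthly "open for more than a year" check described above, written out as an added example (not code from this project or from RT). It assumes ticket records have already been exported from the firewall-hole queue (for instance via RT's REST interface or a direct database query) into simple Python objects; the queue name "Firewall Holes", the field names, the ticket statuses treated as still active, and the sample tickets are all constructed assumptions. The TicketSQL string is the search we believe RT's query builder would accept for the same selection, included for reference only.

```python
"""Added example: select firewall-hole tickets due for the annual review
and build the email prompt for support.

Assumptions (not from the project page): tickets arrive as `Ticket`
records exported from an RT queue named "Firewall Holes"; the statuses
new/open/stalled are treated as "hole still in place".
"""
from dataclasses import dataclass
from datetime import date, timedelta

QUEUE = "Firewall Holes"                    # assumed name of the dedicated RT queue
ACTIVE_STATUSES = ("new", "open", "stalled")  # assumed statuses meaning the hole is live
REVIEW_AFTER = timedelta(days=365)          # the page's "open for more than a year"

# Reference only: the equivalent RT TicketSQL search, in the form we believe
# RT's query builder accepts (verify against your RT version).
TICKETSQL = (
    f"Queue = '{QUEUE}' AND (Status = 'new' OR Status = 'open' OR Status = 'stalled') "
    "AND Created < '1 year ago'"
)


@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str
    status: str
    created: date
    requestor: str
    subject: str


def tickets_due_for_review(tickets, today, queue=QUEUE, review_after=REVIEW_AFTER):
    """Return tickets in `queue` that are still active and were created at
    least `review_after` before `today`, oldest first."""
    due = [
        t for t in tickets
        if t.queue == queue
        and t.status in ACTIVE_STATUSES
        and today - t.created >= review_after
    ]
    return sorted(due, key=lambda t: t.created)


def review_prompt(due, today):
    """Build the plain-text email body sent to support as the monthly prompt."""
    if not due:
        return "No firewall hole requests are due for review."
    lines = [f"Firewall hole requests open for more than a year as of {today.isoformat()}:", ""]
    for t in due:
        age_days = (today - t.created).days
        lines.append(
            f"  #{t.id}  {t.requestor:<8} opened {t.created.isoformat()} "
            f"({age_days} days)  {t.subject}"
        )
    lines += [
        "",
        "Please contact each requestor to confirm the hole is still required;",
        "close the ticket (and the hole) if it is not.",
    ]
    return "\n".join(lines)


# Constructed sample export: covers the cases the check must handle
# (old and active, recent, already resolved, wrong queue, old and stalled).
SAMPLE_TICKETS = [
    Ticket(101, QUEUE, "open", date(2022, 11, 10), "alice", "ssh to lab host"),
    Ticket(102, QUEUE, "open", date(2023, 9, 5), "bob", "https to project web server"),
    Ticket(103, QUEUE, "resolved", date(2021, 2, 1), "carol", "rdp to workstation"),
    Ticket(104, "Software Requests", "open", date(2022, 1, 15), "dave", "licence for tool"),
    Ticket(105, QUEUE, "stalled", date(2023, 2, 20), "alice", "imaps to mail host"),
]

if __name__ == "__main__":
    run_date = date(2024, 3, 1)
    print(TICKETSQL)
    print(review_prompt(tickets_due_for_review(SAMPLE_TICKETS, run_date), run_date))
```

Run monthly (for example from cron) with the real export in place of `SAMPLE_TICKETS`, the output is the email body for support; a ticket that has been resolved, or that sits in another queue, never appears in it, so closing the RT ticket when a hole is removed is what keeps the review list accurate.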

Other: 

Dependencies:

Risks: