
Subject: Change in TAMU Network Firewall Configuration
In order to better protect University computing resources, access to web servers on-campus from the Internet will be restricted starting Fall semester, 2001.
Texas A&M Computing & Information Services maintains a network firewall between the University network and the Internet. Its purpose is to shield campus computers from outside attack and/or disruption. The shield does not stop all network traffic, as, consistent with our missions as a major university, we encourage many types of information exchange.
One kind of network information source is the web server. The original intent was to provide an easy way to share all kinds of information. However, vendors have put web servers in all kinds of equipment (e.g., printers, wireless nodes, routers) and turned on web services by default on many personal computers. Thus, an individual or department may have several web servers without anyone's knowledge.
CIS has not blocked access to off-campus web sites and, until now, has allowed any web server on-campus to be accessed from off-campus. As recent events have shown, malicious people can and do launch highly disruptive, automated attacks against every web server that can be reached. To reduce unintended vulnerabilities, the default firewall configuration is being changed. This does not affect anyone's ability to browse to any web site from a campus computer.
By default, the campus firewall will now block outside access to all on-campus addresses. Members of the University community may request off-campus visibility ("a hole in the firewall") for specific systems. This will be implemented as follows, attempting to avoid any disruptions of service:
* The Residence Hall networks will be blocked immediately. Starting on move-in day for Fall semester, after residents get their systems hooked up, students may visit a web page to request off-campus visibility for their web server. The server will be network scanned for security vulnerabilities. A report will be provided to the student. When any necessary corrections have been made and verified, the web server will be made visible off-campus.
* System administrators for other campus systems will be contacted over the next three weeks to identify any servers they want accessible from off-campus. Where possible, CIS will provide a list of systems currently running web servers. The firewall will be kept open for identified systems, but they will be network scanned for security vulnerabilities. CIS will work with administrators where vulnerabilities exist, but vulnerabilities must be fixed prior to September 30, 2001 or the firewall will be closed. Any system that is to be made visible later must be requested and must pass the network scan before the firewall will be opened.
* The procedure for remote access users (DSL, modems) will not change. DSL sites are blocked by default but users may request port 80 be opened for a system. Modem (dial-in) users will not have server ports opened.
Remember, all web servers are accessible from any campus computer. The firewall only blocks access from off-campus. Only systems that the administrator wants visible and will keep secure will be visible to off-campus users.
If you have a question about the status of a host you own, please send mail to firewall@tamu.edu.