What/Why

Currently most desktop computers and many group compute servers at SLAC have public IP addresses with most ports above 1024 open to the internet. The vast majority of these machines have no need for incoming TCP connections, and leaving these ports open poses a security risk for no gain in functionality. We therefore propose to move to a system where by default all incoming TCP ports will be blocked at the border router.

Since we have no good way of knowing what incoming ports will need to remain open, we will need to perform a community outreach to inform group computing coordinators, and later everyone at SLAC, about the plan. During this initial outreach period, and for the foreseeable future after port blocking is implemented, we will need to have a very low impedance method for people to request that ports be opened to specific machines or sets of machines. During this period most requests for incoming port openings should be accepted with minimal review.

When port blocking is first implemented we should anticipate that we will not have received input from many users who will nevertheless be affected by the blocking, and we will have to plan to have an easy way for users to get ports unblocked quickly (perhaps by increased staffing of the computing "help desk").

Timeline
In order to implement this policy we need to do the following:
- Document initial simple plan
- Set up (buy or make) some database to keep track of exceptions
- Communicate plan to relevant group computing coordinators
- Gather feedback and exception requests
- Acquire firewall capable of implementing this policy
- Set up automated system for feeding exceptions into firewall
- Finalize plan based on feedback
- Document plan in "policies and procedures"
- Announce plan to all users (via SLAC today?)
- Implement policy
- Anticipate feedback from confused users
- Ongoing review of exceptions and formulation of longer term policy
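As an added illustration of the "automated system for feeding exceptions into firewall" step above (example code, not part of the SLAC proposal or any SLAC tooling), the script below takes exception records, validates each one against the site's address space, and renders an allow-list followed by the default inbound TCP deny. It assumes nftables rule syntax, a placeholder site prefix 192.0.2.0/24 (an RFC 5737 documentation range, not SLAC's), and a constructed PortException record shape with a ticket id so every opened port stays traceable to a request.

```python
"""Render a default-deny inbound TCP ruleset from a list of port exceptions.

Assumptions (constructed for this example): exception records carry a host or
prefix, a TCP port and a ticket id; the output is nftables rule syntax; the
site prefix is a placeholder documentation range.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder for the site's public address space (RFC 5737 range, not SLAC's).
SITE_PREFIX = ipaddress.ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class PortException:
    host: str    # single address or CIDR prefix inside SITE_PREFIX
    port: int    # TCP destination port to allow inbound
    ticket: str  # request / ticket id so each opening is traceable


def validate(exc: PortException) -> Optional[str]:
    """Return the reason an exception is rejected, or None if it is acceptable."""
    try:
        net = ipaddress.ip_network(exc.host, strict=False)
    except ValueError:
        return f"{exc.host}: not a valid address or prefix"
    if net.version != SITE_PREFIX.version:
        # IPv6 is still an open question; reject rather than silently allow.
        return f"{exc.host}: IP version {net.version} not handled by this policy"
    if not net.subnet_of(SITE_PREFIX):
        return f"{exc.host}: outside site prefix {SITE_PREFIX}"
    if not 1 <= exc.port <= 65535:
        return f"{exc.host}: port {exc.port} out of range"
    if not exc.ticket:
        return f"{exc.host}:{exc.port}: no ticket recorded for this exception"
    return None


def render_ruleset(exceptions: List[PortException],
                   allow_ssh_by_default: bool = False) -> Tuple[List[str], List[str]]:
    """Return (rules, rejected).

    rules: nftables lines in evaluation order -- replies to outbound
    connections first, one accept per valid exception, then the default drop
    for new inbound TCP connections to the whole site prefix.
    rejected: human-readable reasons for records that were not turned into rules.
    """
    rules = ["ct state established,related accept"]
    if allow_ssh_by_default:  # one of the open questions: block incoming ssh or not
        rules.append(f"ip daddr {SITE_PREFIX} tcp dport 22 accept")
    rejected = []
    for exc in exceptions:
        reason = validate(exc)
        if reason is not None:
            rejected.append(reason)
            continue
        rules.append(
            f'ip daddr {exc.host} tcp dport {exc.port} accept comment "{exc.ticket}"'
        )
    # Default deny: anything not explicitly accepted above is dropped.
    rules.append(f"ip daddr {SITE_PREFIX} ip protocol tcp ct state new drop")
    return rules, rejected


# Constructed sample exception requests (not real hosts or tickets).
SAMPLE_REQUESTS = [
    PortException("192.0.2.17", 8443, "RT-1001"),
    PortException("192.0.2.64/26", 22, "RT-1002"),
    PortException("198.51.100.5", 80, "RT-1003"),  # outside site prefix -> rejected
    PortException("192.0.2.9", 70000, "RT-1004"),  # bad port -> rejected
    PortException("192.0.2.9", 443, ""),           # no ticket -> rejected
]

if __name__ == "__main__":
    rules, rejected = render_ruleset(SAMPLE_REQUESTS)
    print("\n".join(rules))
    for reason in rejected:
        print("rejected:", reason)
```

Rule order is what makes this safe: the established/related accept keeps outbound sessions working, the per-ticket accepts are specific to one host or prefix and one port, and the final drop is the policy itself, so an exception that fails validation simply never appears and the default deny still applies to it.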
Open questions
- Block incoming ssh by default?
- Leave incoming UDP open by default?
- How to communicate to computing coordinators?
- IPv6 support?
- Who is going to do the work?