What/Why

Currently most desktop computers and many group compute servers at SLAC have public IP addresses with most ports above 1024 open to the internet. The vast majority of these machines have no need for incoming TCP connections, and leaving these ports open poses a security risk for no gain in functionality. We therefore propose to move to a system where, by default, all incoming TCP ports will be blocked at the border router.

Since we have no good way of knowing which incoming ports will need to remain open, we will need to perform a community outreach to inform group computing coordinators, and later everyone at SLAC, about the plan. During this initial outreach period, and for the foreseeable future after port blocking is implemented, we will need a very low-impedance method for people to request that ports be opened to specific machines or sets of machines. During this period most requests for incoming port openings should be accepted with minimal review.

When port blocking is first implemented we should anticipate that we will not have received input from many users who will nevertheless be affected by the blocking, and we will have to plan an easy way for users to get ports unblocked quickly (perhaps by increased staffing of the computing "help desk").

Timeline

In order to implement this policy we need to do the following:

  • Document initial simple plan
  • Set up (buy or make) some database to keep track of exceptions
  • Communicate plan to relevant group computing coordinators
  • Gather feedback and exception requests
  • Acquire firewall capable of implementing this policy
  • Set up automated system for feeding exceptions into firewall
  • Finalize plan based on feedback
  • Document plan in "policies and procedures"
  • Announce plan to all users (via SLAC today?)
  • Implement policy
  • Anticipate feedback from confused users
  • Ongoing review of exceptions and formulation of longer term policy
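The "database of exceptions" and "automated system for feeding exceptions into firewall" steps above, as an added example that is not part of the proposal: a small exception record with validation and expiry, rendered into an nftables ruleset that accepts return traffic and the listed holes and drops all other inbound TCP to the site prefix. The site prefix, hosts, requesters and dates are constructed sample values, and nftables is assumed as the firewall; the proposal does not name one.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class PortException:
    host: str          # machine the port is opened to (dotted quad)
    port: int          # inbound TCP port to allow
    requester: str     # who asked, so the ongoing review knows whom to contact
    expires: date      # time-limited so stale holes come back up for review

def validate(host: str, port: int, site: IPv4Network):
    """Return an error string for a request the border policy cannot express, else None."""
    try:
        addr = IPv4Address(host)
    except ValueError:
        return f"{host!r} is not an IPv4 address"
    if addr not in site:
        return f"{host} is outside the site prefix {site}"
    if not 1 <= port <= 65535:
        return f"port {port} is out of range"
    return None

def active(exceptions, site: IPv4Network, today: date):
    """Validated, unexpired exceptions in a stable order (host, then port)."""
    live = []
    for exc in exceptions:
        err = validate(exc.host, exc.port, site)
        if err:
            raise ValueError(err)
        if exc.expires >= today:
            live.append(exc)
    return sorted(live, key=lambda e: (int(IPv4Address(e.host)), e.port))

def render_nft(exceptions, site: IPv4Network, today: date, block_udp: bool = False) -> str:
    """nftables ruleset: return traffic and listed holes accepted, other inbound TCP dropped."""
    lines = ["table inet border {", "  chain forward_in {",
             "    type filter hook forward priority filter; policy accept;",
             "    ct state established,related accept"]
    for exc in active(exceptions, site, today):
        lines.append(f"    ip daddr {exc.host} tcp dport {exc.port} accept"
                     f"  # {exc.requester}, until {exc.expires}")
    lines.append(f"    ip daddr {site} meta l4proto tcp drop")
    if block_udp:  # left as an open question in the proposal; off by default here
        lines.append(f"    ip daddr {site} meta l4proto udp drop")
    lines += ["  }", "}"]
    return "\n".join(lines)

# Constructed sample data, not real SLAC hosts or requests.
SITE = IPv4Network("192.0.2.0/24")
TODAY = date(2024, 6, 1)
SAMPLE = [PortException("192.0.2.20", 22, "group-b", date(2024, 1, 1)),     # expired
          PortException("192.0.2.10", 8443, "group-a", date(2024, 12, 31))]
```

Rule order matters: the per-host accepts must precede the prefix-wide drop, and the expired entry is omitted rather than rendered, which is what the ongoing-review step relies on.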
Diagram: Port blocking Workflow

Open questions

  • Block incoming ssh by default?
  • Leave incoming UDP open by default?
  • How to communicate to computing coordinators?
  • IPv6 support?
  • Who is going to do the work?