Changes to WHOI firewall policy
In response to advice from the Information Technology Advisory
Committee (ITAC), CIS will be changing over the WHOInet firewall
to an "inbound default deny" stance beginning Tuesday,
November 12. This will greatly increase WHOI's security from Internet-borne
attacks. However, it also means that operators of publicly available
network services (such as Web servers) hosted on WHOInet will
need to explicitly enable them to pass through the firewall.
The purpose of this change is not to restrict the services being
run on WHOInet, but to prevent outside attackers from exploiting
unintentionally exposed services. People operating public services
will be able to register them online beginning Monday, October
7, as well as through the CIS Helpdesk.
To register your systems, please see Registering
your services below.
Whom does this affect?
This change does not affect the use of Web browsers,
email, FTP clients, and the like. Access to outside Web sites
and other services is not being changed in any way. It also does
not affect your access to network resources within WHOI.
Basically, the only WHOInet users who will be directly affected
by this change are those running Internet services that are intended
for use by people outside of WHOInet. This can include:
- Web pages for public consumption
- FTP archives of data for other institutions' use
- Secure Shell (SSH) for remote administration
... among others. Naturally, if your Web page or FTP archive
is hosted on the central WHOI Web or FTP server, it will continue
to be accessible.
How a firewall works
The role of a firewall in a network is to defend against attacks
by blocking unwanted or unexpected network traffic. If an attacker
cannot connect to a service on your system, then s/he can't attack
your system. The firewall resides between WHOInet and the outside
Internet, standing guard over incoming and outgoing network connections.
At present, our firewall has a default allow policy.
It blocks only those things we specifically tell it to block.
The problem with this is that new attacks are being invented all
the time -- and under a default allow policy, we are exposed to
any attack that we don't specifically secure against. If you have
a Web server that's only intended for use by WHOI users but leave
it open to the world, anyone might attack it -- since under default
allow we do not block access to WHOInet Web servers unless asked
to.
Inbound default deny
What we mean by inbound default deny is that we will
continue to allow WHOInet computers to connect to any outside
Internet service, but will place restrictions on whether outside
hosts are allowed to connect to WHOInet services. By default,
if an outside system probes or tries to connect to a WHOInet computer,
that connection will be rejected (denied) by the firewall. External
access will only be allowed if the person responsible for the
service has told CIS that it should be allowed by registering
it.
We are retaining the outbound default allow policy, meaning
that computers within WHOInet will still be allowed to access
outside network resources with no further restriction. This is
what happens when you access a Web page, for instance, and "outbound
default allow" means that you'll still be able to access
Web pages just the same.
The WHOI Information Technology Advisory Committee (ITAC) recommended
the "inbound default deny / outbound default allow"
stance in its white
paper on network security (PDF) as a way of improving WHOInet
security with a minimum of interference with work. After evaluating
and purchasing new firewall hardware and developing an online
registration system, CIS is implementing this policy.
Because the firewall stands between the outside world and WHOInet,
it cannot protect your computer from attacks coming from other
WHOI computers. It's unlikely that a WHOI user would want to attack
your system, but a worm or virus that got inside WHOInet via an
exposed service could still do so. For this reason, it's still
your responsibility to maintain your systems securely.
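As an added illustration (not part of the CIS announcement), the following Python simulation applies the stance described above to a few constructed packets: an outbound connection and its reply pass, a registered service is reachable from outside, an unregistered one is denied, and traffic between two WHOI hosts never crosses the firewall at all. The address ranges, the registered-service list and the Firewall class are assumptions made for this example, and the same packets can be run through the old "default allow" stance for comparison.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: RFC 5737 documentation ranges stand in for WHOInet
# and the outside Internet (not WHOI's real address space).
WHOINET = ipaddress.ip_network("192.0.2.0/24")
# Services whose owners registered them with CIS: (host, protocol, port).
REGISTERED = {("192.0.2.10", "tcp", 80),   # a public Web server
              ("192.0.2.20", "tcp", 22)}   # SSH for remote administration

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class Firewall:
    """Stateful filter between WHOInet and the Internet. inbound_default is
    "DENY" for the new stance and "ACCEPT" for the old one; outbound is always
    allowed, and an admitted connection may continue in both directions."""
    def __init__(self, registered, inbound_default="DENY"):
        self.registered = set(registered)
        self.inbound_default = inbound_default
        self.sessions = set()  # 5-tuples of connections already admitted

    def filter(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        src_in = ipaddress.ip_address(p.src) in WHOINET
        dst_in = ipaddress.ip_address(p.dst) in WHOINET
        if src_in == dst_in:
            return "UNFILTERED"  # never crosses the firewall (e.g. WHOI-to-WHOI)
        if fwd in self.sessions or rev in self.sessions:
            return "ACCEPT"  # reply to, or continuation of, an admitted connection
        if src_in or (p.dst, p.proto, p.dport) in self.registered:
            self.sessions.add(fwd)  # outbound default allow, or a registered service
            return "ACCEPT"
        if self.inbound_default == "ACCEPT":
            self.sessions.add(fwd)
        return self.inbound_default

def decisions(inbound_default="DENY"):
    """Run the same four packets through the old ("ACCEPT") or new stance."""
    fw = Firewall(REGISTERED, inbound_default)
    return (fw.filter(Packet("192.0.2.50", 40000, "198.51.100.5", 80)),  # browsing out
            fw.filter(Packet("198.51.100.5", 80, "192.0.2.50", 40000)),  # the reply
            fw.filter(Packet("198.51.100.9", 51000, "192.0.2.10", 80)),  # registered Web
            fw.filter(Packet("198.51.100.9", 51001, "192.0.2.50", 80)))  # unregistered
```

Only the last packet changes outcome between the two stances, which is exactly the "unintentionally exposed service" the new policy is meant to close off.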
Registering your services
You can now register your network services using the online
Service
Registration System. When prompted for your username and
password, enter the username and password you use to check your
WHOI email.
After the 12th of November, outside Internet users will only
be able to access WHOInet services which have been registered
with CIS. What this means is that if you have a Web server, FTP
server, or the like and you want it accessible from outside WHOI,
you need to register it. This lets us know that you want
it to be accessible through the firewall.
You will also be able to register your services by contacting
the CIS Helpdesk.
Please register your hosts and services sooner rather than later.
The reason we are announcing this a month in advance is so that
you have time to do so before the changes take effect. This way,
your services will never be blocked or disrupted. As long as you
register your services prior to November 12, this change
will not disrupt them at all.
Keep in mind that when you register a service, you are asking
CIS to expose that service to the outside world. This means we
are opening up a hole in the firewall -- a hole you're responsible
for defending. You need to ensure that your systems and services
are up to date and maintained securely, so that your system does
not cause a security threat to the rest of the WHOI community.
If you are off-site or prefer to use an encrypted Web form,
you may wish to use the SSL-encrypted
version of the Service Registration System. In order to reach
the secure server, some browsers will need to have a CIS
Security Certificate installed. (Under Netscape or Internet
Explorer, just click on the CIS Security Certificate link, and
your browser will lead you through installing the certificate.)
Questions & Concerns
If you have any questions or concerns about the firewall system,
the policy changes being made, or the service registration system,
please contact Karl Krueger
or Art Gaylord.