Home > Security
> News & Services > Changes
to WHOI firewall policy
Changes to WHOI firewall policy
In response to advice from the Information Technology Advisory
Committee (ITAC), CIS will be changing over the WHOInet firewall
to an "inbound default deny" stance beginning Tuesday,
November 12. This will greatly increase WHOI's security from Internet-borne
attacks. However, it also means that operators of publicly available
network services (such as Web servers) hosted on WHOInet will
need to explicitly enable them to pass through the firewall.
The purpose of this change is not to restrict the services being
run on WHOInet, but to prevent outside attackers from exploiting
unintentionally exposed services. People operating public services
will be able to register them online beginning Monday, October
7, as well as through the CIS Helpdesk.
To register your systems, please see Registering
your services below.
Whom does this affect?
This change does not affect the use of Web browsers,
email, FTP clients, and the like. Access to outside Web sites
and other services is not being changed in any way. It also does
not affect your access to network resources within WHOI.
Basically, the only WHOInet users who will be directly affected
by this change are those running Internet services that are intended
for use by people outside of WHOInet. This can include:
- Web pages for public consumption
- FTP archives of data for other institutions' use
- Secure Shell (SSH) for remote administration
... among others. Naturally, if your Web page or FTP archive
is hosted on the central WHOI Web or FTP server, it will continue
to be accessible.
How a firewall works
The role of a firewall in a network is to defend against attacks
by blocking unwanted or unexpected network traffic. If an attacker
cannot connect to a service on your system, then s/he can't attack
your system. The firewall resides between WHOInet and the outside
Internet, standing guard over incoming and outgoing network connections.
At present, our firewall has a default allow policy.
It blocks only those things we specifically tell it to block.
The problem with this is that new attacks are being invented all
the time -- and under a default allow policy, we are exposed to
any attack that we don't specifically secure against. If you have
a Web server that's only intended for use by WHOI users but leave
it open to the world, anyone might attack it -- since under default
allow we do not block access to WHOInet Web servers unless asked
Inbound default deny
What we mean by inbound default deny is that we will
continue to allow WHOInet computers to connect to any outside
Internet service, but will place restrictions on whether outside
hosts are allowed to connect to WHOInet services. By default,
if an outside system probes or tries to connect to a WHOInet computer,
that connection will be rejected (denied) by the firewall. External
access will only be allowed if the person responsible for the
service has told CIS that it should be allowed by registering
We are retaining the outbound default allow policy, meaning
that computers within WHOInet will still be allowed to access
outside network resources with no further restriction. This is
what happens when you access a Web page, for instance, and "outbound
default allow" means that you'll still be able to access
Web pages just the same.
The WHOI Information Technology Advisory Committee (ITAC) recommended
the "inbound default deny / outbound default allow"
stance in its white
paper on network security (PDF) as a way of improving WHOInet
security with a minimum of interference with work. After evaluating
and purchasing new firewall hardware and developing an online
registration system, CIS is implementing this policy.
Because the firewall stands between the outside world and WHOInet,
it cannot protect your computer from attacks coming from other
WHOI computers. It's unlikely that a WHOI user would want to attack
your system, but a worm or virus that got inside WHOInet via an
exposed service could still do so. For this reason, it's still
your responsibility to maintain your systems securely.
Registering your services
You can now register your network services using the online
Registration System. When prompted for your username and
password, enter the username and password you use to check your
After the 12th of November, outside Internet users will only
be able to access WHOInet services which have been registered
with CIS. What this means is that if you have a Web server, FTP
server, or the like and you want it accessible from outside WHOI,
you need to register it. This lets us know that you want
it to be accessible through the firewall.
You will also be able to register your services by contacting
the CIS Helpdesk.
Please register your hosts and services sooner rather than later.
The reason we are announcing this a month in advance is so that
you have time to do so before the changes take effect. This way,
your services will never be blocked or disrupted. As long as you
register your services prior to November 12, this change
will not disrupt them at all.
Keep in mind that when you register a service, you are asking
CIS to expose that service to the outside world. This means we
are opening up a hole in the firewall -- a hole you're responsible
for defending. You need to ensure that your systems and services
are up to date and maintained securely, so that your system does
not cause a security threat to the rest of the WHOI community.
If you are off-site or prefer to use an encrypted Web form,
you may wish to use the SSL-encrypted
version of the Service Registration System. In order to reach
the secure server, some browsers will need to have a CIS
Security Certificate installed. (Under Netscape or Internet
Explorer, just click on the CIS Security Certificate link, and
your browser will lead you through installing the certificate.)
Questions & Concerns
If you have any questions or concerns about the firewall system,
the policy changes being made, or the service registration system,
please contact Karl Krueger
or Art Gaylord.