INITIATIVE: Security at the Network Perimeter - Border Firewall (Fall 2018)
The UofM network is the target of continuous malicious inbound traffic, ranging from scans seeking out vulnerable systems to actual attacks. Some of these threats are blocked by a network Intrusion Prevention System (IPS), however a significant number pass through undetected. In August 2017, the IT Security team instituted limited port blocks for SSH traffic originating outside the United States and Canada. While these blocks have proved beneficial, attackers are increasingly turning to US based hosting providers to launch attacks.
While some individuals who use the campus network have both the will and the technical
expertise to harden their systems against these external threats, this is not the
norm. Anecdotally, a substantial percentage of our community assumes that their systems
are not accessible from the internet and are surprised to find that a full firewall
is not in operation at the perimeter. This is, after all, significantly less protection
than is typical on their home networks, where most broadband routers have integrated
There is a natural tension between an open network that allows research and collaboration to occur without impediment and the obligation that ITS has to provide effective computer security mechanisms to the campus. Efforts to secure the campus network must therefore always be undertaken with due consideration for the possible implications with regard to the academic mission. A satisfactory solution to this problem would be one in which all computer systems are protected by default, but also allow for exceptions to be created for legitimate use cases that further the academic mission of the University
The IT Security, Identity Management, and Compliance team recommends further implementation of a firewall at the campus network perimeter to filter out any inbound traffic that has not been specifically granted by exception.
- Institute further packet filtering at the campus network perimeter using existing
Palo Alto equipment. By default, all inbound network traffic will be denied except
traffic destined for the ITS data center or the Library data center colo, each of
which have their own firewall systems. The IT Security team is only recommending inbound
filtering; outbound traffic to the internet will be unaffected.
- Individuals can utilize the campus VPN service to access systems behind the border
firewall without requesting an exception. This would be the preferred method.
- Exceptions may be requested by a faculty or staff member by submitting a helpdesk
ticket. The IT Security team will review all requests and work with the requestor
if the request is overly broad or represents a significant risk to campus security.
The IT Security team will work with LSPs and their constituents to pre-populate any
exceptions prior to the implementation date. Exceptions will be reviewed periodically
and may require renewal in the future.
- The planned implementation date is Monday, November 12th. Pending further feedback from IT Governance committees and approval by the CIO, the change will be communicated to the campus community in mid-October. The IT Security team reserves the right to modify the implementation date should additional communication or exception vetting arise.