
Site Access Policy

last modified 18-02-2010 19:57

What's allowed, what's prohibited


In the text below,

  • outgoing means "from inside (e.g. ESRF or ILL or EMBL) to outside" while
  • incoming stands for the other way
  • the DMZ (DeMilitarized Zone) is the only network accessible from outside, where the firewall and the public Web/Ftp servers are located


Internal users can communicate without constraints with the external world


Outgoing Ssh, Ftp and Http (World Wide Web) are allowed. Http is only possible by setting the browser's proxy configuration to the internal Web cache of each Institute; direct outgoing Http from a desktop is not passed by the firewall. Telnet was closed in February 2003 and is replaced by Ssh (encrypted sessions).


Users must be security-aware: just as installing the contents of an unchecked USB key on a PC may result in the destruction of its hard disk, care must be taken with EXECUTABLE FILES OR UTILITIES downloaded from the Internet via Ftp, E-mail or the Web. Running them can be done at your own risk on a PC, but never on a UNIX server!


Our site can be accessed by external users, with some restriction

Access is only accepted from client computers correctly registered in the DNS.

Incoming Ssh is restricted to the firewall itself, which in turn connects to predefined internal secure hosts, one per Institute on the site. From these secure hosts, any Ssh or Ftp session can be issued, be it outgoing or internal (the latter is called "bouncing").

Incoming Sftp (similar to ftp but using Ssh transport for encryption) can be used to connect to the same predefined internal secure hosts as with Ssh.

Incoming Telnet has been closed in February 2003 and is replaced by Ssh (encrypted sessions).

Incoming Ftp can reach only one dedicated anonymous Ftp server per Institute on the site, located on the DMZ network and called the public Ftp server. For an external user, outgoing Ftp is performed by first using Ssh to one internal secure host, then an optional Ssh/Telnet to the desired internal host, and finally an Ftp from that host to the external file server.

Incoming Http (World Wide Web) can reach only one dedicated World Wide Web server, unique for each Institute on the site, located on the DMZ network and called the public Web server.


Once again, users must be security-aware: the password of an internal account has to be unguessable and must NEVER be given to an external user. Contact your system administrator first if an external user needs to access our site. The firewall is a complex system and its maintenance is expensive, so please don't make it useless!

Unsupported services


What is not specifically allowed is forbidden.

A number of services are NOT SUPPORTED, as there is generally no secure method of providing them. These include

  • telnet,
  • talk,
  • rlogin,
  • rusers,
  • ping,
  • traceroute,
  • NFS,
  • X-Window,
  • NTP and many others.

All UDP-based services are NOT PROVIDED, e.g. NFS.

While this may seem like an inconvenience, it is necessary for the survival of our internal systems that we maintain this apparently paranoid stance. Technically, most of these services rely on dynamic port allocation mechanisms that a packet filter cannot follow reliably; allowing them would open large security holes in the firewall.
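The policy in this section and in the two sections above, written out as an nftables ruleset. This is an added example and is not the ESRF firewall's own configuration: interface names, addresses, the number of secure hosts and the Web cache host are assumptions chosen for illustration (documentation and private ranges). It encodes the default-deny stance ("what is not specifically allowed is forbidden"), incoming Ssh to the firewall only with bouncing to the secure hosts, incoming Ftp/Http to the DMZ public servers only, outgoing Http only from the internal Web cache, and no UDP anywhere. Ftp is the one permitted service with in-band dynamic port negotiation, so the example shows how a conntrack helper handles it instead of opening a port range.

```nft
#!/usr/sbin/nft -f
# Hypothetical topology (assumed for this example, not taken from the policy):
#   eth0 = external link, eth1 = DMZ, eth2 = internal site network
#   192.0.2.0/24   DMZ: public Web server .10, public Ftp server .11
#   10.0.0.0/8     internal networks
#   10.1.0.10, 10.2.0.10, 10.3.0.10  the "internal secure hosts", one per Institute
#   10.1.0.20      the internal Web cache (proxy) that makes outgoing Http
flush ruleset

define EXT = "eth0"
define DMZ = "eth1"
define INT = "eth2"
define PUBLIC_WEB = 192.0.2.10
define PUBLIC_FTP = 192.0.2.11
define SECURE_HOSTS = { 10.1.0.10, 10.2.0.10, 10.3.0.10 }
define WEB_CACHE = 10.1.0.20

table inet site_fw {
    # Ftp negotiates its data connection inside the port-21 control channel
    # ("dynamic port allocation"). The conntrack helper (kernel module
    # nf_conntrack_ftp) parses that channel so the data connection is accepted
    # as "related" below, without opening any port range.
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    chain prerouting {
        type filter hook prerouting priority -10; policy accept;
        tcp dport 21 ct helper set "ftp-std"
    }

    # Traffic addressed to the firewall itself: only incoming Ssh.
    # The "registered in the DNS" check of the policy is done by the daemon
    # accepting the session (e.g. a reverse lookup), not by the packet filter.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iif "lo" accept
        iifname $EXT tcp dport 22 ct state new accept
    }

    # Traffic crossing the firewall. Default deny: what is not listed is forbidden.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept

        # Incoming: the DMZ public servers only, TCP only (no UDP at all).
        iifname $EXT oifname $DMZ ip daddr $PUBLIC_WEB tcp dport 80 accept
        iifname $EXT oifname $DMZ ip daddr $PUBLIC_FTP tcp dport 21 accept

        # Outgoing for internal users: Ssh and Ftp directly, Http only via the Web cache.
        iifname $INT oifname $EXT tcp dport { 21, 22 } accept
        iifname $INT oifname $EXT ip saddr $WEB_CACHE tcp dport 80 accept

        # Path-MTU discovery needs this ICMP type to get through; echo-request
        # (ping) and time-exceeded (what traceroute relies on) are deliberately
        # not listed, so they fall through to the drop policy.
        icmp type destination-unreachable accept

        # Nothing else: telnet, rlogin, talk, X-Window, NFS, NTP and every other
        # UDP service match no rule above and are dropped by the chain policy.
    }

    # Sessions originated by the firewall: it bounces incoming Ssh only to the
    # secure hosts, nothing else.
    chain output {
        type filter hook output priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        oif "lo" accept
        oifname $INT ip daddr $SECURE_HOSTS tcp dport 22 accept
    }
}
```

Load with `nft -f` after `modprobe nf_conntrack_ftp`; `nft list ruleset` shows what is active. Every accept is tied to an interface pair, a destination host and a TCP port, so adding a service means adding one explicit line, which is exactly the review point the policy asks for. Management access to the DMZ servers from inside is not covered by the policy text and would need its own rule.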


Please do not open a back door: use of modems is restricted


Independent modems are PROHIBITED, because securing the front door is pointless if the back windows are wide open!

Therefore, use exclusively the remote access systems operated by the Computing / Network services. If a modem is absolutely required for a good reason, then it must be registered.


European Synchrotron Radiation Facility