Summary
This announces the upcoming change to the firewall ruleset for the 8th floor of Berkeley Way West (BWW) on the 128.32.175.0/24 network. On September 15, 2020, the network border firewall policies will be brought in line with the existing IRIS (EECS) firewall ruleset for secure production networks. This change is to help facilitate moving all IRIS networks to the campus Palo Alto firewall infrastructure. Also, going forward, emailed requests for BWW firewall exceptions will no longer be needed. The standard IRIS network registration forms will be used to make web servers at BWW available to the outside Internet.
In more detail
On September 15, 2020, the BWW default firewall rules that block all incoming traffic will be removed.
This change will result in rules that only block ports/protocols as documented here:
https://iris.eecs.berkeley.edu/faq/security/eecs-firewall-ports/
In particular, services that utilize “high” or ephemeral ports (generally, anything over 1024) will no longer be blocked by the firewall, and will be accessible from the outside world. Printing and Microsoft remote desktop access (via 3389/tcp) will remain restricted to campus networks (including the campus VPN but not the CalVisitor guest wireless networks). Access from outside the BWW network to Microsoft ports will remain blocked. SSH (22/tcp) access to BWW from the Internet will remain open.
Devices should continue to use their own host-based firewall to block and protect any services that should not be exposed to the internet, in accordance with campus minimum security standards.
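The practical consequence of the two paragraphs above is that any service bound to a non-loopback address on a "high" port becomes reachable from the Internet on September 15 unless the host itself blocks it. The following added example (not part of the IRIS announcement or its linked FAQ) parses the output of `ss -H -tulnp` on a Linux host and classifies each listener by its reachability under the announced policy, then drafts a default-deny nftables input chain for the operator to review. The port sets `BORDER_BLOCKED` and `CAMPUS_ONLY` are assumptions built from the ports the announcement names (http/https, smtp, 3389/tcp) plus a guess at the printing ports; the authoritative list is the eecs-firewall-ports page linked above. The `ss` output embedded below is constructed sample data.

```python
"""Audit listening sockets against the announced BWW border policy.

Added example, not part of the IRIS announcement. Parses `ss -H -tulnp`
output and classifies each non-loopback listener as border-blocked,
campus-only, or Internet-reachable once the default-deny rule is removed.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: ports the border will still block outright. The page names
# http/https and smtp as examples; the full list is on the linked FAQ page.
BORDER_BLOCKED = {("tcp", 25), ("tcp", 80), ("tcp", 443)}
# ASSUMPTION: campus-only ports. The page names RDP (3389/tcp); the printing
# ports here are a guess at what "printing" covers.
CAMPUS_ONLY = {("tcp", 3389), ("tcp", 515), ("tcp", 631), ("tcp", 9100), ("udp", 631)}

LOOPBACK_PREFIXES = ("127.", "[::1]")
PROC_RE = re.compile(r'users:\(\("([^"]+)"')

# Constructed sample of `ss -H -tulnp` output (not captured from a real host).
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1000,fd=6))
tcp   LISTEN 0      4096       127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=900,fd=5))
tcp   LISTEN 0      511                *:8080            *:*    users:(("node",pid=1200,fd=18))
tcp   LISTEN 0      128             [::]:3389        [::]:*    users:(("xrdp",pid=700,fd=11))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=600,fd=12))
"""


@dataclass
class Listener:
    proto: str
    addr: str
    port: int
    process: str
    exposure: str  # "border-blocked" | "campus-only" | "internet"


def classify(proto: str, port: int) -> str:
    """Map a (proto, port) pair to its reachability under the announced ruleset."""
    key = (proto, port)
    if key in BORDER_BLOCKED:
        return "border-blocked"
    if key in CAMPUS_ONLY:
        return "campus-only"
    return "internet"  # everything else, including all ports above 1024


def parse_ss(text: str) -> list:
    """Parse `ss -H -tulnp` lines into Listener records, skipping loopback binds."""
    listeners = []
    for line in text.strip().splitlines():
        fields = line.split(None, 6)  # netid state recvq sendq local peer [process]
        if len(fields) < 6:
            continue
        proto, state, _rq, _sq, local, _peer = fields[:6]
        rest = fields[6] if len(fields) > 6 else ""
        if proto == "tcp" and state != "LISTEN":
            continue  # only sockets accepting inbound traffic matter
        addr, _, port = local.rpartition(":")
        if addr.startswith(LOOPBACK_PREFIXES):
            continue  # loopback-only: not reachable from the network
        m = PROC_RE.search(rest)
        process = m.group(1) if m else "?"
        listeners.append(Listener(proto, addr, int(port), process, classify(proto, int(port))))
    return listeners


def nft_draft(listeners: list, intended_public: set) -> str:
    """Draft a default-deny nftables input chain for operator review.

    Internet-reachable listeners in `intended_public` get accept rules; every
    other Internet-reachable listener is flagged in a comment so the operator
    can decide to allow it, bind it to loopback, or stop the service.
    """
    lines = [
        "table inet host_fw {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    seen = set()
    for l in listeners:
        if l.exposure != "internet" or (l.proto, l.port) in seen:
            continue  # border-blocked/campus-only ports are left to the border policy
        seen.add((l.proto, l.port))
        if (l.proto, l.port) in intended_public:
            lines.append(f'    {l.proto} dport {l.port} accept comment "{l.process}"')
        else:
            lines.append(f"    # REVIEW: {l.process} on {l.port}/{l.proto} will be Internet-reachable")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = parse_ss(SAMPLE_SS)
    for l in found:
        print(f"{l.proto:3} {l.port:5} {l.process:14} {l.exposure}")
    print(nft_draft(found, {("tcp", 22)}))
```

On a real host, feed the output of `ss -H -tulnp` to `parse_ss` instead of the sample, and treat the draft as a starting point: it only opens the ports you list in `intended_public`, and it deliberately does not open border-blocked or campus-only ports, since those exceptions are requested through the IRIS Network Database rather than on the host.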
The purpose of the change is to bring the Palo Alto firewall ruleset in line with the firewall ruleset we have used for IRIS with our Juniper NetScreen firewalls. This will enable us to migrate our other secure production subnets to the newer Palo Alto firewalls, in preparation for retirement of the older Juniper NetScreen firewalls.
Going forward
You’ll no longer need to request any firewall exceptions, unless they pertain to one of the blocked ports/protocols listed at the link above. For some blocked ports/protocols (e.g. http/https and smtp), you may request that the traffic be allowed to your fixed-DHCP (fixed IP address) devices by registering each device in the IRIS Network Database (https://iris.eecs.berkeley.edu/network/) and indicating the need for that traffic.
See also: