Interconnect between the restricted-access network and the regular campus network.

General

  • ITSO will determine and manage the access policy.
  • NIS will operate the in-line equipment.
  • All traffic from/to the restricted access network will pass through this border.
  • 1Gbps throughput will be good enough for now.

Access Policy

ICMP and other Firewall generic rules

  • Inbound ICMP errors SHOULD NOT be filtered by source IP address (RFC 4787, Network Address Translation (NAT) Behavioral Requirements for Unicast UDP, section 9: ICMP Destination Unreachable Behavior).
  • Inbound ICMP errors MAY be filtered by a stateful match against outbound traffic (e.g. the Linux connection-tracking RELATED state).
  • Outbound ICMP echo requests SHOULD be permitted to any host for which other outbound traffic is permitted.
  • Outbound ICMP echo requests SHOULD be rejected with an ICMP administratively prohibited error if sent to non-authorized destinations.
  • Inbound ICMP echo replies SHOULD be permitted from any host to which ICMP echo requests may be sent. A stateful firewall may handle this automatically.
  • TCP connections to unauthorized destinations SHOULD be rejected with TCP RST.
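The policy above expressed as an nftables ruleset for the border host, added here as an example and not part of the original page or of any ITSO/NIS configuration. It assumes constructed values: the restricted network sits behind interface rnet0, the campus side is campus0, and the set authorized_dst lists the destinations restricted hosts may reach.

```shell
#!/bin/sh
# Added example: nftables rules implementing the ICMP/TCP border policy.
# Interface names, addresses and the authorized_dst set are constructed
# placeholders, not values from the page.
border_ruleset() {
cat <<'EOF'
flush ruleset
table inet border {
    # Destinations restricted hosts may reach (constructed sample values).
    set authorized_dst {
        type ipv4_addr; flags interval;
        elements = { 10.20.0.0/16, 192.0.2.10 }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Inbound ICMP errors: accepted by stateful RELATED match only,
        # never filtered on source address (RFC 4787 section 9).
        iifname "campus0" oifname "rnet0" ct state related icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        # Echo replies to echoes we let out, and all other return traffic.
        ct state established,related accept

        # Outbound echo requests: allowed to authorized destinations,
        # rejected with admin-prohibited everywhere else.
        iifname "rnet0" oifname "campus0" icmp type echo-request ip daddr @authorized_dst accept
        iifname "rnet0" oifname "campus0" icmp type echo-request reject with icmpx type admin-prohibited

        # Other new outbound traffic to authorized destinations.
        iifname "rnet0" oifname "campus0" ip daddr @authorized_dst ct state new accept
        # TCP to unauthorized destinations is rejected with RST, not dropped.
        iifname "rnet0" oifname "campus0" meta l4proto tcp reject with tcp reset
        # Remaining outbound traffic is rejected, not silently dropped.
        iifname "rnet0" oifname "campus0" reject with icmpx type admin-prohibited
    }
}
EOF
}

# Syntax-check without loading (needs the nft binary):  border_ruleset | nft -c -f -
# Load on the border host as root:                      border_ruleset | nft -f -
```

Note that `flush ruleset` clears every existing table on the host, so merge these rules into an existing ruleset rather than loading this file as-is on a box that already carries other tables.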

Hardware

  • IPv4 NAT
    • NIS will purchase and specify the IPv4 NAT device.
    • NAT device could most likely support IPv4 firewall as well.
  • Firewall
    • May be the same as IPv4 NAT device.
    • To be jointly specified by ITSO and NIS R&D.
    • How to deal with IPv6
    • Cisco?
    • Juniper?
    • SonicWall?
    • StoneSoft? (being tested by ITSO)
    • Unix/Linux + iptables/pfsense for IPv6 only?
    • http://www.getipv6.info/index.php/IPv6_Firewalls
  • IPS/IDS
    • Specified and purchased by ITSO.
  • FireEye
    • Specified and purchased by ITSO.