Enhancing UCI’s Internet Firewall through “Server Registration”

In September 2007, NACS changed the configuration of the campus network to improve security.  UCI’s Internet firewall (a device that controls off-campus access to UCI computers) now denies inbound connections except the ones that have been approved in advance by faculty and staff. This protects most campus systems from unauthorized access while preserving off-campus connectivity wherever it is needed.

Directing Network Traffic

The process of authorizing specific off-campus connections is called “server registration” although it is not limited to servers in the traditional sense. If you own or manage a computer that needs to accept network connections from off campus, you can define what kinds of access are needed using a Web-based form. You can then manage all the machines you are responsible for, using a set of online tools.  Please check with your local support, because some units coordinate server registration on behalf of users.

Registration offers a simplified configuration process for common situations, such as remote access — secure shell (SSH) or Microsoft Remote Desktop — or systems that really are servers and are already protected by firewalls. If you manage a large number of systems, you can register them as a group by email request to security@uci.edu .

Since server registration was implemented last September, 4.5 billion unauthorized probes from off campus have been blocked, or roughly 12 million per day.

A more complete description of this service and how to use it can be found on the server registration web page.

Server Registration

NACS is always looking for new ways to protect users on UCInet from network-based attacks. One upcoming strategy is to deny inbound connections to campus computers except the ones that have been approved in advance by faculty and staff. This will protect most campus systems from unauthorized access while preserving off-campus connectivity wherever it is needed.

The process of authorizing specific off-campus connections is called “server registration” although it is not limited to servers in the traditional sense. If you own or manage one of the relatively few computers that needs to accept network connections from off campus, you can specify what kind of access is needed on the server registration form: http://www.nacs.uci.edu/network/servers/registration.php .

The form offers a simplified process for common situations, such as remote access (SSH & Remote Desktop Protocol), or systems that really are servers and are already protected by firewalls. If you manage a large number of systems, you can register them as a group by email request to security@uci.edu .

A more complete description of this service, and frequently asked questions can be found at: http://www.nacs.uci.edu/network/servers/ .

Register your Server

As the number and severity of security challenges continue to grow, NACS works hard to ensure that UCInet remains a useful, robust, and safe place to work. Towards that end, NACS now offers campus units the opportunity to block incoming network connections to their systems. Connections initiated from systems on your network will continue to work, so typical usage such as web browsing, email, instant messaging, and so forth, will be unaffected.

In order to support those services on your systems that do rely on incoming connections (such as web servers), NACS offers server registration. Using a simple form, you can identify which systems, and which services on those systems, need to be accessible from off-campus.
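The policy described in the two paragraphs above has three parts: connections initiated from campus keep working, inbound connections to registered services are allowed, and every other inbound connection is dropped. The following Python model, an added illustration rather than NACS's actual firewall configuration, shows how a stateful default-deny rule and a registration allowlist combine to produce exactly that behaviour. The campus range, the registration table and the off-campus address 203.0.113.10 are constructed for the example; 128.200.222.100 is the sample address used elsewhere on this page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed campus address range for this illustration only.
CAMPUS = ip_network("128.200.0.0/16")

# Hypothetical registration table: (campus host, protocol, port) tuples that
# faculty or staff have approved in advance for off-campus access.
REGISTRATIONS = {
    ("128.200.222.100", "tcp", 22),    # SSH to a registered workstation
    ("128.200.222.101", "tcp", 443),   # HTTPS on a departmental web server
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class InboundBlockingFirewall:
    """Default-deny for off-campus-initiated connections; allow replies to
    campus-initiated connections and traffic to registered services."""

    def __init__(self, registrations):
        self.registrations = set(registrations)
        self.outbound_flows = set()   # 5-tuples of flows initiated from campus

    def decide(self, pkt: Packet) -> str:
        src_on_campus = ip_address(pkt.src) in CAMPUS
        dst_on_campus = ip_address(pkt.dst) in CAMPUS

        if src_on_campus and not dst_on_campus:
            # Campus host initiating outbound: remember the flow so that the
            # reply direction is recognised later (a stateful "established" rule).
            self.outbound_flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"

        if dst_on_campus and not src_on_campus:
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.outbound_flows:
                return "ALLOW"          # reply to a campus-initiated connection
            if (pkt.dst, pkt.proto, pkt.dport) in self.registrations:
                return "ALLOW"          # explicitly registered service
            return "DROP"               # all other inbound connections are denied

        return "ALLOW"  # campus-internal traffic is outside this policy's scope


def run_demo():
    """Run constructed traffic through the model and return the verdicts."""
    fw = InboundBlockingFirewall(REGISTRATIONS)
    web_out = Packet("128.200.222.100", 51000, "203.0.113.10", 443)      # browsing
    web_reply = Packet("203.0.113.10", 443, "128.200.222.100", 51000)    # its reply
    ssh_in = Packet("203.0.113.10", 40000, "128.200.222.100", 22)        # registered
    smb_probe = Packet("203.0.113.10", 40001, "128.200.222.100", 445)    # not registered
    other_host = Packet("203.0.113.10", 40002, "128.200.222.102", 22)    # unregistered host
    return {
        "browsing_out": fw.decide(web_out),
        "browsing_reply": fw.decide(web_reply),
        "registered_ssh": fw.decide(ssh_in),
        "smb_probe": fw.decide(smb_probe),
        "unregistered_ssh": fw.decide(other_host),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18s} {verdict}")
```

Order matters in the stateful part: a packet that looks like a reply but arrives before any matching outbound connection was seen is treated as an unsolicited inbound connection and dropped, which is what makes the "outbound keeps working, inbound is blocked" split safe.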

A number of departments are already using server registration in conjunction with inbound connection blocking in order to improve the security of their environments with great success. It is a good idea to begin using server registration, even if you are not yet contemplating inbound connection blocking. To learn more, or to get started, please visit:

http://www.nacs.uci.edu/network/servers/

Registering Computer Names

Computers on UCI’s network (and thus the Internet) have two kinds of identities: a numerical Internet Protocol (IP) address, such as 128.200.222.100, and a “host name,” such as www.uci.edu. Computers tend to use numbers to find and talk to one another, but human beings prefer names, finding them both more memorable and more descriptive. The association between the host name and the IP address is mediated by a world-wide hierarchy of servers collectively providing the Domain Name Service (DNS).

Technically, it is not necessary to have a host name in order to function on the network. However, it has long been campus practice to “register” host names whenever a computer is connected to UCInet. This has many benefits: the name of the machine helps people who use it understand its role, and the registration process records its ownership, its location, and who is responsible for it. Furthermore, an increasing range of network services at UCI and at other universities is restricted to registered hosts. Using an unregistered host is thus an unnecessary risk; you might find you need a restricted service after hours or under deadline, when it is very difficult to correct promptly.

Responsibility for a computer becomes very important whenever situations regarding network security, copyright violation, or network traffic arise. Without registering a system, NACS and campus departments have no way to find the system’s owner to correct the problem, and the only way to protect all the other computer users on campus is to deny that system access to UCInet until someone comes forward requesting that service be restored — an awkward and unfortunate situation for everyone. Presently there are almost 1,000 unregistered computers connected to UCInet. Although it has not been well documented or enforced, it is NACS policy that all computers connected to UCInet be registered in DNS. If you suspect your system may not be registered, or that our records regarding responsibility for your system may be out of date, please contact NACS.

Check to see if you’re registered at:
http://www.nacs.uci.edu/tools/ipaddress.php

Register your host name at:
http://www.nacs.uci.edu/communication/ip_address_app.html