

June 18, 2007

Important Changes to Campus Network Security

OIT will be changing the campus’ default network configuration for all campus devices, servers, and desktop machines to prevent them from being accessed from off campus. This new configuration is known as “Default Deny”.

This means that, by default, machines connected to the UMBC network will not be reachable from off campus unless the remote user first logs into the campus VPN. The campus VPN, http://vpn.umbc.edu (installation instructions are linked there), bypasses the firewall blocks and allows access to on-campus machines. This will dramatically reduce the potential security risks to UMBC. The good news is that most machines on the UMBC network do not need to be open to the outside world, so the “Default Deny” configuration will in no way affect the overwhelming majority of machines on campus.

However, some machines, servers and network devices may need to be reached from outside the UMBC campus (e.g. web servers, file servers, etc.). To accommodate these exceptions OIT is developing a web interface, known as “NetAdmin”, which faculty and staff can access. NetAdmin will allow a faculty or staff member to open the necessary server ports on the campus firewall to make the machine “visible” from off campus. The NetAdmin interface can be found at http://noc.umbc.edu.

Timeline:
• May 17th: NetAdmin interface released to faculty and staff.
• May 17th to June 25th: machines can be excluded from the network block by entering them into NetAdmin.
• June 26th: the entire UMBC network is switched to “Default Deny” via the campus border firewall.
NOTE: The actual network blocks will not go into effect until June 26th, in order to give faculty and staff sufficient time to exclude machines from the network blocks.

FAQ:
Will the Default Deny Network Configuration Cause Any Problems on Campus?
No, this new configuration only affects the campus’ border firewall. Once the changes go into effect only machines that have been excluded via the NetAdmin interface will be visible from off campus.

Can I Open Access to Any Machine?
No. Machines on the Dynamic Client, Static Client and Legacy DHCP Pooled networks cannot be opened using the NetAdmin interface. If someone tries to open access to a machine on any of these networks, they will receive an error message saying it can’t be added, and a form will be presented that allows the user to request that the machine be moved to a network that supports this. Only machines on the Departmental Server network or the Legacy Static Address network can be opened to the outside world using NetAdmin.

How Does the NetAdmin Interface Work?
Faculty and staff will need to launch a web browser from the machine(s) they wish to exclude from this block, so visit http://noc.umbc.edu from the machine whose network access you want to change. Once a machine has been entered for the first time, the user who added it will be able to manage further changes (e.g. adding or removing ports) by logging into NetAdmin from any location.
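The two rules above (only certain networks may be opened, and the first entry must come from the machine itself) together with the border firewall’s default-deny decision can be written down as a small policy model. This is an added illustration, not OIT’s NetAdmin code; the address ranges are constructed from RFC 5737 documentation networks and the VPN pool is assumed, so nothing here reflects UMBC’s real address plan.

```python
from ipaddress import ip_address, ip_network

# Constructed example ranges (RFC 5737 documentation networks), NOT UMBC's real
# address plan. Network names follow the announcement; their membership is assumed.
NETWORKS = {
    "Departmental Server": ip_network("192.0.2.0/24"),
    "Legacy Static Address": ip_network("198.51.100.0/25"),
    "Dynamic Client": ip_network("198.51.100.128/25"),
    "Static Client": ip_network("203.0.113.0/25"),
    "Legacy DHCP Pooled": ip_network("203.0.113.128/25"),
}
CAMPUS = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24"),
          ip_network("203.0.113.0/24")]
VPN_POOL = ip_network("10.99.0.0/16")  # assumed pool handed out to VPN clients
OPENABLE = {"Departmental Server", "Legacy Static Address"}  # per the FAQ


def network_of(host):
    """Name of the campus network a host belongs to, or None if off campus."""
    for name, net in NETWORKS.items():
        if ip_address(host) in net:
            return name
    return None


def request_exception(exceptions, host, port, owner, source_ip):
    """Model a NetAdmin request by `owner`, made from `source_ip`, to open `port`
    on `host`. `exceptions` maps host -> {"owner", "ports"}. Returns (ok, message)."""
    name = network_of(host)
    if name is None:
        return False, "not a campus address"
    if name not in OPENABLE:
        return False, f"{name} network cannot be opened; submit a move request"
    entry = exceptions.get(host)
    if entry is None:
        # The initial entry must be made from the machine being opened.
        if source_ip != host:
            return False, "initial entry must be made from the machine itself"
        entry = exceptions[host] = {"owner": owner, "ports": set()}
    elif entry["owner"] != owner:
        return False, "only the user who added this machine may change it"
    entry["ports"].add(port)
    return True, f"port {port} open on {host}; responsible contact {owner}"


def border_allows(exceptions, src, dst, port):
    """Border firewall decision for an inbound connection to a campus host."""
    s = ip_address(src)
    if any(s in net for net in CAMPUS) or s in VPN_POOL:
        return True  # on-campus and VPN sources are not subject to the border block
    entry = exceptions.get(dst)
    return entry is not None and port in entry["ports"]  # default deny
```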

My Network Device Does Not Have A Web Interface.
In cases where a device or machine does not have a Web browser you will not be able to open network access on your own. Instead you will need to contact the OIT help desk to request this.

Why Are You Making These Changes?
Over the past few years there has been a very liberal “Default Open” network policy for all machines on campus. Unfortunately, the reality is that most machines do not require this open access, and many times the machine owners do not even realize that their machine is accessible from the outside world. With all of the security problems and data loss issues plaguing businesses, it is prudent that OIT take steps to further protect and secure our data and networks. Additionally, by requiring machine owners to open access to their machines via NetAdmin, OIT will now have a responsible contact in the event of a security breach.

