
Northern Grid for Learning Firewall Security

As part of the Northern Grid connectivity solution all sites will be configured behind a Checkpoint Firewall located in easynet’s Middlesbrough Point of Presence. This firewall will secure the Northern Grid WAN and all traffic will be explicitly denied unless specifically requested otherwise. This also relates to internal traffic, i.e. all INTRA LEA traffic is denied. A default ruleset suggested by the Northern Grid and easynet is listed below:

Customer Activity | Service / Protocol / Port | Internet source of incoming traffic to School LAN | Incoming destination on School LAN | Outgoing source of traffic from School LAN | Destination of traffic on the Internet from School LAN | Action
Mail | SMTP TCP 25, POP3 TCP 110 | Any | Any | Any | Any | Allow
Name service | DNS UDP 53 | None | None | Any | Any | Allow
Cachepilot Server | HTTP TCP 80, HTTPS TCP 443, FTP TCP 20 TCP 21, Filtering TCP 4000 | None | None | Cachepilot | Any | Allow
Cachepilot Server Support | HTTP TCP 80, HTTPS TCP 443, SSH TCP 22, FTP TCP 20 TCP 21 | Easynet, Equiinet, Espresso | Cachepilot | None | None | Allow
FTP | FTP TCP 21 TCP 20 | None | None | Any | Any | Allow
Browsing | HTTP TCP 80 TCP 8080, HTTPS TCP 443, RealPlayer TCP 554 TCP 7070 | None | None | Any | Any | Allow
Any | Any | Any | Any | Any | Any | Deny

NB. Return traffic on the same connection will also be allowed. Access for Easynet administration is not shown, but will be included for the support of the firewalls and routers. Easynet will have access to Any and All services from our secure NOC IP range.
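To make the table's semantics concrete (rules are tried top-down, the first match decides, the final Any/Any row denies everything else, and reply traffic on an allowed connection passes without its own rule), here is an added Python model of the default ruleset. It is example code written for this edit, not easynet's Checkpoint configuration: the School LAN, Cachepilot and support-network addresses are constructed placeholders, and the outgoing "Any" source is modelled as any host on the School LAN. Only the services, ports and allow/deny decisions are taken from the table.

```python
"""First-match, default-deny model of the Northern Grid default ruleset.

Added example: the address objects below are constructed stand-ins, not
NGfL's real addressing; services, ports and actions come from the table.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
SCHOOL_LAN = ip_network("10.20.0.0/16")          # placeholder for "School LAN"
CACHEPILOT = ip_network("10.20.1.10/32")         # placeholder for the Cachepilot server
SUPPORT_NETS = (                                 # placeholders for Easynet/Equiinet/Espresso support
    ip_network("192.0.2.0/24"),
    ip_network("198.51.100.0/24"),
)


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str            # "tcp", "udp" or "any"
    dports: frozenset     # destination ports; empty means any port
    sources: tuple        # ip_network objects
    dests: tuple
    action: str           # "allow" or "deny"

    def matches(self, proto, src, dst, dport):
        if self.proto not in ("any", proto):
            return False
        if self.dports and dport not in self.dports:
            return False
        return any(src in n for n in self.sources) and any(dst in n for n in self.dests)


def allow(name, proto, ports, sources, dests):
    return Rule(name, proto, frozenset(ports), tuple(sources), tuple(dests), "allow")


# One Rule per direction the table allows. A row whose incoming or outgoing
# half reads "None" simply has no rule for that direction.
DEFAULT_RULES = (
    allow("mail in/out", "tcp", {25, 110}, [ANY], [ANY]),                  # SMTP, POP3
    allow("name service out", "udp", {53}, [SCHOOL_LAN], [ANY]),           # DNS, outgoing only
    allow("cachepilot out", "tcp", {80, 443, 20, 21, 4000}, [CACHEPILOT], [ANY]),
    allow("cachepilot support in", "tcp", {80, 443, 22, 20, 21}, SUPPORT_NETS, [CACHEPILOT]),
    allow("ftp out", "tcp", {21, 20}, [SCHOOL_LAN], [ANY]),
    allow("browsing out", "tcp", {80, 8080, 443, 554, 7070}, [SCHOOL_LAN], [ANY]),
    Rule("default deny", "any", frozenset(), (ANY,), (ANY,), "deny"),      # final Any/Any row
)


class StatefulFirewall:
    """Top-down first match plus a connection table for the 'return traffic' rule."""

    def __init__(self, rules=DEFAULT_RULES):
        self.rules = rules
        self.connections = set()   # (proto, src, sport, dst, dport) of allowed connections

    def evaluate(self, proto, src, sport, dst, dport):
        src, dst = ip_address(src), ip_address(dst)
        # A reply on an already-allowed connection is accepted without a rule lookup.
        if (proto, dst, dport, src, sport) in self.connections:
            return ("allow", "return traffic")
        for rule in self.rules:
            if rule.matches(proto, src, dst, dport):
                if rule.action == "allow":
                    self.connections.add((proto, src, sport, dst, dport))
                return (rule.action, rule.name)
        return ("deny", "implicit")   # not reached: the last rule matches everything


if __name__ == "__main__":
    fw = StatefulFirewall()
    for pkt in [("tcp", "10.20.5.5", 40000, "203.0.113.7", 80),   # outbound browsing
                ("tcp", "203.0.113.7", 80, "10.20.5.5", 40000),   # its reply
                ("tcp", "203.0.113.9", 51000, "10.20.1.10", 22)]:  # unsolicited inbound SSH
        print(pkt, "->", fw.evaluate(*pkt))
```

Running the model shows the property a reviewer of this table should check: an unsolicited inbound packet to a School LAN host is dropped even on a port that is open outbound (the "None" incoming halves), and only a tracked reply to an allowed connection passes. The Mail row is the one exception, since it opens TCP 25 and 110 inbound to "Any" host on the School LAN rather than to a named mail server.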


In order to fully utilise the functionality of the firewall and Broadband connectivity it is preferable that all sites have rulesets that suit their usage requirements for the Northern Grid Broadband connection.

After installation of the connection, rulesets can be altered and updated as requested by the LEA (or by the site with LEA approval) by use of a Firewall Modification Request (Appendix 2). Requests will not be accepted without an authorised signature from the appropriate LEA. To help with this process, Northern Grid together with easynet and other partners have created a Common Ruleset Requirement listing (Appendix 1). If there are other solutions you wish to add to this shared list please send details to northerngrid@uk.easynet.net; the Project Team will ensure that the list is updated and the information shared between all LEA Partners.


Appendix 1

Common Ruleset Requirements

Please note that entries in Red will require the IP address of the server or equipment concerned being entered on the ruleset request. Where required, Static Public IPs will be allocated by easynet as part of the ruleset set up and will be confirmed to both the LEA and the site concerned. This listing is not definitive and additions/corrections may be made at any time. Such additions/corrections will be sent to all LEA partners.


Software | Source | Destination | Protocol | Port | Notes
Plato | School LAN | 212.103.242.160, 212.103.242.161, 212.103.242.162, 212.103.242.163, 212.103.242.164, 212.103.242.165 | HTTP | TCP 80 |
Plato | School LAN | 209.117.210.101, 209.117.210.102, 209.117.210.103, 209.117.210.104, 209.117.210.105, 209.117.210.106, 209.117.210.107 | TCP, UDP | 1494, 1604 |
RM Community Connect 3 | Any | Community Connect 3 Domain controller in School | HTTP, HTTPS, TCP | TCP 80, TCP 443, TCP 333, TCP 3389 | Requires Static Public IP
RM Storebox | 62.171.221.0/24, 194.238.48.64/27, 213.18.254.0/24, 217.180.10.0/24 | RM Storebox | UDP | UDP 617 | Requires Static Public IP
RM Easymail Server | Any | Easymail Server | SMTP, POP3 | TCP 25, TCP 110 | Requires Static Public IP
RM NTmail | Any | NTmail server | SMTP, POP3 | TCP 25, TCP 110 | Requires Static Public IP
RM Smartcache | 62.171.221.0/24, 194.238.48.64/27, 213.18.254.0/24, 217.180.10.0/24 | Cache Server | SSH | TCP 22 | Requires Static Public IP
RM Smartcache | 62.171.221.0/24, 194.238.48.64/27, 213.18.254.0/24, 217.180.10.0/24 | Gateway Server – Usually on PDC | UDP | UDP 617, UDP 6501, UDP 6502 | Requires Static Public IP
RM Remote Support & Management | 62.171.221.0/24, 194.238.48.64/27, 213.18.254.0/24, 217.180.10.0/24 | PDC | SSH, TCP | TCP 22, TCP 333, TCP 3389, ICMP Echo Response |
RM Remote Support & Management | 62.171.221.0/24, 194.238.48.64/27, 213.18.254.0/24, 217.180.10.0/24 | Managed Devices on School Network | ALL | ALL |

NB. Return traffic on the same connection will also be allowed.


The following software will work under the default ruleset:

- Northern Grid for Learning Portals
- Flood Alert
- All other ACTIS content
- Maths Alive
- RM Easylink (1)
- RM Easymail Plus
- RM SecureNet
- RM SecureNet Plus
- RM Virus Protect
- All RM Content Products
- RM Support Online

(1) RM Easylink will require a static Public IP address and so should be listed on any firewall ruleset request so that easynet can allocate an address.


Appendix 2

Ruleset Modification Request

Once this form has been completed and authorised by the LEA advisor, it will need to be faxed to the easynet security team by the LEA. The security team will log, action and confirm completion of the request.


EASYNET MANAGED FIREWALL SECURITY POLICY MODIFICATION REQUEST

Company Name: Northern Grid for Learning

This form is to be used for all modifications to the easynet managed Northern Grid central firewall solution. Please fill in all the relevant fields and send to your LEA advisor who will authorise your changes and forward the request to the easynet Security Department. Where possible please include host names for IPs or IP ranges. Example below:

Source IP | Source Port (udp or tcp) | Destination IP | Destination Port (udp or tcp) | Action | Note
212.135.61.2 [home user IP] | Any | 193.121.63.251 [webserver1] | Proxy-ftp [21 & 22 udp & tcp] | Allow | For our web developer to get access.
202.158.63.0/24 [head office LAN] | Any | 193.121.63.128/25 [web server LAN] | 80 [tcp http], 25 [tcp smtp], 2231 [udp custom port] | Allow | For our staff to get access. Please call me if you have any questions.
Any | Any | 193.121.63.253 [publicwebserver1] -> 10.1.1.5 [internal webserver1] | 443 [https tcp] | Allow; drop incoming “PUT” requests | This goes to our internal web server LAN on the 10net.

NB. Return traffic on the same connection will also be allowed.

Enter your requests below:

Source IP | Source Port (udp or tcp) | Destination IP | Destination Port (udp or tcp) | Action | Note
Any | Any | 82.109.64.92 | 2001 [tcp] | Allow | To allow staff to access Secure Gateway

If needed please use extra pages and include them with your fax.


Please print all requested information clearly.

Site Administrator:
Name: Chris Gardner
Job Title: IT Technician
Contact Number: 0191 4569121
E-mail Address: cgardner@st-wilfrids.org
Sign: cgardner
Date: 22/04/10

LEA Advisor:
Name: ……………………
Job Title: ……………………
Contact Number: ……………………
E-mail Address: ……………………
Sign: ……………………
Date: ……………………

Notes:


Firewall Rules