Firewall concepts

Basically, there are different concepts for implementing a firewall.

Firewalls mostly used are combining port / packet filters on the end devices (so-called personal firewalls). Since the introduction and improvement of "personal firewalls" on end devices (for example, Windows Firewall after XP SP2), they are no longer part of the SCC portfolio.
 
On the other hand, the communication of whole network segments with other networks (campus network, Internet) is controlled by various rules, which take place either on routers or on firewalls. Depending on the security requirements, there are different security levels, which are offered and implemented by the SCC in a kind of a modular system. These safety levels divide the KIT network into four network zones (A - D).

Security level “Base Protection”:

On the router systems, default security settings are defined that are configured according to the following classification:
 
• Internet uplink;
• User networks;
• Server networks on the SCC
 
A black list is configured on the Internet uplink, which allows full accesses from the outside to the KITnet to pass through with a few exceptions. Access to the following protocol ports is not permitted:

TCP 25, 53, 135, 137, 138, 139, 445, 593
UDP 25, 53, 69, 135, 137, 138, 139, 161, 445

For outgoing connections from KITnet, the following protocol ports are not permitted:

TCP 25
UDP -

Exceptions are been strongly regulated to individual cases, e.g. for central mail and DNS servers.
On the Internet uplink, incoming and outgoing rules for anti-spoofing are implemented according to RFC 2827.
Anti-spoofing is basically configured on the router interfaces for user and server networks.
Additional service-specific filters exist at router interfaces of the server networks in inbound direction.

Security Level 1

The goal of level 1 is the foreclosure of systems against the Internet. The basic principle is that connections initiated internally can be answered from the outside. A connection-initiation from the Internet is not possible. This principle applies equally to private and public IP addresses.
Since private addresses are only valid within an enterprise, the use of application gateways or an address translation is necessary to allow communication between these systems and the Internet. In case of application gateways, SCC offers web proxies and mail servers as gateways. For all other protocols and applications an address translation (PAT / NAT, port / network address translation) is been used to allow an internal node using a private IP address to communicate with the Internet. This service is centralized at the firewall level 1.

Exceptions for accessing internal systems from the Internet can be realized in two ways:

If a service must be accessible from all source IP addresses world-wide, the implementation can be made via NATVS +, an application self-developed by SCC. NATVS + has a user interface, which allows the DNSVS administrators of the respective address range to independently manage their firewall rules. Attempts to open ports listed above as “generally blocked at the Internet” uplink are ineffective. The activation of changes to the firewalls made in NATVS + is automated every second hour at the even hours.
Requests for opening firewall rules with restrictions on specific source IP addresses must be addressed through the responsible IT officer (IT-Beauftragter) by e-mail to the firewall team at SCC (firewall∂scc.kit.edu).

Security Level 2

Security Level 2 corresponds to the implementation of security level 1 with the difference that here a group of systems is additionally protected against unwanted accesses from other parts of the KIT network. The systems to be protected must be in a separate VLAN. Exceptions for worldwide access from the Internet are been defined similar to Security Level 1 through NATVS+. The responsible IT officer must request limited exceptions by e-mail to firewall∂scc.kit.edu.