Network based security systems
Protection against unauthorized access to network segments inside the KIT (firewall).
The service is important for the protection of end devices in the KIT data network from unauthorized access.
The access protection has a multi-level structure and is based on the level of protection the customer requires for their systems:
- Protection against unauthorized access from the Internet (“Central Firewall” – level 1)
- Additional protection against unauthorized access from other network segments of the KIT (“decentral firewall” – level 2)
- Additional protection against unauthorized end devices in the network segment (“Network Access Control (NAC)”)
The firewall is called “central” because it protects all devices in the KIT Intranet from the Internet. Organizational units with higher security requirements can additionally use the service “Decentral Firewall”.
- Protection against unwanted access from the Internet
- Opening ports of servers for the access from the Internet
- Restriction of the Internet access
Services not included
- Protection against unwanted access from the Intranet
- Restriction of the Intranet access
The decentralized firewall regulates the communication between the wired network segment of an institute/organization unit of the KIT and the intranet. The firewall works in both directions:
- It restricts access from computers in other parts of the intranet to computers of the institute/organization unit.
- It restricts access from computers of the institute/organization unit to services on the intranet.
- Protection against unwanted access from the Internet
- Opening of server services for access from the Internet
- Limitation of the Internet access
Services not included
- Protection against unwanted access from the same network segment
- Restriction of access to other network segments
In principle, there are different concepts for implementing a firewall.
The firewalls most commonly used are combined port/packet filters on the end devices (so-called personal firewalls). Since the introduction and improvement of "personal firewalls" on end devices (for example, Windows Firewall after XP SP2), they are no longer part of the SCC portfolio.
On the other hand, the communication of whole network segments with other networks (campus network, Internet) is controlled by various rules, which are enforced either on routers or on firewalls. Depending on the security requirements, there are different security levels, which the SCC offers and implements as a kind of modular system. These security levels divide the KIT network into four network zones (A - D).
Security level “Base Protection”:
On the router systems, default security settings are defined that are configured according to the following classification:
• Internet uplink;
• User networks;
• Server networks on the SCC
A blacklist is configured on the Internet uplink; with a few exceptions, it lets all access from the outside to the KITnet pass through. Access to the following protocol ports is not permitted:
TCP 25, 53, 135, 137, 138, 139, 445, 593, 2745, 5554, 9996
UDP 25, 53, 69, 135, 137, 138, 139, 161, 445, 2745, 5554, 9996
For outgoing connections from KITnet, the following protocol ports are not permitted:
TCP 25, 2745, 54040
UDP 2745, 4000, 7871, 54040
Exceptions are strictly limited to individual cases, e.g. for central mail and DNS servers.
On the Internet uplink, incoming and outgoing rules for anti-spoofing are implemented according to RFC 2827.
As a rule, anti-spoofing is configured on the router interfaces for user and server networks.
Additional service-specific filters exist at router interfaces of the server networks in inbound direction.
Security Level 1
The goal of level 1 is to shield systems from the Internet. The basic principle is that connections initiated internally can be answered from the outside. Initiating a connection from the Internet is not possible. This principle applies equally to private and public IP addresses.
Since private addresses are only valid within an enterprise, the use of application gateways or an address translation is necessary to allow communication between these systems and the Internet. In the case of application gateways, SCC offers web proxies and mail servers as gateways. For all other protocols and applications, an address translation (PAT / NAT, port / network address translation) is used to allow an internal node using a private IP address to communicate with the Internet. This service is centralized at the firewall level 1.
Exceptions for accessing internal systems from the Internet can be realized in two ways:
If a service must be accessible from all source IP addresses world-wide, the implementation can be made via NATVS+, an application developed in-house by SCC. NATVS+ has a user interface, which allows the DNSVS administrators of the respective address range to independently manage their firewall rules. Attempts to open ports listed above as generally blocked at the Internet uplink are ineffective. Changes made in NATVS+ are activated on the firewalls automatically at least twice a day (at 10:00 a.m. and 3:00 p.m.).
Requests for opening firewall rules with restrictions on specific source IP addresses must be addressed through the responsible IT officer (IT-Beauftragter) by e-mail to the firewall team at SCC (firewall∂scc.kit.edu).
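As an added illustration (not SCC's code or configuration), the Python model below shows how a new connection to a level 1 system is judged at the Internet uplink using the port lists above: RFC 2827 anti-spoofing first, then the general blacklist, then the level 1 rule. The evaluation order, the `INTERNAL` prefixes, the function names and the `exceptions` set standing in for NATVS+ rules are assumptions; the individual-case exceptions for central mail and DNS servers are not modelled.

```python
import ipaddress

# Port lists copied from the "Base Protection" section of this page.
BLOCKED_IN = {
    "tcp": {25, 53, 135, 137, 138, 139, 445, 593, 2745, 5554, 9996},
    "udp": {25, 53, 69, 135, 137, 138, 139, 161, 445, 2745, 5554, 9996},
}
BLOCKED_OUT = {
    "tcp": {25, 2745, 54040},
    "udp": {2745, 4000, 7871, 54040},
}
# Constructed placeholder for the internal address space (RFC 5737
# documentation range plus one RFC 1918 block); not KIT's real prefixes.
INTERNAL = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def uplink_verdict(direction, proto, src, dst, dport, exceptions=frozenset()):
    """Verdict for a NEW connection crossing the Internet uplink.

    direction: "in" (Internet -> KITnet) or "out" (KITnet -> Internet).
    exceptions: hypothetical set of (proto, dst, dport) world-wide openings,
    standing in for rules managed through NATVS+.
    Returns (allowed, reason).
    """
    # RFC 2827 anti-spoofing: the source must lie on the side it arrives from.
    if direction == "in" and is_internal(src):
        return False, "spoofed: internal source arriving from the Internet"
    if direction == "out" and not is_internal(src):
        return False, "spoofed: foreign source leaving KITnet"
    # Base protection blacklist; evaluated before any exception, which is
    # why opening a generally blocked port has no effect.
    blocked = BLOCKED_IN if direction == "in" else BLOCKED_OUT
    if dport in blocked.get(proto, ()):
        return False, "port generally blocked at the Internet uplink"
    if direction == "out":
        # Level 1: internally initiated connections may be answered.
        return True, "outbound connection, replies allowed statefully"
    # Level 1: inbound initiation only through an explicit exception.
    if (proto, dst, dport) in exceptions:
        return True, "world-wide exception"
    return False, "level 1: no connection initiation from the Internet"
```

Running a planned rule set through such a model before entering it shows which openings would be ineffective at the uplink.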
Security Level 2
Security Level 2 corresponds to the implementation of security level 1 with the difference that here a group of systems is additionally protected against unwanted access from other parts of the KIT network. The systems to be protected must be in a separate VLAN. Exceptions for worldwide access from the Internet are defined through NATVS+, similar to Security Level 1. The responsible IT officer must request limited exceptions by e-mail to firewall∂scc.kit.edu.