Access Control

1.0 Overview

Because the University does not have a firewall, it is necessary to use Access Control Lists (ACLs) to filter certain types and sources of network traffic.

2.0 Purpose

This policy is designed to provide the framework for configuring and applying Access Control Lists to network convergence points.

3.0 Scope

This policy applies to OIT staff members who are responsible for the design and implementation of the data network.

4.0 Policy

Access control lists should be configured to block as much malicious traffic as possible while remaining as transparent as possible to the end user. The ACLs applied at the network edge should filter, at minimum, the following types of network traffic:

Outbound:

  • Allow all ICMP
  • Allow DNS: TCP/UDP 53 out
  • Tunnels
      • Allow IPsec out
      • Allow GRE out
      • Allow PPTP out
  • Allow NTP: UDP/123 out
  • Allow SNMP: UDP/161 out

Inbound:

  • Allow all ICMP
  • DNS: Allow TCP/UDP 53 inbound to authorized DNS servers
  • SSH: Allow TCP/22 inbound to authorized hosts only
  • Remote Desktop
      • Allow TCP/3389 inbound to authorized hosts only
  • HTTP/HTTPS
      • Allow TCP/80,443,8080,8443 inbound to authorized web servers
  • Email
      • Allow SMTP TCP/25,465,587 inbound to authorized email servers
      • Allow POP/IMAP TCP/110,143,993,995 inbound to authorized email servers
  • Tunnels
      • Allow IPsec in
      • Allow GRE in
      • Allow PPTP in
  • FTP
      • Allow FTP TCP/20,21 inbound to authorized FTP servers
  • LDAPS
      • Allow LDAPS TCP/636 inbound to authorized directories
  • NTP
      • Allow NTP inbound to authorized time servers
  • VoIP
      • Allow SIP TCP/UDP 5060,5070 inbound to all
      • Allow UDP/1025-65535 to ResNet

Games:

  • Allow League of Legends TCP/80,443,2099,5000-5500,5222,5223,8088,8393-8400 to ResNet
  • Allow World of Warcraft TCP/80,443,1119,1120,3724,4000,6112-6114,6881-6999 to ResNet
  • Allow Teamspeak 3 TCP/10011,30033 to ResNet
  • Allow Steam Client TCP/27000-27050 to ResNet
  • Allow Battlefield 3 TCP/9988,17502,20000-20100,22990,42127 to ResNet
  • Allow Call of Duty TCP/3074,28960 to ResNet
  • Allow Starcraft TCP/1119-1120,3724,4000,6112-6114,6881-6999 to ResNet
  • Allow Xbox Live UDP/88 to ResNet

Miscellaneous Applications:

  • Allow Ventrilo TCP/3784,6100 to ResNet
  • Allow Viber UDP/5243,9785 to Wireless & ResNet

Because of our desire to remain transparent to the end user, all ACLs will be posted for campus viewing.
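As an added illustration (not part of the policy or of OIT's own tooling), the inbound rules above can be encoded as a first-match rule table and checked against candidate flows before the ACL is deployed; the host zones "resnet", "wireless" and "server" and the per-host set of authorized services are hypothetical labels standing in for the policy's "authorized hosts" and "ResNet" destinations.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

PortRanges = Tuple[Tuple[int, int], ...]

@dataclass(frozen=True)
class Rule:
    name: str               # service name as written in the policy
    protos: FrozenSet[str]  # {"tcp"}, {"udp"}, {"tcp", "udp"} or {"icmp"}
    ports: PortRanges       # inclusive (lo, hi) ranges; empty tuple = any port
    dest: str               # "authorized" (named hosts only), "resnet", or "any"

@dataclass(frozen=True)
class Host:
    zone: str                                  # hypothetical: "resnet", "wireless", "server"
    authorized: FrozenSet[str] = frozenset()   # services this host is approved to offer

def parse_ports(spec: str) -> PortRanges:
    """'80,443,5000-5500' -> ((80, 80), (443, 443), (5000, 5500)); '' -> ()."""
    ranges = []
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return tuple(ranges)

# Subset of the section 4.0 inbound rules, in policy order (first match wins).
INBOUND = (
    Rule("ICMP", frozenset({"icmp"}), (), "any"),
    Rule("SSH", frozenset({"tcp"}), parse_ports("22"), "authorized"),
    Rule("RDP", frozenset({"tcp"}), parse_ports("3389"), "authorized"),
    Rule("HTTP/HTTPS", frozenset({"tcp"}), parse_ports("80,443,8080,8443"), "authorized"),
    Rule("SMTP", frozenset({"tcp"}), parse_ports("25,465,587"), "authorized"),
    Rule("SIP", frozenset({"tcp", "udp"}), parse_ports("5060,5070"), "any"),
    Rule("ResNet UDP", frozenset({"udp"}), parse_ports("1025-65535"), "resnet"),
    Rule("League of Legends", frozenset({"tcp"}),
         parse_ports("80,443,2099,5000-5500,5222,5223,8088,8393-8400"), "resnet"),
    Rule("Xbox Live", frozenset({"udp"}), parse_ports("88"), "resnet"),
)

def evaluate(proto: str, dport: Optional[int], host: Host) -> Optional[str]:
    """Return the name of the first matching rule, or None for the implicit deny."""
    for rule in INBOUND:
        if proto not in rule.protos:
            continue
        if rule.ports and (dport is None or not any(lo <= dport <= hi for lo, hi in rule.ports)):
            continue
        if rule.dest == "authorized" and rule.name not in host.authorized:
            continue
        if rule.dest == "resnet" and host.zone != "resnet":
            continue
        return rule.name
    return None
```

Anything that reaches the end of the table is denied, which is what makes "authorized hosts only" meaningful: TCP/22 to a ResNet host that is not on the SSH list falls through, while the same port to an approved server matches.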

5.0 Enforcement

Failure to follow this policy will result in the offender(s) being subject to disciplinary action up to and including a formal written letter of corrective action.

6.0 Definitions

128.153.49.0/24 – The administrative subnet used for privileged access to IT resources

7.0 Revision History

Draft Policy v0.1 – 06 June 2005 – jfiske

Draft Policy v0.2 – 09 January 2006 – jfiske

Draft Policy v0.3 – 10 February 2006 – jfiske

Approved Policy v1.0 – 4 November 2013 – jfiske