Public Subnet Firewall

October 03

The University of Waterloo Library provides public access to internet resources without requiring a patron to logon. Besides the students, faculty and staff of the university, the library also provides service to the local community. This is actually a legal obligation in one area because the Library operates as a full repository library for Canadian government publications. The contract includes an obligation of open access. Open access to educational resources is also a tenent of quality Library service.

In order to offer unauthenticated access to the Internet, certain constraints must be in place. Since 1995 the Library, with the assistance of IST, has maintained a router/web proxy server firewall to constrain the use of these unauthenticated machines. Many changes have been implemented over the years and the firewall system has been reviewed. In one area, increased security requirements for the public machines have become essential.

The purpose of this document is to outline the current operation of the Library's public firewall system for Library Systems staff. This firewall is a critical component of the security of these public workstations and their use. It can also affect new services brought on-line requiring adjustments to the firewall configuration.

Basic Information Flow:

All requests for network services from public workstations must pass through the Library's firewall router. Only services (protocols and ports) validated in the router's configuration file are allowed to pass through. All http, https, ftp and gopher requests, unless noted in the browser's configuration file, are directed through the router to the Library's proxy server running on pilot.uwaterloo.ca. These requests are passed through the proxy server unless restricted by proxy directives in the proxy configuration file.

Through the use of the router access list and the proxy directives in the proxy servers configuration file, the Library is able to constrain the use of the public workstations in a way that allows them to operate without requiring patron logon.

Firewall Components:

There are three configuration components to the Library's firewall system: the public workstation, the router and a Library's web server which serves as the proxy server.

Workstations:

It is beyond the purpose of this document to describe in detail the software and security configuration used on the public machines. The workstations run DeepFreeze, which restores the computer to its original state at each reboot. Only software deemed required by our clients is installed on these computers. Since most network services are web based, the configuration of the web browsers on the public workstations is critical to the firewall operation.

All browsers on the public workstations are set to operate in proxy mode. All http, https, ftp and gopher requests, unless explicitly stated in an exceptions list, must pass through the Library's firewall proxy server. The web server is Apache and runs on the Library's computer, "pilot.uwaterloo.ca."

Exceptions have been required in some instances to ensure the proper operation of some services. Currently only the following web services, as listed in the browser's configuration file, are allowed to by-pass the proxy server.

Proxy Exceptions:
www.scholarly-societies.org (alias for library.uwaterloo.ca)
proquest.umi.com
pqdweb.umi.com
www.ereserves.uwaterloo.ca (alias for testtube.uwaterloo.ca)
65.220.22.201 (virtual reference services)
65.220.22.205 (virtual reference services)
secure.watcard.uwaterloo.ca

Firewall Router:

All network service requests from the public workstations pass through the firewall router. Only services explicitly authorized are allowed to pass. These services are identified in the router's access list (See Router Access List - September 16, 2003 in the Appendix.). Services are identified by protocol and port.

To increase the security of the public subnet from attack from outside computers, a similar restriction list has been established. This list denies access to potentially troublesome protocols except if issued from library servers.

The out-going router access list is set up to deny all protocols and ports unless specifically allowed within the access list. The specific services authorized are:

Applied to the subnet side (services that the public workstations can access)

• Allow established TCP sessions
• Allow DNS, DHCP requests
• Allow PING replies (for network connectivity tests from outside subnet)
• Allow NetBIOS access to library, pilot and snap4100 servers (for samba connections)
• Allow Web access to the Library Web servers (library, pilot and testtube), to pqdweb.umi.com and proquest.umi.com (UMI commercial services), to lssi.com (65.220.22.*) (virtual reference service) and to the 2 university SUS servers
• Allow HTTPS access to various campus servers. Although https is validated through the proxy server, some services will not work through a proxy and direct access is required ( ego, brawny, blanc, etna, dynamites, and snap4100)
• Allow NNTP access to campus news server (news.uwaterloo.ca)
• Allow printing from a single workstation (129.97.71.175) within the subnet to two printers within Library subnet 58.
• Allow XFIRE access for the Beilstein client which accesses the Beilstein information service
• Allow Z39.50 client access to a couple of information services
• Allow access to the Watcard service through https using port 4667
• Allow telnet and ssh to anywhere
• Deny access to all other ips and ports

Applied to the external side of the router (services allowed to enter the subnet from the outside)

• A temporary block on Microsoft protocols to rebuild compromised systems
• Allow netbios (udp -netbios-ns, udp - netbios-dgm, tcp -port 130) services from pilot, library and snap4100
• Deny tcp access on ports 135 and 139, udp access on 135, 139 and tcp on port 445 from any other external computers
• Allow other accesses

Firewall Proxy-Server:

The Library operates an Apache web server on the computer, pilot.uwaterloo.ca, validated for proxy requests only from the public subnet. This restricts the use of the proxy by other machines on the internet. This prevents, for example, access to commercial resources restricted only to University of Waterloo faculty, staff and students through IP control. Using the proxy would allow requests from the remote machines to appear to have originated from on campus.

Aside from this general restriction on use of the Library's firewall proxy, additional resources can be restricted within proxy directives in the web servers configuration file. These restrictions can be applied for any number of reasons. Restrictions are recorded through regular expression matches and care must be taken that the regular expressions do not match with valid resources. The following specific restrictions are in place:

http://camera1.city.north-bay.on.ca/*
http://www.city.north-bay.on.ca/Bay-cam/*
http://ftp.blizzard.com/*
http://download.windowsupdate.com/*
http://windowsupdate.microsoft.com/*
http://v4.windowsupdate.microsoft.com/*
http://wustat.windows.com/*

Appendix

University of Waterloo Library
200 University Avenue West
Waterloo, Ontario, Canada N2L 3G1
519 888 4883

contact us | give us feedback | privacy statement | © 2011 University of Waterloo