Networking and Telecommunications - Missouri State University Computer Services Missouri State University Networking and Telecommunications
Skip search and site index

Firewall Exceptions

Firewall Exceptions

By default, a firewall blocks all network traffic coming in to the network it is protecting.  For the campus firewall this means that no traffic from the Internet can get on the Missouri State campus network without explicit permission.  To permit traffic through the firewall we create exceptions (or rules) that allow certain traffic on the network.  The rules are defined by the IP addresses of the sender and receiver of the traffic as well as the type of traffic (e.g. web or SSH). 

Policies for Firewall Exceptions

Firewall exceptions are tightly regulated to protect the University network.  Every exception is a potential security vulnerability so we limit them to only those that are absolutely needed.  All University affiliates (students, faculty, staff and emeritus) have access to use the VPN External to connect to on-campus resources when they are off-campus.  For this reason, only services that are intended for people not affiliated with the university will be allowed firewall exceptions.


Most services (e.g. HTTP and SSH) will be approved provided sufficient justification.  There are, however, at least two exceptions.  Telnet and FTP are both considered "insecure protocols" and will not be approved as firewall exceptions.  These protocols do not encrypt the user ID or password making it much easier for an attacker to compromise the security of the server and the University network.


Only a computer functioning as a server will be considered for a firewall exception. A computer being used as an individual's workstation does not qualify as this is more vulnerable to malware, virus infections, and other programs that can impact the security of the University network.

Requesting a Firewall Exception

E-mail with the following information to request an exception in a firewall:


  • Server Owner(s)
  • Owner Contact Information (phone and e-mail)
  • Server Name
  • Server IP Address
  • Services Offered
  • Audience of Services
  • Ports needed (including protocol e.g. TCP and/or UDP)
  • Length of time needed
  • Is the server handling any credit card information, health information, or other potentially protected data?
  • Explanation of why a firewall exception is required.

Descriptions of Requested Information

Server Owner(s)
The server owner is the primary contact for the server for which the exception will be made. A secondary contact person is preferred but not required. At least one contact should be technically familiar with the server and have administrator access. All contacts should be full-time faculty or staff at the university.  It is very important that our records are updated in the event of an owner change.  If we cannot contact anyone about an exception we will eventually remove it.
Owner Contact Information
Periodically we will need to contact someone with regards to the firewall exception.  Usually this will be to verify that the exception is still needed.  Most communication will be by e-mail but occasionally we will call the owner(s) if no e-mail response is received or the issue is time-sensitive.
Server Name
The DNS name of the server is used for convenience when discussing the exception.  It is not absolutely necessary.
Server IP Address
The IP address of the server is used by the firewall to create the exception so it is vital that it is correct and not change over time.  For this reason it must be a DHCP reservation or a hard-coded address.  We will work with the owner to set this address so that it will never change.  Usually setting up the address requires changing the IP address. A workstation for individual use does not qualify for a DHCP reservation and is ineligible for a firewall exception for security reasons.
Services Offered
List the services that the server will be offering.  These might be web, SSH or proprietary.
Audience of Services
Who will be accessing the server from off-campus?  Usually we aren't interested in the individuals but rather a description of the demographic.
Ports Needed
These are part of the definition of the exception in the firewall so it is very important that they are correct. We need both the protocol and the port numbers.  Here are some common ports:
HTTP
TCP/80
SSL (HTTPS)
TCP/443
SSH
TCP/22
Length of Time
If this is a temporary exception, please indicate when we can remove it.  Rules may exist for up to a year before they must be renewed - there is no such thing as a permanent rule.  Rules not renewed are subject to deletion after warnings are sent to the registered server owner.
Protected Data Information
There are a number of policies that the server and network must adhere to if any personal credit card information (PCI) is being transferred or stored.  If this server has or will have any contact with PCI data then we need to know.  We can also help the owner in PCI compliance.
Explanation
This section is for any additional information about the server, the services it offers and/or the intended audience that might be relevant in justifying the firewall exception.

Additional Questions

For additional information please contact Mark Harsen or Josh Stuppy or you can e-mail .