Networking, Firewall, Fully Closed + Remote Administration + UI Group Details
Summary
Note: As of July of 2019, there are no longer Fully Closed + RA and Fully Closed + RA + UI groups. Therefore, this information is now considered legacy. However, the information on this page is still useful to highlight the difference between the Fully Closed and the Fully Closed + UI groups.
The Fully Closed + Remote Administration + UI group is designed for desktops and for servers that serve only University of Illinois users (at any of the three campuses). It allows traffic to leave the computer without restriction, and allows responses to the user's requests. It blocks nearly all incoming traffic from outside the University that is not in response to the user's request. It's too restrictive for a server with off-campus users.
The difference between the Fully Closed group and a group with the RA designation is that this group was intended to allow users and administrators to remotely administer the computer from off campus. In this group, ports used to be allowed for remote administration.
Note: in 2017 the Chief Privacy and Information Security Officer placed significant restrictions on inbound traffic for Remote Administration services. As such, the only remaining ports allowed by the +RA modifier are ports 3283 and 5988.
The difference between the Fully Closed + Remote Administration group and this group is that this group allows unrestricted access among all three University campuses. (The Remote Administration-only group will only allow unrestricted access to users at the same campus.)
In this firewall group, IP ranges belonging to the University of Illinois (including the Springfield and Chicago campuses) are given full access. UI IP ranges will not be subject to the same firewall restrictions as IP ranges from the external Internet. For a list of the IP ranges that this firewall group considers a part of the University of Illinois network, see Guide to University of Illinois IP Spaces.
University of Illinois IP ranges: given full access
Internet: Services allowed in
From computers that are not part of the University network: the permitted ports are 3283 and 5988.
Internet: Services allowed out
To computers that are not part of the University network: all (except the ports that are always blocked in both directions).
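The following is an added example that models the three group policies described above so they can be compared flow by flow; it is not code from the page or from the University's firewall. The campus IP ranges are constructed stand-ins from RFC 5737 documentation space, not the real ranges (those are in the Guide to University of Illinois IP Spaces), the page does not list the ports that are "always blocked in both directions" so that set is left empty and can be supplied per call, and the behaviour of the plain Fully Closed group (own campus only, no RA ports) is inferred from the comparisons the page makes rather than stated by it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in ranges (RFC 5737 documentation space). These are NOT the
# real University of Illinois ranges; the real list is in the
# "Guide to University of Illinois IP Spaces" referenced above.
CAMPUS_RANGES = {
    "urbana": ipaddress.ip_network("192.0.2.0/24"),
    "chicago": ipaddress.ip_network("198.51.100.0/24"),
    "springfield": ipaddress.ip_network("203.0.113.0/24"),
}

# Inbound ports the page says the +RA modifier still allows after the 2017 change.
RA_PORTS = frozenset({3283, 5988})

# The page mentions ports that are "always blocked in both directions" but does
# not enumerate them, so this stays empty; pass your own set to decide().
ALWAYS_BLOCKED = frozenset()

GROUPS = ("fully_closed", "fully_closed_ra", "fully_closed_ra_ui")


@dataclass(frozen=True)
class Flow:
    direction: str       # "in" (towards the protected host) or "out" (from it)
    remote_ip: str       # the other end of the connection
    port: int            # destination port (on the host for "in", on the remote for "out")
    reply: bool = False  # True if this is a response to a connection the host itself opened


def campus_of(ip: str):
    """Return the campus whose range contains ip, or None for the external Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in CAMPUS_RANGES.items():
        if addr in net:
            return name
    return None


def decide(group: str, flow: Flow, host_campus: str = "urbana",
           always_blocked=ALWAYS_BLOCKED) -> str:
    """Evaluate one flow against the named group; returns "allow" or "deny"."""
    if group not in GROUPS:
        raise ValueError(f"unknown group {group!r}")
    if flow.port in always_blocked:
        return "deny"            # blocked in both directions, whatever the group
    if flow.direction == "out":
        return "allow"           # traffic leaves the computer without restriction
    if flow.reply:
        return "allow"           # responses to the user's own requests are allowed back in
    src_campus = campus_of(flow.remote_ip)
    if src_campus is not None:
        # +UI trusts all three campuses; without it only the host's own campus
        # is unrestricted (inferred for the plain Fully Closed group).
        if group == "fully_closed_ra_ui" or src_campus == host_campus:
            return "allow"
    # Anything else (Internet, or another campus without +UI) only reaches the
    # RA ports, and only when the group carries the +RA modifier.
    if group in ("fully_closed_ra", "fully_closed_ra_ui") and flow.port in RA_PORTS:
        return "allow"
    return "deny"


def compare_groups(flow: Flow, host_campus: str = "urbana") -> dict:
    """Side-by-side verdict of all three groups for one flow."""
    return {g: decide(g, flow, host_campus) for g in GROUPS}


if __name__ == "__main__":
    # Constructed sample flows against a host on the (stand-in) Urbana range.
    samples = [
        Flow("in", "192.0.2.9", 22),              # same campus, SSH
        Flow("in", "203.0.113.7", 22),            # other campus, SSH
        Flow("in", "198.18.0.1", 3283),           # Internet, RA port
        Flow("in", "198.18.0.1", 22),             # Internet, SSH
        Flow("in", "198.18.0.1", 443, reply=True),  # reply to a request the host made
        Flow("out", "198.18.0.1", 25),            # outbound
    ]
    for f in samples:
        print(f, compare_groups(f))
```

Reading the comparison output is the quickest way to see the page's point: the only flow whose verdict differs between +RA and +RA+UI is inbound traffic from another campus, and the only flows where +RA differs from plain Fully Closed are inbound 3283 and 5988 from outside.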
Advantages
- Computers in this group are at very low risk from attacks from outside the university.
- Traffic to other University locations is unaffected, so a department that wants to offer services only to other University affiliates can do so easily.
- Power users and administrators can access the computer from outside the firewall for administration purposes.
Disadvantages
- Computers in this group are still vulnerable to other machines at any of the University campuses, so a department must still be concerned with security patches on these machines.