Firewall

Target Audience: Massey University staff

A firewall is a security measure designed to block unauthorised access to a computer network. All messages entering or leaving a network pass through the firewall. The firewall examines each message to ensure nothing private goes out and nothing malicious comes in.

Firewall bypass / relay

  • Submit a Firewall Bypass/Proxy/Relay Application
  • Once submitted, the approval email will need to be forwarded to the Service Desk by the authorisor.

After approval, the appropriate configuration changes will be made to the relay, proxy or firewall. This process ensures that:

  • All appropriate information has been captured so that the relay or proxy can be configured correctly, or so that it is clear the requested bypass cannot be implemented using a relay or proxy
  • The user is aware of, and has accepted, the risks, liabilities and conditions associated with exposure to the Internet.

Application form

Note: Once submitted, the approval email will need to be forwarded to the Service Desk by the authorisor.

Service relays and proxies

Web Servers


Internal hosts are usually exposed so that web pages can be served to the Internet. Direct exposure is neither necessary nor desirable.

If the Web Server can be identified by a network alias, and that alias is used solely for accessing web pages (that is, it is not intended to provide access to any other services), ITS can provide access using a URL or HTTP Reverse Proxy. If the alias is also used to provide access to other services, HTTP access must be provided through a firewall bypass filter.

ITS strongly recommends that appropriate aliases be used for each service. The means by which those services are delivered can be independent; for example: www-chemistry and ftp-chemistry rather than simply 'chemistry'.

The URL / HTTP reverse proxy

All incoming requests for pages can be served by a single proxy server, with a secondary backup server brought into service in the event of a failure. The proxy remaps each request to the appropriate internal server and/or directory.

The mapping functions available will allow an internal server to support multiple web sites in different directories yet present them to the Internet as though each was in fact hosted on its own server.

Examples of possible mappings:

A URL to an Internal Server
    http://chemistry.massey.ac.nz/  ----->  http://it001046.massey.ac.nz

A URL to an Internal Server Directory or Folder
    http://chemistry.massey.ac.nz/  ----->  http://it001046.massey.ac.nz/chemistry

A URL which includes a directory to an Internal Server
    http://chemistry.massey.ac.nz/courses/  ----->  http://it001047.massey.ac.nz

A URL which includes a directory to an Internal Server Directory
    http://www.massey.ac.nz/Chemistry/  ----->  http://it001047.massey.ac.nz/Admin

Ensure that all URLs embedded in the various documents are relative rather than absolute. If they must be absolute, refer to the 'Virtual Server', not to the real one. The Proxy will rewrite inappropriate URLs where it can, but it cannot do so in every case.
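The following is an added example, not Massey ITS code, that models the two jobs of the reverse proxy described above: resolving an external (virtual server) URL to the internal server and directory using the mapping styles from the table, and rewriting absolute URLs in a response that name an internal server so they name the virtual server instead. Host names are those used on this page; the rule table and the sample HTML are constructed for the example, and the mapping is longest-prefix-first, which is an assumption about how the real proxy orders its rules.

```python
# Added example (not Massey ITS code): a model of the URL / HTTP reverse-proxy
# mapping described above. Host names come from the page; the rule table and
# sample bodies are constructed for the example.
import posixpath
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Rule:
    external_host: str      # the 'virtual server' name the Internet sees
    external_prefix: str    # path prefix on that host, starts and ends with "/"
    internal_host: str      # real internal web server
    internal_prefix: str    # "" for the server root, or "/dir" (no trailing slash)


# One rule per mapping style on the page (the two variants for
# chemistry.massey.ac.nz/ are alternatives, so only the server-root one is used).
RULES = [
    Rule("chemistry.massey.ac.nz", "/", "it001046.massey.ac.nz", ""),
    Rule("chemistry.massey.ac.nz", "/courses/", "it001047.massey.ac.nz", ""),
    Rule("www.massey.ac.nz", "/Chemistry/", "it001047.massey.ac.nz", "/Admin"),
]


def _normalise(path):
    """Collapse '.' and '..' segments before prefix matching, so a request
    such as /courses/../x is routed by where it really points, not by the
    literal prefix it starts with. A trailing slash is preserved because
    the rule prefixes end with one."""
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def resolve(external_url, rules=RULES):
    """Map an external URL to the internal URL the proxy would fetch.
    The longest matching external prefix wins, so /courses/ on
    chemistry.massey.ac.nz goes to it001047 and everything else to it001046.
    Returns None when no rule matches (the proxy should refuse, not guess)."""
    parts = urlsplit(external_url)
    host = (parts.hostname or "").lower()
    path = _normalise(parts.path or "/")
    best = None
    for r in rules:
        if r.external_host == host and path.startswith(r.external_prefix):
            if best is None or len(r.external_prefix) > len(best.external_prefix):
                best = r
    if best is None:
        return None
    remainder = path[len(best.external_prefix):]
    return urlunsplit(("http", best.internal_host,
                       best.internal_prefix + "/" + remainder, parts.query, ""))


_ABS_URL = re.compile(r"http://[A-Za-z0-9.-]+(?:/[^\s\"'<>]*)?")


def rewrite_body(body, rules=RULES):
    """Rewrite absolute URLs in a response body that name an internal server
    so they name the virtual server instead. Only URLs under a mapped internal
    prefix can be rewritten; anything else is left alone, which is why the
    page asks for relative URLs in the first place."""
    def repl(m):
        url = m.group(0)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path or "/"
        best, best_len = None, -1
        for r in rules:
            iprefix = r.internal_prefix + "/"
            if r.internal_host == host and path.startswith(iprefix) and len(iprefix) > best_len:
                best, best_len = r, len(iprefix)
        if best is None:
            return url
        remainder = path[best_len:]
        return urlunsplit(("http", best.external_host,
                           best.external_prefix + remainder, parts.query, parts.fragment))
    return _ABS_URL.sub(repl, body)


if __name__ == "__main__":
    print(resolve("http://chemistry.massey.ac.nz/courses/chem101.html"))
    print(rewrite_body('<a href="http://it001047.massey.ac.nz/Admin/staff.html">'))
```

The normalisation step is the part worth copying: a proxy that matches prefixes on the raw request path can be steered to the wrong internal server by a path containing `..`, so collapse the path first and route on the result. The rewrite shows the limit the page warns about: an absolute URL pointing at an internal host that has no mapping is left untouched and will be a dead link from the Internet.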

Notes
  • The content of any internal web server that is accessible from the internet must conform to the Requirements for websites

  • Statistics generated by the HTTP server may not be useful.

File Transfer Servers


All incoming FTP requests must be directed to the FTP Proxy ( gatekeeper.massey.ac.nz ). If an internal server has been authorised, the FTP Proxy can establish a connection on behalf of the external client.
The appropriate internal server is identified by using a modified user id, for example who@a-server.massey.ac.nz

Example 1: Command Line Client

ftp gatekeeper.massey.ac.nz

Connected to its-relay1.massey.ac.nz.

220-+-------------------------------------------------------------------------+
220-| |
220-| Massey University FTP Proxy |
220-| |
220-| All connections to FTP servers at Massey University are intercepted |
220-| by our FTP Proxy. |
220-| |
220-| To connect to an internal server, it must be identified in the username |
220-| i.e. anonymous@server-name or a-user@server-name |
220-| If a connection can not be established, you will need to contact the |
220-| administrator of that server as all internal servers must be authorised |
220-| |
220-+-------------------------------------------------------------------------+
220 Name (its-relay1.massey.ac.nz:you): username@a-server
331-(----GATEWAY CONNECTED TO a-server.massey.ac.nz----)
331-(220 a-server.massey.ac.nz FTP server ready.)
331 Password required for username.
Password: #####
230 User username logged in.
ftp>

If a command based FTP client is not being used, it must still connect to the FTP Proxy first. Ensure that "username@internal-server" is used in the appropriate dialogue box where a User is required and specify the correct password for 'username'.

Once connected, all of the normal FTP commands should work exactly the same as if you had made the connection directly to the server.

Terminal Server


All incoming TELNET requests must be directed at the TELNET Proxy ( gatekeeper.massey.ac.nz ).
If an internal server has been authorised, the TELNET Proxy can establish a connection on behalf of the external client.

Example 1: Telnet Session

telnet gatekeeper.massey.ac.nz

Trying 203.167.237.199...
Connected to its-relay2.massey.ac.nz.
Escape character is '^]'.
+-------------------------------------------------------------------------+
| |
| Massey University TELNET Proxy |
| |
| All connections to TELNET servers at Massey University are intercepted |
| by our TELNET Proxy. |
| |
| To connect to an internal server, a connection must be opened from the |
| proxy. |
| i.e. c server-name |
| |
| If a connection can not be established, you will need to contact the |
| administrator of that server as all internal servers must be authorised |
| |
+-------------------------------------------------------------------------+

MU Telnet Proxy>c a-server
Trying 130.123.123.123 port 23...
Connected to a-server.

Digital UNIX (a-server) (ttyqf)

login: username
password: xxxxxx
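Both the FTP Proxy and the TELNET Proxy sections above describe the same gate: the proxy will only connect on a client's behalf to an internal server that has been authorised. The following added example, not Massey ITS code, models that decision for both services: the FTP login name carries the target as user@server, the telnet prompt takes c server-name, and an unqualified name is completed with the university domain as the FTP banner shows. The authorised-server list, the domain-completion rule and the decision function are constructed for the example; the real proxies' internals are not documented on this page.

```python
# Added example (not Massey ITS code): the authorisation step the FTP and
# TELNET proxies on gatekeeper.massey.ac.nz perform before connecting on a
# client's behalf. An FTP client names the target in its user name
# ("user@server"); a TELNET client types "c server" at the proxy prompt.
# The authorised-server list is constructed for the example; in practice it
# is whatever the firewall bypass process has approved.
import re

DEFAULT_DOMAIN = "massey.ac.nz"
# Constructed allowlist of internal servers that have been authorised.
AUTHORISED = {"a-server.massey.ac.nz", "its-unix1.massey.ac.nz"}

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def qualify(host):
    """Normalise a server name: lower-case, drop a trailing dot, reject anything
    that is not a plain host name, and append the default domain to an
    unqualified name (the banner shows 'a-server' becoming a-server.massey.ac.nz)."""
    host = host.strip().lower().rstrip(".")
    if not _HOSTNAME.match(host):
        raise ValueError(f"invalid server name {host!r}")
    if "." not in host:
        host = f"{host}.{DEFAULT_DOMAIN}"
    return host


def parse_ftp_user(login):
    """Split the FTP login 'user@server' into (user, fqdn). The last '@' is
    the separator, so user names that themselves contain '@' still work.
    A login with no '@' names no internal server and is rejected."""
    user, sep, host = login.rpartition("@")
    if not sep or not user or not host:
        raise ValueError("FTP user name must be of the form user@server")
    return user, qualify(host)


def parse_telnet_command(line):
    """Parse the 'c server-name' command typed at the MU Telnet Proxy> prompt."""
    m = re.fullmatch(r"\s*c\s+(\S+)\s*", line)
    if m is None:
        raise ValueError("expected: c server-name")
    return qualify(m.group(1))


def decide(kind, text, authorised=AUTHORISED):
    """Decide whether the proxy may connect. kind is 'ftp' (text is the login
    name) or 'telnet' (text is the command line). Returns (allowed, detail);
    detail is the resolved target, or the reason for refusal. Targets outside
    the university domain are refused outright: the inbound proxies only
    front authorised internal servers."""
    try:
        if kind == "ftp":
            user, target = parse_ftp_user(text)
        elif kind == "telnet":
            user, target = None, parse_telnet_command(text)
        else:
            return False, f"unknown proxy kind {kind!r}"
    except ValueError as exc:
        return False, str(exc)
    if not target.endswith("." + DEFAULT_DOMAIN):
        return False, f"{target} is not an internal server"
    if target not in authorised:
        return False, f"{target} is not authorised; contact its administrator"
    return True, target if user is None else f"{user}@{target}"


if __name__ == "__main__":
    for kind, text in [("ftp", "username@a-server"), ("telnet", "c a-server"),
                       ("ftp", "username"), ("telnet", "c remote.site.com")]:
        print(kind, repr(text), "->", decide(kind, text))
```

The point of validating the host name before looking it up is that the target string comes straight from an unauthenticated Internet client; treating it as an opaque key into an allowlist, rather than passing it to a resolver or a shell, is what keeps the proxy from being used to reach anything the bypass process did not approve.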

X11 Proxy


The default policy allows connections from within the Massey Network to anywhere on the Internet; however, some protocols work in the opposite direction. An example is X11.
The X11 server runs on the local equipment and the X11 client is the application on the remote server. When a remote application is started, it attempts to initiate a connection back through the firewall. Without the use of a proxy these connections would be blocked.


Using the X11 proxy from within the firewall

To run an X11 application on a remote server, you must initiate the application by first connecting through the firewall. You then tell the firewall you wish it to establish an X11 proxy for you.

Example 1: Initiating an X11 Application

xhost +its-relay1
xhost +its-relay2
telnet gatekeeper
Trying 203.167.237.198...
Connected to its-relay1
Escape character is '^]'.
Massey University Telnet Proxy Service
MU Telnet Proxy> x
MU X11 Proxy> display is its-relay1.massey.ac.nz:10
MU X11 Proxy> c remote.site.com
Trying 123.123.123.123 port 23...
Connected to remote.site.com
Escape character is '^]'.
Welcome to a REMOTE SITE
login: username
password: #####
...
...
setenv DISPLAY its-relay1.massey.ac.nz:10
xclock &
... ...


Using the X11 proxy from outside the firewall

To connect to a Massey server, the server must first have been authorised. Assuming that this has been done, connect to the relay itself first. You then tell the telnet proxy which Massey server to connect to and it will do so on your behalf.

Example 2: External X11

telnet gatekeeper.massey.ac.nz
Trying 203.167.267.199...
Connected to its-relay2.massey.ac.nz
Escape character is '^]'.
Massey University Telnet Proxy Service
MU Telnet Proxy> its-unix1.massey.ac.nz
Trying 130.123.128.3 port 23...
Connected to its-unix1.massey.ac.nz.
Escape character is '^]'.
Digital UNIX (its-unix1) (ttypf)
login: username
password: #####
...
...
setenv DISPLAY your.server:0.0
xclock &
...
...

Contact the ITS Service Desk

Phone 06-356-9099 ext. 82111 (preferred method)

7:45am - 5pm, Monday to Friday
(excluding Public and University holidays)

Out-of-hours Support


AskIT Self-Service to log a request online (staff)

Email Service.Desk@massey.ac.nz
