...
- https://transproxy.cit.cornell.edu:9443/Proxied/
- Service is managed by IT Security Office (ITSO).
- This service is running on really old hardware, and Oliver understands that it also has some scaling limitations so adding new allowed services
- Question: What is the proxy service being used by RedRover/ eduroam, if different? And if different, what services are proxied?
- Answer: 2/16/16, per Michael's email conversation with GlennFFL: Yes, "proxy" service used by RedRover/ eduroam is different:
- Traffic from EduRoam, RedRover, dorm networks, Access Nets, and a few other places is sent through a different Fortinet firewall infrastructure, and run through a NAT where it goes off-campus.
Since *all* off-campus traffic is handled this way, there's no need for proxying, let alone the selective proxying provided by Transproxy.
CIT Infrastructure provides this service - if you have issues or questions about the service, the IT Service Desk (itsd@, x5-5500) is probably the place to start.
- Question: Couldn't one just use the new proxy-capable devices currently being used by RedRover/ eduroam, etc., and get rid of the old Transproxy hardware?
- Answer: 2/23/16, per Oliver's brief phone conversation with LaurieC: Yes, services are redundant at a technical level. ITSO to consider migrating service to new Fortinet hardware, to our edge. Nothing scheduled yet, since migrating from ACLs to Managed Firewall is currently a key project they are focusing on, understandably. Long-term, such a change will put the Transproxy on a robust, scalable service platform. (ed. And 10-space can then continue to be relied on as a safe place to put vulnerable computers that need updates or file share access, but don't need full internet access.)
Used primarily for two reasons:
...
- Simpler and more bomb-proof network protection than a firewall.
- 10.Space systems are blocked from accessing general internet / web sites. This minimizes risks of malware or data breaches from these systems.
- Computers still get:
  - Network access to group file shares.
  - Active Directory and other campus computing management access.
  - Patching and updates: OS, apps, anti-virus.
  - Network-based anti-virus reporting.
  - Printing from RedRover/ eduroam, which is not normally allowed in, is enabled by opening port 9100.
- No VPN required.
- Small Routers on 10 space used to isolate clusters and systems with obsolete OS from other network devices, while allowing network access.
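To make the selective-access model above concrete, here is an added example (not the Transproxy or Fortinet configuration, and not from the original notes) that evaluates a flow against the 10-space policy as the list describes it: default-deny from 10-space to anything not on the allowed-service list, and inbound only for printing on port 9100 from the wireless networks. The service addresses and the RedRover/eduroam range are constructed placeholders from the RFC 5737 documentation networks; only 10.0.0.0/8 is the real "10-space".

```python
"""Policy check for 10-space hosts as described in the notes.

Hypothetical model of the selective access the notes describe; it is not the
actual Transproxy/Fortinet configuration. Service addresses and the wireless
client range below are constructed placeholders (RFC 5737 documentation nets).
"""
import ipaddress
from typing import NamedTuple

TEN_SPACE = ipaddress.ip_network("10.0.0.0/8")  # the real "10-space"

# Constructed placeholders for the campus services 10-space hosts may still reach.
ALLOWED_OUT = {
    ("192.0.2.10", 445): "group file share (SMB)",
    ("192.0.2.20", 389): "Active Directory (LDAP)",
    ("192.0.2.20", 88): "Active Directory (Kerberos)",
    ("192.0.2.30", 443): "patching and updates",
    ("192.0.2.40", 443): "network-based anti-virus reporting",
}
# Constructed placeholder for the RedRover/eduroam client range.
WIRELESS = ipaddress.ip_network("198.51.100.0/24")
PRINTER_PORT = 9100  # opened so wireless clients can print to 10-space printers


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def decide(flow: Flow) -> tuple[bool, str]:
    """Return (permitted, reason) for one flow under the 10-space policy."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in TEN_SPACE:
        # Outbound from 10-space: only the enumerated campus services,
        # so general internet / web access is denied by default.
        reason = ALLOWED_OUT.get((flow.dst, flow.dport))
        if reason:
            return True, reason
        return False, "10-space hosts are blocked from general internet"
    if dst in TEN_SPACE:
        # Inbound to 10-space: only printing from the wireless networks on 9100.
        if src in WIRELESS and flow.dport == PRINTER_PORT:
            return True, "printing from RedRover/eduroam (port 9100)"
        return False, "inbound to 10-space is not normally allowed"
    return True, "not a 10-space flow; outside this policy"
```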
On occasion the device may need a public IP temporarily. Such a change requires modifying the DNSDB record.
...
- All (100%) of Chemistry and Physics networked printers: 129
  - 87 of those are on Research networks.
- Many, many computers hooked up to instrument systems and most servers: 74
  - 49 of those are on Research networks.
- 10 Space routers, allowing access for multiple systems
For context, other numbers:
...
Affords twice as many IPs on a network as would be available if the 10-space numbers were converted to public IP addresses (and presumably similarly blocked at the network layer via firewall or ACL).
- Many of our computers are outdated, and will never be able to utilize IPv6.
Caution: Ensure CU's proxy server is configured with the necessary off-campus access.
...