Default Deny Campus Firewall

Enhanced Internet Firewall Posture

Effective July 9, 2021

To better protect systems and data that reside on the University of Regina campus network, Information Services has enhanced its approach to external firewall protection. Work began on this initiative in 2019, with completion occurring in mid-2021. University of Regina network-connected devices will now be subject to a strengthened border firewall posture known as “default-deny.” This best practice approach to securing enterprise environments means that only approved network services, such as applications or websites, will be exposed to the internet. This approach better protects endpoints from threats originating on the internet.

Users who require hosting of publicly exposed services, such as websites, can request a firewall rule exception through a new form in UR Source located at https://ursource.uregina.ca/is/forms/openport.html (login required). This process is only required for new firewall rules. Existing service owners have been contacted, and ports which are required to remain externally exposed have been permitted.

This approach is supported by the introduction of a Network Firewall Standard. This document provides specific expectations around external network posture. The Network Firewall Standard can also be accessed via the Security Policies and Standards Index.

Frequently Asked Questions (FAQs):

What does default-deny mean?

Default-deny means that network traffic which is not specifically allowed will be denied. At the firewall level, it involves defining the permissible ports and protocols and turning everything else off.

This change impacts the internet (border, edge, or perimeter) firewall, which stands between the University of Regina's internal network and the public internet. Firewalls protecting the campus network control incoming network traffic. Firewalls use security rules to determine which traffic is allowed.

Why is this change being made?

Secure network services are essential for the University's operational goals. Firewalls are the first line of defense against cyber-attacks and are a critical component of information security. Also, firewalls provide a point where security controls can be implemented across the campus computing environment.

Default-deny firewall rules will limit internet traffic into the campus network to traffic which an internal system has requested. Unsolicited traffic of an external origin will not be permitted to cross the network perimeter to reach internal systems. This approach helps protect internal systems from vulnerability exploits, denial of service attacks, and password guessing attacks. 

The outcomes of this change include:

  • Reduces malicious, anomalous or unusual traffic, lowering information security risk as well as network and hardware utilization.
  • Aligns with many information security standards, which recommend border perimeter controls as a means to reduce the attack surface of internal systems.
  • Improves the ability to audit firewall rules and validate internet exposure of internal networks.
  • Provides clarity on how a service owner can submit a request for a network port to be exposed on the internet.

This initiative aligns with several prior changes that provide remote access to services and applications which, by default, are available only on campus.

I run a service on campus that is accessible externally. Will my service be impacted?

Owners of existing services have been contacted, and exceptions have been established to permit the service to remain accessible. Existing services should not be impacted. 

How do I access my systems from off campus?

Remote access to on-campus systems will typically require a VPN connection. Resources to assist with VPN connectivity are available at:

Will this impact my ability to reach external services from my endpoint located on campus?

No, devices on the campus network will still be connected to the internet and able to access external services as usual. For example, web browsing will not be affected. Most users will not notice any change. This is thanks to the implementation of ‘stateful firewalling,’ which allows known active connections originating from a device connected to the campus network to pass the firewall.

What protocols are impacted by this change?   

This change in firewall posture impacts both TCP (Transmission Control Protocol) and UDP (User Datagram Protocol).

Will services hosted in the data centre be impacted?

No, services located in the network zones corresponding to data centres are not impacted.

This change impacts only subnets which provide connectivity to endpoints such as desktops and wireless.
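The FAQ answers above on default-deny, stateful firewalling, TCP/UDP scope and the data centre exemption describe one decision procedure. The following is an added, simplified model of that procedure (example code written for this page, not Information Services' firewall configuration); the address ranges, the approved exposure and the sample traffic are all constructed.

```python
from dataclasses import dataclass

# Constructed address ranges and exception list; the real campus numbering
# and the approved rules are not part of the page.
ENDPOINT_NETS = ("10.10.",)          # desktop and wireless subnets (in scope)
DATA_CENTRE_NETS = ("10.20.",)       # data-centre zones (out of scope)
APPROVED_EXPOSURES = {("10.10.5.20", "tcp", 443)}  # one approved web server

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"; both are covered by the change
    src: str
    sport: int
    dst: str
    dport: int

class BorderFirewall:
    """Stateful default-deny: inbound traffic must answer a campus-initiated
    connection or match an approved exception, otherwise it is denied."""
    def __init__(self, exposures):
        self.exposures = set(exposures)
        self.connections = set()    # 5-tuples of flows opened from inside

    def filter(self, p: Packet) -> str:
        if p.src.startswith(ENDPOINT_NETS + DATA_CENTRE_NETS):
            # Outbound: record the flow so its reply is recognised later.
            self.connections.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow"
        if not p.dst.startswith(ENDPOINT_NETS):
            return "out of scope"   # data-centre zones keep their own policy
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.connections:
            return "allow established"   # reply to a campus-initiated flow
        if (p.dst, p.proto, p.dport) in self.exposures:
            return "allow exception"     # rule approved via the UR Source form
        return "deny"                    # everything else, TCP or UDP alike

def demo() -> list:
    fw = BorderFirewall(APPROVED_EXPOSURES)
    web, scanner = "93.184.216.34", "203.0.113.9"   # constructed externals
    traffic = [
        Packet("tcp", "10.10.7.44", 51000, web, 443),        # user browses out
        Packet("tcp", web, 443, "10.10.7.44", 51000),        # web server replies
        Packet("udp", "10.10.7.44", 40000, "8.8.8.8", 53),   # DNS query out
        Packet("udp", "8.8.8.8", 53, "10.10.7.44", 40000),   # DNS answer back
        Packet("tcp", scanner, 6000, "10.10.7.44", 22),      # unsolicited TCP
        Packet("udp", scanner, 6001, "10.10.7.44", 161),     # unsolicited UDP
        Packet("tcp", scanner, 6002, "10.10.5.20", 443),     # approved website
        Packet("tcp", scanner, 6003, "10.20.1.5", 443),      # data-centre host
    ]
    return [fw.filter(p) for p in traffic]
```

Running `demo()` shows why users browsing from campus notice nothing while unsolicited inbound connections to endpoint subnets are dropped.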

I have questions. Who do I contact?

Please feel free to contact Information Services via the Information Technology Support Centre:

  • Email: IT.Support@uregina.ca
  • Phone: 306-585-4685
  • Toll-free in Canada: 1-844-585-4685