Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
cdr:university_security [2017/03/23 07:48] jamesdro Dual-Homed machines |
cdr:university_security [2019/10/26 20:37] (current) sjames5 Fix section ordering |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| ===== Traffic Rules ===== | ===== Traffic Rules ===== | ||
| - | [Firewall Rules](firewall) | + | Our [firewall rules page](firewall) has detailed information regarding specific rules, as well as the "idea" behind them. A high level overview is that we block all publicly announced UB IP Ranges (announced by AS3685), and whitelist only specific subnets / IPs that are required to operate. As we route all our internal traffic going out to the internet through our firewall, we can ensure there is no traffic leakage. |
| ===== Dual-Homed Machines ===== | ===== Dual-Homed Machines ===== | ||
| - | `ubnetdef.org` webserver; Jump boxes. | + | We aim to have a very limited amount of dual-homed machines, which are machines that have interfaces for both the [CSE Uplink](/cdr/networks/management) and [Red Team Network](/cdr/networks/blue_red). We have divided our dual-homed machines into two separate categories. |
| + | |||
| + | ==== Web Server ==== | ||
| + | Our public webserver (the server that hosts ubnetdef.org, and all subdomains) is a dual-homed machine. The main reason this machine is dual-homed is so that it can proxy some requests to some of our internal machines. These proxy requests are a one-way connection. | ||
| + | |||
| + | To ensure the security of this server, we have placed additional firewall rules on this machine. More details on this machine can be found on [this page](/cdr/vms/web-server). | ||
| ==== Jump Boxes ==== | ==== Jump Boxes ==== | ||
| - | [cdr-analyst](/cdr/servers/cdr-analyst) | + | We also operate a Windows Server 2012 RDP Jump Box. This server is behind the CSE Production firewall, limiting access from non-UB IP ranges. |
| + | |||
| + | More details on this machine can be found on [this page](/cdr/vms/cdr-analyst). | ||
| + | |||
| + | ==== MGS 650 bastion ==== | ||
| + | `cdr-netscan` is a Debian VM used by MGS 650. These students are not given access to vCenter, so they connect to this machine via SSH. This machine is connected to the [Cloud network](/cdr/networks/cloud). | ||
| ===== User Accounts ===== | ===== User Accounts ===== | ||
| - | Not many. | + | We currently have vCenter joined to UB's Active Directory, reducing the needs for additional accounts for the majority of UBNetDef. |
| + | |||
| + | To handle our internal infrastructure management (storage servers, routers, monitoring), we have an additional centralized authentication server. This machine is only accessible while on our internal networks. | ||