CIT Network Firewall Service
(formerly, the Edge ACL Service)
Network administrators can request Access Control Lists (ACLs) for their subnets. These ACLs allow functionality similar to that of firewalls. They are capable of restricting traffic flowing to individual subnets based on individual IP addresses or IP address ranges; TCP or UDP ports; or ICMP message type.
The Cornell IT Security Office will work with local support providers to create Edge ACLs designed to enable legitimate network traffic while limiting traffic that may be malicious or unnecessary for the business activities of the users on that subnet.
To obtain more information regarding the CIT Firewall Service, contact the Cornell IT Security Office at security-services@cornell.edu.
Frequently Asked Questions
- What are some examples of what you can do with Edge ACLs?
- Can I exclude certain IP addresses or networks from these blocks?
- Where are the Edge ACLs configured?
- How are ACLs configured in the routers?
- How many departments are using Edge ACLs?
- How do I make requests for new Edge ACLs or make changes to existing Edge ACLs?
- What information do I need about my subnet to make implementing Edge ACLs successful?
- Where can I look up the Edge ACLs currently in effect for my area?
- How long will it take for changes to be made after I request them or if I have made a mistake?
- Can a block be removed if there is an emergency?
- How much does this service cost my department?
- How does this service differ from implementing a firewall on my network?
What are some examples of what you can do with Edge ACLs?
- Block specific IP addresses, ports, and protocols to protect specific systems or applications from unintended remote access.
  - Benefits: Reduces the exposure of specific systems and applications to hosts outside the Cornell network or outside your subnet.
  - Caveats: Requires a complete understanding of what systems, protocols, and applications run on your subnet and who needs access to them.
- Block all Windows Networking (NetBIOS) from the Internet (non-Cornell network) or from everywhere.
  - Benefits: Blocks TCP and UDP ports 135, 137, 138, 139, and 445. Reduces the number of scans of your networks by viruses and hackers.
  - Caveats: Your users will be unable to access any Windows shares from outside campus (or from outside your subnet, if you block Windows Networking from everywhere). This will also stop users from logging into your domain from off-campus; we would need to explicitly allow traffic to your domain servers to permit access to the domain.
- Block all inbound TCP connections not established by systems on your subnet.
  - Benefits: Blocks almost all scans from viruses and hackers and makes it very difficult for hackers to target your subnet. Also makes peer-to-peer file sharing harder for your users to do.
  - Caveats: If you run any servers, you will need to explicitly allow traffic to reach those servers.
- Restrict access between specific on-campus subnets.
  - Benefits: Keeps unintended traffic off your subnets.
  - Caveats: Depending on the number of networks involved, this may not be administratively doable. For example, since ResNet has over 100 subnets that change each year, we cannot "block ResNet" from your subnets. Instead, we could restrict access from all of Cornell's networks except those you control, since that is much easier to maintain.
Can I exclude certain IP addresses or networks from these blocks?
Yes. Since we can control access based on source and destination IP address, we can configure the Edge ACLs to permit traffic to or from certain IP addresses that would otherwise be blocked by another ACL rule.
Where are the Edge ACLs configured?
Edge ACLs are configured in the edge routers of the Cornell network. These routers are Cisco 6500 series routers running IOS.
How are ACLs configured in the routers?
See the Cisco ACL Example, which shows how Cisco ACLs are built on the command line.
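The following is an added example written for this FAQ; it is not Cornell's ACL tooling, not the Cisco ACL Example referenced above, and not a Cisco product. It implements a small, hypothetical subset of Cisco IOS extended-ACL syntax (permit/deny, tcp/udp/ip, any/host/wildcard addresses, eq/range ports, established) so that the patterns listed under "What are some examples" can be tried against sample packets: the exclusion entry for a domain controller placed ahead of the NetBIOS blocks, the explicit permit for a server, the "established" entry for return traffic, and the implicit deny at the end. All addresses and the ruleset are constructed for illustration.

```python
# Added example (not Cornell's or Cisco's code): evaluator for a small subset
# of Cisco IOS extended-ACL syntax, used to show first-match semantics, the
# implicit deny, and what the stateless "established" keyword actually checks.
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # True when TCP ACK or RST is set (reply traffic)


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard masks are inverted netmasks: 0.0.0.255 means /24
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def _parse_ports(tokens):
    """Consume an optional 'eq N' or 'range A B'; return ((lo, hi) or None, rest)."""
    if tokens and tokens[0] == "eq":
        port = int(tokens[1])
        return (port, port), tokens[2:]
    if tokens and tokens[0] == "range":
        return (int(tokens[1]), int(tokens[2])), tokens[3:]
    return None, tokens


def parse_ace(line):
    """Parse one access-control entry; 'remark' lines return None."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    sports, rest = _parse_ports(rest)
    dst, rest = _parse_addr(rest)
    dports, rest = _parse_ports(rest)
    return {"action": action, "proto": proto, "src": src, "sports": sports,
            "dst": dst, "dports": dports, "established": rest == ["established"]}


def ace_matches(ace, pkt):
    def port_ok(port, rng):
        return rng is None or rng[0] <= port <= rng[1]
    if ace["proto"] != "ip" and ace["proto"] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if not port_ok(pkt.sport, ace["sports"]) or not port_ok(pkt.dport, ace["dports"]):
        return False
    # "established" keeps no connection table: it only checks this segment's ACK/RST flags
    if ace["established"] and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return True


def evaluate(acl, pkt):
    """First matching entry wins; an unmatched packet falls to the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace is not None and ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"


# Constructed ruleset, applied inbound on the subnet's router interface.
# 10.1.0.0/24 is the protected subnet, 10.1.0.10 a domain controller,
# 10.1.0.80 a web server, and 10.0.0.0/8 stands in for the campus address space.
EDGE_ACL = [
    "remark exclusion: campus hosts may still reach the domain controller over SMB",
    "permit tcp 10.0.0.0 0.255.255.255 host 10.1.0.10 eq 445",
    "remark block Windows Networking (NetBIOS/SMB) from everywhere",
    "deny tcp any any eq 135",
    "deny tcp any any range 137 139",
    "deny tcp any any eq 445",
    "deny udp any any eq 135",
    "deny udp any any range 137 139",
    "deny udp any any eq 445",
    "remark servers that must stay reachable are permitted explicitly",
    "permit tcp any host 10.1.0.80 eq 80",
    "remark replies to connections opened from inside the subnet",
    "permit tcp any 10.1.0.0 0.0.0.255 established",
    "remark UDP has no flags to key on, so DNS answers need their own entry",
    "permit udp any eq 53 10.1.0.0 0.0.0.255",
]


if __name__ == "__main__":
    for pkt in [Packet("tcp", "10.5.5.5", "10.1.0.10", 50000, 445),      # campus -> DC
                Packet("tcp", "198.51.100.7", "10.1.0.10", 50000, 445),  # internet -> DC
                Packet("tcp", "198.51.100.7", "10.1.0.20", 50000, 22),   # new inbound SSH
                Packet("tcp", "198.51.100.7", "10.1.0.20", 443, 50000, ack=True)]:
        print(pkt, "->", evaluate(EDGE_ACL, pkt))
```

Two things the run makes visible. First, ordering is the whole mechanism: the exclusion for the domain controller only works because it precedes the port-445 deny, and it is scoped to campus sources, so the same SMB packet from an Internet address still hits the deny. Second, the "established" entry permits any TCP segment with ACK or RST set, even to a port no other entry allows; it never consults a connection table. That is the stateless limitation the last FAQ answer refers to when it says a firewall's state tracking cannot be reproduced by Edge ACLs.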
How many departments are using Edge ACLs?
As of November 2006, over 100 departments are using Edge ACLs. Out of the 700 VLANs on campus, over 350 have Edge ACLs applied to them.
How do I make requests for new Edge ACLs or make changes to existing Edge ACLs?
In either case, send e-mail to security-services@cornell.edu with your request. Whenever a new set of Edge ACLs is to be created, the process begins with a personal consultation with the IT Security Office.
What information do I need about my subnet to make implementing Edge ACLs successful?
You will need to know what information on which systems (by IP address) is being accessed by hosts outside your subnet. You will also need to know how that information is being accessed (e.g., via the web, FTP, ssh, etc.). The Security Office can work with you to find this information.
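The inventory the answer above asks for is usually assembled from flow records rather than from memory. The following added example (not Cornell's tooling; the flow format, addresses and ranges are constructed for illustration) takes simplified flow records, keeps only traffic entering the subnet from outside it, and groups it by destination host, protocol and port, noting whether the sources were on campus or on the Internet. That grouping is exactly the list of "who needs access to what" that a ruleset has to preserve, and it also suggests how narrow each permit entry can be.

```python
# Added example: build the per-host, per-port access inventory needed before
# writing Edge ACLs, from constructed flow records (src, dst, proto, dst_port).
import ipaddress
from collections import defaultdict

SUBNET = ipaddress.ip_network("10.1.0.0/24")   # constructed: the subnet being protected
CAMPUS = ipaddress.ip_network("10.0.0.0/8")    # constructed stand-in for the campus address space

# Constructed flow records, responder side only: src_ip,dst_ip,proto,dst_port
FLOWS = """\
198.51.100.7,10.1.0.80,tcp,80
203.0.113.9,10.1.0.80,tcp,80
10.5.5.5,10.1.0.10,tcp,445
10.5.5.6,10.1.0.10,tcp,389
10.1.0.20,10.1.0.10,tcp,445
198.51.100.7,10.1.0.20,tcp,22
10.1.0.20,198.51.100.7,tcp,443
""".splitlines()


def inventory(flows, subnet=SUBNET, campus=CAMPUS):
    """Group flows entering the subnet by (dst host, proto, port) and record
    which sources were on campus and which were on the Internet."""
    table = defaultdict(lambda: {"campus": set(), "internet": set()})
    for rec in flows:
        src, dst, proto, port = rec.strip().split(",")
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst_ip not in subnet or src_ip in subnet:
            continue  # intra-subnet and outbound flows are not the router's inbound concern
        origin = "campus" if src_ip in campus else "internet"
        table[(dst, proto, int(port))][origin].add(src)
    return dict(table)


def suggested_scope(table):
    """Narrowest source that keeps the observed access: 'campus' when no
    Internet source was ever seen, otherwise 'any'. Review each entry with the
    system owner before turning it into a permit rule."""
    return {key: ("any" if hits["internet"] else "campus") for key, hits in table.items()}


if __name__ == "__main__":
    inv = inventory(FLOWS)
    for key, scope in sorted(suggested_scope(inv).items()):
        host, proto, port = key
        print(f"{host} {proto}/{port}: permit from {scope} "
              f"(campus sources {len(inv[key]['campus'])}, internet sources {len(inv[key]['internet'])})")
```

In the constructed data the web server is reached from Internet addresses and so needs a permit from any source, while the domain controller's SMB and LDAP ports were only ever reached from campus, which is the basis for the scoped exclusion the NetBIOS caveat describes. A port seen from a single outside source, like the SSH flow here, is the kind of entry to confirm with the system's owner rather than permit automatically.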
Where can I look up the Edge ACLs currently in effect for my area?
The IT Security Office has created a web-based viewer that allows registered network administrators to view the current and previous Edge ACL rulesets running on their subnets.
How long will it take for changes to be made after I request them or if I have made a mistake?
It may take up to two business days for a change to be made. Because changes must be made manually, and because the Security Office is often involved in incident response, changes cannot be guaranteed to be made as soon as they are requested. Typically, though, change requests are fulfilled within a few hours of being received. Edge ACLs are not appropriate for responding to incidents in an ad hoc manner; incident response is best dealt with by the Network Operations Center (NOC) or by other mechanisms on your subnet.
Can a block be removed if there is an emergency?
Yes, an Edge ACL can be removed by the Network Operations Center (NOC) at any time, but this means removing all the rules assigned to a subnet. The NOC cannot make changes to or create new Edge ACLs. Any requests for changes or new ACLs will be passed on to the Security Office, which will fulfil them within two business days.
How much does this service cost my department?
There is no cost for this service.
How does this service differ from implementing a firewall on my network?
Much of the functionality one can get from a firewall can be obtained from Edge ACLs. Still, firewalls do offer some advanced functionality that Edge ACLs cannot reproduce, such as complex UDP state monitoring or application-level packet inspection. Depending on the requirements you have for your network, a firewall may be a better solution, but most networks' requirements can be satisfied by Edge ACLs.
Related Links
You might also want to review:
- Our white paper Edge Access Control Lists at Cornell University
- The presentation Building a Firewall Service on the Cheap, presented at the Boston University Security Boot Camp on March 12th, 2004.
