Network Access Controls
The university operates a firewall at the gateway between the university and the Internet, as well as firewalls within the university to segment its network and to protect its data centres. By default these firewalls block inbound connections.
The deny-by-default practice is not intended to make it difficult for departments to run their own servers or research networks. It is intended to protect systems that do not need to be accessible from outside the networks the firewalls protect from being scanned and attacked.
Register Your Server or Network With CCS
IT service providers at the university must register their servers or networks with CCS in order to make them accessible from the Internet. To do so, please complete the .
In order to complete the form, you’ll need the following information:
- IP addresses and ports that must be visible from outside the university.
- What services are running on each system.
- Owner of each system (department or other information).
  - Please include the email address, full name and position of the owner within the department.
- Technical contact for each system (must include email address and full name).
IT service providers must ensure that:
- each server is hardened against attack;
- server OS, middleware and applications are all patched regularly (not just occasionally);
- each server is constantly monitored for attacks and compromises, including compromised accounts. Detailed logging is required.
Blocking Malicious IP Addresses
Firewalls are also used to block all inbound and outbound traffic for IP addresses that have consistently exhibited extremely malicious behavior or that are involved in ongoing security incidents. These are normally blocked at the Internet gateway.
If you are an IT service provider at the university or have a system that is being persistently probed or attacked by a remote system, you can report the problem and work with CCS to block the attacking IP addresses. Please start by filling in the .
If you need to prevent an IP address from being blocked, please complete the .
Some IP addresses that are used in attacks, such as proxy servers and anonymization networks, may not be blocked at the university's gateway to the Internet but may be blocked from the university's data centres and some administrative networks.
If this causes a problem for a service you are responsible for, please use the appropriate form to report the problem.
Web Address Filtering
The gateway firewall also provides a dangerous URL warning service. If you are using the university's network and click on or enter a URL to a site suspected of hosting malware or having another security issue, a message will appear in your browser warning you of the danger.
When the warning appears you can still choose to continue to the site by clicking the continue button. CCS maintains logs that include the occurrence of this event, the URL in question, and your choice to proceed.
CCS does not examine personal information in logs except as part of a security or other type of investigation. In some cases the continue button will not be available when URLs are blocked due to a specific incident.
The firewall uses a regularly updated database of potential threat sites that is maintained by the firewall vendor’s security team. The vendor’s Security Analytics team scans the Internet looking for malicious websites.
Once a potential threat site is identified, the information is passed on to their Threat Research Team. This team conducts further research into the website by looking for suspicious behavior, embedded malware and links to other problematic sites. From this research the site is classified for its threat potential, and if appropriate, added to the database. Database updates are transmitted from the vendor to the university's firewalls at regular intervals.