Understanding the U’s default protect firewall policy

Let’s face it: Some IT terminology and concepts can be difficult to understand, especially for an average user with limited technical knowledge. (It’s me, hi.) Recently, there’ve been some questions about the “default protect” firewall policy that UIT is expanding as part of the University of Utah Cybersecurity Program mandated by President Taylor Randall (login required).

Jake Johansen, director for Enterprise Security in the U’s Information Security Office (ISO), hopes to clarify a bit.

“This is not an effort to filter the websites the university community can access while browsing the internet,” he said. “It’s about protecting the University of Utah from internet-sourced threats.”

A firewall is a device that monitors and controls incoming and outgoing network traffic, based on a set of IT security rules. UIT, Johansen said, is modifying the U’s firewall policy to block all incoming traffic to university networks from the public internet, and to expose to the public internet only those IT applications or systems with approved exceptions. Approved exceptions must have an academic, institutional, or research purpose and meet certain IT security criteria, including compliance with the vulnerability management rule, use of the ISO’s multifactor authentication solution, and up-to-date operating systems.

Here’s another way to look at it. Let’s say you have an appointment at University Hospital. Certain areas in the hospital are open to the public, including patients, and other areas are open only to hospital employees. Default protect works the same way: Public IT resources are open to everyone, while only authorized individuals can access internal IT resources.

“The default protect firewall policy does not interfere when a University of Utah user or IT system communicates with a service on the internet. Only systems and users coming from the internet to the University of Utah would be prohibited, unless a U of U IT staff member has made a request to expose an IT application or system on a specific service to the internet,” Johansen said. “For instance, the system that houses www.utah.edu. The site will always be accessible from the internet, but a lot of that system is not exposed to the internet. It’s secured, or protected, by default.”

Default protect, he noted, isn’t new to the university or users. University of Utah Health has used default protect for about 20 years without significant issues, and certain portions of campus have also implemented the default protect firewall policy successfully. Additionally, the cybersecurity measure mirrors most home network setups, which use a router to block unwanted incoming traffic.

Johansen said the change will not affect the average user, although it will impact users who have been accessing custom university resources remotely without using Citrix, the virtual private network (VPN), or another secure remote access method provided by UIT or U of U Health’s Information Technology Services (ITS). Primarily, though, the firewall policy will affect IT service owners who want to publish a service to the internet, as they’ll need to follow a process to do so.

The goal is to block malicious traffic from entering U networks, manage vulnerabilities, and reduce potential IT security threats at the university.

“We've had some issues over the years where unpatched IT systems were exploited because they were visible to the internet,” he said. “Under a default protect methodology, they wouldn't be. We'd have time to find and patch them before they were exploited.”


Last Updated: 4/8/24