Campus Firewall
The term "firewall" originates from the term used to describe a structure intended to keep a fire from spreading. Brick firewalls are used within buildings to completely divide sections of the building. In a car, the firewall is the metal wall separating the engine components from the passenger compartment. The term "firewall" is also used to describe a network device that is designed to protect, or "shield" a network from undesirable, unauthorized access.
Does McMaster use a firewall? If so, why?
Yes. The campus firewall is intended to provide general, blanket protections that apply (almost) universally to members of the McMaster community. You individually, or your department as a group, may have more specific requirements for security controls that a small firewall or VPN (a device and/or software on your PC) of your own could satisfy, and you are encouraged to consider adding that extra layer of security, tailored to your needs, in front of the specific machines that require extra protection. Those are specific application requirements, however, and not part of the general campus network backbone infrastructure that is supplied to everybody and supported by UTS.
The campus firewall is used to implement generic rules and controls - rules and controls that were previously implemented using access control lists (ACLs) on the backbone routers. The firewall device adds a degree of efficiency, simplifies maintenance of the various ACLs, and allows an extra degree of universality in the application of the rules, which is required as our network becomes more complex and the number of outside 'attacks' from the Internet increases and they become more persistent.
The campus firewall was deployed on May 26, 2002.
Does the firewall affect network traffic destined to - or sent from - my workstation or server?
Firewalls are generally configured to block traffic originating from the "outside" network (such as the Internet) to the "inside" network (such as the McMaster Campus Network), but allow systems on the "inside" to access systems "outside". This helps to block attacks on internal network resources from the outside network. The campus firewall has been configured to enforce this default behaviour: workstations that are on the off-campus access list are allowed to connect to external sites, but external sites are not allowed to originate connections to these workstations.
An exception to this basic rule is made for servers that are intended to be Internet-accessible. For these servers, traffic must be able to originate from the "outside" network, to access servers on the "inside" network.
The campus firewall may or may not have an effect on network traffic destined for your system, depending on the role your system currently serves (workstation or server). There are four basic situations that one needs to consider; each of these cases is listed below:
1. Workstations that are on the off-campus access list
If your workstation currently has off-campus access (can access Internet sites directly, without using the campus web proxy server), the firewall does not affect any traffic originating from the workstation but does prevent external (e.g. Internet) resources from attempting to originate connections to the workstation. For example, external systems will not be able to "port-scan" (probe the workstation for vulnerable ports), or "attack" the workstation directly.
See the Firewall FAQ for more details:
http://netman.cis.mcmaster.ca/firewallfaq.htm
2. Workstations that cannot currently access external (e.g. Internet) sites directly
The firewall does not affect these workstations whatsoever.
If you use a workstation that does not currently have off-campus access, and you want to allow the workstation to access off-campus (Internet) sites directly, you will need to fill out the appropriate request form. Public-access workstations (e.g. in public lab areas) will not be permitted direct access to external networks, in order to comply with the membership Terms and Conditions of McMaster's external network service providers. Indirect access, such as through the campus web proxy server, can be arranged for public-access workstations.
Please read the "Request For Off-Campus Access At McMaster University" form and related documentation carefully:
The documentation and form are available at:
http://www.mcmaster.ca/uts/network/vpn/AnyConnect.html
3. Servers that are accessible from external networks, such as the Internet
If you administer or own a system that is currently accessible from external networks, the system is considered a server, and is listed in the firewall server access list. Typical servers include, but certainly are not limited to: e-mail, web, and ftp servers. Please note that any system that accepts any type of traffic originating from external sources (outside of the campus network) is considered, for all "firewall intents and purposes", to be a server.
If you haven't done so already, UTS recommends that you fill out a Server request form to ensure that your server remains listed on the firewall server access list, thereby ensuring that your server remains accessible from the Internet. If you have never submitted a server request form, UTS may remove your server from the server access list as a security precaution (especially if only a small amount of network traffic is observed, destined to your server: UTS wants to ensure that only "real" servers - servers that are intended to be servers - remain accessible from external networks).
4. Servers that are not accessible from the Internet
The firewall will not affect traffic to and from a server that is not on the campus firewall server access list. That is, if the systems that access the server are strictly systems that are within the campus network ("local" systems), and these systems are not intended to be accessible from external networks, the firewall does not affect network traffic to or from these local servers. It simply blocks undesirable external traffic from reaching these servers, just as it does for campus workstations.
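The four cases above, as an added example that is not UTS code: a small stateful model of the default policy. The campus address block, the off-campus access list and the server access list are constructed values for illustration, not McMaster's real ones.

```python
from ipaddress import ip_address, ip_network

# Constructed campus address block and access lists for the example;
# the real McMaster ranges and lists are not on the page.
CAMPUS_NET = ip_network("10.0.0.0/8")
OFF_CAMPUS_ACCESS = {ip_address("10.1.1.20")}   # case 1 workstation
SERVER_ACCESS = {ip_address("10.2.2.80")}       # case 3 Internet-facing server


class CampusFirewall:
    """Stateful model of the default policy: inside may originate
    connections out, outside may only reach listed servers, and reply
    traffic of an accepted connection is allowed in either direction."""

    def __init__(self, campus_net=CAMPUS_NET, off_campus=OFF_CAMPUS_ACCESS,
                 servers=SERVER_ACCESS):
        self.campus_net = campus_net
        self.off_campus = set(off_campus)
        self.servers = set(servers)
        self.established = set()   # (initiator, responder) pairs accepted so far

    def decide(self, src, dst):
        """Return 'allow' or 'deny' for one packet from src to dst."""
        src, dst = ip_address(src), ip_address(dst)
        src_in, dst_in = src in self.campus_net, dst in self.campus_net
        if src_in and dst_in:
            return "allow"     # cases 2 and 4: local traffic is not touched
        if not src_in and not dst_in:
            return "deny"      # neither end is on campus: not our traffic
        # a packet answering an already accepted connection is always allowed
        if (dst, src) in self.established:
            return "allow"
        if src_in:             # inside -> outside, new connection
            if src in self.off_campus:
                self.established.add((src, dst))
                return "allow"   # case 1: direct off-campus access
            return "deny"        # case 2: no direct access (use the campus web proxy)
        # outside -> inside, new connection: only listed servers accept it
        if dst in self.servers:
            self.established.add((src, dst))
            return "allow"       # case 3
        return "deny"            # cases 1, 2, 4: outside may not originate connections
```

Whether a listed server may itself originate new outbound connections is not stated on the page; the model only passes its replies to connections that outside clients opened.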
If you administer a server that does not accept connections from external (Internet) systems, and you wish to allow the server to accept connections originating from external systems, please read the "Request For Server Access From External Networks" form and related documentation carefully.
Please note that each server owner/administrator - not UTS - must accept the responsibility for implementing appropriate security measures for their server(s).
Please refer to the Firewall FAQ for more details regarding firewall implementation. More information regarding the campus web proxy service, and UTS accounts for access to network services, is available at: http://www.mcmaster.ca/uts/policy/qacct.htm
NOTE: The terms "off-campus", "external", and "Internet" are used interchangeably throughout various UTS network documents. Any "external" or "off-campus" system is considered to be a system that is not connected directly to the McMaster Campus Network.