When was the firewall installed and why?

The OIT department purchased its first firewall following the approval of the Faculty Security Policy Proposal. It was installed between February 5–8, 2004. The main reasons were:

  • defense against the increasing number of compromised computers at the faculty
  • protection of faculty servers and services

The device currently deployed is the successor to that Cisco PIX Firewall: a so-called Next-Generation Firewall (NGFW) with a Firepower engine, which also includes an intrusion prevention system (IPS) probe.

In 2023, the existing perimeter firewall was replaced with two new perimeter firewalls. This step modernized the infrastructure and ensured high availability (HA) of Internet connection services.

FAQ

How does the firewall work?

Firewalls are security products that protect internal computer networks. They are installed at the boundary between the internal LAN and the Internet. A firewall's primary functions are to block unauthorized network access and denial-of-service (DoS) attacks, and to check the access rights of remote users (VPN). The firewall inspects all traffic passing through it and, based on so-called access control lists (ACLs), decides whether a connection between two computers is permitted or not.

What does the firewall allow me to do and what not?

The firewall sits between the Internet and the faculty network, performs address translation (NAT or PAT), and blocks all incoming connections initiated from the Internet. Your computer is thus hidden behind the firewall, which shields it from attacks coming from the Internet. The same mechanism, however, means that you cannot connect to your computer directly from home.
On the other hand, your computer can initiate outgoing connections without restriction (except for SMTP on TCP port 25 and Windows sharing, SMB, on TCP ports 445, 139, 138, and 137). Because the firewall keeps track of the connections you open, it lets their return traffic back in automatically.

What does address translation mean?

Address translation means that private IP addresses (not routable on the Internet), such as 10.x.y.z on faculty computers, are translated on the firewall to public addresses from the ranges 195.113.47.1–254, 195.113.58.1–254, and 195.113.59.1–254 when accessing the Internet. Each computer initiating outbound connections is assigned a free address from these ranges; this is NAT. If no free address is available, PAT is used, in which several private addresses are translated to a single public one and the individual connections are told apart by port number.
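To make the NAT-then-PAT behaviour and the automatic return-traffic handling from the previous two answers concrete, here is a small Python model of the firewall's translation table. It is an added illustration, not the faculty firewall's configuration or any Cisco code; the three-address pool, the peer addresses, the choice of the last pool address as the shared PAT address and the PAT port range starting at 1024 are all constructed assumptions.

```python
import ipaddress

class NatTable:
    """Stateful outbound translator as the FAQ describes it: one free public IP
    per internal host (dynamic NAT) while the pool lasts, then many hosts behind a
    single public IP told apart by port (PAT). Inbound packets are admitted only
    when they match a session an internal host opened."""

    def __init__(self, pool, first_pat_port=1024):
        self.free = list(pool)           # public IPs not yet handed out
        # Assumption: the last pool address is reserved for PAT overload.
        self.pat_ip = self.free.pop()
        self.nat = {}                    # private IP -> public IP (one-to-one)
        self.next_port = first_pat_port
        self.sessions = {}               # (pub_ip, pub_port, peer) -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, peer):
        """Translate a packet leaving the LAN; returns the (ip, port) it is sent from."""
        if src_ip in self.nat:                       # host already holds a public IP
            pub = (self.nat[src_ip], src_port)
        elif self.free:                              # dynamic NAT: take a free IP
            self.nat[src_ip] = self.free.pop(0)
            pub = (self.nat[src_ip], src_port)
        else:                                        # pool exhausted: PAT
            pub = (self.pat_ip, self.next_port)
            self.next_port += 1
        self.sessions[(pub[0], pub[1], peer)] = (src_ip, src_port)
        return pub

    def inbound(self, dst_ip, dst_port, peer):
        """Map a packet arriving from the Internet back to the internal host.
        None means no inside host opened this session, so the firewall drops it;
        this is why a faculty PC cannot be reached directly from home."""
        return self.sessions.get((dst_ip, dst_port, peer))


def pool_from(*cidrs):
    """Hosts .1-.254 of each /24, the way the FAQ lists the public ranges."""
    return [str(h) for c in cidrs for h in ipaddress.ip_network(c).hosts()]


def demo():
    """Constructed three-address pool so the PAT fallback is reached quickly."""
    fw = NatTable(["195.113.47.1", "195.113.47.2", "195.113.47.3"])
    web = ("93.184.216.34", 443)                  # constructed remote web server
    out = [fw.outbound(f"10.1.2.{i}", 50000, web) for i in (3, 4, 5, 6)]
    reply = fw.inbound("195.113.47.1", 50000, web)  # return traffic for 10.1.2.3
    probe = fw.inbound("195.113.47.1", 22, ("203.0.113.9", 40000))  # unsolicited
    return out, reply, probe
```

Running `demo()` shows the first two hosts receiving their own public addresses, the next two sharing the PAT address on successive ports, the reply for the first host being mapped back, and the unsolicited probe returning `None`.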

I have a Linux machine at the faculty and I need to manage it remotely. Is that possible?

Yes. You can manage your computer by tunnelling SSH (port 22) through our mail server, or you can connect via SSH to the mail server itself and from there manage your faculty computer. Another option is to request VPN access, which is available only to employees and postgraduate students.

I want to offer services to the Internet — for example, a personal web server. What should I do?

If the services cannot be provided through the central faculty servers, you can request a public IP address from the range 195.113.57.0/24. The server is then "exposed" outside the firewall, and the user bears full responsibility for any compromise of the server and the problems it causes.

The application form for a public IP address is available here.