CUMC Firewall Exception Request Procedure (March 2004)


Procedure: CUMC is blocking default open access from the Internet into the CUMC network.

To permit legitimate institutional business functions, however, some access has to be permitted. Owners of computers that need such access for a business reason must provide a set of information to determine eligibility.

For eligible hosts, the institutional firewalls are configured by the Core Resources/Information Security Group at CUMC to permit (or deny) access to the hosts on institutional networks.

Default network access. The default access implemented by the firewalls is:

"No external computer is permitted to connect to a computer within the CUMC network directly unless that computer is explicitly included on specific ports. The list of open ports must be minimized for specific business functions. In general, users are encouraged to use VPN for access.

"All computers with public IP addresses (156.111.x.x or 156.145.x.x) are permitted to connect to a computer outside the CUMC network directly, except on a specific list of ports and protocols which are blocked (see 7 below)."

Specific computers may be blocked at the firewall bidirectionally if a security incident warrants the block.

1 Owners (and their designated Administrators) at CUMC must maintain "Network Access restriction" information for all hosts in their custody as part of formal documentation. On the last page is the form that should be submitted to the CUMC Help Desk for consideration and follow-up action to open specific incoming ports; it may also be used for documentation.

2 Submit only for the hosts in your custody. For new submissions, submit only for the new hosts. For changes, indicate that it is a change.

3 Do not submit for hosts for which default network access (see above) applies.

4 For each host that has a port for which the access needs to be modified, fill in fields as required. The request must include all information, especially contact information.

5 Make one line per IP address, duplicating line contents as necessary.

6 Description of fields:

6.1 IP Address. Specify the internal IP address for which the exclusion is being requested. Pay attention to any "virtual/floating IP addresses" you may have and their underlying real hosts. You should specify an access policy that is minimal for the correct function of the application on both the virtual and the real IP addresses.

6.2 DNS Name. The corresponding DNS name for the IP address (not aliases), with the domain name stripped. Take the opportunity to register your host in the Asset database and DNS if it does not have a DNS name; contact the Help Desk for the registration procedure.

6.3 Owner and Custodian group or name. You can put an administrative group name, if appropriate. Multiple names are permitted; separate them by a comma. The Owner must be a Director-level or above person, or a Department or Division administrator (or a designated Departmental or Divisional System Administrator), or a senior faculty member. All requesters must be institutional employees.

6.4 Owner and Custodian email address, title, department, phone. A specific institutional email address for the group or the individual. Multiple emails are permitted; separate them by a comma.

6.5 Application Name. Name of the application or application group. Be consistent if you have multiple lines for the same application by duplicating the same name.

6.6 Owned by? (CUMC/NYP). Primary institution that owns the data in the application.

6.7 Date. Date of submission; use MM/DD/YYYY.

6.8 Inbound Port Number. The specific port numbers you want opened or further restricted, but see 8 below.

6.9 Permit access from Internet (I/M/specific addresses). Possible values are I for all Internet access, M for all of the Columbia University Morningside campus, or a list of specific addresses (comma separated, n.n.n.n/b format).

6.10 Is access Encrypted? (Y/N).

6.11 Encryption Protocol. Fill in the encryption protocol, such as ssh or SSL, if 6.10 is Y.

6.12 Reason/Comment. The reason must reflect the institutional business need: Care, Research and Education. Please provide as much detail as necessary to determine eligibility.

7 There are specific ports that will not be opened to the Internet which have posed significant threats in the past. These include the Microsoft suite of protocols (ports 135, 137-139, 445, 1433, 1434), snmp suite (161, 162, 199, 1993), tftp (69), and additional ports as deemed appropriate. Future possible candidates for such ports include printer (515) and p2p ports such as Kazaa, eDonkey, etc., and unencrypted host access protocols such as telnet, ftp, rsh family, PC Anywhere, etc. The process to determine these protocols will be in consultation with user groups in the institution, institutional risk management policies and best practices employed by similar institutions.
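The following Python is an added example, not part of the CUMC procedure or any CUMC tool. It encodes the field rules of item 6 and the never-opened port list of item 7 as a pre-submission check of one form line, so a requester can catch a malformed or ineligible line before the Help Desk does. Assumptions of mine: the two public ranges are treated as /16 networks; the port numbers for the item 7 "future candidates" other than printer (515) are the conventional ones (telnet 23, ftp 21, rlogin 513, rsh 514), which the page does not state; the `ExceptionRequest` class and the function names are my own, and the sample requests in the usage section are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Public CUMC ranges named in the default-access statement (assumed to be /16s).
CUMC_PUBLIC_NETS = [
    ipaddress.ip_network("156.111.0.0/16"),
    ipaddress.ip_network("156.145.0.0/16"),
]

# Ports item 7 says will not be opened to the Internet.
NEVER_OPEN_PORTS = {
    135, 137, 138, 139, 445, 1433, 1434,   # Microsoft suite
    161, 162, 199, 1993,                   # snmp suite
    69,                                    # tftp
}

# Item 7's "future possible candidates"; raised as warnings, not rejections.
# Only 515 is given on the page; the others are conventional port numbers.
WATCH_PORTS = {515: "printer", 23: "telnet", 21: "ftp", 513: "rlogin", 514: "rsh"}


@dataclass
class ExceptionRequest:
    """One line of the form, fields 6.1 through 6.12 (hypothetical class)."""
    ip_address: str           # 6.1
    dns_name: str             # 6.2  host name only, domain stripped
    owner: str                # 6.3  comma separated
    owner_email: str          # 6.4  comma separated
    application: str          # 6.5
    owned_by: str             # 6.6  CUMC or NYP
    date: str                 # 6.7  MM/DD/YYYY
    inbound_port: int         # 6.8
    permit_from: str          # 6.9  I, M, or comma separated n.n.n.n/b
    encrypted: str            # 6.10 Y or N
    encryption_protocol: str  # 6.11
    reason: str               # 6.12


def parse_permit_from(spec):
    """Field 6.9: return ('I', None), ('M', None) or ('list', [networks])."""
    spec = spec.strip()
    if spec in ("I", "M"):
        return spec, None
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}/\d{1,2}", item):
            raise ValueError(f"source {item!r} is not in n.n.n.n/b format")
        nets.append(ipaddress.ip_network(item, strict=False))
    return "list", nets


def validate_request(req):
    """Return (problems, warnings); an empty problems list means the line can go to review."""
    problems, warnings = [], []

    try:
        addr = ipaddress.ip_address(req.ip_address)
        if not any(addr in net for net in CUMC_PUBLIC_NETS):
            problems.append("6.1: address is not in a CUMC public range")
    except ValueError:
        problems.append("6.1: not a valid IP address")

    if not req.dns_name or "." in req.dns_name:
        problems.append("6.2: give the DNS host name with the domain stripped")

    for fld, value in (("6.3", req.owner), ("6.4", req.owner_email)):
        if not [v for v in value.split(",") if v.strip()]:
            problems.append(f"{fld}: required")
    if any(e.strip().count("@") != 1 for e in req.owner_email.split(",")):
        problems.append("6.4: each entry must be one email address")

    if req.owned_by not in ("CUMC", "NYP"):
        problems.append("6.6: owned by must be CUMC or NYP")

    if not re.fullmatch(r"\d{2}/\d{2}/\d{4}", req.date):
        problems.append("6.7: date must be MM/DD/YYYY")
    else:
        try:
            datetime.strptime(req.date, "%m/%d/%Y")
        except ValueError:
            problems.append("6.7: not a real calendar date")

    if not 1 <= req.inbound_port <= 65535:
        problems.append("6.8: port out of range")

    try:
        scope, _ = parse_permit_from(req.permit_from)
    except ValueError as exc:
        scope = None
        problems.append(f"6.9: {exc}")

    # Item 7 is stated for Internet access; campus (M) and listed sources are left to review.
    if scope == "I" and req.inbound_port in NEVER_OPEN_PORTS:
        problems.append(f"7: port {req.inbound_port} is never opened to the Internet")
    if req.inbound_port in WATCH_PORTS:
        warnings.append(f"7: {WATCH_PORTS[req.inbound_port]} is a candidate for future blocking")

    if req.encrypted not in ("Y", "N"):
        problems.append("6.10: encrypted must be Y or N")
    elif req.encrypted == "Y" and not req.encryption_protocol.strip():
        problems.append("6.11: name the encryption protocol when 6.10 is Y")
    elif req.encrypted == "N":
        warnings.append("6.10: unencrypted access is a future block candidate under 7")

    if not req.reason.strip():
        problems.append("6.12: business reason (Care, Research, Education) is required")

    return problems, warnings
```

Run `validate_request` over each line of a multi-host submission (item 5: one line per IP address) and hold the submission until every line returns an empty problems list; warnings flag lines the Security Officer is likely to question under item 8 but do not make a line ineligible on their own.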

8 The CUMC Security Officer may initiate a discussion if the desired openness/restriction has specific security or technical issues. The decision to accept or reject a request is with the Security Officer, and the final decision is with the Institutional Leadership. In the case of immediate and possible threats, Core Resources and the Security Officer are authorized to address the threat by any means necessary, including change of policy, but with continuity of Clinical Care as the highest priority.

CUMC Network Access Exclusion Request Form (a firewall hole)

The request must be made by the owner who must be a Director-level or above person, or a Department or Division administrator (or a designated Departmental or Divisional System administrator), or a senior faculty member.


Last updated 7/31/2006
