
Cornell University

Firewall Rules on Windows Managed Servers

Firewall rules for managed Windows servers: defaults, best practices, IP ranges, and how to get assistance.

This article applies to: Managed Servers


Rules Hierarchy

Firewall rules are based on the following hierarchy.

  • Department rules: Apply to all projects and servers. Example: Windows RDP open to campus (TCP 3389).
  • Project rules: Apply to all servers. Example: Web ports to the world (TCP 80 and 443).
  • Server-specific rules: Apply to individual servers. Example: Management rules for my application (such as TCP Port 8443).

Cornell IP Ranges

Firewall rules are based on IP addresses. Cornell has the following IP ranges:

  • 10.0.0.0/8
  • 192.35.82.0/25
  • 132.236.0.0/16
  • 128.253.0.0/16
  • 128.84.0.0/16

Default Configuration

  • Default outbound: All outbound traffic is allowed. In the Extra Tier, to increase security, outbound traffic is determined on an as-needed basis.
  • Default inbound: All traffic is denied. Standardized rules are defined to allow things such as monitoring, backups, inventory, and others.

When the server is initially configured, all department and project rules are automatically applied. (There are no server-specific rules by default.)

Best Practices

  • Set rules that are as restrictive as possible, while still being functional.
  • After you change firewall rules, test the new configuration.

Apply Firewall Rules to a Server

Important:

  • Do not attempt to disable the Windows firewall service. This will drop all connections to the host, requiring a sysadmin to intervene to remedy the problem.
  • Denies override all allows. This means setting a deny may accidentally block traffic necessary for monitoring and managing your server. Systems Support recommends that you only set allows.
  • Server-specific rules: Feel free to apply the rules yourself. You'll need administrative access.
  • Department and Project rules: Send an email to systems-support@cornell.edu.
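
As an added illustration (not part of the original Cornell article), the following PowerShell sketch creates a server-specific allow rule for the TCP 8443 example above, scoped to the Cornell IP ranges listed on this page, then reads it back and lists enabled inbound block rules. The rule name is hypothetical, and the use of the built-in NetSecurity cmdlets to manage local rules on a managed server is an assumption.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Run in an elevated session on the server.

$ruleName = 'MyApp Management (TCP 8443) - Cornell only'   # hypothetical rule name
$port     = 8443                                            # example port from this page

# Cornell IP ranges as listed on this page.
$cornellRanges = @(
    '10.0.0.0/8',
    '192.35.82.0/25',
    '132.236.0.0/16',
    '128.253.0.0/16',
    '128.84.0.0/16'
)

# Create an allow rule only (no denies), restricted to campus sources.
# Skip creation if the rule already exists so reruns do not add duplicates.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $port `
        -RemoteAddress $cornellRanges `
        -Profile Any | Out-Null
}

# Read the rule back and confirm its port and source scope are what was intended.
$rule = Get-NetFirewallRule -DisplayName $ruleName
$rule | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
$rule | Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress

# Denies override allows: list enabled inbound block rules in the effective
# policy (local and pushed), since any of them can shadow the new allow rule.
Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Block -Enabled True |
    Select-Object DisplayName, Profile, PolicyStoreSourceType

# Test the new configuration from a client inside one of the ranges above
# (replace the placeholder with your server's name):
#   Test-NetConnection -ComputerName <your-server> -Port 8443
```

Testing from a client outside the listed ranges as well confirms that the rule is not broader than intended.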

If you need assistance:
