General Networks Protected and Unprotected
What Is Changing on General Networks and When?
By default, all devices on campus Wi-Fi and wired General Networks are set to the “Protected” network profile, which enables additional firewall protection from other on-campus devices.
To improve security, ITS plans to change the firewall policies for "Protected" network profile on July 9, 2023, to remove the bypass allowing devices connected through the Client Virtual Private Network (VPN) service to connect to devices on the General Networks (GN). Most people will not notice this change. The "Unprotected" GN profile will continue to allow devices connected through the VPN to connect to GN Unprotected devices.
Action Required
If VPN connections to GN devices are required, implement an alternative noted below:
- Unit IT support (registration tool) or individuals (portal) may register a device for the Unprotected* profile.
- For Windows users requiring Remote Desktop Protocol connections to GN Protected devices, use the ITS Remote Desktop Gateway (RDG) service which is on the management DMZ, an allowed bypass.
- Units may establish bastion hosts on the management DMZ (with ISO review and oversight) and utilize those to connect to GN Protected devices. Note, the Next Generation Network Program proposes Common Services with these capabilities and Units may be required to move to those when funded.
Additional Details for Technical Support Staff
VPN Bypass for "Protected" profile:
- As a security measure, unsolicited connections are blocked to all devices on the GN Protected profile except for two allowed bypasses: 1) devices on the management DMZ in the data center and 2) devices on the VPN. This change will remove the VPN from that bypass increasing the security for GN Protected devices. Devices on GN Protected will still be able to use the VPN for outbound services. This change does not impact GN Unprotected profile devices.
- The VPN bypass was created several years ago to foster migration to the GN from unsecured unit networks by enabling remote access to GN devices (e.g. Remote Desktop Protocol, SSH, VNC, etc). However, devices connecting through the VPN may not be secured or managed which places all GN devices at risk. As the university continues to improve its security profile, that weakness is being removed.
- Remote access via VPN connection to Wi-fi/wired connected devices on GN
- Wi-Fi/wired connected printer: devices sending print outs must be able to reach the printer, unless the printer is connected more securely to a print server on the special management network.
- Wi-Fi/wired connected Raspberry Pi: where student labs connect to the Raspberry Pi across Wi-Fi as opposed to a console or USB cable, or wired Ethernet.
- Wi-Fi/wired connected robot: where researcher must SSH to the robot, unless the robot establishes its own more secured connections to the researcher’s environment.
- AirPlay to a Wi-Fi/wired connected AppleTVs: devices sharing content must be able to reach the AppleTV. Generally AppleTVs are connected to a wired port on a unit’s A/V network so this is not an issue.
- Wi-Fi/wired connected P2P gaming: some online games require peer-to-peer connections, and selecting the "Unprotected" profile for that device may allow such games to work.
Security Requirement for "Protected":
The “Protected” profile setting on the General Networks will meet Class 3 requirements as defined in the Network Security Classifications, but the “Unprotected” setting will not. When the Information Security Office begins to enforce the classifications, any university owned device with the “Unprotected” profile will likely require a security exception filed.
End users and TSCs may change their device's default network profile using the registration tools:
- For personally owned devices / end users: https://network.utexas.edu
- For university owned devices / TSCs: https://xmp.gw.utexas.edu
- To determine which tool is right for you and to learn more about network registration: https://wikis.utexas.edu/display/networking/Device+Registration+for+Network+Access