
CUMC Firewall Exception Request Procedure
(Outgoing NetBIOS/Bidirectional SMTP) (April 2004)

Procedure:

(a) For NetBIOS traffic, CUMC is blocking outgoing access from the CUMC network to the CU Morningside Campus and to the Internet. (b) For SMTP traffic, CUMC is blocking outgoing access from the CUMC network to the Internet, except to the CU Morningside Campus.

To permit legitimate institutional business functions, however, some access must be permitted. Owners of computers that need such access for a business reason must provide specific information to determine eligibility.

If requests are legitimate, CUMC firewalls will be configured by Core Resources/Information Security Group at CUMC to permit (or deny) access as needed.

  1. Owners (and their designated administrators) at CUMC must maintain "Network Access Restriction" information for hosts in their custody, as part of formal system documentation. At the bottom of this document is the form that should be submitted to the CUMC Help Desk for consideration and followup action to open specific outgoing ports, and may be used for documentation.

  2. Submit requests only for hosts in your custody. For new submissions, submit only for the new hosts. For changes, indicate that it is a change.

  3. Specify only exceptions for OUTGOING connections (for NetBIOS), or BIDIRECTIONAL connections (for SMTP mail). For exceptions to INCOMING NetBIOS connections, see 'CUMC Firewall Exception Request Procedure.' Note: no direct communication using NetBIOS is permitted over the Internet; use VPN as an alternative, to tunnel NetBIOS.

  4. Description of fields:

    1. IP Address of your system. Specify the internal IP address(es) for which exclusion is being requested. This could be a subnet specification (such as for NetBIOS access).

    2. DNS Name of your system. Indicate the DNS name for the IP address(es) -- not aliases -- as appropriate.

    3. Owner and Custodian group or name. You can put an administrative group name, if appropriate. Multiple names are permitted; separate them by a comma. Owner must be a Director-level or above person, or a Department or Division administrator (or a designated Departmental or Divisional System Administrator), or a senior faculty member. All requesters must be institutional employees.

    4. Owner and Custodian email address, title, department, phone. A specific institutional email address for the group or the individual. Multiple emails are permitted; separate them by a comma.

    5. Application Name. Name of the application or application group. Be consistent if you have multiple lines for the same application by duplicating the same name.

    6. Date. Date of submission; use MM/DD/YYYY.

    7. Outbound Port Number. This must be one or more of these: 25, 135, 137, 138, 139, 445, 1433, and 1434. Do not mix a request for port 25 (SMTP) -- which would be both inbound and outbound for mail service -- with any other request. Port 25 traffic outbound to Morningside networks will be open by default.

    8. External IP specification ("i" for "Internet" or specific network addresses). Possible values are "i" for all Internet access (only used for port 25 mail service), or a list of specific addresses (comma separated, in n.n.n.n/b format) at the Morningside campus, for NetBIOS related ports.

    9. Reason/Comment. The reason must reflect the institutional business need: Care, Research and Education. Please provide as much detail as necessary to determine eligibility. For port 25, mention how that system is a mail server for a specific division/department/center/institute/administrative unit.

  5. The CUMC Security Officer may initiate a discussion if the desired openness/restriction has specific security or technical issues. The decision to accept or reject a request is with the Security Officer, and the final decision is with the Institutional Leadership. In the case of immediate and possible threats, Core Resources and the Security Officer are authorized to address the threat by any means necessary, including change of policy, but with continuity of Clinical Care as the highest priority.
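The field rules in item 4 can be checked mechanically before a request is submitted or filed as system documentation. The sketch below is an added example, not CUMC's own tooling; the dictionary keys (`internal_ip`, `date`, `ports`, `external`, `reason`) are hypothetical names for fields 1 and 6 through 9, and the sample addresses are constructed.

```python
import ipaddress
from datetime import datetime

ALLOWED_PORTS = {25, 135, 137, 138, 139, 445, 1433, 1434}  # field 7 list

def validate_request(req):
    """Return a list of problems; empty means the request is well-formed."""
    errors = []
    # Field 1: internal address(es); a subnet specification is allowed.
    for spec in req["internal_ip"].split(","):
        try:
            ipaddress.ip_network(spec.strip(), strict=False)
        except ValueError:
            errors.append(f"internal IP is not an address or subnet: {spec.strip()}")
    # Field 6: submission date in MM/DD/YYYY.
    try:
        datetime.strptime(req["date"], "%m/%d/%Y")
    except ValueError:
        errors.append("date must be MM/DD/YYYY")
    # Field 7: only the listed ports; port 25 never shares a request.
    ports = set(req["ports"])
    if not ports:
        errors.append("at least one outbound port is required")
    if ports - ALLOWED_PORTS:
        errors.append(f"ports not eligible: {sorted(ports - ALLOWED_PORTS)}")
    if 25 in ports and len(ports) > 1:
        errors.append("port 25 must not be mixed with any other port")
    # Field 8: "i" is for port 25 only; otherwise a comma-separated n.n.n.n/b list.
    external = req["external"].strip()
    if external == "i":
        if ports != {25}:
            errors.append('"i" (Internet) is only used for port 25')
    else:
        for spec in external.split(","):
            try:
                if "/" not in spec:
                    raise ValueError(spec)
                ipaddress.IPv4Network(spec.strip(), strict=False)
            except ValueError:
                errors.append(f"external spec is not n.n.n.n/b: {spec.strip()}")
    # Field 9: a business reason must be stated.
    if not req["reason"].strip():
        errors.append("reason/comment is required")
    return errors

# Constructed sample requests (documentation address ranges, not real hosts).
GOOD = {"internal_ip": "10.1.2.0/24", "date": "04/15/2004", "ports": [139, 445],
        "external": "192.0.2.0/24, 198.51.100.16/28", "reason": "Research file share"}
MIXED = dict(GOOD, ports=[25, 445], external="i")
```
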

CUMC Firewall Exception Request Procedure (Outgoing NetBIOS/SMTP)

The request must be made by the owner who must be a Director-level or above person, or a Department or Division administrator (or a designated Departmental or Divisional System administrator), or a senior faculty member.




Last updated 6/16/2008

 
 