NJCoast / cyberspatial

NJCoast CyberSpatial Framework based on GeoNode

Internet-Exposed Services #259

Open mkrusche opened 6 years ago

mkrusche commented 6 years ago

An nmap scan has revealed the following Internet-exposed service on 129.74.246.103 (njcoast1.virtual.crc.nd.edu):

HTTP (TCP/80)

It is recommended that this service not be exposed to the Internet since it may place at risk a development/testing environment for the CyberEye-NJ project. If there is a need to enable off-campus access to this service, then it is recommended that it be protected by the University's VPN or be configured with appropriate authentication measures (e.g., HTTP BASIC authentication protected by TLS may be reasonable). It is further recommended that host firewall rules be used to restrict access to this service; preferably, in a point-to-point fashion.

The University's VPN supports both ND and (appropriately vetted) non-ND users. When a VPN is employed, host firewall rules should be configured to permit traffic only from trusted, campus IPs. Example campus subnets may be found in the CRC Best Practices wiki at:

https://redmine.crc.nd.edu/redmine/projects/bestpractice/wiki/General_Security_Approach#Noteworthy-Subnets

Finally, all network services should protect their communications with appropriate, strong encryption, e.g., TLS 1.2 or better without any known, weak cipher suites. Please refer to the CRC's Best Practices wiki for an Apache-related example configuration:

https://redmine.crc.nd.edu/redmine/projects/bestpractice/wiki/General_Security_Approach#Suggested-Cipher-Configuration

For more detail, please review the nmap report at

https://baldin.crc.nd.edu/CRC-Restricted/ScanResults/CyberEye-NJ/2018/nmap_external_CyberEyeNJ_2-20-18.html

https://redmine.crc.nd.edu/redmine/issues/9582
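The comment above recommends host firewall rules that admit traffic to the web service only from trusted campus networks. The script below is an added illustration of that recommendation; it is not code from the NJCoast project or from the issue author. It generates iptables rules that accept TCP/80 and TCP/443 only from a list of source CIDRs and drop the rest, prints them as a dry run by default, and checks rule order before applying. The CIDRs in `TRUSTED_CIDRS` are placeholders (RFC 5737 documentation ranges), not the campus subnets listed on the CRC wiki; substitute the real ones from that page.

```shell
#!/bin/sh
# Added example, not from the NJCoast project or the issue author.
# Emits host firewall (iptables) rules that allow TCP/80 and TCP/443 only
# from trusted source networks and drop everything else to those ports.
# Dry run by default (commands are printed); pass --apply to execute them.
# TRUSTED_CIDRS are PLACEHOLDERS (RFC 5737 ranges), not real campus subnets.

TRUSTED_CIDRS="${TRUSTED_CIDRS:-198.51.100.0/24 203.0.113.0/24}"
PORTS="${PORTS:-80 443}"
IPT="${IPT:-iptables}"

# emit_rules: one ACCEPT per (port, trusted CIDR), then one DROP per port.
# iptables evaluates top-down, so the ACCEPTs must precede the catch-all DROP
# for the same port or the trusted networks are locked out as well.
emit_rules() {
    for port in $PORTS; do
        for cidr in $TRUSTED_CIDRS; do
            printf '%s -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$IPT" "$cidr" "$port"
        done
        printf '%s -A INPUT -p tcp --dport %s -j DROP\n' "$IPT" "$port"
    done
}

# rule_count: number of rules the current configuration produces
rule_count() {
    emit_rules | wc -l | tr -d ' '
}

# rules_are_ordered: exit 0 only if, for every port, the last ACCEPT line
# comes before the first DROP line. A failing check means an edit to the
# generator would cut off the trusted networks too.
rules_are_ordered() {
    for port in $PORTS; do
        drop_line=$(emit_rules | grep -n -- "--dport $port -j DROP" | head -n 1 | cut -d: -f1)
        last_accept=$(emit_rules | grep -n -- "--dport $port -j ACCEPT" | tail -n 1 | cut -d: -f1)
        [ -n "$drop_line" ] && [ -n "$last_accept" ] || return 1
        [ "$last_accept" -lt "$drop_line" ] || return 1
    done
    return 0
}

# is_trusted: exit 0 if the given CIDR appears verbatim in TRUSTED_CIDRS
is_trusted() {
    want=$1
    for cidr in $TRUSTED_CIDRS; do
        [ "$cidr" = "$want" ] && return 0
    done
    return 1
}

if [ "${1:-}" = "--apply" ]; then
    rules_are_ordered || { echo "refusing to apply: rule order is wrong" >&2; exit 1; }
    emit_rules | sh -e
else
    emit_rules
fi
```

Run it as `TRUSTED_CIDRS="<campus subnets>" sh restrict-web.sh` to review the rules, then with `--apply` as root. The script appends to an INPUT chain that is assumed to otherwise accept traffic; on a host with a default-DROP policy the per-port DROP lines are redundant but harmless. The TLS half of the recommendation (TLS 1.2 or better, no weak cipher suites) belongs in the Apache configuration referenced on the CRC wiki rather than in the firewall; after it is in place, `nmap --script ssl-enum-ciphers -p 443 <host>` is a quick way to confirm which protocol versions and suites the server still offers.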