[committee] UCC Services and UWA's implementation of Cloudflare

Geoff Costello geoff.costello at uwa.edu.au
Tue Mar 24 10:26:31 AWST 2020


Attention: John Hodge and UCC committee



A week ago, you put in a service desk ticket regarding why resolving the domain `mooneye.ucc.gu.uwa.edu.au` via a recursive lookup returns Cloudflare’s IPs instead of 130.95.13.9.



This is because UWA has moved all its domain hosting to Cloudflare.com and is in the process of protecting all web servers and computers exposed to the internet with the wide range of security features available for paid domain hosting.



During the week between Monday 30 March and Friday 3 April, we plan to lock down the services in the network segment used to host servers for the Guild and UCC so that the only external access is via Cloudflare as a DNS and internet protection service.  This is essential as each server exposed to the internet represents a target for a broad range of cyber attacks such as the one that impacted the ANU last year.

Please reply to this email urgently with your contact details so we can work with you to address any issues that may disrupt the operation of important UCC services.  We want to work with you to make the transition as smooth as possible.

Implications for UCC Services

The following summarises what this means to the UCC services.

  *   UCC Services that are subdomains of ucc.gu.uwa.edu.au – These already have the DNS hosted by Cloudflare (as per your service ticket). We will be enabling SSL certificates and Cloudflare security services for these in the same way as for any other UWA subdomain.
  *   UCC Services that are subdomains of ucc.asn.au – The DNS for this domain appears to be hosted on the mooneye server and point to server IP addresses in the UWA address space.  In short, we will be blocking access to the mooneye DNS server, and would like to move the DNS hosting for the domain ucc.asn.au to Cloudflare using their “Pro” account to protect services on that domain.  This will allow UWA to secure traffic to services for ucc.asn.au, while still giving the UCC the flexibility to create subdomains as needed within the ucc.asn.au space.  New sub-domains can be created as required via a service request to University IT.  More instructions and information on how to rehost the DNS for ucc.asn.au in Cloudflare are given below.
  *   Public DNS hosted on mooneye.ucc.gu.uwa.edu.au – This will be blocked from internet access as Cloudflare will be the only DNS service supported allowing access into servers hosted on the UWA network.
     *   If there are any sites on this related to UWA operations (including the student guild), please let us know urgently so we can put in place arrangements to have the DNS hosted by Cloudflare and traffic protected by Cloudflare.
     *   Information on other services is covered below.
  *   Other External Domains pointing at UWA Servers – There are a number of external services such as experiments.tecosaur.com that are hosted on servers operating in UWA’s address space.  Some of these have their DNS records hosted in external services such as namecheap.com, others appear to have their DNS records hosted on mooneye.ucc.gu.uwa.edu.au.  Many of these sites appear to be legacy sites and potentially inactive, however each represents a security exposure as traffic is being allowed into these sites to UWA’s servers.  External access to these servers will be blocked, unless they can be justified as a UWA related organisation, in which case their DNS hosting needs to be moved to Cloudflare under a pro account, as per Guild and Affiliate Sites, or a UCC related site, in which case the site needs to become a subdomain of ucc.asn.au.
     *   If there are any UCC related sites on other domains that require continued external access please let us know urgently so we can put in place arrangements to have the DNS hosted by Cloudflare and traffic protected by Cloudflare, either as part of ucc.asn.au or (in special circumstances) its own domain.
  *   Legacy non UWA related Services – There appear to be a number of legacy non UWA services with external access that are hosted on UWA servers via a series of IP addresses in the Guild / UCC segment of the UWA IP range.  Access to these services will be deactivated unless there is a legitimate UWA related requirement, in which case we need to move them to a UWA controlled protected DNS and Cloudflare account.  While most of these services appear to be legacy and inactive, if there are non UWA externally facing services that are still required by their operators, both the DNS and the hosting for these need to be moved to one of many external hosting services before Friday 3 April when access will be suspended.

Guild Services

Please note we have separately contacted the UWA Guild over the DNS for UWAstudentguild.com and any other guild services to ensure they are also migrated to Cloudflare for protection.

Rehosting the DNS for ucc.asn.au in Cloudflare

Rehosting the DNS for ucc.asn.au in Cloudflare is as simple as:

  1.  Confirming with Paul Fisher (paul.fisher at uwa.edu.au 0420 755 194) that you are ready to move the DNS to Cloudflare and he will have the DNS entries setup in advance for you in Cloudflare.
  2.  Logging in to your current domain registrar
  3.  Removing the current name servers:
     *   ns1.dnspackage.com
     *   ns2.dnspackage.com
     *   ns3.he.net
     *   ns2.afraid.org
     *   ns2.he.net
     *   ns4.he.net
     *   mooneye.ucc.gu.uwa.edu.au
  4.  Replacing with:
     *   ainsley.ns.cloudflare.com
     *   carter.ns.cloudflare.com
  5.  Saving your changes

We will then work to implement security protections against things like Denial of service and cyber attacks on uwastudentguild.com



If you have any questions on this process, please get back to Paul Fisher or Matthew DeGois.



The ucc.gu.uwa.edu.au domain will be protected by Cloudflare anyway as we have control over all subdomains in uwa.edu.au.



Summary and Conclusion

We trust you understand the need for appropriate cyber security protections for all internet exposed services on the UWA network.  An attack on a single server could potentially compromise significant parts of the network, so we need to ensure that only authorised services are exposed to the internet and they are all appropriately protected.  We need to complete this transition by Friday 3 April, and want to work with you to make this a smooth process.



We apologise for any effort this may require, but we believe the proposed approach will still allow the UCC to operate and provide effective services to its many members.



Regards


Geoff Costello

Programme Architect

University Information Technology  •  M463, Perth WA 6009 Australia

M +61 0415 554 819  •  E  geoff.costello at uwa.edu.au
