<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi John,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
We had a meeting to discuss the next steps for UCC; the action items to be undertaken are:</div>
<div><br style="color: inherit; font-family: inherit; font-size: inherit; font-style: inherit; font-variant-caps: inherit;">
<ul>
<li><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; background: var(--white);">ucc.gu.uwa.edu.au and ucc.guild.uwa.edu.au delegation</span></li>
<li><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; background: var(--white);">ucc.asn.au domain</span></li>
<li><span style="color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; background: var(--white);">Inbound ports on 22, 53, 80, and port 443 to the COGLD</span></li>
</ul>
</div>
<div id="appendonsend"></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
1) All sub delegations of the uwa.edu.au domain are being remediated, and any zone records hosted outside of the main Cloudflare account will need to be updated into UWA's Cloudflare zone. Completion date for this is scheduled for Friday the 1st of May, 10:30am.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
2) For the ucc.asn.au domain we would ask you to create a free account with Cloudflare under your administrative control. UWA are accepting traffic from all affiliates via a TLS authenticated channel with Cloudflare only for HTTPS traffic on the perimeter origin F5s.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
UCC will need to create an origin cert (15 Years) and have someone delegated to update the cert at short notice if required. I've attached the CSR for the request.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
You can create as many subdomains as you need, one level deep under ucc.asn.au, via API, and they will be routed to a nominated IP. To support additional IPs you will need to supply a 1 to 1 URL mapping of as many server IPs as you require. Additional IPs moving forward will be via a Service Request. I've given an example of how the URL routing is configured on the F5 CF Origin.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
3) Inbound ports on <span style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); display: inline !important">22, 53, 80, and port 443 to the COGLD vrf will be restricted to UWA Campus and VPN, scheduled for 8th May 2020 10:30am. If you are using SSH for automated inbound data transfer, it will be reviewed and provision for a proxy will be made available.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); display: inline !important">For the rest of the services currently in operation, a solution to maintain these in line with the Cyber Security requirements of UWA is still in progress.</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); display: inline !important">Thanks</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); display: inline !important">Paul</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica, sans-serif; text-align: left; background-color: rgb(255, 255, 255); display: inline !important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<pre>"webdav.rcswa.edu.au"
{
  pool ip_130.95.169.196_443
  set usessl 1
}
"*rcswa.edu.au"
{
  pool ip_130.95.169.205_443
  set usessl 1
}</pre></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
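As an added example (not code from this email thread, nor from UWA or UCC), a small Python parser for the hostname-to-pool routing layout shown in the message above, applying the "one level deep under ucc.asn.au" rule and a defender's check that every origin is a TLS pool inside UWA's range. The ucc.asn.au entries, the origin addresses, and the plain suffix-match reading of a "*" pattern are assumptions, not the F5's documented behaviour.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed routing table in the same layout as the email's rcswa.edu.au
# sample; hostnames and origin addresses are placeholders for ucc.asn.au.
SAMPLE_TABLE = '''
"gitlab.ucc.asn.au"
{
 pool ip_130.95.13.6_443
 set usessl 1
}
"*ucc.asn.au"
{
 pool ip_130.95.13.18_443
 set usessl 1
}
'''

ZONE = "ucc.asn.au"
UWA_RANGE = ipaddress.IPv4Network("130.95.0.0/16")


@dataclass(frozen=True)
class Route:
    pattern: str   # exact hostname or "*suffix" pattern, lower-cased
    pool: str      # F5 pool name in the ip_<address>_<port> convention
    use_ssl: bool  # "set usessl 1" in the table

    def origin(self):
        """Split the ip_<addr>_<port> pool name into (IPv4Address, port)."""
        m = re.fullmatch(r"ip_(\d+\.\d+\.\d+\.\d+)_(\d+)", self.pool)
        if not m:
            raise ValueError(f"unrecognised pool name: {self.pool}")
        return ipaddress.IPv4Address(m.group(1)), int(m.group(2))


# One entry: a quoted pattern followed by a { pool ... set usessl ... } block.
_ENTRY = re.compile(
    r'"(?P<pattern>[^"]+)"\s*\{\s*pool\s+(?P<pool>\S+)\s+'
    r'set\s+usessl\s+(?P<ssl>[01])\s*\}'
)


def parse_table(text: str) -> List[Route]:
    """Parse every entry of the routing table into Route records."""
    return [Route(m["pattern"].lower(), m["pool"], m["ssl"] == "1")
            for m in _ENTRY.finditer(text)]


def is_one_level_deep(host: str, zone: str = ZONE) -> bool:
    """True for the zone apex or a name exactly one label below it, the only
    names the email says can be created under ucc.asn.au via the API."""
    host = host.lower().rstrip(".")
    if host == zone:
        return True
    if not host.endswith("." + zone):
        return False
    return "." not in host[: -len(zone) - 1]


def resolve(host: str, routes: List[Route]) -> Optional[Route]:
    """Pick the route for a hostname: an exact entry wins, otherwise the
    longest matching "*suffix" entry. Assumption: a "*" pattern is a plain
    suffix match, so "*ucc.asn.au" would also cover "evilucc.asn.au"; the
    one-level-deep check rejects such names before any lookup."""
    host = host.lower().rstrip(".")
    if not is_one_level_deep(host):
        return None
    for r in routes:
        if r.pattern == host:
            return r
    suffix = [r for r in routes
              if r.pattern.startswith("*") and host.endswith(r.pattern[1:])]
    return max(suffix, key=lambda r: len(r.pattern), default=None)


def check_origins(routes: List[Route], allowed=UWA_RANGE) -> List[str]:
    """Defender's sanity check: every origin must sit inside the expected
    address range and be a TLS pool on 443, consistent with the email's
    TLS-only path from Cloudflare to the origin F5s."""
    problems = []
    for r in routes:
        addr, port = r.origin()
        if addr not in allowed:
            problems.append(f"{r.pattern}: origin {addr} is outside {allowed}")
        if not r.use_ssl or port != 443:
            problems.append(f"{r.pattern}: origin is not TLS on port 443")
    return problems


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for name in ("gitlab.ucc.asn.au", "www.ucc.asn.au", "a.b.ucc.asn.au"):
        r = resolve(name, table)
        print(name, "->", r.pool if r else "refused (not one level deep)")
    print("origin problems:", check_origins(table) or "none")
```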
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> John Hodge <tpg@ucc.asn.au><br>
<b>Sent:</b> Sunday, 19 April 2020 9:29 PM<br>
<b>To:</b> Paul Fisher <paul.fisher@uwa.edu.au><br>
<b>Cc:</b> Geoff Costello <geoff.costello@uwa.edu.au>; tech@ucc.asn.au <tech@ucc.asn.au>; wheel@ucc.asn.au <wheel@ucc.asn.au>; Jack Bryant <Jack.Bryant@uwa.edu.au><br>
<b>Subject:</b> Re: Clarification of requirements and plan of action</font>
<div> </div>
</div>
<div>Paul,<br>
<p><br>
Sorry for the delay in answering, my small bits of free time have been taken up with adjusting to this social distancing thing (and I maybe spent too much effort on this email, trying to avoid confusion).<br>
<br>
Your email has raised some more questions, and doesn't seem to have really addressed our queries.</p>
<p><br>
</p>
<p>From what I can glean, there are two primary tasks that your team is trying to address.<br>
</p>
<ul>
<li>UWA wants central control and approval of all subdomains of .uwa.edu.au
<ul>
<li>Nick's email on 2020-04-17 12:10 covers parts of this relatively well, so I won't be addressing it in this email.</li>
</ul>
</li>
<li>There should be no externally-accessible services on the 130.95.0.0/16 network that aren't either proxied through Cloudflare (For HTTP/HTTPS) or explicitly whitelisted.</li>
</ul>
<p><b><br>
</b></p>
<p><b>Addressing your questions</b><br>
</p>
<p><b><br>
</b></p>
<p><b>> You might consider that we are going to be running the whole university on less than that.</b></p>
<p>Do you mean that UWA plan on exposing less than 64 hosts to the public internet? Does this count various faculty services (e.g. the computer science department's user servers)?</p>
<p><br>
</p>
<b>> </b><b><i>Are we in a position to alter the firewall rules from anything about 130.95.13.32/26 now? (Ed:
</i></b><b><i>130.95.13.0/26)</i></b>
<p>What particular changes are you referring to? As Nick covered in his email - we still don't have a working Cloudflare setup, so blocking port 443/80 will break all websites hosted within the UCC network. Additionally, blocking port 53 will have similar impacts
(including preventing our SSL certificates from updating).</p>
<p><br>
</p>
<p>If you mean blocking any access to addresses outside 130.95.13.0/26, then that is also not yet possible as we have services scattered throughout the address range.</p>
<p>Some context: We've separated our range into four regions: trusted hosts ("machine room" - physically isolated network), semi-trusted ("clubroom" - wired network in a semi-public space), member virtual machines, and then the upper quarter for misc services
(e.g. NAT and VPN). There are public services (see the list below) that live in many parts of this range for various reasons.<br>
</p>
<br>
<br>
<b>> </b><b><i>If you could have a look at the scan list provided and give a brief description of the hosts and their purpose from an educational purpose.</i></b><br>
<p>I've included at the end of this email a (maybe not too-brief) summary of each host on your list, and what services they provide. Many of those hosts were just exposing SSH (port 22), used for authenticated remote access.</p>
<p><br>
</p>
<p>However - while the individual computers provide some assistance towards the club's primary objective (which, according to the constitution, is "for the advancement of computer science and technologies") by facilitating the development of interesting projects (e.g. the iodine VPN server, dropbear ssh server, and compute power for several PhD projects) - it is the role of the UCC network as a whole that is most relevant to this discussion.</p>
<p><br>
</p>
<p>The UCC network in its current form (minimally fire-walled, overseen by "old guard") provides an enterprise-like environment for aspiring system administrators to develop and practice skills that would otherwise only be available via expensive training courses or years of industry experience. The services hosted by the UCC (e.g. a library catalog for the science-fiction club) assist the greater UWA community, and provide a set of clients who are (usually) understanding when things break during this learning process.</p>
<p><br>
</p>
<p><i>Short version</i>: It's the network itself that provides the largest educational benefit, without that we're just a computer lab.<br>
</p>
<br>
<p><br>
</p>
<p><b>Further Questions:</b></p>
<ul>
<li>Is there any progress/possibility of UCC continuing to run a minimally fire-walled network segment (as we have done for over 20 years)?
<ul>
<li>We use our own border firewall, which is rather selective in what ports are opened for each host.</li>
<li>Historically, it's only port 25 (SMTP) that has been blocked at the UWA border, to prevent students from sending spam.</li>
</ul>
</li>
<li>If not: What size network segment can be left for us to firewall? You seem to be implying that a /26 is acceptable?
<ul>
<li>It'll take a few weeks to reorganize our network to move all public hosts into one block, see above comments about the network layout.</li>
</ul>
</li>
<li>What network ports are intended to be wholesale blocked?</li>
</ul>
<br>
<br>
<p><b>A summary of each host with open ports</b></p>
<ul>
<li>.1 (murasoi) is our primary router, it (like all other servers) exposes SSH for remote management. All publicly accessible SSH servers are protected by fail2ban to prevent brute-force attacks</li>
<li>.3 (mailauesi) is a proxy host for our mail services - exposing authenticated SMTPS, IMAPS, and POP3S</li>
<li>.6 (gitlab) is our source control server, running SSH (for both management and "git push") and HTTPS (for the web interface)</li>
<li>.7 (motsugo) is our primary user shell server (hence ssh & ident) and mail retrieval server (IMAPS and POP3S)</li>
<li>.8 (flame-tunnel) is firewall magic that forwards traffic on any port to the "Flame" chat service on port 4242. We're looking into decommissioning this one.</li>
<li>.9 (mooneye) is our DNS and mail server, also used to run our wiki (HTTP/HTTPS, it's been moved in the last few weeks).</li>
<li>.10 (myxine) is the machine that hosts our OCS Inventory system. This operates over HTTPS, hence that port responding.</li>
<li>.11 (ssh) is also firewall magic, this time forwarding all ports to SSH on port 22</li>
<li>.12 (ext-mx) is a legacy alias for mooneye, so responds on the same ports.</li>
<li>.18 (mussel) is our secondary shell server, and main web server (hosts user websites and the club's website)</li>
<li>.28 (secure) is firewall magic to distribute services to multiple computers (from before SSL certificates were free)</li>
<li>.34 (uccmonitor) is our monitoring dashboard, public so members can check up on system health</li>
<li>.36 (uccportal) is our member signup system</li>
<li>.38 (meetings) is our video/voice conferencing system, set up as the COVID situation evolved for use for tech talks. This server also uses UDP for video feeds.</li>
<li>.48 (titan) is a user server (An ARM architecture machine), hence SSH</li>
<li>.66 (heathred) is our general games server, often a new admin's first learning ground.</li>
<li>.72 (maaxen) is a Windows server (running a web server for windows-only web services)</li>
<li>.68 (unisfa-koha) is the library system for a neighboring club (web service)</li>
<li>.109 (eggman) is our clubroom music system.</li>
<li>.111 (evil) is a co-located machine run by a life member, does lightweight monitoring of the machine room and network (showing these results on a static webpage).</li>
<li>.137 (workhorse) is another shell machine (for doing heavy-duty computation)</li>
<li>.138 (chordata) is a member VM. Runs ssh and a web server</li>
<li>.146 (enemy-territory) is a game server VM, gets quite a bit of exercise now that we can't be on-campus to play together</li>
<li>.148 (experiments) is another member VM</li>
<li>.174 (diamond) is a member VM running a minecraft server</li>
<li>.177 (minecraft2019) is a club-operated minecraft VM</li>
<li>.185 (frekk-ucc) is a member VM with just ssh</li>
<li>.187 (james1-server) another member VM, just hosts a silly and static website (and ssh)</li>
<li>.189 ("Livorno") is another member VM</li>
<li>.190 (bluering) is another member VM.</li>
</ul>
<p>Note: We're in a flurry of upgrades and restructuring at the moment (Bored admins looking for things to do), leading to services being shuffled between hosts. (E.g. the wiki being moved off mooneye)<br>
</p>
<pre class="x_moz-signature" cols="72">John Hodge [TPG]
UCC Wheel Member</pre>
<div class="x_moz-cite-prefix">On 14/4/20 10:58 am, Paul Fisher wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Hi John,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
My apologies.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">130.95.13.0/26 is on the 64 boundary.</span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">Anything above <span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">130.95.13.64
can be restricted?</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">You might consider that we are going to be running the whole university on less than that.</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">If you could have a look at the scan list provided and give a brief description of the hosts and their purpose from an educational purpose.</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">It doesn't have
to be in great detail, just something that provides a value proposition for education within the UWA core business setting.</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">Something I can
use to justify maintaining the services published in the UWA network space.</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">Thanks</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></span></div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Paul Fisher
<a class="x_moz-txt-link-rfc2396E" href="mailto:paul.fisher@uwa.edu.au"><paul.fisher@uwa.edu.au></a><br>
<b>Sent:</b> Tuesday, 14 April 2020 10:31 AM<br>
<b>To:</b> John Hodge <a class="x_moz-txt-link-rfc2396E" href="mailto:tpg@ucc.asn.au">
<tpg@ucc.asn.au></a><br>
<b>Cc:</b> Geoff Costello <a class="x_moz-txt-link-rfc2396E" href="mailto:geoff.costello@uwa.edu.au">
<geoff.costello@uwa.edu.au></a>; <a class="x_moz-txt-link-abbreviated" href="mailto:tech@ucc.asn.au">
tech@ucc.asn.au</a> <a class="x_moz-txt-link-rfc2396E" href="mailto:tech@ucc.asn.au">
<tech@ucc.asn.au></a>; <a class="x_moz-txt-link-abbreviated" href="mailto:wheel@ucc.asn.au">
wheel@ucc.asn.au</a> <a class="x_moz-txt-link-rfc2396E" href="mailto:wheel@ucc.asn.au">
<wheel@ucc.asn.au></a>; Jack Bryant <a class="x_moz-txt-link-rfc2396E" href="mailto:Jack.Bryant@uwa.edu.au">
<Jack.Bryant@uwa.edu.au></a><br>
<b>Subject:</b> Re: Clarification of requirements and plan of action</font>
<div> </div>
</div>
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Hi John,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
It's good to hear from you, how are you?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Things have been very busy for us working on the <a class="x_moz-txt-link-freetext" href="https://unidesk.uwa.edu.au">
https://unidesk.uwa.edu.au</a> solution.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I've created the ucc.asn.au domain. I was waiting for you to give me one or two Pheme accounts that I can have access provisioned for.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I see 2 subdomains under uwa.edu.au delegated to ucc.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
ucc.guild.uwa.edu.au and ucc.gu.uwa.edu.au, I have created these as subdomains in the account however it is unlikely from the discussion I've had these will be able to be maintained as delegated subdomains.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I've attached the zone files I have for these zones, if you can check these for accuracy. I'll have the records added to the parent zone and delegation removed.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I will confirm a date with you before proceeding.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
Moving forward any records under uwa.edu.au are part of the corporate brand and an approval process will be required to have names allocated in the uwa.edu.au domain.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
I can see additional domains registered in the 130.95.13.0/24 address space.<span></span></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<span>didcoe.id.au <br>
</span>
<div>shmookey.net <span style=""> </span></div>
<div>unisfa.asn.au <br>
</div>
<div> <br>
</div>
<div>Are these required moving forward?</div>
<div><br>
</div>
<div>From our discussions we talked about <span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">130.95.13.0/26 being routed to the perimeter firewall.</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">Is this the desired outcome for UCC?</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">I've attached a network scan for the <span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span> </span>130.95.13.0/24
network. Are we in a position to alter the firewall rules from anything about <span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">130.95.13.32/26 now?</span></span></span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><br>
</span></span></span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">Thanks</span></span></span></div>
<div><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important"><span style="font-family:Calibri,Arial,Helvetica,sans-serif; background-color:rgb(255,255,255); display:inline!important">Paul</span></span></span></div>
<span></span><br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> John Hodge
<a class="x_moz-txt-link-rfc2396E" href="mailto:tpg@ucc.asn.au"><tpg@ucc.asn.au></a><br>
<b>Sent:</b> Thursday, 9 April 2020 8:27 AM<br>
<b>To:</b> Paul Fisher <a class="x_moz-txt-link-rfc2396E" href="mailto:paul.fisher@uwa.edu.au">
<paul.fisher@uwa.edu.au></a><br>
<b>Cc:</b> Geoff Costello <a class="x_moz-txt-link-rfc2396E" href="mailto:geoff.costello@uwa.edu.au">
<geoff.costello@uwa.edu.au></a>; <a class="x_moz-txt-link-abbreviated" href="mailto:tech@ucc.asn.au">
tech@ucc.asn.au</a> <a class="x_moz-txt-link-rfc2396E" href="mailto:tech@ucc.asn.au">
<tech@ucc.asn.au></a>; <a class="x_moz-txt-link-abbreviated" href="mailto:wheel@ucc.asn.au">
wheel@ucc.asn.au</a> <a class="x_moz-txt-link-rfc2396E" href="mailto:wheel@ucc.asn.au">
<wheel@ucc.asn.au></a><br>
<b>Subject:</b> Clarification of requirements and plan of action</font>
<div> </div>
</div>
<div>Paul,
<p>I haven't seen an update from our discussion several weeks ago, so I thought I'd put to paper some notes and queries about the move towards Cloudflare proxying.</p>
<p>My understanding is that UWA has decided (in response to one of the steps in the ANU data breach) that websites hosted on 130.95.0.0/16 (UWA's IP range) should not be open to the general internet, and instead should be protected by a reverse proxy (in this
case, Cloudflare). To this end, DNS is being pointed at Cloudflare (I assume because the DNS service comes with the web proxy service?) and eventually ports 443 and 80 inbound will be closed at the border firewall (with an exception for the Cloudflare proxies).<br>
</p>
<p>Queries:</p>
<ul>
<li>What is the progress on getting access to the Cloudflare dashboard? We would like to start on migration of services before ports 443 and 80 start being blocked.</li>
<li>Are there any other ports (apart from 80/443) that will be blocked at the border?</li>
<li>Is there any progress towards treating 130.95.13.0/24 as "outside" in the core firewall (and thus side-stepping the need to place UCC services behind Cloudflare)?</li>
</ul>
<p><br>
</p>
<p>Examples of services that cannot work with the Cloudflare setup (running both HTTP and non-HTTP on the same hostname):</p>
<ul>
<li>GitLab (source control server): This runs both a web server (for viewing source code, and managing permissions) and an SSH server (used for uploading code in a secure manner). Neither of these services support DNS "SRV" records (which would permit different IP addresses for HTTP/HTTPS and other services).</li>
<li>"Big Blue Button" (Video conferencing system): This sends its video streams over UDP to a collection of high ports (audio is sent over websockets). This system has been used to great effect by the clubs impacted by the COVID-19 Cameron Hall shutdown, to host their normal events in a virtual space.</li>
<li>We currently have `secure.ucc.asn.au` that "hosts" a whole range of encrypted services (IMAP, POP3, webmail, VPN).</li>
</ul>
<p><br>
</p>
<pre class="x_x_x_moz-signature" cols="72">--
John Hodge [TPG]
UCC Wheel Member</pre>
</div>
</div>
</blockquote>
</div>
</body>
</html>