<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html;
      charset=windows-1252">
  </head>
  <body>
    <p>Hi Paul,</p>
    <p><br>
    </p>
    <p>Sorry (again) for the delay in answering, but thanks for the
      solid timelines.</p>
    <p><br>
    </p>
    <p>We have been waiting for someone to contact either James or Tim
      with access to the Cloudflare dashboard for ucc.gu.uwa.edu.au, so
      we can get it configured with the required hostnames before the
      cutover date.<br>
    </p>
    <p><br>
    </p>
    <p>We are currently in the process of setting up a Cloudflare
      account to host our non-UWA domains, which should work as a
      temporary measure while progress is made towards treating the UCC
      network as separate to the rest of campus.</p>
    <p><br>
    </p>
    <p>Regarding ports to be blocked, thank you for providing the list.
      We do make heavy use of port 22 to most hosts (often using port
      forwarding), so would want that to continue to work in some form.<br>
    </p>
    <p><br>
    </p>
    <pre class="moz-signature" cols="72">John Hodge [TPG]
UCC Wheel Member</pre>
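    <p>Added example, not part of the original thread or of either party's tooling: a pre-cutover check of a hostname list against the two constraints stated in the quoted message below (subdomains one level deep under the zone, and an ordered host-to-pool mapping like the quoted F5 fragment). It assumes the fragment is evaluated top to bottom as a glob match on the Host header; the ucc.asn.au hostnames, pool names and 192.0.2.x addresses are constructed.</p>

```python
from fnmatch import fnmatchcase

# The two routing entries quoted in the thread, in their original order.
PAGE_RULES = [
    ("webdav.rcswa.edu.au", "ip_130.95.169.196_443"),
    ("*rcswa.edu.au", "ip_130.95.169.205_443"),
]


def normalise(host):
    """Lower-case a Host value and drop a :port suffix and trailing dot."""
    return host.strip().lower().split(":", 1)[0].rstrip(".")


def route(host, rules):
    """Return the pool of the first matching rule, or None.

    Assumption: rules are tried top to bottom and '*' matches any run of
    characters, dots included (glob semantics).
    """
    name = normalise(host)
    for pattern, pool in rules:
        if fnmatchcase(name, pattern.lower()):
            return pool
    return None


def shadowed(rules):
    """Indexes of exact-name rules that can never fire because an earlier
    pattern already matches them (an ordering mistake in a 1-to-1 map)."""
    dead = []
    for i, (pattern, _pool) in enumerate(rules):
        if any(ch in pattern for ch in "*?["):
            continue  # only exact names are checked here
        if any(fnmatchcase(pattern.lower(), earlier.lower())
               for earlier, _ in rules[:i]):
            dead.append(i)
    return dead


def one_level_deep(host, zone):
    """True when host is exactly one label below zone."""
    name, zone = normalise(host), normalise(zone)
    suffix = "." + zone
    if not name.endswith(suffix):
        return False
    label = name[: -len(suffix)]
    return bool(label) and "." not in label


def audit(hostnames, zone, rules):
    """Map each hostname to (one_level_ok, pool_or_None)."""
    return {h: (one_level_deep(h, zone), route(h, rules)) for h in hostnames}


# Constructed inputs: hostnames and pool names are hypothetical and the
# addresses come from the 192.0.2.0/24 documentation range.
SAMPLE_ZONE = "ucc.asn.au"
SAMPLE_RULES = [
    ("gitlab.ucc.asn.au", "ip_192.0.2.6_443"),
    ("*.ucc.asn.au", "ip_192.0.2.18_443"),
]
SAMPLE_HOSTS = ["gitlab.ucc.asn.au", "wiki.ucc.asn.au", "a.b.ucc.asn.au"]

if __name__ == "__main__":
    for host, (ok, pool) in audit(SAMPLE_HOSTS, SAMPLE_ZONE, SAMPLE_RULES).items():
        print(f"{host:20} one-level={ok!s:5} pool={pool}")
    print("shadowed rules:", shadowed(SAMPLE_RULES))
```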
    <div class="moz-cite-prefix">On 22/04/2020 5:38 pm, Paul Fisher
      wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:SYCPR01MB39037ADDED783664BA5FE97EDCD20@SYCPR01MB3903.ausprd01.prod.outlook.com">
      <meta http-equiv="Content-Type" content="text/html;
        charset=windows-1252">
      <style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);"> Hi John,</div>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);"> <br>
      </div>
      <div style="font-family: Calibri, Arial, Helvetica, sans-serif;
        font-size: 12pt; color: rgb(0, 0, 0);"> We had a meeting to
        discuss the next steps for UCC, the action items to be
        undertaken are:</div>
      <div><br style="color: inherit; font-family: inherit; font-size:
          inherit; font-style: inherit; font-variant-caps: inherit;">
        <ul>
          <li><span style="color: rgb(0, 0, 0); font-family: Calibri,
              Arial, Helvetica, sans-serif; font-size: 12pt; background:
              var(--white);">ucc.gu.uwa.edu.au and </span><span
              style="color: rgb(0, 0, 0); font-family: Calibri, Arial,
              Helvetica, sans-serif; font-size: 12pt; background:
              var(--white);">ucc.guild.uwa.edu.au delegation</span></li>
        </ul>
        <ul>
          <li><span style="color: rgb(0, 0, 0); font-family: Calibri,
              Arial, Helvetica, sans-serif; font-size: 12pt; background:
              var(--white);">ucc.asn.au domain</span></li>
        </ul>
        <ul>
          <li><span style="color: rgb(0, 0, 0); font-family: Calibri,
              Arial, Helvetica, sans-serif; font-size: 12pt; background:
              var(--white);">Inbound ports on 22, 53, 80, and port 443
              to the COGLD</span><br>
          </li>
        </ul>
      </div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <br>
      </div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <br>
      </div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> 1) All sub delegations of the
        uwa.edu.au domain are being remediated and any zone records
        hosted outside of the main Cloudflare account will need to be
        updated into UWA's cloudflare zone. Completion date for this is
        scheduled for Friday the 1st of May. 10:30am</div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <br>
      </div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <br>
      </div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> 2) For the ucc.asn.au domain
        we would ask you to create a free account with Cloudflare under
        your administrative control. UWA are accepting traffic from all
        affiliates via a TLS authenticated channel with Cloudflare only
        for HTTPS traffic on the perimeter origin F5s.</div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <br>
      </div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> UCC will need to create an
        origin cert (15 Years) and have someone delegated to update the
        cert at short notice if required. I've attached the CSR for the
        request.</div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <br>
      </div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> You can create as many
        subdomains one level deep under the ucc.asn.au via API and they
        will be routed to a nominated IP. To support additional IPs you
        will need to supply a 1 to 1 URL mapping of as many server IPs
        as you require. Additional IPs moving forward will be via a
        Service Request. I've given an example of how the URL routing is
        configured on the F5 CF Origin.</div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <br>
      </div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> 3) Inbound ports on <span
          style="caret-color: rgb(0, 0, 0); font-family: Calibri, Arial,
          Helvetica, sans-serif; text-align: left; background-color:
          rgb(255, 255, 255); display: inline !important">22, 53, 80,
          and port 443 to the COGLD vrf will be restricted to UWA Campus
          and VPN on Scheduled 8th May 2020 10:30am. If you are using
          SSH for automated inbound data transfer, it will be reviewed
          and provision for proxy will be made available.</span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
          rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
          sans-serif; text-align: left; background-color: rgb(255, 255,
          255); display: inline !important"><br>
        </span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
          rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
          sans-serif; text-align: left; background-color: rgb(255, 255,
          255); display: inline !important">For the rest of the services
          currently in operation a solution to maintain these in line
          with Cyber Security requirements of UWA is still in progress.</span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
          rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
          sans-serif; text-align: left; background-color: rgb(255, 255,
          255); display: inline !important"><br>
        </span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
          rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
          sans-serif; text-align: left; background-color: rgb(255, 255,
          255); display: inline !important">Thanks</span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
          rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
          sans-serif; text-align: left; background-color: rgb(255, 255,
          255); display: inline !important">Paul</span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
          rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
          sans-serif; text-align: left; background-color: rgb(255, 255,
          255); display: inline !important"><br>
        </span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
          rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
          sans-serif; text-align: left; background-color: rgb(255, 255,
          255); display: inline !important"><br>
        </span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
          rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
          sans-serif; text-align: left; background-color: rgb(255, 255,
          255); display: inline !important"><br>
        </span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
          rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
          sans-serif; text-align: left; background-color: rgb(255, 255,
          255); display: inline !important"><br>
        </span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <span style="caret-color:
          rgb(0, 0, 0); font-family: Calibri, Arial, Helvetica,
          sans-serif; text-align: left; background-color: rgb(255, 255,
          255); display: inline !important"><span>&nbsp; &nbsp;"webdav.rcswa.edu.au"<br>
          </span>
          <div>&nbsp; &nbsp; &nbsp;{<br>
          </div>
          <div>&nbsp; &nbsp; &nbsp;pool ip_130.95.169.196_443<br>
          </div>
          <div>&nbsp; &nbsp; &nbsp;set usessl 1<br>
          </div>
          <div>&nbsp; &nbsp; &nbsp;}<br>
          </div>
          <div>&nbsp; &nbsp;"*rcswa.edu.au"<br>
          </div>
          <div>&nbsp; &nbsp; &nbsp;{<br>
          </div>
          <div>&nbsp; &nbsp; &nbsp;pool ip_130.95.169.205_443<br>
          </div>
          <div>&nbsp; &nbsp; &nbsp;set usessl 1<br>
          </div>
          <div>&nbsp; &nbsp; &nbsp;}<br>
          </div>
          <span></span><br>
        </span></div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <br>
      </div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <br>
      </div>
      <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
        font-size:12pt; color:rgb(0,0,0)"> <br>
      </div>
      <hr tabindex="-1" style="display:inline-block; width:98%">
      <div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
          face="Calibri, sans-serif" color="#000000"><b>From:</b> John
          Hodge <a class="moz-txt-link-rfc2396E"
            href="mailto:tpg@ucc.asn.au">&lt;tpg@ucc.asn.au&gt;</a><br>
          <b>Sent:</b> Sunday, 19 April 2020 9:29 PM<br>
          <b>To:</b> Paul Fisher <a class="moz-txt-link-rfc2396E"
            href="mailto:paul.fisher@uwa.edu.au">&lt;paul.fisher@uwa.edu.au&gt;</a><br>
          <b>Cc:</b> Geoff Costello <a class="moz-txt-link-rfc2396E"
            href="mailto:geoff.costello@uwa.edu.au">&lt;geoff.costello@uwa.edu.au&gt;</a>;
          <a class="moz-txt-link-abbreviated"
            href="mailto:tech@ucc.asn.au">tech@ucc.asn.au</a> <a
            class="moz-txt-link-rfc2396E" href="mailto:tech@ucc.asn.au">&lt;tech@ucc.asn.au&gt;</a>;
          <a class="moz-txt-link-abbreviated"
            href="mailto:wheel@ucc.asn.au">wheel@ucc.asn.au</a> <a
            class="moz-txt-link-rfc2396E" href="mailto:wheel@ucc.asn.au">&lt;wheel@ucc.asn.au&gt;</a>;
          Jack Bryant <a class="moz-txt-link-rfc2396E"
            href="mailto:Jack.Bryant@uwa.edu.au">&lt;Jack.Bryant@uwa.edu.au&gt;</a><br>
          <b>Subject:</b> Re: Clarification of requirements and plan of
          action</font>
        <div>&nbsp;</div>
      </div>
      <div>Paul,<br>
        <p><br>
          Sorry for the delay in answering, my small bits of free time
          have been taken up with adjusting to this social distancing
          thing (and I maybe spent too much effort on this email, trying
          to avoid confusion).<br>
          <br>
          Your email has raised some more questions, and doesn't seem to
          have really addressed our queries.</p>
        <p><br>
        </p>
        <p>From what I can glean, there's two primary tasks that your
          team is trying to address.<br>
        </p>
        <ul>
          <li>UWA wants central control and approval of all subdomains
            of .uwa.edu.au</li>
          <ul>
            <li>Nick's email on 2020-04-17 12:10 covers parts of this
              relatively well, so I won't be addressing it in this
              email.</li>
          </ul>
          <li>There should be no externally-accessible services on the
            130.95.0.0/16 network that aren't either proxied through
            Cloudflare (For HTTP/HTTPS) or explicitly whitelisted.</li>
        </ul>
        <p><b><br>
          </b></p>
        <p><b>Addressing your questions</b><br>
        </p>
        <p><b><br>
          </b></p>
        <p><b>&gt; You might consider that we are going to be running the
            whole university on less than that.</b></p>
        <p>Do you mean that UWA plan on exposing less than 64 hosts to
          the public internet? Does this count various faculty services
          (e.g. the computer science department's user servers)?</p>
        <p><br>
        </p>
        <b>&gt; </b><b><i>Are we in a position to alter the firewall
            rules from anything about 130.95.13.32/26 now? (Ed: </i></b><b><i>130.95.13.0/26)</i></b>
        <p>What particular changes are you referring to? As Nick covered
          in his email - we still don't have a working Cloudflare setup,
          so blocking port 443/80 will break all websites hosted within
          the UCC network. Additionally, blocking port 53 will have
          similar impacts (including preventing our SSL certificates
          from updating).</p>
        <p><br>
        </p>
        <p>If you mean blocking any access to addresses outside
          130.95.13.0/26, then that is also not yet possible as we have
          services scattered throughout the address range.</p>
        <p>Some context: We've separated our range into four regions:
          trusted hosts ("machine room" - physically isolated network),
          semi-trusted ("clubroom" - wired network in a semi-public
          space), member virtual machines, and then the upper quarter
          for misc services (e.g. NAT and VPN). There are public
          services (see the list below) that live in many parts of this
          range for various reasons.<br>
        </p>
        <br>
        <br>
        <b>&gt; </b><b><i>If you could have a look at the scan list
            provided and give a brief description of the hosts and their
            purpose from an educational purpose.</i></b><br>
        <p>I've included at the end of this email a (maybe not
          too-brief) summary of each host on your list, and what
          services they provide. Many of those hosts were just exposing
          SSH (port 22), used for authenticated remote access.</p>
        <p><br>
        </p>
        <p>However - while the individual computers provide some
          assistance towards the club's primary objective (which,
          according to the constitution, is "for the advancement of
          computer science and technologies") by facilitating the
          development of interesting projects (e.g. the iodine VPN
          server, dropbear ssh server, and compute power for several PhD
          projects) - it is the role of the UCC network as a whole that
          is the most relevant to this discussion.</p>
        <p><br>
        </p>
        <p>The UCC network in its current form (minimally fire-walled,
          overseen by "old guard") provides an enterprise-like
          environment for aspiring system administrators to develop and
          practice skills that would otherwise only be available via
          expensive training courses or years of industry experience.
          The services hosted by the UCC (e.g. a library catalog for the
          science-fiction club) assist the greater UWA community, and
          provide a set of clients who are (usually) understanding when
          things break due in this learning process.</p>
        <p><br>
        </p>
        <p><i>Short version</i>: It's the network itself that provides
          the largest educational benefit, without that we're just a
          computer lab.<br>
        </p>
        <br>
        <p><br>
        </p>
        <p><b>Further Questions:</b></p>
        <ul>
          <li>Is there any progress/possibility of UCC continuing to run
            a minimally fire-walled network segment (as we have done for
            over 20 years)?</li>
          <ul>
            <li>We use our own border firewall, which is rather
              selective in what ports are opened for each host.</li>
            <li>Historically, it's only port 25 (SMTP) that has been
              blocked at the UWA border, to prevent students from
              sending spam.<br>
            </li>
          </ul>
          <li>If not: What size network segment can be left for us to
            firewall? You seem to be implying that a /26 is acceptable?</li>
          <ul>
            <li>It'll take a few weeks to reorganize our network to move
              all public hosts into one block, see above comments about
              the network layout.</li>
          </ul>
          <li>What network ports are intended to be wholesale blocked?</li>
        </ul>
        <br>
        <br>
        <p><b>A summary of each host with open ports</b></p>
        <ul>
          <li>.1 (murasoi) is our primary router, it (like all other
            servers) exposes SSH for remote management. All publicly
            accessible SSH servers are protected by fail2ban to prevent
            brute-force attacks</li>
          <li>.3 (mailauesi) is a proxy host for our mail services -
            exposing authenticated SMTPS, IMAPS, and POP3S</li>
          <li>.6 (gitlab) is our source control server, running SSH (for
            both management and "git push") and HTTPS (for the web
            interface)</li>
          <li>.7 (motsugo) is our primary user shell server (hence ssh
            &amp; ident) and mail retrieval server (IMAPS and POP3S)</li>
          <li>.8 (flame-tunnel) is firewall magic that forwards traffic
            on any port to the "Flame" chat service on port 4242. We're
            looking into decommissioning this one.<br>
          </li>
          <li>.9 (mooneye) is our DNS and mail server, also used to run
            our wiki (HTTP/HTTPS, it's been moved in the last few
            weeks).</li>
          <li>.10 (myxine) is the machine that hosts our OCS Inventory
            system. This operates over HTTPS, hence that port
            responding.</li>
          <li>.11 (ssh) is also firewall magic, this time forwarding all
            ports to SSH on port 22</li>
          <li>.12 (ext-mx) is a legacy alias for mooneye, so responds on
            the same ports.</li>
          <li>.18 (mussel) is our secondary shell server, and main web
            server (host user websites and the club's website)</li>
          <li>.28 (secure) is firewall magic to distribute services to
            multiple computers (from before SSL certificates were free)</li>
          <li>.34 (uccmonitor) is our monitoring dashboard, public so
            members can check up on system health</li>
          <li>.36 (uccportal) is our member signup system</li>
          <li>.38 (meetings) is our video/voice conferencing system, set
            up as the COVID situation evolved for use for tech talks.
            This server also uses UDP for video feeds.</li>
          <li>.48 (titan) is a user server (An ARM architecture
            machine), hence SSH</li>
          <li>.66 (heathred) is our general games server, often a new
            admin's first learning ground.</li>
          <li>.72 (maaxen) is a Windows server (running a web server for
            windows-only web services)</li>
          <li>.68 (unisfa-koha) is the library system for a neighboring
            club (web service)</li>
          <li>.109 (eggman) is our clubroom music system.</li>
          <li>.111 (evil) is a co-located machine run by a life member,
            does lightweight monitoring of the machine room and network
            (showing these results on a static webpage).</li>
          <li>.137 (workhorse) is another shell machine (for doing
            heavy-duty computation)</li>
          <li>.138 (chordata) is a member VM. Runs ssh and a web server</li>
          <li>.146 (enemy-territory) is a game server VM, gets quite a
            bit of exercise now that we can't be on-campus to play
            together</li>
          <li>.148 (experiments) is another member VM</li>
          <li>.174 (diamond) is a member VM running a minecraft server</li>
          <li>.177 (minecraft2019) is a club-operated minecraft VM</li>
          <li>.185 (frekk-ucc) is a member VM with just ssh</li>
          <li>.187 (james1-server) another member VM, just hosts a silly
            and static website (and ssh)</li>
          <li>.189 ("Livorno") is another member VM</li>
          <li>.190 (bluering) is another member VM.</li>
        </ul>
        <p>Note: We're in a flurry of upgrades and restructuring at the
          moment (Bored admins looking for things to do), leading to
          services being shuffled between hosts. (E.g. the wiki being
          moved off mooneye)<br>
        </p>
        <ul>
        </ul>
        <pre class="x_moz-signature" cols="72">John Hodge [TPG]
UCC Wheel Member</pre>
        <div class="x_moz-cite-prefix">On 14/4/20 10:58 am, Paul Fisher
          wrote:<br>
        </div>
        <blockquote type="cite">
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> Hi John,</div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <br>
          </div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> My apologies.</div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <br>
          </div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important">130.95.13.0/26 is on the 64
              boundary.</span><br>
          </div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><br>
            </span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important">Anything above <span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important">130.95.13.64 can be
                restricted?</span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important"><br>
              </span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important">You might consider that we are
                going to be running the whole university on less than that.</span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important"><br>
              </span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important">If you could have a look at
                the scan list provided and give a brief description of
                the hosts and their purpose from an educational purpose.</span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important"><br>
              </span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important">It doesn't have to be in great
                detail, just something that provides a value proposition
                for education within the UWA core business setting.</span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important"><br>
              </span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important">Something I can use to justify
                maintaining the services published in the UWA network
                space.</span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important"><br>
              </span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important">Thanks</span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important"><br>
              </span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important"><br>
              </span></span></div>
          <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
            font-size:12pt; color:rgb(0,0,0)"> <span
              style="font-family:Calibri,Arial,Helvetica,sans-serif;
              background-color:rgb(255,255,255);
              display:inline!important"><span
                style="font-family:Calibri,Arial,Helvetica,sans-serif;
                background-color:rgb(255,255,255);
                display:inline!important"><br>
              </span></span></div>
          <hr tabindex="-1" style="display:inline-block; width:98%">
          <div id="x_divRplyFwdMsg" dir="ltr"><font
              style="font-size:11pt" face="Calibri, sans-serif"
              color="#000000"><b>From:</b> Paul Fisher <a
                class="x_moz-txt-link-rfc2396E"
                href="mailto:paul.fisher@uwa.edu.au"
                moz-do-not-send="true">&lt;paul.fisher@uwa.edu.au&gt;</a><br>
              <b>Sent:</b> Tuesday, 14 April 2020 10:31 AM<br>
              <b>To:</b> John Hodge <a class="x_moz-txt-link-rfc2396E"
                href="mailto:tpg@ucc.asn.au" moz-do-not-send="true">
                &lt;tpg@ucc.asn.au&gt;</a><br>
              <b>Cc:</b> Geoff Costello <a
                class="x_moz-txt-link-rfc2396E"
                href="mailto:geoff.costello@uwa.edu.au"
                moz-do-not-send="true">
                &lt;geoff.costello@uwa.edu.au&gt;</a>; <a
                class="x_moz-txt-link-abbreviated"
                href="mailto:tech@ucc.asn.au" moz-do-not-send="true">
                tech@ucc.asn.au</a> <a class="x_moz-txt-link-rfc2396E"
                href="mailto:tech@ucc.asn.au" moz-do-not-send="true">
                &lt;tech@ucc.asn.au&gt;</a>; <a
                class="x_moz-txt-link-abbreviated"
                href="mailto:wheel@ucc.asn.au" moz-do-not-send="true">
                wheel@ucc.asn.au</a> <a class="x_moz-txt-link-rfc2396E"
                href="mailto:wheel@ucc.asn.au" moz-do-not-send="true">
                &lt;wheel@ucc.asn.au&gt;</a>; Jack Bryant <a
                class="x_moz-txt-link-rfc2396E"
                href="mailto:Jack.Bryant@uwa.edu.au"
                moz-do-not-send="true"> &lt;Jack.Bryant@uwa.edu.au&gt;</a><br>
              <b>Subject:</b> Re: Clarification of requirements and plan
              of action</font>
            <div>&nbsp;</div>
          </div>
          <div dir="ltr">
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> Hi John,</div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> It's good to hear from
              you, how are you?</div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> Things have been very
              busy for us working on the <a
                class="x_moz-txt-link-freetext"
                href="https://unidesk.uwa.edu.au" moz-do-not-send="true">
                https://unidesk.uwa.edu.au</a> solution.</div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> I've created the
              ucc.asn.au domain. I was waiting for you to give me one or
              two pheme accounts that I can have access provisioned.</div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> I see 2 subdomains
              under uwa.edu.au delegated to ucc.</div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> ucc.guild.uwa.edu.au
              and ucc.gu.uwa.edu.au, I have created these as subdomains
              in the account however it is unlikely from the discussion
              I've had these will be able to be maintained as delegated
              subdomains.</div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> I've attached the zone
              files I have for these zones, if you can check these for
              accuracy. I'll have the records added to the parent zone
              and delegation removed.</div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> I will confirm a date
              with you before proceeding.</div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> Moving forward any
              records under uwa.edu.au are part of the corporate brand
              and an approval process will be required to have names
              allocated in the uwa.edu.au domain.</div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> I can see additional
              domains registered in the 130.95.13.0/24 address space.<span></span></div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <span>didcoe.id.au<br>
              </span>
              <div>shmookey.net<span style=""></span></div>
              <div>unisfa.asn.au<br>
              </div>
              <div><br>
              </div>
              <div>Are these required moving forward?</div>
              <div><br>
              </div>
              <div>From our discussions we talked about <span
                  style="font-family:Calibri,Arial,Helvetica,sans-serif;
                  background-color:rgb(255,255,255);
                  display:inline!important">130.95.13.0/26 being routed
                  to the perimeter firewall.</span></div>
              <div><span
                  style="font-family:Calibri,Arial,Helvetica,sans-serif;
                  background-color:rgb(255,255,255);
                  display:inline!important"><br>
                </span></div>
              <div><span
                  style="font-family:Calibri,Arial,Helvetica,sans-serif;
                  background-color:rgb(255,255,255);
                  display:inline!important">Is this the desired outcome
                  for UCC?</span></div>
              <div><span
                  style="font-family:Calibri,Arial,Helvetica,sans-serif;
                  background-color:rgb(255,255,255);
                  display:inline!important"><br>
                </span></div>
              <div><span
                  style="font-family:Calibri,Arial,Helvetica,sans-serif;
                  background-color:rgb(255,255,255);
                  display:inline!important">I've attached a network scan
                  for the <span
                    style="font-family:Calibri,Arial,Helvetica,sans-serif;
                    background-color:rgb(255,255,255);
                    display:inline!important"><span></span>130.95.13.0/24
                    network. Are we in a position to alter the firewall
                    rules from anything about <span
                      style="font-family:Calibri,Arial,Helvetica,sans-serif;
                      background-color:rgb(255,255,255);
                      display:inline!important">130.95.13.32/26 now?</span></span></span></div>
              <div><span
                  style="font-family:Calibri,Arial,Helvetica,sans-serif;
                  background-color:rgb(255,255,255);
                  display:inline!important"><span
                    style="font-family:Calibri,Arial,Helvetica,sans-serif;
                    background-color:rgb(255,255,255);
                    display:inline!important"><span
                      style="font-family:Calibri,Arial,Helvetica,sans-serif;
                      background-color:rgb(255,255,255);
                      display:inline!important"><br>
                    </span></span></span></div>
              <div><span
                  style="font-family:Calibri,Arial,Helvetica,sans-serif;
                  background-color:rgb(255,255,255);
                  display:inline!important"><span
                    style="font-family:Calibri,Arial,Helvetica,sans-serif;
                    background-color:rgb(255,255,255);
                    display:inline!important"><span
                      style="font-family:Calibri,Arial,Helvetica,sans-serif;
                      background-color:rgb(255,255,255);
                      display:inline!important">Thanks</span></span></span></div>
              <div><span
                  style="font-family:Calibri,Arial,Helvetica,sans-serif;
                  background-color:rgb(255,255,255);
                  display:inline!important"><span
                    style="font-family:Calibri,Arial,Helvetica,sans-serif;
                    background-color:rgb(255,255,255);
                    display:inline!important"><span
                      style="font-family:Calibri,Arial,Helvetica,sans-serif;
                      background-color:rgb(255,255,255);
                      display:inline!important">Paul</span></span></span></div>
              <span></span><br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <div style="font-family:Calibri,Arial,Helvetica,sans-serif;
              font-size:12pt; color:rgb(0,0,0)"> <br>
            </div>
            <hr tabindex="-1" style="display:inline-block; width:98%">
            <div id="x_x_divRplyFwdMsg" dir="ltr"><font
                style="font-size:11pt" face="Calibri, sans-serif"
                color="#000000"><b>From:</b> John Hodge <a
                  class="x_moz-txt-link-rfc2396E"
                  href="mailto:tpg@ucc.asn.au" moz-do-not-send="true">&lt;tpg@ucc.asn.au&gt;</a><br>
                <b>Sent:</b> Thursday, 9 April 2020 8:27 AM<br>
                <b>To:</b> Paul Fisher <a
                  class="x_moz-txt-link-rfc2396E"
                  href="mailto:paul.fisher@uwa.edu.au"
                  moz-do-not-send="true"> &lt;paul.fisher@uwa.edu.au&gt;</a><br>
                <b>Cc:</b> Geoff Costello <a
                  class="x_moz-txt-link-rfc2396E"
                  href="mailto:geoff.costello@uwa.edu.au"
                  moz-do-not-send="true">
                  &lt;geoff.costello@uwa.edu.au&gt;</a>; <a
                  class="x_moz-txt-link-abbreviated"
                  href="mailto:tech@ucc.asn.au" moz-do-not-send="true">
                  tech@ucc.asn.au</a> <a
                  class="x_moz-txt-link-rfc2396E"
                  href="mailto:tech@ucc.asn.au" moz-do-not-send="true">
                  &lt;tech@ucc.asn.au&gt;</a>; <a
                  class="x_moz-txt-link-abbreviated"
                  href="mailto:wheel@ucc.asn.au" moz-do-not-send="true">
                  wheel@ucc.asn.au</a> <a
                  class="x_moz-txt-link-rfc2396E"
                  href="mailto:wheel@ucc.asn.au" moz-do-not-send="true">
                  &lt;wheel@ucc.asn.au&gt;</a><br>
                <b>Subject:</b> Clarification of requirements and plan
                of action</font>
              <div>&nbsp;</div>
            </div>
            <div>Paul,
              <p>I haven't seen an update from our discussion several
                weeks ago, so I thought I'd put to paper some notes and
                queries about the move towards Cloudflare proxying.</p>
              <p>My understanding is that UWA has decided (in response
                to one of the steps in the ANU data breach) that
                websites hosted on 130.95.0.0/16 (UWA's IP range) should
                not be open to the general internet, and instead should
                be protected by a reverse proxy (in this case,
                Cloudflare). To this end, DNS is being pointed at
                Cloudflare (I assume because the DNS service comes with
                the web proxy service?) and eventually ports 443 and 80
                inbound will be closed at the border firewall (with an
                exception for the Cloudflare proxies).<br>
              </p>
              <p>Queries:</p>
              <ul>
                <li>What is the progress on getting access to the
                  Cloudflare dashboard? We would like to start on
                  migration of services before ports 443 and 80 start
                  being blocked.</li>
                <li>Are there any other ports (apart from 80/443) that
                  will be blocked at the border?<br>
                </li>
                <li>Is there any progress towards treating
                  130.95.13.0/24 as "outside" in the core firewall (and
                  thus side-stepping the need to place UCC services
                  behind Cloudflare)?</li>
              </ul>
              <p><br>
              </p>
              <p>Examples of services that cannot work with the
                Cloudflare setup (running both HTTP and non-HTTP on the
                same hostname):</p>
              <ul>
                <li>GitLab (source control server): This runs both a web
                  server (for viewing source code, and managing
                  permissions) and an SSH server (used for uploading code
                  in a secure manner). Neither of these services supports
                  DNS "SRV" records (which would permit different IP
                  addresses for HTTP/HTTPS and other services).<br>
                </li>
                <li>"Big Blue Button" (Video conferencing system): This
                  sends its video streams over UDP to a collection of
                  high ports (audio is sent over websockets). This
                  system has been used to great effect by the clubs
                  impacted by the COVID-19 Cameron Hall shutdown, to
                  host their normal events in a virtual space.</li>
                <li>We currently have `secure.ucc.asn.au` that "hosts" a
                  whole range of encrypted services (IMAP, POP3,
                  webmail, VPN).</li>
              </ul>
              <p><br>
              </p>
              <pre class="x_x_x_moz-signature" cols="72">-- 
John Hodge [TPG]
UCC Wheel Member</pre>
            </div>
          </div>
        </blockquote>
      </div>
    </blockquote>
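    <p>The same-hostname problem raised in the quoted 9 April message can be checked against a service inventory before cutover. The following is an added example, not part of the original e-mails or any UCC or UWA tooling. It assumes the proxy forwards only TCP 80 and 443; the .example hostnames, port numbers and service labels are constructed.</p>

```python
from collections import defaultdict

# Assumption: once a hostname's DNS record points at the reverse proxy,
# only these (protocol, port) pairs are forwarded to the origin.
PROXIED = {("tcp", 80), ("tcp", 443)}

# Constructed inventory modelled on the services named in the thread.
# Only secure.ucc.asn.au is a hostname taken from the e-mail; the other
# hostnames and all port numbers are placeholders for illustration.
INVENTORY = [
    ("gitlab.example", "tcp", 443, "GitLab web"),
    ("gitlab.example", "tcp", 22, "GitLab SSH"),
    ("bbb.example", "tcp", 443, "BigBlueButton web and websocket audio"),
    ("bbb.example", "udp", 16384, "BigBlueButton video (one high port)"),
    ("secure.ucc.asn.au", "tcp", 443, "webmail"),
    ("secure.ucc.asn.au", "tcp", 993, "IMAP over TLS"),
    ("secure.ucc.asn.au", "tcp", 995, "POP3 over TLS"),
    ("secure.ucc.asn.au", "udp", 1194, "VPN"),
    ("www.example", "tcp", 80, "static site"),
    ("www.example", "tcp", 443, "static site"),
]


def classify(inventory, proxied=PROXIED):
    """Group services by hostname and report which ones stop being
    reachable if that hostname resolves to an HTTP-only proxy."""
    by_host = defaultdict(lambda: {"via_proxy": [], "stranded": []})
    for host, proto, port, label in inventory:
        key = "via_proxy" if (proto, port) in proxied else "stranded"
        by_host[host][key].append(f"{label} ({proto}/{port})")

    report = {}
    for host, groups in by_host.items():
        if not groups["stranded"]:
            verdict = "proxy-ok"        # everything is HTTP(S)
        elif groups["via_proxy"]:
            verdict = "mixed"           # HTTP and non-HTTP share the name
        else:
            verdict = "non-http-only"   # nothing here can use the proxy
        report[host] = {"verdict": verdict, **groups}
    return report


if __name__ == "__main__":
    for host, info in sorted(classify(INVENTORY).items()):
        print(f"{host}: {info['verdict']}")
        for svc in info["stranded"]:
            print(f"    not forwarded by proxy: {svc}")
```

    <p>Hostnames reported as "mixed" are the ones where clients reach the web service and a non-HTTP service through the same DNS name, which is the case the message lists for GitLab, Big Blue Button and secure.ucc.asn.au.</p>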
  </body>
</html>