Using the Campus Network Portal (CNP)

Data Center administrators use the Campus Network Portal (CNP) to add new netblocks/VLANs, manage hosts and DNS records, and request inbound network traffic firewall exceptions.

Note:
To use the CNP on an OS X or iOS device, you must use Safari.


Managing netblocks/VLANs, hosts, and DNS records

From the "Hosts" page in the CNP, you can add new netblocks/VLANs and hosts, and manage their DNS records. The "Hosts" page works only with hosts within the Data Center; hosts outside the Data Center (or its security zone) can be added when you create a new firewall policy.

  • Accessing the "Hosts" page: In the CNP menubar (at the top), click Hosts.
  • Selecting the appropriate managing group: You must have at least one existing ADS security group set up with members assigned (group members should not be nested within an ADS group). To manage netblocks/VLANs, hosts, host groups, or firewall policies in the CNP, you first select the ADS security group (i.e., managing group) with which they are associated:
    1. In the CNP menubar (at the top), select Home.
    2. On the right, near the top, under "ADS Group", click Select an ADS group and then, select the appropriate group/entity.
    3. If prompted to verify your selection, click OK to continue.

    If the "ADS Group" drop-down list does not include the proper group(s), email the Network Operations Center (NOC). The ADS groups were assigned during the VLAN/subnet creation process. A Campus Networks engineer will help you to verify that the group(s) and membership(s) are assigned properly.

  • Requesting a new netblock/VLAN: The ADS security group you select should have an associated netblock/VLAN in the IU Bloomington or IUPUI Data Center. If you do not already have a netblock/VLAN set up in one of the Data Centers, or if you need to create another one:
    1. In the CNP menubar (at the top), select Hosts.
    2. On the "Hosts" page, click Actions (on the right, near the top), and then select Request New Netblock.
    3. In the "Request New Netblock" window:
      1. Under "Virtual Domain", use the drop-down list to select the proper firewall security zone for your netblock/VLAN. To learn more about IU Data Center firewall security zones, see section 7.12 of the Data Center Standards.
      2. In the text boxes provided, enter the number of hosts you expect to need over the next five years, and a brief description of the group and/or the purpose for the netblock/VLAN.
      3. Under "Public or Private Address?", use the drop-down list to specify whether the netblock/VLAN will have public or private IP addresses.
      4. Click Save.

    You will receive a FootPrints notification in email verifying your request has been received; a Campus Networks engineer will complete your request.

  • Adding a new host and DNS registration:
    Note:
    If you want to use a top- or second-level domain, send your request to dns-admin@iu.edu. For more, see At IU, what are the DNS policies?

    On the "Hosts" page, click Actions (on the right, near the top), and then select Add new Hosts. Then:

    1. In the "Allocate new address" window, select the appropriate netblock/VLAN and IP address.
      Note:
      IP addresses will be checked against subnets assigned to the selected ADS group. You cannot add an IP address that already exists in the system, nor add a host the selected ADS group does not manage.
    2. In the box provided, enter a hostname, and then use the Select Options drop-down to select a domain.
      Note:
      If you don't see the domain you need in the pull-down menu, send your request to dns-admin@iu.edu.
    3. Click Save.

    Combined, the hostname and domain create the host's fully qualified domain name (FQDN). Your IP address and DNS assignment will be active within 30 minutes. Updates to the DNS servers occur at the top (#:00) of each hour as well as the middle (#:30) of each hour.

  • Viewing host details: On the "Hosts" page, all hosts and netblocks/VLANs currently managed by the selected managing group are listed:
    1. If you need help finding a particular entry, in the search box (under "Filter"), enter a hostname or IP address (or some segment of either).
    2. To view the details of a particular host, including associated firewall policies and DNS entries, click the host's entry in the "Hosts" table to open its "Hosts Details" page.
  • Removing a DNS registration (A and PTR record): Before submitting a request to remove a DNS registration, remove all associated firewall policies. Then, to send an automated request to remove the DNS records linked to a specific host:
    1. On the "Hosts" page, find the appropriate host, right-click its entry in the table, and then select Send request to delete this host.
    2. When prompted to confirm removal, type yes in the text box, and then click OK.
  • Adding a Canonical Name (CNAME) to an existing DNS record: On the "Hosts" page, find the appropriate host, and then click its entry in the table to open its "Host Details" page. Then:
    1. On the "Host Details" page, click Actions (on the right, near the top), and then select Add CNAME.
    2. In the "Add a CNAME DNS Record" window:
      1. Under "A Record", use the drop-down menu to select the host.
      2. Under "Alias", in the text box provided, enter an alias for the canonical domain.
      3. Use the drop-down list on the right to select the domain.
      4. Click Save.

    Combined, the hostname and domain create the host's fully qualified domain name (FQDN). Your IP address and DNS assignment will be active at the top of the following hour.

  • Deleting a CNAME: On the "Hosts" page, find the appropriate host, and then click its entry in the table to open its "Host Details" page. Then:
    1. On the "Host Details" page, right-click the host, and then select Delete Record.
    2. When prompted to confirm removal, type yes in the text box, and then click OK.
  • Deleting a host: On the "Hosts" page:
    1. Find the host you want to delete, right-click on its entry in the table, and then select Send request to delete this host.
    2. When prompted to confirm removal, type yes in the text box, and then click OK.

Firewall management

Web proxy policies are visible within CNP but are read-only. Continue to submit new requests via the form at https://telecom.iu.edu or changes to existing policies via email to noc@iu.edu.

Following are instructions for using the Campus Network Portal (CNP) to set up and manage host groups and firewall policies.

For IU Data Center networking policies and standards, see the Data Center Standards. Section 7 is specific to Data Center firewall standards and guidelines.

Managing host groups

A host group is a collection of hostnames and/or IP addresses grouped together under one name. You can use host groups to simultaneously add multiple objects to a firewall policy. From the "Host Group" page in the CNP, you can create and manage internal (destination) and external (source) host groups:

  • Accessing the "Host Group" page: In the CNP menubar (at the top), mouse over Firewall Management, then Host Group, and then select View/Update Active Host Groups.
  • Adding internal host groups: Internal host groups comprise hosts managed by your group that reside inside the Data Center, behind the firewall. Internal host groups cannot be used as sources in UNTRUST-to-TRUST access policy rules.
  • To add an internal host group:

    1. On the "Host Group" page, click Actions (on the right, near the top), and then select Add an Internal Host Group.
    2. In the "Host Group Details" window, enter a name for the host group. The name can have between 4 and 35 alphanumeric characters, plus hyphens and underscores, but may not include white spaces or special characters (e.g., !, @, #, $, %, and ?).
    3. To add a host to the host group, under "Look up host", enter at least four characters from the host's hostname or IP address, find the host in the list of search results (which appears as you type), and then click the desired host. Once selected, the host will appear in the "Members as Host" field. To add another host to the host group, repeat this step.
    4. To add other groups as members, click in the "Members as Host" window and select the host group name that you wish to add. You can only select Global Groups and your groups.

    5. When you are finished adding hosts to the host group, click Save.

    The CNP will save your new host group and redirect you to its "Host Group Details" page. When you return to the "Host Group" page, the new host group will be listed in the "Internal Host Groups" table.

  • Adding external host groups: External host groups comprise IP addresses that reside outside the Data Center firewalls. These may be free-form entries for any objects that reside either outside the Data Center firewall security zones or outside the IU network in general. External host groups cannot be used as destinations in UNTRUST-to-TRUST access policy rules.
  • To add an external host group:

    1. On the "Host Group" page, click Actions (on the right, near the top), and then select Add an External Host Group.
    2. In the "External Host Group Details" window, enter a name for the host group. The name can have between 4 and 35 alphanumeric characters, plus hyphens and underscores, but may not include white spaces or special characters (e.g., !, @, #, $, %, and ?).
    3. Under "IP Addresses", enter the IP addresses (for hosts and/or subnets) you want added to the group.
    4. When you are finished, click Save.

    The CNP will save your new host group and redirect you to its "Host Group Details" page. When you return to your "Host Group" page, the new host group will be listed in the "External Host Groups" table.

  • Viewing host group details: On the "Host Group" page, all internal and external host groups managed by the selected ADS group are listed in two tables:
    1. For help finding a particular entry, in the search box (under "Filter"), enter all or part of the host group's name, and then press Enter or Return.
    2. When you locate the desired host group, click its entry in the table to open its "Host Group Details" page.
  • Updating host groups: On the "Host Group" page, find the host group you want to update, and then click its entry in the table to open its "Host Group Details" page. Then:
    1. On the "Host Group Details" page, click Actions (on the right, near the top), and then select Update Host Group.
    2. In the window that opens, add or delete host and/or host group members, and then click Save.
  • Deleting host groups: On the "Host Group" page, locate the host group you want to delete, right-click its entry in the table, and then:
    1. Select Send request to delete this host group.
      Note:
      Before you delete a host group, make sure you remove it from any firewall rules that reference it.
    2. When prompted to confirm removal, type yes in the text box, and then click OK.

Managing firewall policies

Note:
To submit policy requests, you must have hosts associated with the specified ADS security group; see Managing hosts and DNS records.

From the "Policy" page in the CNP, you can manage active firewall policies and create new ones:

  • Accessing the "Policy" page: In the CNP menubar (at the top), mouse over Firewall Management, then Policies, and then select View/Update Active Policies.
  • Adding a new firewall policy: On the "Policy" page, click Actions (on the right, near the top), and then select Add a new Policy. Then, in the "Policy Details" window:
    1. Under "Destination Firewall Zone", use the drop-down list to select the firewall security zone (virtual domain) in which your host resides. (If you are uncertain, you can find this information on the host's "Host Details" page; see Viewing hosts above.)
    2. Under "Source Zone", use the drop-down list to choose either UNTRUST or TRUST. The default UNTRUST source zone represents all IP addresses external to your firewall security zone.
      Note:
      By default, to permit users on the IU network to access the Internet, the firewall allows all outbound TRUST-to-UNTRUST traffic. Consequently, you do not need to create policies that allow traffic from the TRUST source zone.
    3. Under "Destination Zone", use the drop-down list to choose either UNTRUST or TRUST. The default TRUST destination zone represents the hosts within your security zone (i.e., your hosts in the Data Center).
    4. Under "New Source Hosts", enter IP addresses for any external hosts and/or subnets to which the policy should apply:
      • IP addresses must be properly formatted.
      • For multiple IP addresses, enter one address per line.
      • To apply the policy to all external hosts, enter 0.0.0.0.
    5. To indicate TRUST zone hosts to which the policy should apply, under "Look up host", enter at least four characters of a hostname or IP address to find and select a host you added previously (in the instructions above).
      Note:
      Only hosts in the selected destination firewall zone will be available. If you cannot find a particular host, make sure the proper destination firewall zone is selected.
    6. Under "Source Host Groups" and "Destination Host Groups", click inside the Select Options fields to select the host group(s) to which the policy should apply. For access control policies in which the source zone is UNTRUST, you can:
      • Add external host groups you created previously (using the instructions above) as source host groups.
      • Add internal host groups, including global groups (e.g., ALL_IU_Networks), as well as any you created previously (using the instructions above), as destination host groups.
    7. To add ports (services) to which the policy should apply:
      1. Under "Protocol", use the drop-down list to select the protocol you wish to add. (To allow HTTP, select TCP.)
      2. Under "Source Port", keep the default value (1-65535) unless your service specifically calls for restricting the source port.
      3. Under "Destination Port", enter the destination port you want opened to your server. (To allow HTTP, enter 80.)
      4. Click Add Ports.

      Repeat this process for any additional ports (services) to which the policy should apply.

      Note:
      To remove a port (service), click to select the table entry (to select multiple entries, use Ctrl-click in Windows or Command-click in OS X), and then click Delete Selected Ports.
    8. When you are finished entering policy information, click Save. If your group uses the approval process, this will forward the request to your manager for approval.
  • Viewing policy details: On the "Policy" page, all firewall policies managed by the selected ADS group are listed in a table:
    1. For help finding a particular entry, in the search box (under "Filter"), enter all or part of the policy's name, and then press Enter or Return.
    2. To view a policy's details, click its entry in the table to open its "Policy Details" page.
    3. Policy details available here include the policy's ID number, firewall zone (virtual domain), and source and destination zones, the action (e.g., Accept, Deny, or Reject) taken on rules that match the requisite criteria, the status (i.e., whether or not the policy is enabled), and the hosts and host groups with which the policy is associated.

  • Updating an existing policy: On the "Policy" page, click the desired policy to open its "Policy Details" page, and then:
    1. Click Actions (on the right, near the top), and then select Update Policy.
    2. Make the desired modifications (adding or removing hosts, host groups, and ports), and then click Save.
  • Deleting a policy: On the "Policy" page:
    1. Find the policy you want to delete, right-click on its entry, and then select Send request to delete this policy.
    2. When prompted to confirm removal, type yes in the text box, and then click OK. If your group is using the approval process, this will forward the request to your manager for approval.
  • Firewall policy change request approval process: By default, all firewall policy requests require approval from the managing ADS group's designated approver(s). All of the managing group's approvers are notified anytime a firewall policy change request is submitted. Approvers can review and act on firewall policy change requests in the CNP:
    1. In the CNP menubar (at the top), mouse over Requests, and then select Approve or Disapprove Pending Requests.
    2. Under "Pending Policy Requests", right-click a request, and then select whether to approve or deny the policy change. (Alternatively, left-click a request to open its "Policy Details" page and view the full details of the request.)
    3. An approved firewall policy change request generates a FootPrints ticket for the Campus Networks firewall engineer. FootPrints will send an automatic reply to the approver, confirming the request was received.
    4. The firewall engineer will follow up with the submitter via the FootPrints ticket.

    Approvers are assigned during the initial netblock/VLAN creation, and must be full-time faculty or staff members. To request a change to your group's firewall approver list, email the Network Operations Center (NOC).

    To opt out of the firewall policy change request approval process, your director must email a request to the Network Operations Center (NOC) that specifies the managing group(s) that should be permitted to override the approval process. If you opt out, firewall policy change requests will be forwarded directly to the Campus Networks firewall engineer.
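
A submitter or approver can check a draft request against the rules stated under "Adding a new firewall policy" and the host group naming rule before it goes to approval. The script below is an added example, not part of the CNP or this Knowledge Base document; the function names, the sample draft, the acceptance of CIDR notation for subnets, and the port-range finding are assumptions.

```python
import ipaddress
import re

# Host group naming rule from this page: 4 to 35 characters, alphanumerics
# plus hyphens and underscores, no white space or special characters.
GROUP_NAME = re.compile(r"[A-Za-z0-9_-]{4,35}")

def valid_group_name(name):
    return GROUP_NAME.fullmatch(name) is not None

def parse_port(text):
    """Return (low, high) for 'N' or 'N-M' inside 1-65535, else None."""
    m = re.fullmatch(r"(\d{1,5})(?:-(\d{1,5}))?", text.strip())
    if not m:
        return None
    low = int(m.group(1))
    high = int(m.group(2) or m.group(1))
    return (low, high) if 1 <= low <= high <= 65535 else None

def review_request(source_hosts, dest_port):
    """Return findings for one draft UNTRUST-to-TRUST policy request."""
    findings = []
    for n, line in enumerate(source_hosts.splitlines(), 1):
        entry = line.strip()
        if not entry:
            continue
        if " " in entry or "," in entry:
            findings.append(f"line {n}: enter one address per line")
            continue
        try:
            # Assumption: subnets are written in CIDR notation.
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            findings.append(f"line {n}: not a properly formatted address: {entry}")
            continue
        if entry == "0.0.0.0" or net.prefixlen == 0:
            findings.append(f"line {n}: policy applies to all external hosts")
    ports = parse_port(dest_port)
    if ports is None:
        findings.append(f"destination port not within 1-65535: {dest_port}")
    elif ports[0] != ports[1]:
        # Assumed review convention, not a CNP rule: question port ranges.
        findings.append(f"destination range opens {ports[1] - ports[0] + 1} ports")
    return findings

# Constructed draft: the "New Source Hosts" box text and a destination port.
DRAFT_SOURCES = "192.0.2.10\n198.51.100.0/24\n0.0.0.0\n203.0.113.5, 203.0.113.6\n10.1.2.300\n"

if __name__ == "__main__":
    for finding in review_request(DRAFT_SOURCES, "80"):
        print(finding)
```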

This is document bebg in the Knowledge Base.
Last modified on 2017-06-05 12:08:29.
