Policy: Firewall and Network Access for Physical and Virtual Machines (VMs)

To maintain the security and integrity of the CSIM network, all physical machines and virtual machines (VMs) must adhere to the following firewall and connectivity rules. These measures exist to prevent network breaches and to ensure the CSIM network cannot be used as a launch point for attacks on external networks.


1. Classroom VM Restrictions

For all instructional and classroom-related VMs, inbound and outbound traffic is restricted as follows:

  • Web Traffic: Only HTTP and HTTPS protocols are permitted.

  • SSH Access: Direct SSH access to classroom servers from external networks is prohibited. Users must first connect to the CSIM gateway/jump host and open the SSH session to the server from there.

2. Prohibited Services and Ports

To prevent the network from being used as a relay for attacks or for unauthorized tunnelling, the following services must not be run on, or expose a listening port from, any physical machine or VM:

  • Email Servers (SMTP/IMAP/POP3)

  • Remote Desktop Protocol (RDP)

  • VPN Services (hosting a VPN server or endpoint on the machine; using the CSIM VPN to reach the network, as described in section 3, is not affected)

  • Tunnelling Protocols (SSH port forwarding with -L, -R or -D, GRE, etc.)
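The following script is an added example, not CSIM's own tooling, showing how a VM owner can check a Linux machine against the list above before the firewall team does. It parses the output of `ss -Hltun` (one listening or unconnected socket per line) and flags ports belonging to the prohibited services. The port-to-service mapping is an assumption based on the IANA default ports, and the sample `ss` output embedded below is constructed, not captured from a CSIM machine. GRE has no port (it is IP protocol 47), so it must be checked separately with `ip tunnel show`.

```shell
#!/bin/sh
# Added example (not CSIM's own tooling): audit a machine's listening sockets
# against the services prohibited in section 2 of the policy.
# Assumption: services sit on their IANA default ports (mapping below). GRE is
# IP protocol 47 and has no port; check it with `ip tunnel show` instead.

# "port:label" pairs; extend if a prohibited service is known to use another port.
PROHIBITED_PORTS="25:SMTP 465:SMTPS 587:SMTP-submission 110:POP3 995:POP3S
143:IMAP 993:IMAPS 3389:RDP 1194:OpenVPN 51820:WireGuard 1723:PPTP
500:IKE 4500:IPsec-NAT-T"

# Read `ss -Hltun` lines (Netid State Recv-Q Send-Q Local:Port Peer:Port) on
# stdin and print one line per prohibited listener. Returns 0 if none found.
audit_listeners() {
    found=0
    while read -r netid state recvq sendq laddr peer rest; do
        [ -z "$laddr" ] && continue
        port=${laddr##*:}        # works for 0.0.0.0:25, [::]:3389, 127.0.0.1:631
        for entry in $PROHIBITED_PORTS; do
            if [ "$port" = "${entry%%:*}" ]; then
                printf 'VIOLATION %s %s (%s)\n' "$netid" "$laddr" "${entry#*:}"
                found=1
            fi
        done
    done
    return $found
}

# Count violations in a block of ss output passed as $1 (for scripting/tests).
count_violations() {
    n=$(printf '%s\n' "$1" | audit_listeners | wc -l)
    echo $((n + 0))
}

# Constructed sample output, not captured from a CSIM machine: a web server with
# SSH (allowed) plus an SMTP listener, RDP and an OpenVPN UDP socket (prohibited).
SAMPLE='tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511             [::]:443           [::]:*
tcp   LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:3389      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:1194      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*'

if [ "${1:-}" = "live" ]; then
    # Real audit: needs iproute2; add -p and run as root to see owning processes.
    ss -Hltun | audit_listeners || echo "policy violations found"
else
    printf '%s\n' "$SAMPLE" | audit_listeners || echo "policy violations found (sample)"
fi
```

Run it with no arguments to see it flag the three prohibited sockets in the sample, or as `sh audit.sh live` on the VM itself. A listener bound only to 127.0.0.1 (such as the CUPS socket on 631 above) is not reachable from the network, but the script still reports any prohibited port regardless of bind address, since the policy forbids running the service at all.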

3. SSH Connectivity Rules

  • Internal Only: SSH access is only permitted from within the AIT subnet.

  • External Access: Any SSH connection originating from outside the AIT network must go through the designated CSIM access points (the CSIM VPN or the jump server), as required by department security protocols.

4. Internet Egress (Outbound Access)

Servers and VMs generally do not need direct, unrestricted internet access. So that software updates and other outbound requests can be monitored and secured:

  • All outbound internet traffic must be routed through the CSIM Proxy Server.

  • Proxy URL: http://squid.cs.ait.ac.th:3128
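The script below is an added example, not CSIM's own tooling, showing the client-side settings that satisfy sections 1, 3 and 4 on a Linux machine: an ssh_config block that hops through the jump host automatically (ProxyJump) with port forwarding disabled, and system-wide proxy settings pointing at the Squid URL above. The jump host name is a placeholder (override it with JUMP_HOST=...) and the host pattern *.cs.ait.ac.th for CSIM servers is an assumption; neither is stated in the policy. The proxy URL is the one given in this section.

```shell
#!/bin/sh
# Added example (not CSIM's own tooling): write the client-side settings that
# satisfy sections 1, 3 and 4 on a Linux machine. Assumptions not stated in the
# policy: the jump host name (placeholder, override with JUMP_HOST=...) and the
# host pattern *.cs.ait.ac.th for CSIM servers. The proxy URL is from the policy.

PROXY_URL="http://squid.cs.ait.ac.th:3128"
JUMP_HOST="${JUMP_HOST:-jump.example.invalid}"   # placeholder; use the published CSIM jump host
JUMP_USER="${JUMP_USER:-$(id -un)}"

# Append an ssh_config block for hosts matching $1 to file $2 so that
# `ssh server.cs.ait.ac.th` hops through the jump host automatically (ProxyJump)
# and no port forwardings (-L/-R/-D) survive into the session.
write_ssh_jump_config() {
    pattern=$1
    cfg=$2
    mkdir -p "$(dirname "$cfg")"
    cat >>"$cfg" <<EOF
# CSIM servers: reach them via the jump host; forwarding is not permitted.
Host $pattern
    ProxyJump $JUMP_USER@$JUMP_HOST
    ForwardAgent no
    ClearAllForwardings yes
EOF
    chmod 600 "$cfg"
}

# Write proxy settings under root $1 ("" for the live system). Two files are
# needed: the profile.d script covers shells and tools that honour http_proxy,
# while apt reads only its own configuration, and sudo usually resets the
# environment, so `sudo apt update` would otherwise bypass the proxy.
write_proxy_config() {
    root=$1
    mkdir -p "$root/etc/profile.d" "$root/etc/apt/apt.conf.d"
    cat >"$root/etc/profile.d/csim-proxy.sh" <<EOF
export http_proxy="$PROXY_URL" https_proxy="$PROXY_URL"
export HTTP_PROXY="$PROXY_URL" HTTPS_PROXY="$PROXY_URL"
export no_proxy="localhost,127.0.0.1,::1"
EOF
    cat >"$root/etc/apt/apt.conf.d/95csim-proxy" <<EOF
Acquire::http::Proxy "$PROXY_URL";
Acquire::https::Proxy "$PROXY_URL";
EOF
}

# Return 0 if the apt config file $1 points at the policy proxy.
apt_proxy_ok() {
    grep -qF "Acquire::http::Proxy \"$PROXY_URL\";" "$1"
}

# Return 0 if ssh config $1 routes hosts matching $2 via the jump host with
# forwarding cleared.
ssh_jump_ok() {
    grep -qF "Host $2" "$1" && grep -qF "ProxyJump $JUMP_USER@$JUMP_HOST" "$1" \
        && grep -qF "ClearAllForwardings yes" "$1"
}

# Default: preview into a temporary directory; `--apply` writes the real files
# (needs root for /etc; review the preview first).
if [ "${1:-}" = "--apply" ]; then
    write_proxy_config ""
    write_ssh_jump_config "*.cs.ait.ac.th" "$HOME/.ssh/config"
else
    preview=$(mktemp -d)
    write_proxy_config "$preview"
    write_ssh_jump_config "*.cs.ait.ac.th" "$preview/ssh_config"
    find "$preview" -type f -exec sh -c 'echo "== $1"; cat "$1"' _ {} \;
fi
```

Add the AIT subnet to no_proxy so internal traffic does not loop through Squid, and note that services started by systemd do not read /etc/profile.d; give them the proxy with Environment= lines in their unit files instead.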


5. Compliance and Requests

Failure to comply with these rules may result in the immediate suspension of the VM or disabling of its network port. If a specific project requires an exception to this policy, send a formal justification to the CSIM IT Administration for review.


Mr. Jirapas Sangsue | Lab Supervisor
