
Open Ports to Github and Google Cloud

I work at a school district and we have a Robotics club.  The teacher has requested the following:


"We need port 22 opened to GitHub for code updates.  Also, port 3306 needs to be opened to the databases on the Google Cloud (<IP Address 1> and <IP Address 2>)."


This seems like a big risk to have it wide open, even if it is only outbound.  Any thoughts on how to allow this and still keep things as secure as possible?  We are required to filter the students' traffic, so I am concerned they will just use this to bypass our filter (we use Sophos XG for firewall and web filter).



  • Hi,

    Your question is a little wide-ranging. Please provide details about the source, e.g. is it multiple sources or just the server in the robotics club?

    You can limit destinations in firewall rules along with allowed users and limit applications etc. The school firewall admin must have built some rules that restrict student and teacher access?

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Sorry... I got a chance to have a talk with the teacher and have some more details:


    Google Cloud - resolved.  He was able to give enough specifics that allowed me to create a rule that keeps it pretty well locked.


    GitHub - They want to use a combination of BYOD and school computers to connect to GitHub using port 22 (SSH) for programming updates.  Please see here if you are curious about the GitHub info for SSH connections:

    https://help.github.com/articles/connecting-to-github-with-ssh/

    This will be done at various times (the club does not always meet on the same day/time) and all the students need the access, so I can't restrict it to a dedicated source computer.  They do not have a specific IP or server that they will be connecting to and GitHub has a constantly changing list of IPs, so I can't restrict it to a specific destination.

    Currently, it appears they are able to connect with SSH over HTTPS.  Since there doesn't seem to be a good way to securely use port 22, I think it may just need to stay closed.

  • You could try a rule that is only to the GitHub FQDN and lock the protocol to SSH.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

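The thread's concern is that GitHub's SSH endpoints have no fixed IP, so an outbound port 22 rule ends up wide open. GitHub publishes its current address ranges at https://api.github.com/meta (the "git" key), which a firewall admin can turn into destination objects and re-check on a schedule. The script below is an added example, not code from this thread or from Sophos or GitHub; the JSON it parses is a constructed sample in the shape of that endpoint, and the rule-object naming is an assumption.

```python
import ipaddress
import json

# Constructed sample in the shape of the https://api.github.com/meta response.
# Real ranges change over time, so fetch and regenerate rather than hard-code.
SAMPLE_META = json.dumps({
    "git": ["192.0.2.0/24", "2001:db8:22::/48"],   # constructed, not GitHub's
    "web": ["198.51.100.0/24"],                    # constructed, not GitHub's
})

SSH_PORT = 22


def git_networks(meta_json):
    """Return the networks listed under 'git' in a /meta-style document."""
    meta = json.loads(meta_json)
    return [ipaddress.ip_network(cidr, strict=True) for cidr in meta.get("git", [])]


def allows(networks, dst_ip, dst_port):
    """Policy check for the outbound rule: SSH only, and only to a listed range.

    Any destination outside the published ranges is denied, which is what
    stops port 22 from becoming a general-purpose tunnel out of the filter.
    """
    if dst_port != SSH_PORT:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in networks)


def rule_objects(networks, prefix="github_git"):
    """Emit (object name, CIDR) pairs for pasting into IP host / network objects.

    The naming scheme is an assumption for this example, not a Sophos convention.
    """
    return [(f"{prefix}_{i}", str(net)) for i, net in enumerate(networks, start=1)]


if __name__ == "__main__":
    nets = git_networks(SAMPLE_META)
    for name, cidr in rule_objects(nets):
        print(f"{name}: {cidr}")
    print(allows(nets, "192.0.2.10", 22))   # in range, SSH -> True
    print(allows(nets, "203.0.113.5", 22))  # arbitrary host -> False
```

Keep in mind that a rule built this way still needs a regeneration step whenever the published list changes, so schedule the fetch rather than running it once.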

  • Hello!  Actual GitHub employee here.  I'm a Solutions Engineer who also has a kid in a robotics class that needs access to GitHub.  What a crazy coincidence, I stumbled on this post Googling something completely unrelated.  So GitHub supports communication over TLS (SSL), but that requires the kids to configure Git with usernames and passwords and is more clunky to use.  We do not run SSH over TLS, they're separate protocols, thus the separate ports.  SSH is pretty secure, can you elaborate a bit on why you want to keep port 22 locked down?  Literally 1000s of very security conscious companies and gov't entities worldwide use this method exclusively, as do we at GitHub.  I'd be happy to discuss this in more detail if you'd like and provide whatever info/support you need.  

    I'm pushing the kids in my daughters club to use GitHub because it's become such a foundational element of any developer's personal brand, and it's a great skill to have if any of them choose to pursue software as a career.  It also makes it tons easier for them to keep their code safe and collaborate.  At the moment my kid and her teammates are emailing code back and forth.  

    Thanks for doing what you do to help our kids and our schools.  I really appreciate it!!

  • Hi  

    As rightly said by , you may configure an FQDN host for the GitHub URLs required to access the data from GitHub and allow the SSH and HTTPS services only.

    It would be great if you could share the list of URLs required to access the data as requested.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    If a post solves your question use the 'This helped me' link

  • I can try :) . GitHub URLs use the account holder or an organization as their root.  So for example, if my GitHub userid is johndoe, all my stuff is going to be under https://github.com/johndoe/*.  If the robotics team has an organization (which I recommend but it's not necessary), then it'd be the name of the org, e.g., https://github.com/roboteam/.  The homepage, https://github.com, is the user landing page and provides a feed of events, notifications, and handy links.  

    Let me know if you need anything else.  If I can't provide answers myself I've got access to folks who can.  As a company we're _extremely_ supportive of education, so we'll definitely work with you.  Thanks again.  Happy to hop on a call if that would be quicker/more efficient.  -- Bryan

  • Hi  

    Thank you very much for your response. Much appreciated!

    Regards,

    Keyur
    Community Support Engineer | Sophos Support