
Open Ports to Github and Google Cloud

I work at a school district and we have a Robotics club.  The teacher has requested the following:

"We need port 22 opened to GitHub for code updates.  Also, port 3306 needs to be opened to the databases on the Google Cloud (<IP Address 1> and <IP Address 2>)."

This seems like a big risk to have it wide open, even if it is only outbound.  Any thoughts on how to allow this and still keep things as secure as possible?  We are required to filter the students' traffic, so I am concerned they will just use this to bypass our filter (we use Sophos XG for firewall and web filter).



  • Hi,

    Your question is a little wide-ranging. Please provide details about the source, e.g. is it multiple or just the server in the robotics club?

    You can limit destinations in firewall rules along with allowed users and limit applications, etc. The school firewall admin must have built some rules that restrict student and teacher access?

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Sorry...got a chance to have a talk with the teacher and have some more details:

    Google Cloud - resolved.  He was able to give enough specifics that allowed me to create a rule that keeps it pretty well locked.

    GitHub - They want to use a combination of BYOD and school computers to connect to GitHub using port 22 (SSH) for programming updates.  Please see here if you are curious about the GitHub info for SSH connections:

    https://help.github.com/articles/connecting-to-github-with-ssh/

    This will be done at various times (the club does not always meet on the same day/time) and all the students need the access, so I can't restrict it to a dedicated source computer.  They do not have a specific IP or server that they will be connecting to and GitHub has a constantly changing list of IPs, so I can't restrict it to a specific destination.

    Currently, it appears they are able to connect with SSH over HTTPS.  Since there doesn't seem to be a good way to securely use port 22, I think it may just need to stay closed.

  • You could try a rule that is only to the GITHUB FQDN and lock the protocol to SSH.

    Ian

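
Added example, not part of the original thread and not Sophos tooling: because the concern raised above is that an open port 22 becomes a way around the web filter, this script audits outbound port 22 flows against the CIDR list GitHub publishes under the `git` key of https://api.github.com/meta and reports any that go elsewhere. The log layout, field names, user names and addresses are constructed (documentation ranges, not GitHub's real ones).

```python
import ipaddress

# Constructed stand-in for the "git" field of GitHub's /meta API response.
# Documentation-range addresses, not GitHub's real ranges.
SAMPLE_META = {"git": ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:a::/48"]}

# Constructed firewall log lines in a generic key=value layout (assumed format).
SAMPLE_LOG = """\
src_ip=10.20.1.15 dst_ip=192.0.2.44 dst_port=22 user=student1
src_ip=10.20.1.16 dst_ip=203.0.113.9 dst_port=22 user=student2
src_ip=10.20.1.17 dst_ip=198.51.100.200 dst_port=22 user=student3
src_ip=10.20.1.15 dst_ip=203.0.113.9 dst_port=443 user=student1
src_ip=10.20.1.18 dst_ip=2001:db8:a::10 dst_port=22 user=student4
malformed line without fields
"""

def load_git_networks(meta):
    """Parse the CIDR strings under "git" into network objects."""
    return [ipaddress.ip_network(cidr) for cidr in meta.get("git", [])]

def parse_line(line):
    """Return the key=value fields of one log line, or None if unusable."""
    fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
    if not {"src_ip", "dst_ip", "dst_port"} <= fields.keys():
        return None
    return fields

def off_list_ssh(log_text, networks, port=22):
    """List (user, src, dst) for flows on `port` whose destination is outside networks."""
    hits = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["dst_port"] != str(port):
            continue
        try:
            dst = ipaddress.ip_address(f["dst_ip"])
        except ValueError:
            continue  # unparseable address: skip rather than guess
        # An IPv4 address tested against an IPv6 network is simply False,
        # so a mixed v4/v6 allow list is safe to iterate.
        if not any(dst in net for net in networks):
            hits.append((f.get("user", "-"), f["src_ip"], f["dst_ip"]))
    return hits

if __name__ == "__main__":
    for user, src, dst in off_list_ssh(SAMPLE_LOG, load_git_networks(SAMPLE_META)):
        print(f"port 22 to non-GitHub destination: user={user} src={src} dst={dst}")
```

Run against a real export, this shows whether a port 22 rule is being used for anything other than GitHub, which is the evidence needed to decide between keeping it, tightening it, or closing it.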