The model we have chosen to adopt (partly as it is expedient, but also because it is a very flexible model), is one of "least privilege". If we assume that we are not going to limit access to the Private Network, then we must take steps to ensure that our Departmental network, with all its services, backups, data, email and critical services is adequately protected.
Therefore, anyone can request access to the Private Network, and provided they are "sponsored" by a member of the Department prepared to vouch for them or authorise their access, then we will simply give them access.
Now, because the NAT acts as a "many-to-one" map (the many systems on the Private Network mapping to the single external IP address managed by the NAT), this means that by default all access through the NAT is blocked and has to be specifically opened and granted. Because there are a very great many ways in which a virus-infected laptop can propogate its dangerous payload, we have decided to limit what the NAT will translate. The list of available services is as follows:
- FTP download from anywhere.
- Outbound SSH (from laptop to) anywhere. No inbound SSH.
- Mail client protocols. One can use IMAP, IMAPS, POP and POP3D to read email.
- HTTP and HTTPS to anywhere except https://internal.stats.ox.ac.uk.
- Printing (both IPP and LPD) to the Departmental print services.
- VPN to any permitted VPN service, including the Departmental one.