Secure Device Networking

The BU networks are protected by the Campus Firewall, which allows normal internet access but restricts potentially harmful traffic. For the vast majority of devices this is sufficient to provide a safe, easy-to-use experience for browsing the web.

However, for vulnerable devices with additional security, integrity, or access needs, Engineering IT can help set up a secure network configuration. This lets the device keep access to the resources it actually needs (e.g. research shares, backup services, web browsing) while providing stricter protection against unwanted inbound connections.

Configuration of Secure Device Networking is appropriate for the following use cases:

  • Computers running old, unsupported operating systems (e.g. Windows 7)
  • IoT devices with vulnerable firmware (e.g. instruments, cameras, etc.)

The most common request is to allow connections only from within the BU network and to block all internet access. For “standard” requests such as these, we can place the device on that building’s private subnet. A good example of where this is appropriate is a printer, which should only receive print jobs from BU systems.

This solution is not always appropriate or best suited to your device’s needs. For more complex situations, ENG IT uses a Tailscale overlay network (a WireGuard-based mesh VPN), which offers a greater level of control and can be set up at any on-campus location. It can also provide secure point-to-point remote vendor access from anywhere, without requiring a service account: the vendor is granted access only to the specific device, not to the BU network.

Currently we offer one overlay network configuration, which can be individualized as necessary. The target device is connected to a VPN Gateway (e.g. a GL.iNet Brume 2), which joins the device to the overlay network (the tailnet). The Gateway can be set to allow traffic only on the overlay network, or it can additionally let the target device reach other networks through Network Address Translation (NAT). The NAT is stateful: connections that originate from the target device (OS updates, the CrowdStrike sensor, etc.) are allowed and their replies are let back in, but any connection initiated from outside the gateway is blocked.

Overlay Network IP Space

  • Devices directly on the tailnet get an IP address in 100.64.0.0/10 (the RFC 6598 shared address range that Tailscale assigns from). For example, a gateway may have an IP of 10.241.55.2 on BU’s network, but once joined to the tailnet it also has an address in that range (e.g. 100.101.102.103) over which it can securely provide services like SSH, RDP, HTTP(S), file sharing, etc. Note that not every address starting with 100. is a tailnet address; only 100.64.0.0 through 100.127.255.255 are.
  • The VPN Gateways can advertise their internal subnet to other systems on the tailnet (Tailscale subnet routing). We’ve chosen 172.16.20.0/24 for this because it is a private range defined by RFC 1918 that is not in use at BU, so it cannot collide with a campus subnet.
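The following script is an added example of what the two gateway modes described above (overlay-only, and overlay plus outbound-only NAT) and the advertised 172.16.20.0/24 subnet look like as a concrete gateway policy. It is not ENG IT’s actual Brume 2 configuration. It assumes a Linux gateway with nftables and the tailscale CLI, with the isolated device behind interface lan0, the campus side on wan0, and Tailscale on tailscale0; those interface names, the table name devgw, and the function names are illustrative choices.

```shell
#!/bin/sh
# Added example, not ENG IT's gateway configuration.
# Assumptions (not from the page): Linux gateway with nftables and the tailscale
# CLI; isolated device behind $LAN_IF on 172.16.20.0/24; campus side on $WAN_IF;
# Tailscale's interface is tailscale0.
# Usage:  MODE=nat APPLY=1 sh gateway.sh     (as root, installs the policy)
#         MODE=overlay-only sh gateway.sh    (only prints the ruleset)
set -eu

LAN_IF="${LAN_IF:-lan0}"
WAN_IF="${WAN_IF:-wan0}"
MODE="${MODE:-overlay-only}"
DEVICE_SUBNET="172.16.20.0/24"
TAILNET="100.64.0.0/10"   # CGNAT range (RFC 6598) that Tailscale assigns from

# True if an IPv4 address is a tailnet address: first octet 100, second 64..127.
# "Starts with 100." is not sufficient (100.43.0.0/16, for instance, is not).
is_tailnet_addr() {
    o1="${1%%.*}"
    rest="${1#*.}"
    o2="${rest%%.*}"
    case "$o1$o2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# Print the nftables ruleset for a mode.
#   overlay-only: the device can talk only with tailnet peers (via tailscale0).
#   nat:          the device may also initiate connections to campus/Internet;
#                 replies are admitted by conntrack state, while connections
#                 initiated from the campus side hit the chain's drop policy.
gateway_ruleset() {
    case "$1" in
    overlay-only)
        cat <<EOF
table inet devgw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "tailscale0" oifname "$LAN_IF" ip daddr $DEVICE_SUBNET accept
        iifname "$LAN_IF" oifname "tailscale0" ip daddr $TAILNET accept
    }
}
EOF
        ;;
    nat)
        cat <<EOF
table inet devgw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "tailscale0" oifname "$LAN_IF" ip daddr $DEVICE_SUBNET accept
        iifname "$LAN_IF" oifname "tailscale0" ip daddr $TAILNET accept
        iifname "$LAN_IF" oifname "$WAN_IF" ip saddr $DEVICE_SUBNET accept
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" ip saddr $DEVICE_SUBNET masquerade
    }
}
EOF
        ;;
    *)
        echo "unknown mode: $1 (use overlay-only or nat)" >&2
        return 1
        ;;
    esac
}

# Install the policy and advertise the device subnet to the tailnet. The route
# still has to be approved in the Tailscale admin console, and which peers may
# reach 172.16.20.0/24 is decided by the tailnet's ACL policy, not by this box.
apply() {
    sysctl -w net.ipv4.ip_forward=1
    nft delete table inet devgw 2>/dev/null || true
    gateway_ruleset "$MODE" | nft -f -
    tailscale up --advertise-routes="$DEVICE_SUBNET"
}

if [ "${APPLY:-0}" = 1 ]; then
    apply
else
    gateway_ruleset "$MODE"
fi
```

In either mode the forward chain’s default policy is drop, so an unsolicited connection from the campus side never reaches the device; the difference between the modes is only whether the device itself may open connections outward, which is the distinction the NAT table makes. Reachability from tailnet peers is additionally controlled by the tailnet’s ACL policy, which is where per-device or per-vendor access is individualized.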

In order for the secure networking to work, please ensure the following:

  • The system remains connected to its assigned Ethernet port or VPN Gateway
  • Any errors that occur are reported to ENG IT by submitting a ticket

To enroll a system for Secure Device Networking, please use the Sensitive Computer form.