This page is for research labs with equipment (computers or other devices) that needs to be remotely accessible to some degree beyond the default.

Important note: ECE Computing strongly discourages and resists research groups opening up SSH to the world, since too many ECE research groups have gotten their servers hacked through wide-open SSH ports. Use Husky OnNet, and leave your machines accessible only from campus!


ECE’s Network Structure

Our network is divided into two segments – departmental subnets (“ECE”) and research subnets (“ECE-RES”).

Wired network traffic within each segment is unrestricted. This means you can make pretty much any type of connection from one device to another, even from one room to another – as long as both devices are plugged into network wall jacks on the same segment.

By default, SSH and RDP (Microsoft Remote Desktop) connections are allowed to computers and devices on either segment from anywhere on campus. Any other type of connection requires that we add a firewall rule before an external connection can succeed.

Information we need before opening a firewall hole

If you are requesting an opening in the department’s firewall, please email all of the following information to help@ece.uw.edu. Note that adding a firewall rule requires that we assign your device a fixed IP address (see How to Request a Static / Fixed IP Address for more info).

  • We will need to know which network ports need to be opened (e.g. TCP 443, UDP 7000).
  • We also need to know where the connections to the device will be coming from: a specific campus address or addresses, any campus address, a specific range of addresses off campus, or any possible address anywhere.
  • Let us know the name of the relevant lab and its faculty PI.
  • Please also include the name and email address of the person we should contact with any questions that might crop up!

Caveats

  • A person with a NetID can make a “campus” connection, even from the other side of the world, by connecting to the Husky OnNet VPN.
  • We typically do not open ports up “to the world” unless there’s a compelling reason to do so – too many research lab machines have been hacked in the past. Note that “we don’t want to have to use the VPN every time we connect” is not a compelling reason.
  • If you need to give access to a non-UW individual (or a small number of individuals), an alternative to opening your device up “to the world” is to sponsor a NetID for these users and provision them for OnNet. One big advantage of this approach is that you keep the potential attack surface of your devices small, limiting access to just the UW network rather than leaving them reachable by anyone from anywhere on earth.

Related Information