Corporate network firewalls are well understood and are becoming
commonplace. These firewalls establish a security perimeter that aims
to block (or heavily restrict) both incoming and outgoing network
communication. We argue that these firewalls are neither effective
nor appropriate for academic or corporate research environments
needing to maintain information security while still supporting the
free exchange of ideas.

In this paper, we present the Stanford University Research Firewall
(SURF), a network firewall design that is suitable for a research
environment. While still protecting information and computing
resources behind the firewall, this firewall is less restrictive of
outward information flow than the traditional model; can be easily
deployed; and can give internal users the illusion of unrestricted
e-mail, anonymous FTP, and WWW connectivity to the greater Internet.
Our experience demonstrates that an adequate firewall for a research
environment can be constructed for minimal cost using off-the-shelf
software and hardware components.