Next: Request-Response Policy
Up: Designing an Academic
Previous: Introduction
A firewall implements a particular security policy that trades off the
need to support collaborative work by maintaining open Internet
connectivity against the need to provide security by restricting this
connectivity. The security policy is affected by how much trust is
given to internal users and is limited by implementation considerations.
After all, there is little point in adopting a security policy that is
impractical to implement.
Our firewall policy attempts to balance the collaboration and security
concerns better than traditional corporate firewalls do. To achieve
this goal, we trust our users to understand the importance of security
and not to intentionally attempt to bypass the mechanisms in place. This
trust is comparable to allowing an individual to participate in a
research group, attend meetings, and have a computer account. By making
the firewall policy as unobtrusive to users as possible, we also
reinforce this trust by eliminating the temptation to bypass the security
mechanisms.
Our security policy can be stated in three simple rules, summarized in
Figure 2:
Figure 2: SURF Design with a Request-Response Security Policy, Expendable Hosts, and Bastion Hosts Supporting Remote Access for Trusted Users

1. All outbound packets are allowed to travel outside, and inbound
packets are allowed inside the firewall only if they can be
determined to be responses to outbound requests.
2. Packets to or from outside-the-firewall "expendable hosts" are
unrestricted (aside from normal operating system and application-level
access controls) because they are outside the security perimeter.
3. Packets known to be from authenticated hosts or users outside the
firewall are allowed inside the firewall.
The rationale for this policy is straightforward. Rule 1 follows from
our recognition that open network access is a necessary component of a
research environment. The rule relies on the assumption that we trust
our users to understand and adhere to the research group's security
goals. The Request-Response security policy states that an
outgoing request implicitly grants permission to admit its response into
our secure network. Rule 2 addresses our need to support information
dissemination (FTP, WWW, etc.) in a research environment. We simply
accept that these expendable hosts may be compromised and choose to
automatically recover their state on a regular basis from information
kept securely behind the firewall. Compromises to expendable hosts
therefore do not affect the security of the private network. Rule 3
grants access to protected resources to users as they work from home or
while travelling, as well as to collaborators located outside the
research group. We rely on secure IP tunnels and carefully selected
authentication mechanisms to implement this virtual enclave
environment.
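To make the three rules concrete, the following is an added illustration, not code from the SURF project: a small packet-filter simulation that applies Rule 1 (outbound allowed, inbound only as a matching response), Rule 2 (expendable hosts outside the perimeter are unfiltered) and Rule 3 (authenticated remote hosts admitted) to constructed packets. The address ranges, the fixed set of authenticated tunnel endpoints, and the timeout on remembered requests are assumptions introduced for the example; the paper does not specify them.

```python
"""Toy filter applying the three SURF rules to constructed packets.

Added example, not the SURF implementation. Assumed values:
  - the private network is 10.0.0.0/24 (inside the firewall)
  - expendable hosts live in 192.0.2.0/28 (outside the perimeter)
  - 198.51.100.7 is the tunnel endpoint of an authenticated remote user
  - an outbound request is remembered for REQUEST_TTL seconds
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PRIVATE_NET = ip_network("10.0.0.0/24")        # assumed: protected network
EXPENDABLE_NET = ip_network("192.0.2.0/28")    # assumed: expendable hosts
AUTHENTICATED_HOSTS = {ip_address("198.51.100.7")}  # assumed: Rule 3 peer
REQUEST_TTL = 300.0  # assumed: seconds an outbound request stays valid


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class SurfFilter:
    """Stateful filter: remembers outbound requests to recognise responses."""

    def __init__(self, ttl=REQUEST_TTL):
        self.ttl = ttl
        # key: (proto, inside addr, inside port, outside addr, outside port)
        # value: time after which the remembered request expires
        self.pending = {}

    @staticmethod
    def _inside(addr):
        return ip_address(addr) in PRIVATE_NET

    @staticmethod
    def _expendable(addr):
        return ip_address(addr) in EXPENDABLE_NET

    def decide(self, pkt, now=0.0):
        """Return (verdict, reason) for one packet seen at logical time `now`."""
        # Drop remembered requests that have aged out.
        self.pending = {k: exp for k, exp in self.pending.items() if exp >= now}

        # Rule 2: expendable hosts sit outside the perimeter; nothing to enforce.
        if self._expendable(pkt.src) or self._expendable(pkt.dst):
            return "allow", "rule 2: expendable host traffic"

        # Rule 1, outbound half: always allowed, and remembered as a request.
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.pending[key] = now + self.ttl
            return "allow", "rule 1: outbound request"

        # Inbound half: admitted only as a response or from an authenticated host.
        if self._inside(pkt.dst) and not self._inside(pkt.src):
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.pending:
                self.pending[key] = now + self.ttl  # keep a live flow alive
                return "allow", "rule 1: response to outbound request"
            if ip_address(pkt.src) in AUTHENTICATED_HOSTS:
                return "allow", "rule 3: authenticated remote host"
            return "deny", "unsolicited inbound packet"

        # Both ends inside (or both outside): not something this filter decides.
        return "allow", "not crossing the perimeter"


if __name__ == "__main__":
    fw = SurfFilter()
    # Constructed traffic walking through each rule.
    trace = [
        (0.0, Packet("10.0.0.5", 40000, "203.0.113.9", 80)),    # web request out
        (1.0, Packet("203.0.113.9", 80, "10.0.0.5", 40000)),    # its response
        (2.0, Packet("203.0.113.9", 80, "10.0.0.6", 40000)),    # unsolicited
        (3.0, Packet("203.0.113.9", 12345, "192.0.2.3", 21)),   # to expendable FTP host
        (4.0, Packet("198.51.100.7", 500, "10.0.0.5", 22)),     # authenticated peer
        (1000.0, Packet("203.0.113.9", 80, "10.0.0.5", 40000)), # response long after
    ]
    for now, pkt in trace:
        verdict, reason = fw.decide(pkt, now)
        print(f"t={now:6.0f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  {verdict:5} ({reason})")
```

The response check is deliberately a reverse-five-tuple match rather than "any packet from a host we talked to", which is what makes Rule 1 safe: an outside host that has received one request does not gain general access to the inside. The timeout exists because a request remembered forever would slowly turn the table into an allow-list; a real filter would also track protocol state (TCP flags, ICMP error association), which this toy omits.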
This security policy addresses the needs of academic environments, and
indeed those of many corporate environments. The next three
sections describe how we implemented these security rules within our
research environment.
Sandeep Singhal
Thu Nov 30 01:58:58 PST 1995