All information dissemination services---such as anonymous FTP, HTTP (World-Wide-Web), Gopher, WAIS, and finger---are provided by one or more expendable servers outside the firewall. Providing these services is critical in a research environment, but because they involve interactions with unauthenticated users and hosts, they pose considerable security risks. In contrast to traditional firewall designs that try to use ``secure'' or chroot'ed proxies to monitor the behavior of these interactions, we simply assume that these protocols are inherently insecure. Consequently, we run standard server implementations on expendable hosts and just assume that those server hosts are regularly compromised by intruders.
This assumption of insecurity in the server hosts has three major implications. First, private data should never be placed on the server machines. By creating a physical separation between publicly accessed data and non-public data, we aim to prevent accidental release and/or corruption of non-public data when break-ins occur on the server machines. Second, users should never need to log onto the server machines. By keeping users off the insecure servers, we reduce the chance of accidental information release or corruption. We can provide a separate expendable host for users to run untrusted software or protocols. Third, all of the state on the server hosts must be easily recoverable because we assume it gets corrupted. In fact, each of the expendable hosts should be automatically restored regularly from uncompromised sources.
To implement these policies, all data stored on server machines is simply a shadow of directory hierarchies stored on protected machines inside the firewall. For example, files made available for anonymous FTP are stored in .../pub/ftp and files made available for HTTP are stored in .../pub/www inside the firewall. These directories are rdist'ed hourly to the server machines. Recovery from data corruption on a server machine is, therefore, automatic. As a natural extension to this approach, the entire operating system on the expendable hosts could be re-installed nightly from a read-only hard drive.
By making the shadowed directories publicly writable on the protected machines, we allow any trusted user to add, remove, or modify his own public data. We find this capability to be a powerful departure from corporate environments where individual users are not permitted to make information public. The capability means that users do not need to access the expendable host, thereby enhancing their own security. Moreover, the automated shadowing process ensures that public data on the expendable machine is configured correctly (i.e., owned by the appropriate user (ftp, http, etc.), placed in the appropriate directories, and given the appropriate access permissions). In effect, individual users explicitly decide which data is public and which data is private, and the system then assures that public data is disseminated, that private data is kept secure, and that the two types of data are kept separated.
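The following script is an added illustration of the hourly shadowing step described in the two preceding paragraphs; it is not the authors' rdist configuration. It assumes both trees are reachable as local paths (for instance, run on the protected host with the expendable server's tree mounted, or wrapped by rdist/rsync over ssh), that the master copy lives under a path such as `.../pub/ftp`, and that the service account on the server is named `ftp`; all of those are assumptions. It shows the three properties the text relies on: anything an intruder adds to the server tree is deleted on the next run, anything he modifies is overwritten from the master, and ownership and permissions are normalized regardless of what the contributing user set on the publicly writable master directory.

```shell
#!/bin/sh
# Added example, not from the paper: mirror a publicly-writable master tree
# onto an expendable server, normalizing ownership and permissions.
# Assumed cron line on the protected host (hourly, as in the text):
#   0 * * * *  /usr/local/sbin/shadow-pub.sh /export/pub/ftp /srv/ftp/pub ftp
set -eu

# shadow_sync SRC DST [OWNER]
# Make DST an exact copy of SRC.  The master is authoritative: extra entries
# in DST are removed, every file is recopied, and modes are reset, so a
# compromised server tree is repaired on the next run without human action.
shadow_sync() {
    src=$1; dst=$2; owner=${3:-}
    mkdir -p "$dst"

    # 1. Remove anything in DST that is not on the master (deepest first).
    #    This is what undoes an intruder's additions on the expendable host.
    (cd "$dst" && find . -depth) | while IFS= read -r rel; do
        case $rel in .) continue ;; esac
        s="$src/$rel"; d="$dst/$rel"
        if [ ! -e "$s" ] && [ ! -L "$s" ]; then
            rm -rf "$d"                    # not on the master: drop it
        elif [ -d "$d" ] && [ ! -d "$s" ]; then
            rm -rf "$d"                    # type changed (dir vs file)
        elif [ ! -d "$d" ] && [ -d "$s" ]; then
            rm -f "$d"
        fi
    done

    # 2. Recopy the whole tree.  Modified files on the server are overwritten
    #    from the master; symlinks are copied as links, not followed, so a
    #    user cannot publish a file outside pub/ by linking to it.
    cp -R "$src/." "$dst"

    # 3. Normalize what the contributing users left behind on the publicly
    #    writable master: no world-writable dirs, no setuid/setgid bits, and
    #    no symlinks at all on the server side.
    find "$dst" -type l -exec rm -f {} +
    find "$dst" -type d -exec chmod 755 {} +
    find "$dst" -type f -exec chmod 644 {} +

    # 4. Hand the tree to the service account (ftp, http, ...).  Only root
    #    can chown, so this is skipped when run unprivileged, e.g. for tests.
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dst"
    fi
}

# shadow_verify SRC DST
# Exit 0 if the server tree is content-identical to the master; a non-zero
# status here after a sync is worth a line in the anomaly log the text
# mentions, since it means the copy itself is failing.
shadow_verify() {
    diff -r "$1" "$2" >/dev/null 2>&1
}

# Usage:  ./shadow-pub.sh SRC DST [OWNER]
if [ $# -ge 2 ]; then
    shadow_sync "$1" "$2" "${3:-}"
    shadow_verify "$1" "$2"
fi
```

Because the master directory is writable by every trusted user, step 3 is not optional: a permission or ownership mistake on the master would otherwise be propagated to the server verbatim, and the script is the only place where the server's view of the data is guaranteed to be owned by the service account and read-only to everyone else.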
Our approach to information dissemination has three significant advantages for an academic environment. First, it eliminates almost all management overhead. System maintenance is largely automatic. Other than occasionally scanning log files to note any anomalous access patterns, no human intervention is needed. Second, in many ways, our approach is more secure than those used by traditional corporate firewalls. We do not need to rely on a proxy to catch security threats, and we do not make assumptions about the security of the underlying operating system. Third, our use of expendable hosts offers a degree of extensibility that is not provided by traditional firewall implementations. As new Internet services and protocols are defined, we can immediately deploy standard, possibly insecure, implementations on an expendable server. This option is very attractive, particularly when compared to the alternative of obtaining or creating a secure implementation of each new service.