Network firewalls are coming to Earth Sciences on May 30, 2007.
May 22, 2007
The university is funding and implementing departmental computer
network "firewalls". These devices regulate incoming traffic into the
department network from the rest of campus and the entire Internet.
They do not block outgoing connections made from your computer.
The firewall will greatly increase our network security by blocking
hacker probes of insecure services and preventing or interfering with
self-propagating virus and worm attacks.
The firewall will be turned on for the Earth Sciences subnet, which
includes all offices and labs in Geology Corner, Mitchell Earth
Sciences (except Branner Library), and Green Earth Sciences, on
Wednesday, May 30 at 7 a.m. There will be a brief interruption
in the network while it is switched to the firewall.
This firewall will make our network more secure. But it may affect
some ways that people connect into our network from outside.
Here is what you need to do after the firewall goes into effect on May 30.
Send email to the Earth Sciences network team with any questions. Send reports
of connectivity problems on May 30 or later to the same address.
"Average" computer users
The "average" computer user in Earth Sciences will not notice any
change and doesn't need to do anything.
The firewall will not block any outgoing connections that you
start from your computer. You can connect to web servers, mail
servers, instant messaging services, and initiate file transfers just
like you did before. But probes against your computer from outside our
network will be blocked.
Home users or travelers
If you like to access your Earth Sciences office or lab computer for
file sharing or remote login from home or while traveling with a
portable computer, you need to install the Stanford Virtual Private
Network (VPN) client software on your home or portable computer to keep
all access after the firewall is enabled. You can make a HelpSU request
to have our CRC desktop consultants install this. Stanford DSL users do
not need the VPN.
"Power" users or managers of research workstations
The "power" user or manager of a research workstation may find that
some services they have opened to the outside world are now blocked.
The firewall will allow incoming connections from outside the Earth
Sciences network to major servers on our network, such as pangea, plus
special research servers that we have already identified. For example,
we have identified all research web servers that need access from
outside our network through the firewall.
You can request access for other well-secured services used for
academic purposes on your computer, as described in the detailed
table below. Inherently insecure services such as plain ftp and
plain telnet will not be allowed anymore.
Details of firewall rules and operation
The purpose of a firewall is to regulate incoming traffic onto our
network, particularly to services that are known to be vulnerable to
hacker attacks. A service is simply a way for outsiders to connect to
your computer in order to download a file, view the screen, or run a program.
As part of the firewall project, we are tightening policies
for access to services running on computers on the Earth Sciences
network.
Vulnerable services that are often
turned on by individual computer users will be limited to access from
the Stanford network only, or in some cases, to just the Earth
Sciences network.
These rules only affect connections that originate outside the
Earth Sciences wired network.
Wireless services in Earth Sciences are part of a separate
ITS managed network. Wireless connections are considered outside
the Earth Sciences network. Any connection that you originate
while seated in front of your computer in your Earth Sciences
office or lab is not affected. Any service you open on your computer
that is connected to the wired Earth Sciences network can still
be accessed by any other computer on the wired Earth Sciences network,
even if outside connections are blocked.
The following table summarizes the effect of the new firewall policies
on common services that people may enable on their computers.
"Stanford campus network" means the wired network in all academic
buildings and residence halls; registered (not guest) computers
using the ITS wireless networks; Stanford DSL home computers;
connections made through the Stanford dial-up modem pool; and other
home and remote connections using the Stanford public VPN client.
Service running on your computer | Outside connections allowed from ... | Description and exceptions
Remote desktop | Stanford campus network. | Only these methods for remote desktop logins will be allowed: Windows Remote Desktop, Apple Remote Desktop, VNC, Timbuktu, and compatible protocols that use the same TCP ports as one of these (for example, PCAnywhere can be configured to use the same port number as VNC). If you need remote desktop logins from home or while traveling with a portable computer, install and use the Stanford public VPN client.
ssh | The entire Internet. | The ssh service allows remote command-line logins and remote command execution on your Earth Sciences computer. Because the ssh protocol is fully encrypted and requires a local account and password, access will be allowed from anywhere. If you enable the ssh server on your computer, make sure all local accounts on that computer have strong passwords!
sftp and scp | The entire Internet. | These file transfer services are part of the ssh protocol.
Web server | No access to personal servers. Entire Internet access to School and research servers. | Connections from the Internet will be allowed upon request to properly configured and maintained research group web servers used for academic purposes, and only when the pangea web server is not adequate. Outside access to personal web sharing will be blocked. Improperly configured web servers are commonly penetrated by hackers and used to compromise computers. We have already identified all existing academic web servers and created the firewall rules to allow continued access. For personal web sharing, such as your personal photos, use your pangea or leland systems personal web account (for small files), or a free Internet service (such as flickr, shutterfly, picasa, mediamax, or xdrive).
Email server | Entire Internet access to pangea and SEP mail servers. | Everyone uses email programs on their computers to send and receive email through a server such as pangea or the central @stanford.edu servers. But individuals and research groups are not permitted to run their own email servers on the Earth Sciences network. Only connections to the pangea server and the SEP group's long-standing email server will be allowed to come in through the firewall.
ftp | No access, except entire Internet for anonymous ftp on pangea. | ftp is used to transfer files. It is inherently insecure because it sends passwords and data over the network in clear text. The firewall will permit outside ftp connections only to pangea. Even on pangea, use of personal accounts for ftp connections will be phased out by midsummer. After that, pangea will only provide the anonymous ftp service, which anyone in the School can use to distribute files. If you need to serve large files from your computer, enable a secure sftp server instead.
telnet | No access, except entire Internet for kerberized telnet on pangea. | telnet is used to make remote command-line logins. It is inherently insecure because it sends passwords and data over the network in clear text. The firewall will permit outside telnet connections only to pangea. Even on pangea, use of plain text telnet connections will be phased out by midsummer. After that, only encrypted kerberized telnet connections (for example, the Samson program) will be allowed even to pangea. If you need to make remote command-line logins to your computer, use ssh instead of telnet.
Printing | Stanford campus network. | Only the lpd, ipp, or HP JetDirect (port 9100) printer connection protocols will be allowed. If you need to send print jobs to an Earth Sciences printer from home or while traveling with a portable computer, install and use the Stanford public VPN client.
Pangea file shares | Stanford campus network. | Pangea serves home directories and other common disk areas (/play, /scr1, /ftp, and /WWW) as network file shares accessible to Windows and Mac OS X PCs. If you need to access a file share on pangea from home or while traveling with a portable computer, install and use the Stanford public VPN client.
Windows PC file sharing | No access, except ERE PCs via the VPN. | Turning a Windows PC into a file server exposes it to hacker attacks that target both inherent weaknesses in the file sharing software and common misconfigurations. Numerous PCs on campus have been successfully compromised via the file sharing service. Special firewall rules will allow access to file shares on centrally managed Windows PCs in the ERE department via the Stanford public VPN client and Stanford DSL, but not from the rest of the academic and residence networks (to limit exposure to hacked PCs in those areas). Such access can also be granted to properly configured and maintained research group Windows PC file servers upon request.
Mac OS X file sharing | Stanford campus network. | The AppleShare/IP protocol used by this service is not a major security risk like Windows file sharing. If you need to connect to the file sharing service on your office Mac from home or while traveling with a portable computer, install and use the Stanford public VPN client.
X-Window graphics | No access, except via ssh tunnel. | The XDMCP protocol, which gives a complete remote console with full graphical interface, will be limited to the local Earth Sciences network only, as it sends passwords over the network in plain text and can permit hackers to spy on your system. If you need to open an X window to display results on your computer in Earth Sciences from a program running on a computer outside Earth Sciences, use an ssh X-window tunnel.
IM, chat, Skype | The entire Internet. | Instant messaging, chat, and Internet telephony programs such as AIM, iChat, Windows Messenger, IRC, and Skype will work through the firewall. Users are clients who log in to servers; servers relay messages between users. Since the user initiates the original outbound login connection to the server, the firewall allows the connection. An attempt to run your own IRC or other chat server will be blocked by the firewall.
Peer-to-peer file sharing | The entire Internet in most cases. | Peer-to-peer file sharing services such as Napster, Kazaa, Grokster, Gnutella, Limewire, and BitTorrent may stop working in their default configurations, or not work as well. Most of these programs offer workarounds for dealing with a firewall. Please be aware that peer-to-peer file sharing programs are notorious vectors for hacker compromises of computers and identity theft. They should never be installed on Stanford-owned computers, and you are strongly discouraged from using them on personally owned computers. Distribution sites for the programs themselves, and the files that are distributed, are often "contaminated" by hackers with their own malicious programs that "ride along" and infect your computer while you are downloading files. Once installed, these programs often expose other files on your computer, including those containing identity information, to anyone on the Internet.
Other services | No access. | Any other service running on your computer which is not described here will not be accessible to connections originated by other computers outside the Earth Sciences network. If you need access to some other service for legitimate academic purposes, contact the network manager, who will first evaluate the security implications before modifying firewall rules.
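The behaviour the announcement describes, in which connections you start from inside pass freely (and their return traffic with them) while unsolicited connections from outside are matched against a per-service rule, is stateful packet filtering. The following is an added illustration of that mechanism and is not the department's firewall configuration. It assumes documentation address ranges (RFC 5737) as stand-ins for the Earth Sciences subnet, the "Stanford campus network", and the pangea server; the service-to-port mapping (22 for ssh, 3389 for Windows Remote Desktop, 5900 for VNC, 515/631/9100 for lpd/ipp/JetDirect, 21, 23, 25 and 80 for ftp, telnet, mail and web) is the standard one and the rule set is a simplified subset of the table above (the SEP mail server, Timbuktu and Apple Remote Desktop ports are omitted).

```python
"""Stateful firewall simulator for the policy in the table above.

Added example, not the department's firewall. All addresses are
constructed documentation ranges (RFC 5737), not real Stanford networks.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed networks: the protected wired subnet, the broader "campus"
# scope (wired campus, registered wireless, DSL, dial-up, public VPN), and
# a stand-in address for the pangea server.
EARTH_SCI_NET = ipaddress.ip_network("192.0.2.0/24")
CAMPUS_NETS = [ipaddress.ip_network("198.51.100.0/24"), EARTH_SCI_NET]
PANGEA = ipaddress.ip_address("192.0.2.10")

ANYWHERE = "anywhere"
CAMPUS = "campus"

# Inbound rules keyed by destination port: (allowed source scope, allowed
# destination hosts or None for any host on the subnet). Ports not listed
# fall under "Other services: no access".
INBOUND_RULES = {
    22: (ANYWHERE, None),                 # ssh, sftp, scp: anywhere
    3389: (CAMPUS, None),                 # Windows Remote Desktop: campus only
    5900: (CAMPUS, None),                 # VNC: campus only
    515: (CAMPUS, None),                  # lpd printing: campus only
    631: (CAMPUS, None),                  # ipp printing: campus only
    9100: (CAMPUS, None),                 # HP JetDirect printing: campus only
    21: (ANYWHERE, {PANGEA}),             # ftp: only to pangea
    23: (ANYWHERE, {PANGEA}),             # telnet: only to pangea
    25: (ANYWHERE, {PANGEA}),             # mail: only to pangea (SEP omitted)
    80: (ANYWHERE, {PANGEA}),             # web: only identified servers
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the first packet of a new TCP connection


@dataclass
class StatefulFirewall:
    # Connection table: 4-tuples of connections already permitted.
    established: set = field(default_factory=set)

    def handle(self, pkt: Packet) -> str:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Traffic belonging to an already-permitted connection passes in
        # both directions; this is what lets replies to outbound
        # connections back in without any inbound rule.
        if key in self.established or reverse in self.established:
            return "allow"
        # A non-SYN packet with no connection-table entry is unsolicited.
        if not pkt.syn:
            return "drop"
        # Outgoing connections started from inside are never blocked.
        if src in EARTH_SCI_NET:
            self.established.add(key)
            return "allow"
        # Packets not destined for the protected subnet are not regulated here.
        if dst not in EARTH_SCI_NET:
            return "allow"
        rule = INBOUND_RULES.get(pkt.dport)
        if rule is None:
            return "drop"
        scope, hosts = rule
        if hosts is not None and dst not in hosts:
            return "drop"
        if scope == CAMPUS and not any(src in net for net in CAMPUS_NETS):
            return "drop"
        self.established.add(key)
        return "allow"


def run_scenarios() -> dict:
    """Constructed traffic illustrating each class of rule; returns verdicts."""
    fw = StatefulFirewall()
    scenarios = [
        ("outbound web", Packet("192.0.2.50", 40000, "203.0.113.5", 80, True)),
        ("reply to outbound web", Packet("203.0.113.5", 80, "192.0.2.50", 40000, False)),
        ("unsolicited reply-looking packet", Packet("203.0.113.9", 80, "192.0.2.50", 40001, False)),
        ("vnc probe from Internet", Packet("203.0.113.9", 5555, "192.0.2.50", 5900, True)),
        ("vnc from campus", Packet("198.51.100.7", 5555, "192.0.2.50", 5900, True)),
        ("ssh from Internet", Packet("203.0.113.9", 5556, "192.0.2.50", 22, True)),
        ("ftp to a workstation", Packet("203.0.113.9", 5557, "192.0.2.50", 21, True)),
        ("ftp to pangea", Packet("203.0.113.9", 5558, "192.0.2.10", 21, True)),
        ("unlisted service from Internet", Packet("203.0.113.9", 5559, "192.0.2.50", 8080, True)),
    ]
    return {name: fw.handle(pkt) for name, pkt in scenarios}


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{verdict:5s}  {name}")
```

The ordering of the checks is the point: the connection table is consulted before any rule, so a reply to something a user started from an office machine is accepted even though port 80 inbound to a workstation is otherwise dropped, while a stray packet on the same port with no table entry is refused. Real firewalls track TCP state more carefully (sequence numbers, FIN/RST teardown, UDP pseudo-state), which this model leaves out.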