Stanford University School of Earth Sciences
 

School of Earth Sciences network firewall

last revision October 17, 2007

Security safeguards:

  1. Minimize network presence
  2. Use strong passwords
  3. Install security patches regularly
  4. Backup computer data
  5. Encrypted login
  6. Network firewall
  7. Switched ethernet
  8. Restricted Connections to Pangea
 

The university is funding and implementing departmental computer network "firewalls". These devices regulate incoming traffic into the department network from the rest of campus and the entire Internet. They do not block outgoing connections made from your computer.

The School of Earth Sciences implemented such a firewall on May 30, 2007 for all wired network jacks in its three buildings: Geology Corner, Mitchell Earth Sciences (except Branner Library and Hartley Conference Center), and Green Earth Sciences. Wireless service and the wired jacks in Branner Library and Hartley Conference Center are on separately managed networks that are not protected by the Earth Sciences firewall.

This firewall increases our network security by blocking hacker probes of insecure services and preventing or interfering with self-propagating virus and worm attacks. But it may affect some ways that people connect into our network from outside. This page describes those effects, including the rules on what services on individual computers inside Earth Sciences can be accessed by computers outside our network.

"Average" computer users

The "average" computer user in Earth Sciences will not notice the network firewall. The firewall does not block any outgoing connections that you start from your computer. You can connect to web servers, mail servers, instant messaging services, and initiate file transfers just like you did before. But probes against your computer from outside our network will be blocked.

Home users or travelers

If you want to access your Earth Sciences office or lab computer for file sharing or remote login from home or while traveling with a portable computer, you need to install the Stanford Virtual Private Network (VPN) client software on your home or portable computer in order to get through the firewall to your office or lab computer. You can make a HelpSU request to have our CRC desktop consultants install this. Stanford DSL users do not need the VPN.

"Power" users or managers of research workstations and servers

"Power" users or managers of research workstations and servers may find that some services they would like to open to the outside world are blocked by the firewall.

The firewall allows incoming connections from outside the Earth Sciences network to major servers on our network, such as pangea. Managers of research servers can request access for well-secured services used for academic purposes on their computers, as described in the detailed table below. Inherently insecure services such as plain ftp and plain telnet are not allowed at all through the firewall.

Details of firewall rules and operation

The purpose of a firewall is to regulate incoming traffic onto our network, particularly to services that are known to be vulnerable to hacker attacks. A service is simply a way for outsiders to connect to your computer in order to download a file, view the screen, or run a program.

As part of the firewall project, we have tightened policies for access to services running on computers on the Earth Sciences network. Vulnerable services that are often turned on by individual computer users will be limited to access from the Stanford network only, or in some cases, to just the Earth Sciences network.

These rules only affect connections that originate outside the Earth Sciences wired network. Wireless services in Earth Sciences are part of a separate ITS managed network. Wireless connections are considered outside the Earth Sciences network. Thus, connections from your laptop running wirelessly to the desktop computer in the same office connected to the wired network may be affected.

Any connection that you originate while seated in front of your computer in your Earth Sciences office or lab is not affected. Any service you open on your computer that is connected to the wired Earth Sciences network can still be accessed by any other computer on the wired Earth Sciences network, even if outside connections are blocked.

The following table summarizes the effect of the new firewall policies on common services that people may enable on their computers.

"Stanford campus network" means the wired network in all academic buildings and residence halls; registered (not guest) computers using the ITS wireless networks; Stanford DSL home computers; connections made through the Stanford dial-up modem pool; and other home and remote connections using the Stanford public VPN client.

Each entry below gives the service running on your computer, where outside connections to it are allowed from, and a description with any exceptions.

Service: Remote desktop
Allowed from: Stanford campus network.
Description and exceptions: Only these methods for remote desktop logins are allowed: Windows Remote Desktop, Apple Remote Desktop, VNC, Timbuktu, and compatible protocols that use the same TCP ports as one of these (for example, PCAnywhere can be configured to use the same port number as VNC). If you need remote desktop logins from home or while traveling with a portable computer, install and use the Stanford public VPN client.

Service: ssh
Allowed from: The entire Internet.
Description and exceptions: The ssh service allows remote command-line logins and remote command execution on your Earth Sciences computer. Because the ssh protocol is fully encrypted and requires a local account and password, access is allowed from anywhere. If you enable the ssh server on your computer, make sure all local accounts on that computer have strong passwords!

Service: sftp and scp
Allowed from: The entire Internet.
Description and exceptions: These file transfer services are part of the ssh protocol.

Service: Web server
Allowed from: No access to personal servers. Entire Internet access to School and research servers.
Description and exceptions: Connections from the Internet are allowed upon request to properly configured and maintained research group web servers used for academic purposes, and only when the pangea web server is not adequate.

Outside access to personal web sharing is blocked. Improperly configured web servers are commonly penetrated by hackers and used to compromise computers. For personal web sharing, such as your personal photos, use your pangea or leland systems personal web account (for small files), or a free Internet service (such as flickr, shutterfly, picasa, mediamax, or xdrive).

Service: Email server
Allowed from: Entire Internet access to pangea and SEP mail servers.
Description and exceptions: Everyone uses email programs on their computers to send and receive email through a server such as pangea or the central @stanford.edu servers. But individuals and research groups are not permitted to run their own email servers on the Earth Sciences network. Only connections to the pangea server and the SEP group's long-standing email server are allowed to come in through the firewall.

Service: ftp
Allowed from: No access, except the entire Internet for anonymous ftp on pangea.
Description and exceptions: ftp is used to transfer files. It is inherently insecure because it sends passwords and data over the network in clear text. The firewall permits outside ftp connections to pangea only. Pangea in turn prohibits normal ftp logins and only allows access to the anonymous ftp service, which anyone in the School can use to distribute files. If you need to serve large files from your computer, enable a secure sftp server instead.

Service: telnet
Allowed from: No access, except the entire Internet for kerberized telnet on pangea.
Description and exceptions: telnet is used to make remote command-line logins. It is inherently insecure because it sends passwords and data over the network in clear text by default. The firewall permits outside telnet connections only to pangea. But pangea requires those telnet connections to be encrypted with Kerberos (for example, the Samson program). If you need to make remote command-line logins to your computer, use ssh instead of telnet.

Service: Printing
Allowed from: Stanford campus network.
Description and exceptions: Only the lpd, ipp, or HP JetDirect (port 9100) printer connection protocols are allowed. If you need to send print jobs to an Earth Sciences printer from home or while traveling with a portable computer, install and use the Stanford public VPN client.

Service: Pangea file shares
Allowed from: Stanford campus network.
Description and exceptions: Pangea serves home directories and other common disk areas (/play, /scr1, /ftp, and /WWW) as network file shares accessible to Windows and Mac OS X PCs. If you need to access a file share on pangea from home or while traveling with a portable computer, install and use the Stanford public VPN client.

Service: Windows PC file sharing
Allowed from: No access, except ERE PCs via the VPN.
Description and exceptions: Turning a Windows PC into a file server exposes it to hacker attacks that target both inherent weaknesses in the file sharing software and common misconfigurations. Numerous PCs on campus have been successfully compromised via the file sharing service.

Special firewall rules allow access to file shares on centrally managed Windows PCs in the ERE department via the Stanford public VPN client and Stanford DSL, but not from the rest of the academic and residence networks (to limit exposure to hacked PCs in those areas). Such access can also be granted to properly configured and maintained research group Windows PC file servers upon request.

Service: Mac OS X file sharing
Allowed from: Stanford campus network.
Description and exceptions: The AppleShare/IP protocol used by this service is not a major security risk like Windows file sharing. If you need to connect to the file sharing service on your office Mac from home or while traveling with a portable computer, install and use the Stanford public VPN client.

Service: X-Window graphics
Allowed from: No access, except via ssh tunnel.
Description and exceptions: The XDMCP protocol, which gives a complete remote console with full graphical interface, is limited to the local Earth Sciences network only, as it sends passwords over the network in plain text and can permit hackers to spy on your system. If you need to open an X-window to display results on your computer in Earth Sciences from a program running on a computer outside Earth Sciences, use an ssh X-window tunnel.

Service: IM, chat, Skype
Allowed from: The entire Internet.
Description and exceptions: Instant messaging, chat, and Internet telephony programs such as AIM, iChat, Windows Messenger, IRC, and Skype can work through the firewall. Users are clients who log in to servers; servers relay messages between users. Since the user initiates the original outbound login connection to the server, the firewall allows the connection. An attempt to run your own IRC or other chat server is blocked by the firewall.

Service: Peer-to-peer file sharing
Allowed from: The entire Internet in most cases.
Description and exceptions: Peer-to-peer file sharing services such as Napster, Kazaa, Grokster, Gnutella, Limewire, and BitTorrent may work poorly or not at all in their default configurations. Most of these programs offer workarounds for dealing with a firewall.

Please be aware that peer-to-peer file sharing programs are notorious vectors for hacker compromises of computers and identity theft. They should never be installed on Stanford-owned computers, and you are strongly discouraged from using them on personally owned computers. Distribution sites for the programs themselves, and the files they distribute, are often "contaminated" by hackers with their own malicious programs that "ride along" and infect your computer while you are downloading files. Once installed, these programs often expose other files on your computer, including those containing identity information, to anyone on the Internet.

Service: Other services
Allowed from: No access.
Description and exceptions: Any other service running on your computer which is not described here is not accessible to connections originated by other computers outside the Earth Sciences network. If you need access to some other service for legitimate academic purposes, contact the network manager, who will first evaluate the security implications before modifying firewall rules.
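The rules above, expressed as a small policy check so you can see how the default-deny rule, the zone of the connecting computer, and the per-host exceptions combine. This is an added illustration, not part of the original page or the School's actual firewall configuration; the host kinds, service names and the "granted" exception set are assumptions made for the model.

```python
from dataclasses import dataclass
from enum import IntEnum

class Zone(IntEnum):
    """Where an inbound connection originates; higher values are more trusted."""
    INTERNET = 0
    STANFORD_CAMPUS = 1        # wired campus, registered wireless, Stanford DSL, dial-up, public VPN
    EARTH_SCIENCES_WIRED = 2   # the wired jacks behind the firewall

@dataclass(frozen=True)
class Host:
    name: str
    kind: str = "personal"            # assumed kinds: "personal", "pangea", "sep_mail", "ere_managed_pc"
    granted: frozenset = frozenset()  # services the network manager approved on request (assumption)

# Least-trusted zone allowed to reach each service on an ordinary Earth Sciences computer.
# Anything absent here (web, email, ftp, telnet, Windows file sharing, ...) is denied by default.
PERSONAL_POLICY = {
    "ssh": Zone.INTERNET, "sftp": Zone.INTERNET, "scp": Zone.INTERNET,
    "remote_desktop": Zone.STANFORD_CAMPUS, "printing": Zone.STANFORD_CAMPUS,
    "macos_file_sharing": Zone.STANFORD_CAMPUS,
    "xdmcp": Zone.EARTH_SCIENCES_WIRED,
}
# Services on pangea that the whole Internet may reach (pangea itself restricts ftp/telnet further).
PANGEA_INTERNET_SERVICES = {"ssh", "sftp", "web", "email", "anonymous_ftp", "kerberized_telnet"}

def inbound_allowed(service: str, host: Host, zone: Zone, via_vpn_or_dsl: bool = False) -> bool:
    """Decide whether the firewall passes a new inbound connection to `service` on `host`.
    Outbound connections are never filtered, so only inbound ones are modelled."""
    if via_vpn_or_dsl:                       # the public VPN and Stanford DSL count as campus network
        zone = max(zone, Zone.STANFORD_CAMPUS)
    if zone == Zone.EARTH_SCIENCES_WIRED:    # wired-to-wired traffic never crosses the firewall
        return True
    if host.kind == "pangea":
        if service in PANGEA_INTERNET_SERVICES:
            return True
        return service == "file_shares" and zone >= Zone.STANFORD_CAMPUS
    if service == "email":                   # only pangea and the SEP mail server may receive mail
        return host.kind == "sep_mail"
    if service == "web":                     # personal web sharing blocked; approved research servers allowed
        return "web" in host.granted
    if service == "windows_file_sharing":    # ERE managed PCs and approved servers, via VPN/DSL only
        return via_vpn_or_dsl and (host.kind == "ere_managed_pc" or service in host.granted)
    minimum = PERSONAL_POLICY.get(service)
    return minimum is not None and zone >= minimum   # unknown service: default deny
```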

 

