Network firewalls are coming to Earth Sciences on May 30, 2007.



May 22, 2007

The university is funding and implementing departmental computer network "firewalls". These devices regulate incoming traffic into the department network from the rest of campus and the entire Internet. They do not block outgoing connections made from your computer.

The firewall will greatly increase our network security by blocking hacker probes of insecure services and preventing or interfering with self-propagating virus and worm attacks.

The firewall will be turned on for the Earth Sciences subnet, which includes all offices and labs in Geology Corner, Mitchell Earth Sciences (except Branner Library), and Green Earth Sciences, on Wednesday, May 30 at 7 a.m. There will be a brief interruption in the network while it is switched to the firewall.

This firewall will make our network more secure. But it may affect some ways that people connect into our network from outside. Here is what you need to do after the firewall goes into effect on May 30.

Send email to the Earth Sciences network team with any questions. Send reports of connectivity problems on May 30 or later to the same address.

"Average" computer users

The "average" computer user in Earth Sciences will not notice any change and doesn't need to do anything. The firewall will not block any outgoing connections that you start from your computer. You can connect to web servers, mail servers, instant messaging services, and initiate file transfers just like you did before. But probes against your computer from outside our network will be blocked.

Home users or travelers

If you like to access your Earth Sciences office or lab computer for file sharing or remote login from home or while traveling with a portable computer, you need to install the Stanford Virtual Private Network (VPN) client software on your home or portable computer to keep all access after the firewall is enabled. You can make a HelpSU request to have our CRC desktop consultants install this. Stanford DSL users do not need the VPN.

"Power" users or managers of research workstations

If you are a "power" user or the manager of a research workstation, you may find that some services you have opened to the outside world are now blocked.

The firewall will allow incoming connections from outside the Earth Sciences network to major servers on our network, such as pangea, plus special research servers that we have already identified. For example, we have identified all research web servers that need access from outside our network through the firewall.

You can request access for other well-secured services used for academic purposes on your computer, as described in the detailed table below. Inherently insecure services such as plain ftp and plain telnet will not be allowed anymore.

Details of firewall rules and operation

The purpose of a firewall is to regulate incoming traffic onto our network, particularly to services that are known to be vulnerable to hacker attacks. A service is simply a way for outsiders to connect to your computer in order to download a file, view the screen, or run a program.

As part of the firewall project, we are tightening policies for access to services running on computers on the Earth Sciences network. Vulnerable services that are often turned on by individual computer users will be limited to access from the Stanford network only, or in some cases, to just the Earth Sciences network.

These rules only affect connections that originate outside the Earth Sciences wired network. Wireless services in Earth Sciences are part of a separate ITS managed network. Wireless connections are considered outside the Earth Sciences network. Any connection that you originate while seated in front of your computer in your Earth Sciences office or lab is not affected. Any service you open on your computer that is connected to the wired Earth Sciences network can still be accessed by any other computer on the wired Earth Sciences network, even if outside connections are blocked.

The following table summarizes the effect of the new firewall policies on common services that people may enable on their computers.

"Stanford campus network" means the wired network in all academic buildings and residence halls; registered (not guest) computers using the ITS wireless networks; Stanford DSL home computers; connections made through the Stanford dial-up modem pool; and other home and remote connections using the Stanford public VPN client.

Each entry below names a service that may be running on your computer, states where outside connections to it will be allowed from, and gives a description with any exceptions.

Remote desktop
Allowed from: Stanford campus network.
Only these methods for remote desktop logins will be allowed: Windows Remote Desktop, Apple Remote Desktop, VNC, Timbuktu, and compatible protocols that use the same TCP ports as one of these (for example, PCAnywhere can be configured to use the same port number as VNC). If you need remote desktop logins from home or while traveling with a portable computer, install and use the Stanford public VPN client.

ssh
Allowed from: The entire Internet.
The ssh service allows remote command-line logins and remote command execution on your Earth Sciences computer. Because the ssh protocol is fully encrypted and requires a local account and password, access will be allowed from anywhere. If you enable the ssh server on your computer, make sure all local accounts on that computer have strong passwords!

sftp and scp
Allowed from: The entire Internet.
These file transfer services are part of the ssh protocol.

Web server
Allowed from: No access to personal servers. Entire Internet access to School and research servers.
Connections from the Internet will be allowed upon request to properly configured and maintained research group web servers used for academic purposes, only when the pangea web server is not adequate. Outside access to personal web sharing will be blocked. Improperly configured web servers are commonly penetrated by hackers and used to compromise computers.

We have already identified all existing academic web servers and created the firewall rules to allow continued access. For personal web sharing, such as your personal photos, use your pangea or leland systems personal web account (for small files), or a free Internet service (such as flickr, shutterfly, picasa, mediamax, or xdrive).

Email server
Allowed from: Entire Internet access to pangea and SEP mail servers.
Everyone uses email programs on their computers to send and receive email through a server such as pangea or the central @stanford.edu servers. But individuals and research groups are not permitted to run their own email servers on the Earth Sciences network. Only connections to the pangea server and the SEP group's long-standing email server will be allowed to come in through the firewall.

ftp
Allowed from: No access, except entire Internet for anonymous ftp on pangea.
ftp is used to transfer files. It is inherently insecure because it sends passwords and data over the network in clear text. The firewall will permit outside ftp connections only to pangea. Even on pangea, use of personal accounts for ftp connections will be phased out by midsummer. After that, pangea will only provide the anonymous ftp service, which anyone in the School can use to distribute files. If you need to serve large files from your computer, enable a secure sftp server instead.

telnet
Allowed from: No access, except entire Internet for kerberized telnet on pangea.
telnet is used to make remote command-line logins. It is inherently insecure because it sends passwords and data over the network in clear text. The firewall will permit outside telnet connections only to pangea. Even on pangea, use of plain text telnet connections will be phased out by midsummer. After that, only encrypted kerberized telnet connections (for example, the Samson program) will be allowed even to pangea. If you need to make remote command-line logins to your computer, use ssh instead of telnet.

Printing
Allowed from: Stanford campus network.
Only the lpd, ipp, or HP jetdirect (9100) printer connection protocols will be allowed. If you need to send print jobs to an Earth Sciences printer from home or while traveling with a portable computer, install and use the Stanford public VPN client.

Pangea file shares
Allowed from: Stanford campus network.
Pangea serves home directories and other common disk areas (/play, /scr1, /ftp, and /WWW) as network file shares accessible to Windows and Mac OS X PCs. If you need to access a file share on pangea from home or while traveling with a portable computer, install and use the Stanford public VPN client.

Windows PC file sharing
Allowed from: No access, except ERE PCs via the VPN.
Turning a Windows PC into a file server exposes it to hacker attacks that target both inherent weaknesses in the file sharing software and common misconfigurations. Numerous PCs on campus have been successfully compromised via the file sharing service.

Special firewall rules will allow access to file shares on centrally managed Windows PCs in the ERE department via the Stanford public VPN client and Stanford DSL, but not the rest of the academic and residence networks (to limit exposure to hacked PCs in those areas). Such access can also be granted to properly configured and maintained research group Windows PC file servers upon request.

Mac OS X file sharing
Allowed from: Stanford campus network.
The AppleShare/IP protocol used by this service is not a major security risk like Windows file sharing. If you need to connect to the file sharing service on your office Mac from home or while traveling with a portable computer, install and use the Stanford public VPN client.

X-Window graphics
Allowed from: No access, except via ssh tunnel.
The XDMCP protocol, which gives a complete remote console with full graphical interface, will be limited to the local Earth Sciences network only, as it sends passwords over the network in plain text mode and can permit hackers to spy on your system. If you need to open an X-window to display results on your computer in Earth Sciences from a program running on a computer outside Earth Sciences, use an ssh X-window tunnel.

IM, chat, skype
Allowed from: The entire Internet.
Instant messaging, chat, and internet telephony programs such as AIM, iChat, Windows Messenger, IRC, and Skype will work through the firewall. Users are clients who log in to servers; servers relay messages between users. Since the user initiates the original outbound login connection to the server, the firewall allows the connection. An attempt to run your own IRC or other chat server will be blocked by the firewall.

Peer-to-peer file sharing
Allowed from: The entire Internet in most cases.
Peer-to-peer file sharing services such as Napster, Kazaa, Grokster, Gnutella, Limewire, and BitTorrent may stop working in their default configurations, or not work as well. Most of these programs offer workarounds for dealing with a firewall.

Please be aware that peer-to-peer file sharing programs are notorious vectors for hacker compromises of computers and identity theft. They should never be installed on Stanford-owned computers, and you are strongly discouraged from using them on personally owned computers. Distribution sites for the programs themselves, and the files that are distributed, are often "contaminated" by hackers with their own malicious programs that "ride along" and infect your computer while you are downloading files. Once installed, these programs often expose other files on your computer, including those containing identity information, to anyone on the internet.

Other services
Allowed from: No access.
Any other service running on your computer which is not described here will not be accessible to connections originated by other computers outside the Earth Sciences network. If you need access to some other service for legitimate academic purposes, contact the network manager, who will first evaluate the security implications before modifying firewall rules.
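As an added illustration of how the rules above combine (example code, not the department's actual firewall configuration), the table can be modeled as a small policy evaluator: each service is open down to a least-trusted source zone, and a few named hosts carry exceptions. The subnet ranges, the hostname sep-mail and every port number except 9100 are assumptions.

```python
import ipaddress
from enum import IntEnum

class Zone(IntEnum):
    # Higher value = less trusted; a service open to zone Z accepts every zone <= Z.
    ES_WIRED = 0   # wired Earth Sciences network; never filtered by this firewall
    CAMPUS = 1     # wired campus, registered wireless, Stanford DSL, dial-up, public VPN
    INTERNET = 2

# Constructed placeholder ranges; substitute the real subnet lists.
ES_WIRED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
CAMPUS_NETS = [ipaddress.ip_network("198.51.100.0/24")]

def zone_of(src_ip: str) -> Zone:
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in ES_WIRED_NETS):
        return Zone.ES_WIRED
    return Zone.CAMPUS if any(ip in net for net in CAMPUS_NETS) else Zone.INTERNET

# Default rule per service: destination ports -> least-trusted zone allowed in.
# Only 9100 (jetdirect) is on the page; the other ports are the standard
# assignments (XDMCP is really UDP/177; this model ignores the transport protocol).
DEFAULT = {
    "ssh/sftp/scp":         ({22}, Zone.INTERNET),
    "remote desktop":       ({3389, 5900, 3283, 407}, Zone.CAMPUS),  # RDP, VNC, ARD, Timbuktu
    "printing":             ({515, 631, 9100}, Zone.CAMPUS),          # lpd, ipp, jetdirect
    "mac file sharing":     ({548}, Zone.CAMPUS),
    "windows file sharing": ({139, 445}, Zone.ES_WIRED),
    "xdmcp":                ({177}, Zone.ES_WIRED),       # from outside: ssh tunnel only
    "ftp":                  ({21}, Zone.ES_WIRED),
    "telnet":               ({23}, Zone.ES_WIRED),
    "email":                ({25}, Zone.ES_WIRED),
    "web":                  ({80, 443}, Zone.ES_WIRED),   # personal web sharing
}
# Per-host exceptions named in the table ("sep-mail" is a placeholder hostname).
EXCEPTIONS = {
    "pangea":   {"ftp": Zone.INTERNET, "telnet": Zone.INTERNET, "email": Zone.INTERNET,
                 "web": Zone.INTERNET, "windows file sharing": Zone.CAMPUS},
    "sep-mail": {"email": Zone.INTERNET},
}

def decide(src_ip: str, dst_host: str, dst_port: int) -> tuple:
    zone = zone_of(src_ip)
    for service, (ports, allowed) in DEFAULT.items():
        if dst_port in ports:
            allowed = EXCEPTIONS.get(dst_host, {}).get(service, allowed)
            return ("allow" if zone <= allowed else "deny",
                    f"{service}: open to {allowed.name}; source zone {zone.name}")
    # "Other services": reachable only from inside the wired Earth Sciences network.
    return ("allow" if zone == Zone.ES_WIRED else "deny",
            f"port {dst_port}: other service; source zone {zone.name}")
```

decide() returns the verdict together with the rule that produced it, which is the form a reviewer wants when checking why a connectivity report on May 30 was blocked.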
