Earth Sciences wired computer network firewall to restrict incoming SSH traffic beginning on January 28, 2013
Last revision December 19, 2012

The firewall for the School of Earth Sciences wired computer network will be modified on January 28, 2013, to limit incoming connections using the Secure Shell (SSH) protocol. SSH connections to Earth Sciences computers will generally only be allowed from other computers on the Stanford network (including the VPN). Exceptions will be made for certain servers and research workstations. This will improve the general security of the Earth Sciences wired network and cut down unnecessary network traffic.

SSH is a networking protocol that's generally used for remote login on UNIX/Linux based operating systems. It is also built into Mac OS X and can be run on Windows with special software installed. File servers accepting SFTP or SCP connections are also based on SSH.

Currently, we allow all incoming SSH traffic through the firewall without restriction. Computers that have the SSH service enabled have to process all connection requests, which adds to CPU load and may enable hackers to break into your computer if you have accounts with weak passwords.

Computers that don't have SSH turned on just ignore that traffic. Nonetheless, a lot of unnecessary network traffic still reaches the computers that don't have SSH running.

By implementing firewall restrictions on SSH, all of that unnecessary traffic and potential hacker probes using the SSH protocol will be eliminated on the Earth Sciences network. These restrictions should work for most people who remotely connect by SSH to computers on our network. We can also have custom exceptions as needed.

The planned firewall restrictions on SSH will look like this:

  • Allow SSH connections from any computer on the Stanford networks (including residences and wireless) to any computer on the entire Earth Sciences network. Use the Stanford VPN to connect from off-campus.

  • Allow SSH connections from any computer on the Internet to the School sftp server, sestransfer.stanford.edu.

  • Allow connections from non-Stanford computers to specific computers on the Earth Sciences network upon request when use of the Stanford VPN is not feasible.
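To make the ordering of these three rules concrete, here is a small first-match policy evaluator. It is an added illustration, not the actual firewall configuration used by ITS or Earth Sciences IT; the address ranges are documentation/test prefixes standing in for the Stanford, VPN and Earth Sciences networks (the real ranges are not given on this page), and the functions `base_policy`, `with_exception` and `evaluate` are names chosen for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Placeholder ranges (RFC 5737 documentation prefixes), NOT the real Stanford
# or Earth Sciences address blocks. Substitute the real ranges to use this.
STANFORD_NETS = (
    ip_network("203.0.113.0/24"),   # stands in for campus / residences / wireless
    ip_network("198.51.100.0/24"),  # stands in for the Stanford VPN address pool
)
EARTH_SCI_NET = ip_network("192.0.2.0/24")     # stands in for the Earth Sciences wired network
SFTP_SERVER = ip_address("192.0.2.10")         # stands in for sestransfer.stanford.edu
ANY = ip_network("0.0.0.0/0")
SSH_PORT = 22


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple        # tuple of ip_network
    destinations: tuple   # tuple of ip_network
    action: str           # "allow" (anything unmatched is denied)


def base_policy():
    """The two standing rules from the announcement, in evaluation order."""
    return [
        Rule("stanford-to-earthsci", STANFORD_NETS, (EARTH_SCI_NET,), "allow"),
        Rule("internet-to-sftp", (ANY,), (ip_network(f"{SFTP_SERVER}/32"),), "allow"),
    ]


def with_exception(rules, name, src_cidr, dst_host):
    """Add a per-request exception: one outside source (or range) to one host.

    The exception is as narrow as possible: a single source prefix to a single
    destination address, which is the shape of exception the page describes.
    """
    return rules + [
        Rule(name, (ip_network(src_cidr),), (ip_network(f"{dst_host}/32"),), "allow")
    ]


def evaluate(rules, src, dst, dport):
    """First-match evaluation of an inbound connection attempt.

    Returns (rule_name, action). Non-SSH traffic is outside this policy and
    is reported as unaffected; SSH traffic matching no rule is denied.
    """
    if dport != SSH_PORT:
        return ("outside-policy", "unaffected")
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if any(s in n for n in rule.sources) and any(d in n for n in rule.destinations):
            return (rule.name, rule.action)
    return ("default", "deny")


def dropped_probes(rules, attempts):
    """Count constructed inbound attempts that the new policy would drop."""
    return sum(1 for src, dst, port in attempts if evaluate(rules, src, dst, port)[1] == "deny")


if __name__ == "__main__":
    policy = base_policy()
    # Constructed sample attempts: (source, destination, port)
    attempts = [
        ("203.0.113.7", "192.0.2.50", 22),     # campus workstation -> office box: allowed
        ("198.51.100.20", "192.0.2.50", 22),   # VPN client -> office box: allowed
        ("198.18.0.5", "192.0.2.50", 22),      # outside host -> office box: dropped
        ("198.18.0.5", "192.0.2.10", 22),      # outside host -> sftp server: allowed
        ("198.18.0.5", "192.0.2.50", 443),     # outside host, not SSH: unaffected
    ]
    for src, dst, port in attempts:
        print(f"{src:>14} -> {dst}:{port}  {evaluate(policy, src, dst, port)}")
    print("dropped:", dropped_probes(policy, attempts))
    # A granted exception for one collaborator host turns the drop into an allow.
    custom = with_exception(policy, "collaborator-x", "198.18.0.5/32", "192.0.2.50")
    print("with exception:", evaluate(custom, "198.18.0.5", "192.0.2.50", 22))
```

Rule order matters only when rules overlap; here the sftp rule is reachable from outside because it precedes the implicit default deny, and a granted exception is appended ahead of that same default so it never widens access beyond the one source and one host it names.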

Once this new rule goes into effect, off-campus people who use SSH today to remotely log in to their office workstation will need to start using the Stanford VPN. The VPN makes your remote computer act as if it were actually on the Stanford network.

Some people have a workstation or server that allows connections from specific non-Stanford sites such as vendors or collaborators at other research institutions who do not have access to the Stanford VPN. In that case, we can create a special firewall rule to allow non-Stanford SSH access without the VPN to your computer here. Please send your request to the network administrator. We'll look at your case and perhaps ask a few questions to fully understand your needs. The goal is to craft any exception to be as limited as possible, without interfering with your real needs for connectivity.

Please be aware that typical turnaround time for firewall rule changes is one day from the time we (Earth Sciences IT) submit our request to ITS. Requests that are submitted at the end of the day (5pm) will likely be picked up and worked on the next day. Please plan ahead if you know you will need the access.

If you do not understand what this news item is talking about, chances are you are not using SSH. You can simply ignore this page. The change will be transparent to you and will benefit your computer and the network in general.

You can see all the current firewall rules for the Earth Sciences network on this web page:

https://pangea.stanford.edu/computing/resources/network/security/safeguards/firewall.php

If you have any questions regarding this message, please send them to the network administrator.

Kevin Tai
SES Network Administrator
