Traditional corporate firewalls assume that most users are physically co-located inside the corporate firewall. The few users who are travelling on business or working from home may be authorized to gain access through the corporate firewall. Such access typically involves a modem call to a private, corporate point-of-presence, or ``smart card'' shared-secret authentication, or (in some cases) both. Corporate travellers do desire to access their secure machine from an insecure terminal and network connection, such as from facilities provided at a conference, but such access is typically not permitted.
This assumption of physical co-location or secure network access is not viable in research environments. Most users do considerable work at home or while traveling. Furthermore, mobile hosts, particularly laptops running Linux, are becoming commonplace among researchers. In addition, collaborative research often requires that certain individuals from other organizations be granted access to resources that we do not wish to make available to the general public. In each case, the remote user is potentially approaching the firewall through an insecure network. Within an academic research group, ``smart cards'' or dedicated dial-in points-of-presence are too costly to acquire and administer, and they do not fully address our need to support access from insecure hosts connected to the Internet.
Moreover, the SURF architecture defines security perimeters at a much finer granularity than is usual: at the level of an academic research group or department rather than a single corporate entity. This finer granularity means that extending a firewall to permanently encompass sites outside a single building or a single LAN segment is more important. Together, these multiple sites constitute a virtual security enclave, and the enclave must have a firewall at every point of connection to an insecure network.
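The enclave requirement stated above (a firewall at every point of connection to an insecure network) can be checked mechanically over a site topology. The following is an added example, not code from the SURF paper or its authors: it models sites and networks as nodes, links as edges flagged firewalled or not, and searches outward from the insecure networks along unguarded links; any enclave site reached is exposed, including sites reached transitively through a private inter-site line. The topology, site names and network names are constructed for illustration.

```python
"""Verify the virtual-enclave invariant: no path from an insecure network
reaches an enclave site without crossing a firewall.
Added example (not from the SURF paper); topology below is constructed."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    a: str            # one endpoint (site or network name)
    b: str            # the other endpoint
    firewalled: bool  # True if a firewall guards this link


def exposed_sites(enclave_sites, insecure_networks, links):
    """Return the enclave sites reachable from any insecure network by
    traversing only links that have no firewall (sorted for determinism)."""
    adjacency = {}
    for link in links:
        if link.firewalled:
            continue  # a firewalled link blocks traversal
        adjacency.setdefault(link.a, set()).add(link.b)
        adjacency.setdefault(link.b, set()).add(link.a)

    seen = set(insecure_networks)
    queue = deque(insecure_networks)
    while queue:  # breadth-first search over unguarded links
        node = queue.popleft()
        for neighbour in adjacency.get(node, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return sorted(site for site in enclave_sites if site in seen)


# Constructed topology: three enclave sites, two insecure networks, and a
# partner network that is neither trusted nor part of the enclave.
ENCLAVE = {"lab-main", "lab-annex", "home-office"}
INSECURE = {"internet", "conference-lan"}

BROKEN_TOPOLOGY = [
    Link("lab-main", "internet", firewalled=True),
    Link("lab-annex", "internet", firewalled=True),
    Link("lab-main", "lab-annex", firewalled=False),    # private leased line
    Link("home-office", "internet", firewalled=False),  # missing firewall
    Link("partner-net", "internet", firewalled=False),
    Link("lab-annex", "partner-net", firewalled=False), # unguarded partner link
]

# Same enclave with a firewall on every connection to an insecure or
# untrusted network.
FIXED_TOPOLOGY = [
    Link("lab-main", "internet", firewalled=True),
    Link("lab-annex", "internet", firewalled=True),
    Link("lab-main", "lab-annex", firewalled=False),
    Link("home-office", "internet", firewalled=True),
    Link("partner-net", "internet", firewalled=False),
    Link("lab-annex", "partner-net", firewalled=True),
]


if __name__ == "__main__":
    print("exposed (broken):", exposed_sites(ENCLAVE, INSECURE, BROKEN_TOPOLOGY))
    print("exposed (fixed): ", exposed_sites(ENCLAVE, INSECURE, FIXED_TOPOLOGY))
```

In the broken topology the annex's unguarded link to the partner network lets the search reach `lab-annex` and, over the private leased line, `lab-main` as well, so one missing firewall at one site exposes the whole enclave; the fixed topology reports no exposed sites.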
The remote user, once authenticated to a trusted host, should have access to protected resources as if she were physically located behind the firewall---or as much as practicable. However, the security mechanisms must ensure that granting this remote access does not compromise either the user's own, or anyone else's, data security.
Our firewall provides two methods of non-local access with different levels of functionality. The first access method provides authenticated, secure IP access by means of an IP tunnel. This tunnel allows the remote user to freely send IP packets without restriction through the firewall. The second access method provides authenticated remote login. It is intended for use by users who are travelling or who work off-site but cannot set up a secure IP channel.
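The asymmetry between the two access methods (unrestricted IP forwarding for an authenticated tunnel endpoint, versus a single login service for everyone else) can be expressed as a small stateful policy. The following is an added example, not the SURF firewall's code: the tunnel table, the packet fields, the `login-gw` service name and the addresses are all constructed for illustration, and the `via_tunnel` flag plus a lookup in the tunnel table stand in for the cryptographic check a real tunnel would perform on each encapsulated packet.

```python
"""Policy model of the two non-local access methods: an authenticated IP
tunnel (arbitrary IP traffic forwarded) and an authenticated remote-login
service (the only thing reachable without a tunnel).
Added example, not the paper's code; all names and addresses are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str          # remote host address (constructed documentation addresses)
    dst: str          # destination host inside the enclave
    proto: str        # "tcp" or "udp"
    dport: int
    via_tunnel: bool  # True if the packet arrived encapsulated on the tunnel


# Hypothetical remote-login gateway (dst, proto, port); it authenticates users
# itself, so the firewall only has to admit packets to this one service.
LOGIN_GATEWAY = ("login-gw", "tcp", 22)


class EnclaveFirewall:
    def __init__(self):
        # src address -> authenticated user; a tunnel exists only after
        # the remote user has authenticated successfully.
        self.tunnels = {}

    def open_tunnel(self, src, user, credential_ok):
        """Establish a tunnel for `src` if authentication succeeded."""
        if not credential_ok:
            return False
        self.tunnels[src] = user
        return True

    def close_tunnel(self, src):
        """Tear down the tunnel; packets from `src` revert to the default policy."""
        self.tunnels.pop(src, None)

    def decide(self, pkt):
        """Return "forward" or "drop" for one inbound packet from the insecure side."""
        if pkt.via_tunnel:
            # Tunnel traffic passes without port restrictions, but only from an
            # endpoint that completed authentication; anything else is dropped.
            return "forward" if pkt.src in self.tunnels else "drop"
        # Plain (non-tunnel) traffic may reach only the remote-login gateway.
        if (pkt.dst, pkt.proto, pkt.dport) == LOGIN_GATEWAY:
            return "forward"
        return "drop"


if __name__ == "__main__":
    fw = EnclaveFirewall()
    fw.open_tunnel("203.0.113.7", "alice", credential_ok=True)
    for pkt in [
        Packet("203.0.113.7", "fileserver", "tcp", 2049, via_tunnel=True),
        Packet("198.51.100.9", "fileserver", "tcp", 2049, via_tunnel=True),
        Packet("198.51.100.9", "fileserver", "tcp", 2049, via_tunnel=False),
        Packet("198.51.100.9", "login-gw", "tcp", 22, via_tunnel=False),
    ]:
        print(pkt.src, "->", pkt.dst, pkt.dport, "tunnel" if pkt.via_tunnel else "plain", fw.decide(pkt))
```

The model makes the trade-off in the preceding paragraph explicit: once a tunnel is open, the policy no longer inspects destination or port, so the enclave's exposure is bounded only by the security of the remote endpoint, which is why a travelling user on an untrusted terminal is steered toward the login service rather than a tunnel.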