Growth of the Internet has increased awareness of the need for security to prevent destruction of data by an intruder, maintain the privacy of local information, and prevent unauthorized use of computing resources. Indeed, analysts estimate that 50% of large corporations have seen a computer break-in over the past year. Corporations are concerned with preventing unauthorized leakage of corporate intellectual property.
To achieve these goals, most corporate environments have deployed firewalls to block (or heavily restrict) access to internal data and computing resources from untrusted hosts and limit access to untrusted hosts from inside. A typical corporate firewall is a strong security perimeter around the employees who collaborate within the corporation, as shown in Figure 1a.
Figure 1: Nature of Trusted Users, Untrusted Users, and Collaboration in (a) Corporate Environments and (b) Academic Environments
The network security perimeter surrounds the corporate network and occasionally includes machines at employee homes. Everything else is excluded. The security perimeter carefully controls the transfer of information and, in many instances, forbids all outward information flow. Although many corporations desire more open access to the Internet, they limit Internet access and sacrifice such services as personal World-Wide-Web pages to achieve corporate security. Even recent firewall designs which attempt to relax some of these limitations only support specific interactions between sites located within a single authentication domain or private network.
Academic institutions also face concerns about the security of computing resources and information. Academic research groups often need to maintain the privacy of research grant proposals, patent applications, ideas for future research, or results of research in progress. Administrative organizations need to prevent leakage of student grades, personal contact information, and faculty and staff personnel records. Moreover, the cost of security compromises is high. A research group could lose its competitive edge, and administrative organizations could face legal proceedings for unauthorized information release. Furthermore, academic institutions are visible targets for hackers and intruders. Indeed, a large percentage of ``crackers'' are physically located within academic environments, and they are highly motivated to access and modify grades and other information. Network break-ins---and subsequent time lost recovering from break-ins and deletion of data---have become a fact of day-to-day life at educational institutions [5,7].
In a corporate environment, the natural place to draw a security perimeter is around the corporation itself. However, in an academic environment, as depicted in Figure 1b, it is nearly impossible to draw a perimeter surrounding all of the people with whom we need to interact closely---and only those people. If the firewall is too big, it includes untrusted people, as shown by the dashed box. For instance, a corporate firewall erected around the entire University would contain many of the untrusted students and malicious hackers that the firewall should keep outside the perimeter. Moreover, universities offer almost no physical security. On the other hand, if the firewall is too small, then it will exclude some of the people with whom we must share data, as shown by the dotted box. A corporate firewall erected around a research group would exclude collaborators located in other departments or even at other universities. This tradeoff between safety and collaboration is unacceptable. Consequently, the traditional corporate firewall is ill-suited for academic environments.
While corporations tolerate limited Internet connectivity in the name of security, research organizations simply cannot function under such limitations. First, trusted users need unrestricted and transparent access to Internet resources (including World-Wide-Web, FTP, Gopher, electronic mail, etc.) located outside the firewall. Researchers rely on fingertip access to on-line library catalogs and bibliographies, preprints of papers, and other network resources supporting collaborative work. Second, trusted users need the unrestricted ability to publish and disseminate information to people outside the firewall via anonymous FTP, World-Wide-Web, etc. This dissemination of research results, papers, etc. is critical to the research community. Third, the firewall must allow access to protected resources from trusted users located outside the firewall. An increasing number of users work at home or while traveling. Research collaborators may also need to enter the firewall from remote hosts. Besides these factors, the usual considerations of cost, ease-of-management in a heterogeneous computing environment, performance, and reliability apply. Budget cuts are precluding academic institutions from allocating money for computer security hardware, software, or personnel; we expect this to be a long-term constraint. The lack of dedicated security staff means, for example, that a firewall might be managed by inexperienced people (i.e. incoming graduate students) with no expertise in custom components.
In this paper, we describe the Stanford University Research Firewall (SURF), a firewall implementation developed by the Distributed Systems Group at Stanford University to achieve the above goals. The next section describes our security policy and its motivation. We then discuss how we implemented the three components of this policy: ``request-response'' packet filtering for information security, ``expendable hosts'' for information dissemination, and a ``virtual enclave'' to support trusted users outside the firewall. We highlight the lessons learned during the firewall development process and then discuss how application protocols can be modified to better support implementation of our security policy. We conclude with an indication of future work.
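The requirements above (unrestricted outbound access for trusted users, public dissemination hosts, and no unsolicited inbound traffic to protected machines) are the combination that ``request-response'' packet filtering plus ``expendable hosts'' is meant to satisfy. The following is an added illustration written for this edited version, not SURF's own code: a toy perimeter filter that admits an inbound packet only when it answers a request previously seen leaving the perimeter, or when it is addressed to a designated expendable host. The internal prefix, the expendable host list, the session timeout and the packet trace are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumptions: the protected network and the public hosts that
# are allowed to receive unsolicited connections (web and FTP on one host).
INTERNAL = ip_network("10.0.0.0/8")
EXPENDABLE = {("10.1.1.10", 80), ("10.1.1.10", 21)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class RequestResponseFilter:
    """Stateful perimeter filter: outbound requests open a session,
    inbound packets pass only if they match an open session (reversed
    5-tuple) or target an expendable host."""

    def __init__(self, timeout=60):
        self.timeout = timeout
        self.sessions = {}  # (src, sport, dst, dport, proto) -> last seen time

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p):
        # The reply to an outbound request swaps source and destination.
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def decide(self, p, now):
        # Expire idle sessions so a stale response cannot re-enter later.
        self.sessions = {k: t for k, t in self.sessions.items()
                         if now - t <= self.timeout}
        src_in = ip_address(p.src) in INTERNAL
        dst_in = ip_address(p.dst) in INTERNAL
        if src_in and not dst_in:
            # Trusted user reaching out: record the request, let it through.
            self.sessions[self._key(p)] = now
            return "ALLOW"
        if dst_in and not src_in:
            rev = self._reverse(p)
            if rev in self.sessions:
                self.sessions[rev] = now  # refresh on activity
                return "ALLOW"
            if (p.dst, p.dport) in EXPENDABLE:
                return "ALLOW"  # public dissemination host
            return "DENY"  # unsolicited inbound to a protected host
        # Traffic that does not cross the perimeter is not forwarded here.
        return "DENY"


def run_trace():
    """Constructed packet trace; returns the filter's decision per packet."""
    f = RequestResponseFilter(timeout=60)
    trace = [
        (0, Packet("10.0.0.5", 40000, "192.0.2.1", 80)),        # outbound web request
        (1, Packet("192.0.2.1", 80, "10.0.0.5", 40000)),        # matching reply
        (2, Packet("198.51.100.9", 5555, "10.0.0.5", 22)),      # unsolicited inbound
        (3, Packet("198.51.100.9", 5555, "10.1.1.10", 80)),     # inbound to public host
        (100, Packet("192.0.2.1", 80, "10.0.0.5", 40000)),      # reply after session expiry
    ]
    return [f.decide(p, t) for t, p in trace]


if __name__ == "__main__":
    for decision in run_trace():
        print(decision)
```

The filter keys sessions on the full 5-tuple, so a reply is admitted only to the exact internal port that issued the request; the timeout bounds how long a recorded request keeps the door open, which is the knob that trades convenience against exposure for long-idle connections.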