next up previous
Next: Acknowledgements Up: Designing an Academic Previous: Multicast traffic

Conclusion

The SURF design meets the needs of research environments. The firewall has three basic elements:

Request-Response Policy:
Incoming packets are dropped unless they can be directly linked to a request originating inside the firewall.
Public Image:
Use of expendable hosts and conscious selection and physical separation of public data and private data.
Virtual Enclaves:
Linking isolated, mutually trusting host groups, each protected by their own security perimeter, using an IP tunnel.

As a consequence, the firewall is largely transparent to trusted users and therefore retains the sense of "openness" critical in a research environment. This transparency and perceived openness actually increase security by eliminating the temptation for users to bypass our security mechanisms.

Our implementation experience demonstrates that a research firewall can be constructed with low costs in acquisition and maintenance. Because our implementation required no modifications to any operating system kernel, it can be used to protect a heterogeneous set of machine architectures. Indeed, our research environment includes workstations from at least seven vendors. Furthermore, our use of general-purpose software and hardware components allows individual groups to easily customize the set of exported network services and accepted connections.

In deploying our firewall, we have reduced our research group's outside dependencies. We have functioned virtually unaffected even during failures of the campus nameservers and routers and during occasional broadcast packet "storms" caused by misconfigured hosts on the campus networks. For example, by servicing DNS requests from their caches, our internal nameservers can still function during network outages; internal electronic mail delivery is oblivious to the outside network's existence. We feel that the fault-tolerance granted by this autonomy is truly valuable.

However, our experience has also revealed that many existing application protocols are not designed to operate within a secure network environment. We have outlined how protocols might be modified to better fit within a request-response paradigm and therefore obviate the need for application-level proxies on bastion hosts. Ideally, the request-response policy could be enforced entirely by the packet filter, with bastions used only to implement the virtual enclave. This protocol redesign is an area of ongoing research.

We observe that implementation of a security policy shares many of the same issues faced in mobile computing environments. In both cases, one seeks to support the autonomy of several "enclaves" while still supporting communication between those disconnected machines. Moreover, office environments are seeing increased use of wireless LANs, so security policies must adapt to protect such environments. We are exploring how secure IP tunneling might be replaced with the encrypted IP used in mobile environments, and we are also exploring how a wireless computing environment would affect security policy.

Rather than using statically-set filter rules, we are considering a security perimeter in which internal hosts dynamically program the filter to control which packets are admitted. Dynamic filtering would allow implementation of an exact request-response filtering policy. It introduces the cost and complexity of a protocol allowing applications to add and remove filter "rules" (i.e. UDP source/destination address/port four-tuples), and timely removal of stale rules left by applications and hosts that crash. Dynamic filtering obviates the need to modify existing protocols, but it requires substantial changes to all application implementations. We intend to investigate whether this is an effective tradeoff, particularly for connection-oriented networks.
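As an added illustration (not code from the SURF implementation or the paper), the following Python model ties the request-response policy of the first element to the dynamic filtering sketched above: outbound datagrams, or an explicit request from an internal host, program a four-tuple rule, inbound datagrams are admitted only if they reverse a live rule, and every rule carries an expiry so that rules left behind by crashed hosts are removed. The packet fields, the `add_rule`/`remove_rule` interface, the TTL value and the injectable clock are assumptions for the example.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True when the datagram arrives from outside the perimeter


class RequestResponseFilter:
    """Perimeter filter keyed on (internal addr, internal port, external addr, external port)."""

    def __init__(self, rule_ttl: float = 30.0, clock=time.monotonic):
        self.rule_ttl = rule_ttl  # assumed lifetime for a programmed rule
        self.clock = clock        # injectable for testing; wall clock in practice
        self._rules = {}          # four-tuple -> expiry time

    def _expire(self):
        # Timely removal of stale rules: a host that crashed never sends remove_rule.
        now = self.clock()
        self._rules = {k: exp for k, exp in self._rules.items() if exp > now}

    def add_rule(self, internal, iport, external, eport):
        # Dynamic programming interface an internal host would call before a request.
        self._rules[(internal, iport, external, eport)] = self.clock() + self.rule_ttl

    def remove_rule(self, internal, iport, external, eport):
        self._rules.pop((internal, iport, external, eport), None)

    def live_rules(self):
        self._expire()
        return set(self._rules)

    def process(self, pkt: Packet) -> bool:
        """Return True if the datagram is forwarded, False if it is dropped."""
        self._expire()
        if not pkt.inbound:
            # An outgoing request implicitly programs the rule admitting its response.
            self.add_rule(pkt.src, pkt.sport, pkt.dst, pkt.dport)
            return True
        # Incoming: forwarded only if it answers a request that originated inside.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._rules
```

The constructed addresses in any usage are documentation ranges; a real deployment would key rules on the perimeter's own address assignments.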

In designing the SURF firewall, we have identified that network security for research institutions is a problem in its own right and that traditional corporate firewalls impose excessive restrictions. Research firewalls represent a difficult three-way tradeoff between perceived security risks, user desires for an open research environment, and implementation difficulty. While corporations also face this tradeoff, security usually overshadows all other concerns. Such choices are simply not as clear-cut within research institutions.






Sandeep Singhal
Thu Nov 30 01:58:58 PST 1995