Next: Request-Response Policy Up: Designing an Academic Previous: Introduction

The SURF Security Policy


A firewall implements a particular security policy that trades off the need to support collaborative work by maintaining open Internet connectivity against the need to provide security by restricting this connectivity. The security policy is affected by how much trust is given to internal users and is limited by implementation considerations. After all, there is little point in adopting a security policy that is impractical to implement.

Our firewall policy attempts to balance the collaboration and security concerns better than in traditional corporate firewalls. To achieve this goal, we trust our users to understand the importance of security and not intentionally attempt to bypass the mechanisms in place. This trust is comparable to allowing an individual to participate in a research group, attend meetings, and have a computer account. By making the firewall policy as unobtrusive to users as possible, we also increase this trust by eliminating the temptation to bypass the security mechanisms.

Our security policy can be stated in three simple rules, summarized in Figure 2:

Figure 2: SURF Design with a Request-Response Security Policy, Expendable Hosts, and Bastion Hosts Supporting Remote Access for Trusted Users

  1. All outbound packets are allowed to travel outside, and inbound packets are allowed inside the firewall only if they can be determined to be responses to outbound requests.
  2. Packets to or from outside-the-firewall "expendable hosts" are unrestricted (aside from normal operating system and application-level access controls) because they are outside the security perimeter.
  3. Packets known to be from authenticated hosts or users outside the firewall are allowed inside the firewall.

The rationale for this policy is straightforward. Rule 1 follows from our recognition that open network access is a necessary component of a research environment. The rule relies on the assumption that we trust our users to understand and adhere to the research group's security goals. The Request-Response security policy states that an outgoing request implicitly grants permission to admit its response into our secure network. Rule 2 addresses our need to support information dissemination (FTP, WWW, etc.) in a research environment. We simply accept that these expendable hosts may be compromised and choose to automatically recover their state on a regular basis from information kept securely behind the firewall. Compromises to expendable hosts therefore do not affect the security of the private network. Rule 3 grants access to protected resources to users as they work from home or while travelling, as well as to collaborators located outside the research group. We rely on secure IP tunnels and carefully selected authentication mechanisms to implement this virtual enclave environment.
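As an added illustration that is not part of the paper, the following Python sketch applies the three rules above to a constructed packet trace, keeping the per-flow state that the Request-Response rule needs. The addresses, the set of authenticated remote hosts, and the decision to treat packets from an expendable host into the private network under rule 1 (consistent with the statement that a compromised expendable host cannot affect the private network) are assumptions of this example.

```python
from dataclasses import dataclass

# Constructed, hypothetical addresses for this example (RFC 5737 documentation ranges).
INSIDE_PREFIX = "10.0.0."        # the protected private network behind the firewall
AUTHENTICATED = {"198.51.100.7"} # rule 3: remote host admitted via an authenticated tunnel

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)

class RequestResponseFilter:
    def __init__(self) -> None:
        # Rule 1 state: (inside addr, port, outside addr, port) of every outbound packet.
        self.outstanding: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> bool:
        src_in, dst_in = is_inside(pkt.src), is_inside(pkt.dst)
        if not src_in and not dst_in:
            # Rule 2: Internet <-> expendable host traffic never crosses the perimeter.
            return True
        if src_in:
            # Rule 1, outbound half: always allowed, and the reply is now expected.
            self.outstanding.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.src in AUTHENTICATED:
            # Rule 3: an authenticated outside host may reach protected resources.
            return True
        # Rule 1, inbound half: admitted only as the response to a recorded request;
        # a compromised expendable host is just another outside host here.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.outstanding

def simulate() -> list[bool]:
    """Run a constructed trace through a fresh filter; one verdict per packet."""
    fw = RequestResponseFilter()
    trace = [
        Packet("10.0.0.5", 40000, "203.0.113.9", 80),   # outbound web request
        Packet("203.0.113.9", 80, "10.0.0.5", 40000),   # its response
        Packet("203.0.113.9", 80, "10.0.0.5", 40001),   # unsolicited inbound packet
        Packet("203.0.113.9", 25, "192.0.2.10", 25),    # Internet to expendable host
        Packet("192.0.2.10", 5555, "10.0.0.5", 22),     # expendable host into the inside
        Packet("198.51.100.7", 3000, "10.0.0.5", 22),   # authenticated remote user
    ]
    return [fw.decide(p) for p in trace]
```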

This security policy addresses the needs of academic environments---and indeed the needs of many corporate environments. The next three sections describe how we implemented these security rules within our research environment.


Sandeep Singhal
Thu Nov 30 01:58:58 PST 1995