by teamonkey on Fri Mar 21, 2003 4:14 pm
Julian Crowe has just sent me an email regarding IT Services' firewall policy following a meeting of their security working party.
---
ResNet firewall policy
The first thing to understand is that the University is not a company
offering a commercial service to students, but a community whose members
are working towards a set of shared goals. Any policy that ITS might adopt
must be measured against a number of criteria:
* will it work?
* can we afford it?
* do we have time to implement it?
* is it fair to all members of the University community?
All these things have to be considered not in isolation, but in relation to
each other and to the University's essential functions of teaching and
research.
The University communications and IT infrastructure serves several
different parts of the community: the administration, teaching, research
and support staff, open access computer rooms for teaching and general student use, and ResNet. It is fair to say that because IT Services
doesn't operate in an environment where it can charge a commercial rate for
all of its activities it has to prioritise and ResNet cannot be regarded as
the first priority.
This unavoidable fact is reflected in a number of ways: the lack of
seven-day cover (which applies to all our services, not just ResNet), the
response time to individual faults (which is probably slower for ResNet
than for other parts of the service), and the restrictions imposed by the
firewall.
Within the ResNet service, we have to set priorities. Given that it cannot
be a comprehensive, commercial quality service, what should we try to offer
as a basic level of service? Clearly networked computers are now an
essential tool for students and our first priority within ResNet is to
provide the services required for learning, and for taking part in
University life: e-mail and internet access. We also recognise that many students use Instant Messaging to keep in touch with friends and family,
and so it is accepted that that should be supported on ResNet. (This needs
some qualification: different instant messaging services use different
ports, and we cannot undertake to cater for every instant messaging service
there is, only for the commonest ones.) We have discovered, as time goes
on, that a number of other networked services are used by students as part
of their educational experience. So e-mail and internet access form the
well-defined core service offered on ResNet, and at the edges there are a
range of other things which we are prepared to support up to a point and so
far as we are able. There are also other services which we are simply not
prepared to support, and these include things like Kazaa and games-playing
of any sort.
Among the considerations when we are asked to open up ports for a
particular purpose is that of even-handedness. If we accede to a
particular request the effort and security implications might be minimal,
but we might be committing ourselves to making similar concessions to many others whose claim to be a special case is as good.
The main control that we impose on ResNet is through the
firewall. Permitting a service will usually require us to "open up" a port
or range of ports on the firewall. Every port which we open will to some
extent reduce the level of security. All computer security is a matter of
compromise; to permit any activity, we have to open up some ports. When
asked to open up a given port or range of ports we have to balance the
advantage against the diminished security. Many services require the
opening up of a wide range of ports, and that is equivalent to making a
large breach in the firewall.
The issue of security is not the only point to consider. Network
administration is a complex and time-consuming job. We have to take what
steps we can to simplify the task of maintaining ResNet. The network is
not static; any component might require upgrading or patching at some time
during the year. Every modification to the firewall implies a complication of this maintenance task, so when we say we cannot afford the time to make
modifications we are not referring only to a one-off investment of
time. Every increase in the complexity of the network builds up extra work
for the future. We believe that what staff resources we can spare for
ResNet should go towards improving the reliability of the basic service,
rather than extending the range of facilities that are supported.
We should add that connection to ResNet is not a right. The University
provides facilities for e-mail and access to teaching material in 24-hour
computer classrooms, so a ResNet connection cannot in most cases be
regarded as essential for academic purposes. ITS will disconnect users
from ResNet in cases of serious misuse of the computer network. The fact
that an activity is not prevented by the firewall does not entail that it
is permitted by University rules. Transmission of abusive, offensive or
menacing messages by e-mail or Instant Messaging Services is regarded as a
serious breach of the rules. Peer to peer file sharing is not only
unadvisable from the point of view of your own computer's security, it is also a highly inefficient use of the network, and is not permitted.
Similarly, activities such as downloading pornography or copyright
protected material, though physically possible through the firewall, are
strictly forbidden. Finally, all ResNet users are reminded that they must
keep their PCs protected against viruses, by installing anti-virus software
and keeping its virus database up-to-date. If it is found that a networked
computer is infected with a virus that could infect others it will be
disconnected until it has been disinfected.