In addressing challenges to the security of its networked information resources posed by connection to the Internet, Lawrence University has elected to install a network firewall. Threats to networked information resources have become more pronounced, and it is estimated that as many as 67 percent of networked computers are infected with one form of a virus or another in a given year. In addition to virus threats, cracking, unauthorized copying, and intentional sabotage are serious concerns.
While several approaches to protecting the campus network from threats arising on the Internet are possible, a firewall was deemed to be the only sensible choice because it permits the central deployment and enforcement of Internet security provisions. Any other approach requires that security measures be deployed on every computer system connected to the campus network, thereby driving up costs for specialized software, management overhead, and vigilant monitoring.
UNDERLYING PREMISES
Installing a firewall on the campus network to isolate that network and participating servers from the public Internet is a significant step. While robust provisions for the security of the college's assets flow almost automatically from the firewall, particular care must be taken within the confines of the firewall to facilitate the publication and exchange of works of art and scholarship, along with the inquiries, investigations, and conversations leading to and supporting those activities.
In adopting this security arrangement, Lawrence University affirms its commitment to maintaining a balance between security of access and support for the academic endeavors of the college, and to accommodating flexibly and responsively those Internet communication projects that express, support, or advance the college's mission.
FIREWALL PROVISIONS
Any Internet security arrangement must be framed in terms of the network services that Lawrence provides to on-campus users and to the public via the Internet. It also must address what services will be provided to Lawrentians who are off-campus and what special means, if any, are required to enable remote access to these services. A firewall will create three networks from our single, unified network:
The internal, protected network consists of server systems, desktop computers, and the personally-owned computers of students.
The public, protected network contains a small, select number of server systems for delivering information and services to the public. There are no user accounts on any of these systems.
The untrusted network will be our connection to the Internet.
Each of the network services below will be discussed in two contexts: 1) a general stance, and 2) an implementation approach. The latter is primarily directed to systems and network administration personnel and is slightly technical in nature, but it is included for those interested in such details.
E-mail
General Stance
The flow of e-mail to and from the Lawrence campus will remain unrestricted. E-mail will pass through the firewall, however, to eventually allow virus scanning at a single entry point. Virus scanning is currently a distributed process delegated to individual desktop systems, many of which may not have such software (e.g., student-owned personal computers). None of this represents a change in current practice, other than for a very small group of people who log in to an e-mail host using terminal emulation to read e-mail. In the future, they will use either a graphical e-mail client or a terminal-based, network-aware e-mail client. Off-campus access by Lawrentians to their e-mail will remain open, apart from this small restriction.
Implementation Approach
Client access to e-mail stored at Lawrence will be provided by IMAP4 clients such as Microsoft Outlook and Netscape Communicator connecting through a proxy on the firewall. It should be noted that all e-mail services will migrate to an IMAP-only service to improve the general performance of our e-mail service, thus eliminating the possibility of an interactive login to read e-mail.
The use of client plug-ins (e.g., SASL) that support secure access is strongly recommended. These prevent the passing of authentication information and e-mail contents as clear text over the Internet. Computer Services will offer user education to those members of the community who, by the nature of their correspondence, have special security concerns when communicating via e-mail.
World Wide Web
General Stance
Access to the World Wide Web from Lawrence will remain unrestricted. The nature of the Web services Lawrence offers to the Internet will change, however. Only Web services in the public, protected network will be accessible from the Internet. Web services from departmental computing facilities and personal computers, whether university-owned or personally-owned, will only be accessible from on campus. We conducted a survey of all faculty and students currently using such services, and found that this type of accessibility was not of concern to them. We will make broader services available to faculty, staff, and students on central servers to allow them adequate means to publish material to the public Web server, thereby making it available to the Internet at large. Individuals desiring the ability to create and maintain pages on Lawrence Web servers from the public Internet will require the use of VPN software (discussed under a separate heading), which Lawrence will provide to them at no cost.
Implementation Approach
All Web traffic will pass through a transparent proxy on the firewall. In this context, transparent means that the end-user does not need to re-configure any client software (e.g., a Web browser) to use the proxy. Requests for remote Web pages originating on the campus network are intercepted and fulfilled on behalf of the user by the proxy on the firewall, and the returned data is then passed back to the requestor.
Access from the Internet to Lawrence-created pages will be routed to a separate HTTP server set up to handle requests from external sources. The contents of this server will be replicated from an internal source server, which will also contain pages visible from on-campus only. This approach allows distribution of internal policies and procedures, committee meeting minutes, etc., which should not be viewed by the general populace.
Those who desire to maintain Web pages from outside the campus network will require VPN software, which will make them appear as campus users and allow them to participate in the internal, protected network on which Web documents are developed.
FTP
General Stance
FTP access from Lawrence to the Internet will be unrestricted. FTP services for Internet users to Lawrence will be centralized on a single server located on the public, protected network. No FTP services from our internal network will be available to the public. Currently, some individuals use FTP to connect to the VMS server(s), but that service is seldom used. In most cases, files can be sent as e-mail attachments to campus.
Implementation Approach
Outbound FTP traffic will pass through a transparent proxy. Inbound FTP traffic to the public, protected network will pass through packet filter rules. Access to internal FTP services will only be possible using VPN software.
Telnet
General Stance
Outbound Telnet from Lawrence to the Internet will be unrestricted, but there will be no inbound Telnet service except by using VPN software. Previously, we enabled inbound Telnet access to a limited number of individuals for academic or administrative purposes. In most of these cases, this type of access is used to read e-mail, access to which is now being addressed differently. As more services move to network-based solutions where a specific type of client software is used to access information, the need for Telnet access will all but disappear.
Implementation Approach
Telnet traffic will pass through a transparent proxy. Users coming from the Internet will not have access to any Lawrence computer. None of the computer systems in the public, protected network will provide a Telnet service. Ultimately, this means that these computers do not need user accounts, an important security benefit. Interactive access to accounts on other computers at Lawrence from the Internet will only be possible using VPN software.
RealAudio(TM)
Access from the campus to RealAudio(TM) sources on the Internet will not be restricted, but will pass through a proxy service. This will require clients to point their RealPlayer(TM) software to that proxy in order to access those resources. That is, unlike the HTTP, Telnet, and FTP services, the RealAudio(TM) proxy will not function transparently. Since this software is not currently in our standard desktop setup, Computer Services will provide the proper directions and assist users in modifying the setup for proper functioning. Access to sound and video clips on Lawrence servers from the Internet will be facilitated through a filter service to the public. Access to internal resources from the Internet will require the use of VPN software for Lawrentians at remote locations.
SQL*Net(TM)
A proxy on the firewall will provide access to outside databases using client software from Oracle. Internet users will have limited access to internal database applications. Such services will be provided by a proxy from the public, protected network, where the users (e.g., prospective students, alumni) will interact with a Web-based front-end application. Uninhibited access from the outside to internal database resources will only be provided by VPN software.
Usenet News
On-campus users will have unrestricted access to newsgroups located on the WiscNet news server. A proxy on the firewall will provide this access. Computer Services will provide the proper setup for client software in the standard setups used for the deployment of university-owned desktop systems. Lawrence may also provide internal-only newsgroups; there will be no outside access to these other than by VPN software.
Other Services
As the need arises to support other network services that have the potential to advance the college in the conduct of its mission and the achievement of its purposes, the appropriate proxy will be provided on the firewall.
VPN SOFTWARE
Virtual private network (VPN) software enables secure access to resources and services over an unsecured communications channel such as the Internet. VPN uses either public- or private-key encryption. Deploying VPN technology at Lawrence will typically involve commercial software. We will, however, consider freely available software for cases involving individuals not in the employ of the college. In order to ensure access into the campus network via the Internet for members of the Lawrence community, VPN software for commonly used desktop computing platforms will be distributed on request and without cost by the computer services department; the software will be actively supported by the computer services help desk. Maintaining VPN access will be a first-priority criterion as changes to the campus network configuration are planned.
SUMMARY
The following table provides an overview of all types of access to be provided via the firewall. Access from the Internet to Lawrence is divided into two categories: access to internal resources (which is normally restricted) and access to public resources (i.e., those intended for use by the public). Remote access in this context refers to valid Lawrence users who desire some form of access to resources at Lawrence while they are not physically on campus. This category predominantly covers faculty and staff members who temporarily or permanently work somewhere else and, to a lesser degree, students in off-campus programs or on leave of absence. The London Study Center had received little consideration with respect to remote access before discussions of a firewall began, and although access will remain as at present after the installation of a firewall, the needs of the center in this regard merit further analysis and action.
Service | Lawrence-to-Internet | Internet-to-Lawrence (internal resources) | Internet-to-Lawrence (public resources) | Remote Access |
SMTP (E-mail) | Proxy (1) | Proxy | None (2) | VPN only |
IMAP4 (Client e-mail) | Proxy | Proxy | None | VPN or proxy |
Web | Proxy (transparent) (3) | None | Filtered (4) | VPN only |
FTP | Proxy (transparent) | None | Filtered | VPN only |
Telnet | Proxy (transparent) | None | None | VPN only |
RealAudio | Proxy | None | Filtered | VPN only |
SQL*net | Proxy | Proxy | Filtered | VPN or proxy |
Usenet News | Proxy | None | None | VPN only |
None implies that there is no need for such a service, or that providing one introduces unacceptable risk.
A transparent proxy does not require any re-configuration by the client, which is not aware of the presence of the proxy.
Filtered services are provided in accordance with established rules, but the client interacts directly with the service, whereas a proxy interacts on behalf of the client with the service, thus having the opportunity to examine the request for validity and avoid known security weaknesses in the protocol of the service.
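As an added illustration of the three-zone arrangement summarized in the table (this is not part of the original document and not Lawrence's actual firewall configuration), the following nftables ruleset encodes the same policy: transparent proxies for Web, FTP and Telnet from the internal network, explicitly configured proxies for RealAudio, SQL*Net and Usenet News, packet-filtered access from the Internet to the public servers only, and VPN as the sole path into the internal network. The interface names, the public-server address range (192.0.2.0/24, RFC 5737 documentation space), the proxy listening ports and the choice of IPsec as the VPN transport are all assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not Lawrence University's configuration. Interface names,
# addresses, proxy ports and the VPN transport are assumed.
flush ruleset

define TRUSTED    = "eth_trusted"    # internal, protected network (clients and servers)
define PUBLIC     = "eth_public"     # public, protected network (servers, no user accounts)
define UNTRUSTED  = "eth_untrusted"  # the Internet
define VPN        = "vpn0"           # decapsulated tunnel traffic from remote Lawrentians
define PUBLIC_NET = 192.0.2.0/24     # assumed address range of the public servers

table inet campus_fw {
    # Transparent proxies: campus Web, FTP and Telnet sessions are redirected
    # to proxy daemons on the firewall itself, so clients need no reconfiguration.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $TRUSTED tcp dport 80 redirect to :3128
        iifname $TRUSTED tcp dport 21 redirect to :2121
        iifname $TRUSTED tcp dport 23 redirect to :2323
    }

    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # Campus and VPN users reach the transparent proxies (redirected above)
        # and the non-transparent ones they point at explicitly:
        # RealAudio (7070), SQL*Net (1521) and NNTP (119); ports assumed.
        iifname { $TRUSTED, $VPN } tcp dport { 3128, 2121, 2323, 7070, 1521, 119 } accept

        # SMTP relays through the firewall in both directions so that mail can
        # later be scanned at a single entry point.
        iifname { $TRUSTED, $UNTRUSTED } tcp dport 25 accept

        # Off-campus IMAP4 clients and the public Web front end for SQL*Net
        # talk to proxies here; the proxies open the onward connection themselves.
        iifname $UNTRUSTED tcp dport 143 accept
        iifname $PUBLIC tcp dport 1521 accept

        # VPN endpoint for remote Lawrentians (IPsec assumed).
        iifname $UNTRUSTED udp dport { 500, 4500 } accept
        iifname $UNTRUSTED meta l4proto esp accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop

        # "Filtered" services: Internet clients talk directly to the public
        # servers, but only on the listed ports (packet filter rules).
        iifname $UNTRUSTED oifname $PUBLIC ip daddr $PUBLIC_NET tcp dport { 80, 21, 7070 } ct state new accept

        # The internal network is never reachable from the Internet or from the
        # public servers; only VPN traffic is forwarded in.
        iifname { $UNTRUSTED, $PUBLIC } oifname $TRUSTED drop
        iifname $VPN oifname $TRUSTED accept

        # Replication of the public Web server from its internal source runs
        # outward only (transport assumed: SSH).
        iifname $TRUSTED oifname $PUBLIC tcp dport 22 ct state new accept

        # Everything else, including direct campus-to-Internet traffic that no
        # proxy handles, falls to the chain's drop policy.
    }
}
```

The drop policies on the input and forward chains are what make every "None" cell in the table hold by default; only the listed exceptions are opened. The redirect rules are the "transparent" column, and the single accept line from the untrusted to the public interface is the "Filtered" column. Two practical caveats: active and passive FTP open data connections on dynamically chosen ports, so a filtered FTP server needs either the conntrack FTP helper or a fixed passive port range that the rule then lists; and a packet filter only sees ports and addresses, whereas the proxies, as the last note above says, can inspect each request for validity before forwarding it.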