School of Earth Sciences network firewall
last revision September 19, 2008
The university has implemented departmental computer network "firewalls". These devices regulate incoming traffic into the department network from the rest of campus and the entire Internet. They do not block outgoing connections made from your computer.

The School of Earth Sciences implemented such a firewall on May 30, 2007 for all wired network jacks in its three buildings: Geology Corner, Mitchell Earth Sciences (except Branner Library), and Green Earth Sciences. Earth Sciences computers connected to wired jacks in the interdisciplinary Yang and Yamazaki Environment and Energy Building (Y2E2) are also subject to these firewall rules. Wireless service and the wired jacks in Branner Library are on separately managed networks that are not controlled by the Earth Sciences firewall. They have their own firewall rules that may be more restrictive.
Network firewalls are a standard part of computer security. They block outside hackers from probing insecure services. They prevent or interfere with self-propagating virus and worm attacks. But this firewall also limits the ways that you can connect into computers, printers, and services on our network from the outside. This page describes the firewall rules and operation so you know which services are accessible from outside our network, and how to access them.
Remember that network firewalls do not prevent hacker attacks that are based on tricking people into clicking on dangerous links in their web browsers. Nor do they help if an infected laptop is brought onto our network and then starts to probe or attack other computers. It is always important to keep your computer up to date with security patches and to practice secure computing, such as not clicking on strange links in emails or opening unexpected attachments.
"Average" computer users

The "average" computer user in Earth Sciences will not notice the network firewall. The firewall does not block any outgoing connections that you start from your computer. You can connect to web servers, mail servers, instant messaging services, and initiate file transfers just like you did before. But probes against your computer from outside our network will be blocked.
Home users or travelers

If you would like to access your Earth Sciences office or lab computer for file sharing or remote login from home or while traveling with a portable computer, you need to install the Stanford Virtual Private Network (VPN) client software on your home or portable computer in order to get through the firewall to your office or lab computer. You can make a HelpSU request to have our CRC desktop consultants install this. Stanford DSL users do not need the VPN.
"Power" users or managers of research workstations and servers

The "power" user or manager of a research workstation or server may find that some services they would like to open to the outside world are blocked by the firewall. The firewall allows incoming connections from outside the Earth Sciences network to major servers on our network, such as sesfs and pangea. Managers of research servers can request access for well-secured services used for academic purposes on their computers, as described in the detailed table below. Inherently insecure services such as plain ftp and plain telnet will never be allowed through the firewall.
Details of firewall rules and operation

The purpose of a firewall is to regulate incoming traffic onto our network, particularly to services that are known to be vulnerable to hacker attacks. A service is simply a way for outsiders to connect to your computer in order to download a file, view the screen, or run a program. Vulnerable services that are often turned on by individual computer users are limited to access from the Stanford network only, or in some cases, to just the Earth Sciences network.

These rules only affect connections that originate outside the Earth Sciences wired network. Any connection that you originate while seated in front of your computer in your Earth Sciences office or lab is not affected.

Wireless services in Earth Sciences are part of a separate ITS managed network. Wireless connections are considered outside the Earth Sciences network. Thus, connections from your laptop running wirelessly to the wired desktop computer in the same office may be affected.

Any service you open on your computer that is connected to the wired Earth Sciences network can still be accessed by any other computer on the wired Earth Sciences network, even if outside connections are blocked.

The following table summarizes the effect of the firewall policies on common services that people may enable on their computers. "Stanford campus network" means the wired network in all academic buildings and residence halls; registered (not guest) computers using the ITS wireless networks; Stanford DSL home computers; and home and remote connections using the Stanford public VPN client.
Service running on your computer | Outside connections allowed from ... | Description and exceptions
--- | --- | ---
Remote desktop | Stanford campus network. | Only these methods for remote desktop logins are allowed: Windows Remote Desktop, Apple Remote Desktop, VNC, Timbuktu, and compatible protocols that use the same TCP ports as one of these (for example, PCAnywhere can be configured to use the same port number as VNC). If you need remote desktop logins from home or while traveling with a portable computer, install and use the Stanford public VPN client.
ssh | The entire Internet. | The ssh service allows remote command-line logins and remote command execution on your Earth Sciences computer. Because the ssh protocol is fully encrypted and requires a local account and password, access is allowed from anywhere. If you enable the ssh server on your computer, make sure all local accounts on that computer have strong passwords!
sftp and scp | The entire Internet. | These file transfer services are part of the ssh protocol.
Web server | No access to personal servers. Entire Internet access to School and research servers. | The School provides the "pangea" web server for use by departments and research groups; it is accessible from the entire Internet. Connections from the Internet will be allowed upon request to properly configured and maintained research group web servers used for academic purposes, and only when the pangea web server is not adequate. Outside access to personal web sharing on your computer is blocked. Improperly configured web servers are commonly penetrated by hackers and used to compromise computers. For personal web sharing, such as your personal photos, use your pangea personal web space, or a free Internet service (such as flickr, shutterfly, picasa, mediamax, or xdrive).
Email server | Entire Internet access to sesmail and SEP mail servers. | Everyone uses email programs on their computers to send and receive email through a server such as the central @stanford.edu servers. That kind of use is not affected by the firewall. Individuals and research groups are not permitted to run their own email servers on the Earth Sciences network. Only connections to the sesmail server (used for system administration purposes) and the SEP group's long-standing email server are allowed to come in through the firewall.
ftp | No access, except entire Internet for anonymous ftp on pangea. | ftp is used to transfer files. It is inherently insecure because it sends passwords and data over the network in clear text. The firewall permits outside ftp connections only to the anonymous ftp service on pangea, which anyone in the School can use to share files with outside colleagues. If you need to serve large files from your own computer (such as a lab computer), enable a secure sftp server instead.
telnet | No access. | telnet is used to make remote command-line logins. It is inherently insecure because it sends passwords and data over the network in clear text. Incoming telnet connections are always blocked. If you need to make remote command-line logins to your computer, use ssh instead of telnet.
Printing | Stanford campus network. | Only the lpd, ipp, or HP JetDirect (port 9100) printer connection protocols are allowed. If you need to send print jobs to an Earth Sciences printer from home or while traveling with a portable computer, install and use the Stanford public VPN client.
Sesfs file shares | Stanford campus network. | The School of Earth Sciences File Server, sesfs.stanford.edu, provides home shares, common disk areas (scr1, ftp, and WWW), and research group shares (for example, sac and eel) as network file shares accessible to Windows and Mac OS X PCs. If you need to access a file share on sesfs from home or while traveling with a portable computer, install and use the Stanford public VPN client.
Windows PC file sharing | No access, except ERE PCs via the VPN. | Turning a Windows PC into a file server exposes it to hacker attacks that target both inherent weaknesses in the file sharing software and common misconfigurations. Numerous PCs on campus have been successfully compromised via the file sharing service. Special firewall rules allow access to file shares on centrally managed Windows PCs in the ERE department via the Stanford public VPN client and Stanford DSL, but not from the rest of the academic and residence networks (to limit exposure to hacked PCs in those areas). Such access can also be granted to properly configured and maintained research group Windows PC file servers upon request.
Mac OS X file sharing | Stanford campus network. | The AppleShare/IP protocol used by this service is not a major security risk like Windows file sharing. If you need to connect to the file sharing service on your office Mac from home or while traveling with a portable computer, install and use the Stanford public VPN client.
X-Window graphics | No access, except via ssh tunnel. | The XDMCP protocol, which gives a complete remote console with full graphical interface, is limited to the local Earth Sciences network only, as it sends passwords over the network in plain text and can permit hackers to spy on your system. If you need to open an X-window to display results on your computer in Earth Sciences from a program running on a computer outside Earth Sciences, use an ssh X-window tunnel.
IM, chat, skype | The entire Internet. | Instant messaging, chat, and Internet telephony programs such as AIM, iChat, Windows Messenger, IRC, and Skype work through the firewall. Users are clients who log in to servers; servers relay messages between users. Since the user initiates the original outbound login connection to the server, the firewall allows the connection. An attempt to run your own IRC or other chat server will be blocked by the firewall.
Peer-to-peer file sharing | The entire Internet in most cases. | Peer-to-peer file sharing services such as Napster, Kazaa, Grokster, Gnutella, Limewire, and BitTorrent may not work in their default configurations. Most of these programs offer workarounds for dealing with a firewall. Please be aware that peer-to-peer file sharing programs are notorious vectors for hacker compromises of computers. Distribution sites for the programs themselves and the files that are distributed are often "contaminated" by hackers with their own malicious programs, which "ride along" and infect your computer while you are downloading files. In addition, these peer-to-peer file sharing programs often expose files on your computer, including those containing identity information, to anyone on the Internet. Peer-to-peer file sharing programs should never be installed on Stanford-owned computers, and you are strongly discouraged from using them on personally owned computers.
Other services | No access. | Any other service running on your computer which is not described here is not accessible to connections originated by other computers outside the Earth Sciences network. If you need access to some other service for legitimate academic purposes, contact the network manager, who will first evaluate the security implications before modifying firewall rules.
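To show how the policy in the table maps onto a stateful packet filter, here is an nftables ruleset written as an added example for this page; it is not the School's actual configuration. The address ranges are placeholders, and the port numbers are the standard well-known ports for each protocol (only 9100 for JetDirect appears on the page), so they are assumptions.

```nftables
# Illustrative ruleset (constructed for this page; not the School's real configuration).
# All address ranges are placeholders; the real prefixes are not given on the page.
define es_wired = 192.0.2.0/24                          # Earth Sciences wired jacks
define campus   = { 198.51.100.0/24, 203.0.113.0/24 }   # campus wired, registered wireless, DSL, VPN
define vpn_dsl  = 203.0.113.0/24                        # Stanford public VPN pool and Stanford DSL only
define pangea   = 192.0.2.10                            # web and anonymous ftp server
define sesfs    = 192.0.2.11                            # School file server
define sesmail  = 192.0.2.12                            # system-administration mail server
define ere_pcs  = { 192.0.2.20-192.0.2.29 }             # centrally managed ERE Windows PCs

table inet es_firewall {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Stateful core: replies to connections started from inside are accepted.
        # This is why outbound web, mail, IM and P2P traffic works while inbound
        # probes, chat servers and personal web servers fall through to the drop policy.
        ct state established,related accept
        ct state invalid drop

        # Connections that originate on the ES wired network are not regulated at all.
        ip saddr $es_wired accept

        # ssh, sftp and scp: entire Internet (encrypted, needs a local account).
        tcp dport 22 accept

        # Remote desktop (RDP, ARD, VNC, Timbuktu) from the campus zone only.
        # Matching is by port, so another protocol configured onto one of these ports passes too.
        ip saddr $campus tcp dport { 3389, 3283, 5900, 407, 1417-1420 } accept

        # Printing from the campus zone: lpd, ipp, HP JetDirect.
        ip saddr $campus tcp dport { 515, 631, 9100 } accept

        # Mac OS X file sharing (AFP) from campus; sesfs shares from campus;
        # Windows file sharing (SMB) only to ERE PCs and only from VPN/DSL.
        ip saddr $campus tcp dport 548 accept
        ip saddr $campus ip daddr $sesfs tcp dport { 139, 445 } accept
        ip saddr $vpn_dsl ip daddr $ere_pcs tcp dport { 139, 445 } accept

        # School servers open to the Internet: pangea web and anonymous ftp
        # (passive ftp data channels need the ftp conntrack helper), sesmail SMTP.
        ip daddr $pangea tcp dport { 80, 443, 21 } accept
        ip daddr $sesmail tcp dport 25 accept

        # XDMCP (udp 177), telnet (tcp 23), X11 (tcp 6000-6063) and everything
        # else not listed: no rule, so the drop policy applies.
    }
}
```

The SEP group's mail server and research servers admitted "upon request" would each need their own explicit accept rule in the same style.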