
A FIREWALL FOR JESUS COLLEGE (Cambridge)
This document is for those wishing to know more about the Jesus College firewall. It explains certain functions and features of the firewall, and outlines the reasoning behind its implementation. Although this is not a technical paper, certain concepts are discussed for which a basic knowledge of IP networking will be useful.
In September 2001, Jesus College installed a firewall with support for Network Address Translation (NAT). Essentially, NAT allows many computers to share one outgoing IP address: hosts inside College are allocated private, local IP addresses, and the headers of each outgoing packet are rewritten so that all College traffic appears to originate from a single public IP address. Such a system has many benefits for the College: see http://www-it.jesus.cam.ac.uk/network/nat.html.
The decision to install a firewall and to implement NAT was made after many months of research and consideration. Different firewall products were evaluated, and their benefits to the College were weighed against the disruption which would inevitably be caused by the necessary changes to our network. The solution adopted - a cluster of two NetServers FireRack firewalls [1] - increased the flexibility and resilience of the College network in addition to exceeding all of our security requirements. The IT Department is confident that the benefits of such a networking strategy more than justify its implementation.
It must be emphasised that the introduction of a firewall was for management reasons and was not intended to restrict legitimate use of the network. The IT Department have taken and will continue to take every opportunity to assist those wishing to use the network to do so unhindered.
Many operating systems (including most versions of Microsoft Windows and various Linux distributions) open a number of network services to the world by default [2]. Most are safe, but some may be exploited by malicious users wishing to gain access to the machine on which the service is running, or more often the network of which it is a part. Accordingly, security on our academic network [3] has been an issue for some time. Our previous setup, which allowed anyone with Internet access (over 500 million people at last count [4]) a free rein to attack our network, was simply unacceptable. This concern is not unjustifiably paranoid - after its implementation, the firewall revealed that hundreds of attempts to break into machines in College are made every minute.
Firewalls can provide network security at a number of levels, but one feature common to most is the ability to block Internet connections which are likely to be malicious. A strategy employed by many firewalls is to block all such connections except those which are considered necessary and/or safe. To minimise disruption to users of the College network, we have employed a hybrid approach: any outgoing connection may be established, but only certain types of incoming connection will be accepted. This is considered the least restrictive strategy which retains the benefits of an IP firewall in a 'hostile' environment [5]. NAT provides a further level of protection by ensuring that machines inside the firewall cannot be addressed directly from outside our network: their private addresses are not routable on the Internet, so an outside host can only ever reach the firewall's public address. This protection does depend on the firewall itself remaining intact - a gateway that has been compromised sits on the internal network and can reach any host behind it - so the firewall is the one machine whose own security the whole scheme relies upon.
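As an added illustration (not the College's configuration, nor anything from the FireRack product), the following Python model shows the three behaviours described above: outbound connections are translated to the gateway's public address and recorded; replies are matched against that record and translated back; anything else arriving from outside is dropped unless it targets an explicitly permitted service. It also shows why a protocol that writes its own address into the data it sends is not helped by header translation, a point the page returns to when it discusses NetMeeting. The public address 192.0.2.1, the internal hosts, the port numbers and the single permitted web server are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed values for this example, not the College's real configuration.
PUBLIC_IP = "192.0.2.1"                 # the one address all College traffic appears to come from
INBOUND_ALLOWED = {80: "172.31.0.10"}   # public port -> internal host permitted to accept new connections


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class NatGateway:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # (private ip, private port) -> public port, and the reverse map used for replies
    out_table: dict = field(default_factory=dict)
    in_table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Any outbound connection is allowed: rewrite the source to the public
        address and record the mapping so the reply can be routed back."""
        key = (pkt.src, pkt.sport)
        if key not in self.out_table:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        # Only the IP/TCP headers are rewritten; the payload passes through untouched.
        return Packet(self.public_ip, self.out_table[key], pkt.dst, pkt.dport, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as delivered inside College, or None if it is dropped."""
        if pkt.dst != self.public_ip:
            # A private 172.31.x.x address is not routable from the Internet, and the
            # gateway forwards nothing that is not addressed to its public side.
            return None
        if pkt.dport in self.in_table:
            # Reply to a connection an internal host opened: translate back.
            priv_ip, priv_port = self.in_table[pkt.dport]
            return Packet(pkt.src, pkt.sport, priv_ip, priv_port, pkt.payload)
        if pkt.dport in INBOUND_ALLOWED:
            # One of the 'certain types of incoming connection': forward to the designated host.
            return Packet(pkt.src, pkt.sport, INBOUND_ALLOWED[pkt.dport], pkt.dport, pkt.payload)
        return None  # unsolicited inbound connection: dropped


def walk_through():
    """Run a constructed sequence of packets through the gateway and return each outcome."""
    gw = NatGateway()
    # A student machine browses an external web server.
    out = gw.outbound(Packet("172.31.5.7", 1025, "198.51.100.20", 80))
    # The reply comes back to the public address and the translated port.
    reply = gw.inbound(Packet("198.51.100.20", 80, out.src, out.sport))
    # An outside host probes an arbitrary service on the public address.
    probe = gw.inbound(Packet("203.0.113.9", 5555, PUBLIC_IP, 445))
    # The same host tries to reach the student machine by its private address.
    direct = gw.inbound(Packet("203.0.113.9", 5555, "172.31.5.7", 445))
    # The permitted service (the assumed web server) still accepts new connections.
    web = gw.inbound(Packet("203.0.113.9", 5556, PUBLIC_IP, 80))
    # A NetMeeting-style call setup names the caller's own address inside the data:
    # the header is translated, the private address in the payload is not.
    call = gw.outbound(Packet("172.31.5.7", 1720, "198.51.100.20", 1720,
                              b"caller address 172.31.5.7:1721"))
    return {"out": out, "reply": reply, "probe": probe, "direct": direct,
            "web": web, "call": call}


if __name__ == "__main__":
    for name, pkt in walk_through().items():
        print(f"{name:6} {pkt}")
```

The `call` case is the one to watch: the packet leaves with the public source address, but the peer reads `172.31.5.7` out of the data and tries to call back to an address it cannot reach. Fixing that needs a gateway that understands the protocol well enough to rewrite the payload, not just the headers.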
While the prevention of intrusion from outside College is the primary function of the firewall, its features provide an additional layer of internal security to our network. Every network card is assigned a unique Medium Access Control (MAC) address by its manufacturer, and this address must be registered with the IT Department before a machine can use the College network. A MAC address can be changed in software, but doing so takes deliberate effort, whereas an IP address is simply typed in: it is therefore much harder to 'hijack' another network user's MAC address than an IP address. As a result, unauthorised use of the network (which previously accounted for much of the high-bandwidth and illicit use of the network) and IP sharing (which results in the total Internet traffic cost being split between fewer people than there are users) have been significantly reduced.
The introduction of the firewall has allowed us to subdivide the College network into a number of discrete segments, the interrelation between which is controlled by a set of rules. Troubleshooting and network administration have been facilitated to the extent that much of the network can be tested and reorganised from a web browser. The advantages of segmentation are manifold: to ensure the security of our administrative servers from student machines, for example, it would previously have been necessary to duplicate network devices and cabling. Existing network hardware can now be used to provide additional services such as the connection of catering terminals and CCTV cameras across College without the expense of additional equipment or the security concerns of an open network.
The firewall is, logically, a single device situated directly between the University network and every host on the College network (physically it is the two-node cluster described above). A significant benefit of such a network structure is that client network settings (such as IP address) may be configured automatically via DHCP [6]. For the vast majority of users, this allows a computer to be connected to the College network with minimal effort: it must merely be connected to the network and its MAC address registered for a largely unrestricted Internet connection to be established.
For the first time, the IT Department have been able to implement a coherent internal IP allocation policy without having to pass DNS changes through the University Computing Service. In effect, we have regained control over our network - administration that was once duplicated between ourselves and the University has become largely internal.
The College is charged hundreds of pounds each week by the University for transatlantic downloads [7]. Previously, it was not possible to determine patterns of Internet use in order to minimise these charges. The firewall, however, allows detailed and comprehensive Internet traffic logging and auditing. By monitoring connections more closely and preventing students in College from serving data to the world, we have been able to regain significant bandwidth, making the network faster for those who use it legitimately. Traffic monitoring may seem draconian, but it facilitates an appropriate response where a user really abuses the network. The College is not interested in students who download a few MP3s or visit non-academic sites in their spare time.
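As an added example of what such logging makes possible (the log format below is assumed for the example and is not the FireRack product's format), the Python that follows parses constructed NAT connection records, totals traffic per internal host, flags hosts whose traffic pattern suggests they are serving data to the world, and answers the question NAT otherwise makes hard: which internal machine was behind the College's public address on a given port at a given time. Because the gateway reuses public ports, the time has to be matched as well as the port.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed records in an assumed format: time, private source, the public
# address:port the gateway substituted, the remote peer, bytes sent by the
# internal host and bytes received by it. Not real College traffic.
SAMPLE_LOG = """\
2004-05-31T10:00:01 172.31.5.7:1025 via 192.0.2.1:40000 to 198.51.100.20:80 out=1200 in=820000
2004-05-31T10:00:05 172.31.8.2:3301 via 192.0.2.1:40001 to 198.51.100.77:80 out=900 in=15000
2004-05-31T10:01:10 172.31.5.7:1026 via 192.0.2.1:40002 to 203.0.113.4:6881 out=95000000 in=1200
2004-05-31T10:02:00 172.31.9.9:4444 via 192.0.2.1:40003 to 198.51.100.20:443 out=3000 in=42000
2004-05-31T11:30:00 172.31.8.2:3302 via 192.0.2.1:40002 to 198.51.100.90:80 out=700 in=9000
"""

LINE = re.compile(
    r"(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) via (?P<pub>[\d.]+):(?P<pport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) out=(?P<out>\d+) in=(?P<in>\d+)"
)


def parse_log(text):
    """Turn log lines into records; lines that do not match are skipped
    (a production parser would count and report them rather than stay silent)."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        records.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"], "sport": int(d["sport"]),
            "pport": int(d["pport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "out": int(d["out"]), "in": int(d["in"]),
        })
    return records


def bytes_per_host(records):
    """Total bytes in and out per internal host: the figures any charging policy needs."""
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    for r in records:
        totals[r["src"]]["in"] += r["in"]
        totals[r["src"]]["out"] += r["out"]
    return dict(totals)


def serving_hosts(records, ratio=10, min_out=1_000_000):
    """Hosts that send far more than they receive are probably serving data to the world.
    The ratio and floor are assumed thresholds, to be tuned against real traffic."""
    flagged = set()
    for host, t in bytes_per_host(records).items():
        if t["out"] >= min_out and t["out"] > ratio * max(t["in"], 1):
            flagged.add(host)
    return flagged


def attribute(records, public_port, when):
    """Map an external complaint ('your address, port P, at time T') back to the
    internal host. Public ports are reused, so take the most recent mapping of
    that port opened at or before T rather than the first one found."""
    candidates = [r for r in records if r["pport"] == public_port and r["ts"] <= when]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r["ts"])["src"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for host, t in bytes_per_host(recs).items():
        print(f"{host:12} in={t['in']:>10} out={t['out']:>10}")
    print("serving:", serving_hosts(recs))
    print("port 40002 at 10:05 ->", attribute(recs, 40002, datetime(2004, 5, 31, 10, 5)))
    print("port 40002 at 11:45 ->", attribute(recs, 40002, datetime(2004, 5, 31, 11, 45)))
```

Note that the two `attribute` calls give different answers for the same public port: without the timestamp, the second complaint would be pinned on the wrong student, which is why NAT translation logs must record when each mapping was created and must be kept for as long as complaints can arrive.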
A major project in College has been the introduction of redundancy and failover systems, particularly on the administrative network. This may soon be extended to the external Internet connection: should the external link fail, it will be possible to switch the connection to a non-University ISP. This was not possible where University IPs were allocated to each host on the College network. Because the firewall NATs each connection, however, any single IP may now be used as a gateway to the world. In theory, as IP packets are rewritten by the firewall, users within College need not notice if the CUDN (the Cambridge University Data Network) goes down.
To the majority of users (those who use the Internet to check e-mail and browse the Web), the firewall is entirely transparent – in itself, it does not prevent hosts from connecting to any Internet service. Similarly, the firewall does not affect TCP/IP across the College network; IP connections between fellows' machines, for instance, are unaffected because this traffic does not pass through the firewall.
It is inevitable, however, that the introduction of a new technology as complex and powerful as NAT will cause some disruption. Those who previously served information from a computer in College must now use the NAT/IP gateway [8]; those who previously connected to departmental X servers using an X session should use the alternative (and more secure) method described at http://www-it.jesus.cam.ac.uk/documentation/remotex.html. Regrettably, it is not possible to use Microsoft NetMeeting through our firewall (although it may still be used within College). Its H.323 call-setup signalling carries the caller's IP address and port numbers inside the data stream rather than relying on the IP headers alone; NAT rewrites only the headers, so the other party is told to connect to a private 172.31.x.x address which cannot be reached from outside College [9].
The IT Department have gone to great lengths to ensure that any inconvenience caused by the firewall or changes to the network made as a result of its introduction is kept to a minimum. Particularly, where academic work requires the use of the Internet for a particular purpose, we are committed to finding a solution within the technical constraints of our network. Where the simplest or most frequently applied solution has the potential to compromise the security of other machines on the network, this may require the use of an alternative protocol or different software. However, we have yet to be approached with a problem for which we have not been able to find some solution.
Any member of College experiencing problems which they believe to be related to the firewall should contact the IT Department at computer-help@jesus.cam.ac.uk.
[1] See http://www.firerack.com.
[2] In this context, a network service is an application which runs on a computer connected to the Internet and waits for connections from other machines.
[3] The network infrastructure of Jesus College comprises a number of sub-networks, of which the 'academic network' is one. This network is regarded by the IT Department as a high security risk because the College has little control over its use. It contains all machines in student rooms, most fellows' machines, and most public-use machines in College (such as those in the Computer Centre). A machine can be identified as part of the academic network if its IP address begins '172.31.'.
[4] Source: http://www.nua.ie/surveys/how_many_online/.
[5] See, for example, Garfinkel and Spafford, Practical UNIX & Internet Security (2nd edition, 1996).
[6] Dynamic Host Configuration Protocol: a service which allocates an IP address (and other network settings) to a machine requesting to join a network.
[7] Transatlantic traffic charges passed on to Jesus College amounted to £1359.01 for the period 1 November 2001 to 31 January 2002.
[8] Information on running a server behind the firewall may be found at http://www-it.jesus.cam.ac.uk/network/nat.html#servers.
[9] Microsoft NetMeeting has been widely criticised for its inability to route across networks, and is no longer supported by Microsoft - there is no development team, and Microsoft have announced that there will be no new releases. Other real-time communication tools such as ICQ and MSN Messenger, each of which allows users to chat between networks, have been successfully tested through the firewall.
Comments on this document, and on the implementation of the Jesus College firewall, are welcome: please e-mail computer-help@jesus.cam.ac.uk. Last updated on 31 May, 2004 by Christian Martin