Wandering Thoughts archives

2005-08-05

Perimeter firewalls and universities

The University of Toronto doesn't have a firewall. There, I've said it and you can all gasp in horror: how could any organization on the Internet in this day and age fail to have such a basic thing as a firewall between them and the nasty net?

Because it doesn't help all that much; because it has the wrong threat model. A perimeter firewall protects you from evil people out there on the net, but does nothing to protect you from evil people inside, on your intranet.

A decent-sized university is overrun with students. Some of those students may be malicious, and many of them are going to be careless with their student logins. (These days, many of them may have compromised laptops, or in residences, desktops.)

Compound the situation with unsecured network drops and plugs, and ad-hoc wireless networks set up by departments, workgroups, and professors. Compound the situation again because in practice the general public can wander pretty freely through any place where ordinary students are found.

So, any serious attacker and many casual attackers (who are likely to pick on something on the network they're already around because oh, it's there) is going to have on-campus network access. Bypassing a theoretical perimeter firewall entirely, since they are inside.

Once I've secured my machines against on-campus attackers, a perimeter firewall isn't doing me any good. (It's probably getting in the way by blocking access to new and novel things I actually want to let the Internet at.)

In this sort of situation a perimeter firewall may even do active harm. If people naively believe that the firewall is protecting them, they may slack off on the security of their machines, leaving them more exposed to 'internal' attacks than before. (Since people are fundamentally lazy about security, this is actually quite likely.)

Two sidebars:

Firewalls between a department, a workgroup, or a cluster of servers and the rest of the university can sometimes make sense, depending on how isolated the work of the machines or people is. (The UofT's administrative servers are behind a very restrictive and carefully constructed firewall. Some of them are on networks not even routed from the Internet.)

People who run student labs have an even harder job, since malicious people can almost certainly get a legitimate looking login just from things like shoulder surfing.

tech/UniversityFirewalls written at 01:56:19; Add Comment


Page tools: See As Normal.
Search:
Login: Password:
Atom Syndication: Recent Pages, Recent Comments.

This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.