School of Earth Sciences network firewall

last revision December 11, 2013

Security safeguards:
  1. Minimize network presence
  2. Use strong passwords
  3. Install security patches regularly
  4. Backup computer data
  5. Encrypted login
  6. Network firewall
  7. Switched ethernet

The university has implemented departmental computer network "firewalls". These devices regulate incoming traffic into the department network from the rest of campus and the entire Internet. They do not block outgoing connections made from your computer.

The School of Earth Sciences implemented such a firewall on May 30, 2007 for all wired network jacks in its three buildings: Geology Corner, Mitchell Earth Sciences (except Branner Library), and Green Earth Sciences. Earth Sciences computers connected to wired jacks in the interdisciplinary Yang and Yamazaki Environment and Energy Building (Y2E2) are generally also subject to these firewall rules.

Wireless service and the wired jacks in Branner Library are on separately managed networks that are not controlled by the Earth Sciences firewall. They have their own firewall rules that may be more restrictive.

Network firewalls are a standard part of computer security. They block outside hackers from probing insecure services. They prevent or interfere with self-propagating virus and worm attacks.

But this firewall also limits the ways that you can connect into computers, printers, and services on our network from the outside. This page describes the firewall rules and operation so you know which Earth Sciences services are accessible from outside our network, and how to access them.

Remember that network firewalls do not prevent hacker attacks that are based on tricking people into clicking on dangerous links in their web browsers. Nor do they help if an infected laptop is brought onto our network and then starts to probe or attack other computers from the inside. It is always important to keep your computer up to date with security patches and practice secure computing, such as not clicking on strange links in emails or opening unexpected attachments.

"Average" computer users

The "average" computer user in Earth Sciences will not notice the network firewall. The firewall does not block any outgoing connections that you start from your computer. You can connect to web servers, mail servers, instant messaging services, and initiate file transfers just like you did before. But probes against your computer from outside our network will be blocked.

Home users or travelers

If you like to access your Earth Sciences office or lab computer for file sharing or remote login from home or while traveling with a portable computer, you need to install the Stanford Virtual Private Network (VPN) client software on your home or portable computer in order to get through the firewall to your office or lab computer. You can make a HelpSU request to have our CRC desktop consultants install this. Some services that require use of the Stanford VPN also require that you first get your SUNet ID onto an authorization list for that service. See the table of services below.

"Power" users or managers of research workstations and servers

The "power" user or manager of a research workstation or server may find that some services that you would like to open to the outside world are blocked by the firewall.

The firewall allows incoming connections from outside the Earth Sciences network to major servers on our network, such as sesfs.stanford.edu and pangea.stanford.edu. Managers of research servers can request access for well-secured services used for academic purposes on their computers, as described in the detailed table below. Inherently insecure services such as plain ftp and plain telnet will never be allowed through the firewall.

Details of firewall rules and operation

The purpose of a firewall is to regulate incoming traffic onto our network, particularly to services that are known to be vulnerable to hacker attacks. A service is simply a way for outsiders to connect to your computer in order to get a file, view the screen, or run a program.

Vulnerable services that are often turned on by individual computer users are limited to access from the Stanford network only, or in some cases, to just the Earth Sciences network.

These rules only affect connections that originate outside the Earth Sciences wired network. Any connection that you originate while seated in front of your computer in your Earth Sciences office or lab that is connected to the wired ethernet is not affected.

Wireless services in Earth Sciences are part of a separate ITS managed network. Wireless connections are considered outside the Earth Sciences network. Thus, wireless connections from your laptop to devices on the wired network in the same office or building may be affected.

Any service you open on your computer that is connected to the wired Earth Sciences network can still be accessed by any other computer on the wired Earth Sciences network, even if outside connections are blocked.

The following table summarizes the effect of the firewall policies on common services that people may enable on their computers.

"Stanford campus network" means the wired network in all academic buildings and residence halls; registered (not guest) computers using the ITS wireless networks; and home and remote connections using the Stanford public VPN client.

Columns: Service running on Earth Sciences network device / Outside connections allowed from ... / Description and exceptions

Service: Windows Remote Desktop Protocol
Outside connections allowed from: Stanford VPN with pre-authorization only.
Description and exceptions: Beginning on October 28, 2013, there are special restrictions if you use a computer that is not on the Earth Sciences wired network to open a Remote Desktop connection to a Windows computer that is on the Earth Sciences wired network. First of all, your SUNet ID must be added to this authorized list. Then you must install or configure the Stanford public VPN client. You must log in to the VPN before initiating your RDP connection. See this news item for more details.

Service: Remote desktop, other than Windows
Outside connections allowed from: Stanford campus network.
Description and exceptions: See the item above for restrictions on Windows Remote Desktop connections. This item applies to Apple Remote Desktop, VNC, Timbuktu, and compatible protocols that use the same TCP ports as one of these (for example, PCAnywhere can be configured to use the same port number as VNC). If you need remote desktop logins from home or while traveling with a portable computer, install and use the Stanford public VPN client to get through the firewall.

Service: ssh
Outside connections allowed from: Stanford campus network; servers and research workstations can request open access to entire Internet.
Description and exceptions: The ssh service allows remote command-line logins and remote command execution on your Earth Sciences computer. Workstations generally do not provide ssh service by default. If you enable the ssh service on your computer, make sure all local accounts on that computer have strong passwords!

The ssh protocol is fully encrypted and requires a local account and password, so it is generally safe. However, hackers do probe ssh services looking for weak passwords. Those probes also generate a lot of network traffic and load on computers. Therefore, general ssh access to the Earth Sciences network is restricted to other computers on the Stanford network in order to reduce hacker probes. Researchers can request access from the entire Internet to their server or workstation if needed.

Service: sftp and scp
Outside connections allowed from: Same as ssh. School server sestransfer.stanford.edu allows access from entire Internet.
Description and exceptions: These file transfer services are part of the ssh protocol.

Service: Web server
Outside connections allowed from: No access to personal servers. Entire Internet access to School and research servers.
Description and exceptions: The School provides the pangea.stanford.edu web server for use by departments and research groups; it is accessible from the entire Internet. Connections from the Internet will be allowed upon request to properly configured and maintained research group web servers used for academic purposes only when the pangea.stanford.edu web server is not adequate.

Outside access to personal web sharing on your computer is blocked. Improperly configured web servers are commonly penetrated by hackers and used to compromise computers. For personal web sharing, such as your personal photos, use your pangea.stanford.edu personal web space, or a free Internet service (such as flickr, shutterfly, picasa, mediamax, or dropbox).

Service: Email server
Outside connections allowed from: Entire Internet access to sesmail and SEP mail servers.
Description and exceptions: Everyone uses email programs on their computers to send and receive email through a server such as the central @stanford.edu servers. That kind of use is not affected by the firewall.

Individuals and research groups are not permitted to run their own email servers on the Earth Sciences network. Only connections to the sesmail server (used for system administration purposes) and the SEP group's long-standing email server are allowed to come in through the firewall.

Service: ftp
Outside connections allowed from: No access, except entire Internet for anonymous ftp on pangea.stanford.edu.
Description and exceptions: ftp is used to transfer files. It is inherently insecure because it sends passwords and data over the network in clear text.

The firewall permits outside ftp connections only to the anonymous ftp service on pangea.stanford.edu, which anyone in the School can use to share files with outside colleagues. If you need to serve large files from your own computer (such as a lab computer), enable a secure sftp server instead.

Service: telnet
Outside connections allowed from: No access.
Description and exceptions: telnet is used to make remote command-line logins. It is inherently insecure because it sends passwords and data over the network in clear text. Incoming telnet connections are always blocked. If you need to make remote command-line logins to your computer, use ssh instead of telnet.

Service: Printing
Outside connections allowed from: Stanford campus network.
Description and exceptions: Only the lpd (port 515), ipp (port 631), or HP jetdirect (port 9100) printer connection protocols are allowed. If you need to send print jobs to an Earth Sciences printer from home or while traveling with a portable computer, install and use the Stanford public VPN client to get through the firewall.

Service: School file shares
Outside connections allowed from: Stanford campus network.
Description and exceptions: The School of Earth Sciences File Server cluster provides home shares, common disk areas (scr1, ftp, and WWW), and research group shares (for example, sac and eel) as network file shares accessible to Windows and Mac OS X PCs. Multiple server names are used for different shares, such as sesfs.stanford.edu, sacfs.stanford.edu, seslabfs.stanford.edu, etc. This firewall rule applies to all equally. If you need to access a file share on the School file servers from home or while traveling with a portable computer, install and use the Stanford public VPN client to get through the firewall.

Service: Windows PC file sharing
Outside connections allowed from: No access.
Description and exceptions: Turning a Windows PC into a file server exposes it to hacker attacks that target both inherent weaknesses in the file sharing software and common misconfigurations. Numerous PCs on campus have been successfully compromised via the file sharing service. Please note that the Remote Desktop service (above) allows you to copy files back and forth between your Earth Sciences PC and a remote computer. Access to Windows file sharing can be granted to properly configured and maintained research group Windows PC file servers upon request.

Service: Mac OS X file sharing
Outside connections allowed from: Stanford campus network.
Description and exceptions: The Apple Filing Protocol (AFP) used by this service is not a major security risk like Windows file sharing. If you need to connect to the file sharing service on your office Mac from home or while traveling with a portable computer, install and use the Stanford public VPN client to get through the firewall.

Service: X-Window graphics
Outside connections allowed from: No access, except via ssh tunnel.
Description and exceptions: The XDMCP protocol, which gives a complete remote console with full graphical interface, is limited to the local Earth Sciences network only, as it sends passwords over the network in plain text mode, and can permit hackers to spy on your system. If you need to open an X-window to display results on your computer in Earth Sciences from a program running on a computer outside Earth Sciences, use an ssh X-window tunnel.

Service: IM, chat, skype
Outside connections allowed from: The entire Internet.
Description and exceptions: Instant messaging, chat, and internet telephony programs such as AIM, iChat, Windows Messenger, IRC, and Skype work through the firewall. Users are clients who log in to servers; servers relay messages between users. Since the user initiates the original outbound login connection to the server, the firewall allows the connection. An attempt to run your own IRC or other chat server will be blocked by the firewall.

Service: Peer-to-peer file sharing
Outside connections allowed from: The entire Internet in most cases.
Description and exceptions: Peer-to-peer file sharing services such as Napster, Kazaa, Grokster, Gnutella, Limewire, and Bittorrent may not work in their default configurations. Most of these programs offer workarounds for dealing with a firewall.

Please be aware that peer-to-peer file sharing programs are notorious vectors for hacker compromises of computers. Distribution sites for the programs themselves and files that are distributed are often "contaminated" by hackers with their own malicious programs, that "ride along" and infect your computer while you are downloading files. In addition, these peer-to-peer file sharing programs often expose files on your computer, including those containing identity information, to anyone on the internet.

Peer-to-peer file sharing programs should never be installed on Stanford-owned computers and you are strongly discouraged from using them on personally owned computers.

Service: Other services
Outside connections allowed from: No access.
Description and exceptions: Any other service running on your computer which is not described here is not accessible to connections originated by other computers outside the Earth Sciences network. If you need access to some other service for legitimate academic purposes, contact the network manager, who will first evaluate the security implications before modifying firewall rules.
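As an added illustration that is not part of the original page or the School's own firewall configuration, the Python model below encodes the table above as data and answers whether a given source may reach a given service on an Earth Sciences host. The address ranges for the wired network, the VPN pool and the rest of campus, and the host names other than those the page names, are constructed placeholders, since the real prefixes are not given on the page.

```python
import ipaddress

# Constructed placeholder prefixes for the zones the page distinguishes; the
# real Earth Sciences, VPN and campus address ranges are not on the page.
ZONES = [
    ("ses_wired", ipaddress.ip_network("10.10.0.0/16")),     # Earth Sciences wired jacks
    ("stanford_vpn", ipaddress.ip_network("10.20.0.0/16")),  # Stanford public VPN pool
    ("campus", ipaddress.ip_network("10.0.0.0/8")),          # rest of the Stanford network
]

def zone_of(src_ip):
    """Classify a source address; the most specific zone is listed first."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in ZONES:
        if ip in net:
            return name
    return "internet"

# "Stanford campus network" in the page's sense includes VPN users.
CAMPUS = {"campus", "stanford_vpn"}

# Zones allowed to reach each service from outside the wired network, per the
# table; anything not listed (telnet, SMB, XDMCP, personal web) gets no access.
POLICY = {
    "rdp": {"stanford_vpn"},   # VPN plus per-user pre-authorization, see allowed()
    "vnc": CAMPUS,             # Apple Remote Desktop, VNC, Timbuktu and look-alikes
    "ssh": CAMPUS,
    "sftp": CAMPUS,
    "lpd": CAMPUS, "ipp": CAMPUS, "jetdirect": CAMPUS,   # ports 515, 631, 9100
    "school_share": CAMPUS,    # sesfs, sacfs, seslabfs ... file shares
    "afp": CAMPUS,             # Mac OS X file sharing
}

# School servers the page names as open to the entire Internet.
INTERNET_OPEN = {
    ("sftp", "sestransfer.stanford.edu"),
    ("http", "pangea.stanford.edu"),
    ("ftp", "pangea.stanford.edu"),   # anonymous ftp only
}

def allowed(service, dst_host, src_ip, rdp_authorized=False):
    """Return True if an inbound connection to dst_host's service is permitted."""
    zone = zone_of(src_ip)
    if zone == "ses_wired":
        return True   # rules only affect traffic originating outside the wired network
    if (service, dst_host) in INTERNET_OPEN:
        return True   # named School servers are reachable from anywhere
    if service == "rdp":
        # Since October 28, 2013: VPN login and SUNet ID on the authorized list.
        return zone == "stanford_vpn" and rdp_authorized
    return zone in POLICY.get(service, set())
```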

Comments or Questions?