Why SCS doesn't have a firewall
There is no firewall between the Carnegie Mellon network and the internet, nor is there a firewall between the SCS network and the CMU network. We do filter a few ports; in particular, we have filtered some Windows ports in reaction to the recent RPC/DCOM vulnerability, and some research groups run their own firewalls. Whether or not SCS should have a firewall is a contentious issue, with people on both sides having strong feelings about it. Our reasons for not having a firewall include the following:
- The border between SCS and the rest of CMU (and the internet) is both ill-defined and somewhat open by necessity. We have Facilitized hosts on the Campus (as opposed to the SCS) network, people from other departments who regularly use SCS hosts, undergraduates who use SCS Facilities from the CMU residence halls, many home users, and people at off-site locations such as corporations and other universities who use our network. There are some ways to accommodate home users, such as a VPN, but they have proved somewhat problematic and difficult to set up in practice.
- We want to provide the maximum flexibility for people to do network-related research, set up their own servers, work easily with collaborators at other sites, etc., without putting Facilities in the critical path of opening up the firewall for each special case (each of which reduces overall security by some amount).
- We have doubts about how much real additional security a firewall would provide. Our experience with the firewalls that some research groups run has been that, in practice, any firewall we put up would accumulate a huge number of exceptions in its rules because of demands from people in the community. There is also the problem of people believing that a firewall is a panacea that frees them from having to worry about security issues, and thus neglecting host-based security.
- Some people in the SCS community have voiced the opinion that CMU has always been an "open node" on the internet, and this is a good thing for a variety of reasons.
While there are lots of universities that do have firewalls, many of our peers (meaning top-class CS research universities) do not have them, for many of the same reasons mentioned above.