Security: Why SCS Does Not Have a Firewall

There is no firewall between the Carnegie Mellon network and the internet, though there are a few blocked ports. There is also no firewall between the SCS network and the CMU network. We also filter a few ports, in particular the "usual" Windows ports. Some research groups have their own firewalls.

Whether or not SCS should have a firewall is a contentious issue, with people on both sides having strong feelings about it. Our reasons for not having a firewall include the following:

  • The border between SCS and the rest of CMU (and the internet) is both ill-defined and somewhat open by necessity. We have Facilitized hosts on the Campus (as opposed to the SCS) network. Many people at CMU who are not on the SCS network also regularly use SCS hosts, and people from off-site locations such as corporations and other universities regularly use hosts on our network. There are some ways to accommodate off-site users, such as VPN, but they have proved somewhat problematic and difficult to set up in practice, particularly given the broad range of remote users we have.
  • We want to provide the maximum flexibility for people to do network-related research, set up their own servers, work easily with collaborators at other sites, etc., without having to put Facilities in the critical path of having to open up the firewall for each special case (and each special case reduces overall security by some amount).
  • We have doubts about how much real additional security a firewall would provide. Our experience dealing with the firewalls that some research groups have has been that, in practice, any firewall we put up would have a huge number of exceptions in its rules because of demands from people in the community. There is also the problem of people believing that a firewall is a panacea that frees them from having to worry about security issues, and thus neglecting host-based security.
  • Some people in the SCS community have voiced the opinion that CMU has always been an "open node" on the internet, and that this is a good thing for a variety of reasons.

While there are lots of universities that do have firewalls, many of our peers (meaning top-ranked CS research universities) do not have them, for many of the same reasons mentioned above.