
The Use of Firewalls in an Academic Environment


The Internet has evolved to the state where it is now an everyday part of personal and business life.  At the time of writing, there are an estimated 300 million people using the Internet at least once a week, and some 70,000,000 hosts permanently connected to the Internet. 

Executive Summary

The rapid growth of the Internet enables new methods for Universities to perform distance teaching and research, to conduct business, and to attract new students and staff.  But it also brings the danger of an increased online population from which “hacking” or other undesirable activity may originate.

The main findings of our one-year JISC/JTAP project are as follows:

  • The adoption of default deny firewalls on JANET sites is very limited.  The typical firewall policy involves a handful of protocols being filtered at a site’s JANET point of presence and perhaps a small firewall protecting financial systems.  We estimate that less than 10% of all sites have a default deny firewall/security policy, for inbound or outbound traffic
  • We were able to successfully deploy an inbound default deny firewall at a site with 1,300 users on over 600 live hosts.  The solution we chose was Check Point Firewall-1 on a Sun/Solaris platform.  In doing so we determined a wide range of selection criteria that should be applicable to assist sites considering their own deployments
  • User education and awareness are critical issues.  The traffic passing through the point at which a firewall may be inserted can be monitored to see which services users are accessing. However, it is important to consult the users of a network to find what their feelings are and to see what they perceive their requirements to be
  • The introduction of a firewall or set of firewalls is only a means by which to enforce a security policy.  That policy must be determined by the institution concerned.  An ongoing risk assessment exercise is one method by which to maintain and refine a security policy
  • Despite the intuitive feeling that a department of computer scientists would include many people running unusual applications over the Internet on unusual IP port numbers, we discovered that the volume of such traffic is much lower than expected.  After the initial move to a default deny firewall configuration, the rate of additional long-term service-enabling requests was very low, of the order of at most five per month, often less.  Temporary requests for the purposes of software demonstrations were more common, but still not of a level to cause a severe administrative overhead.  It was very important that service requests were processed quickly and fairly
  • There are new network services becoming popular where simple packet-based filtering is not able to perform the desired “firewall” function, e.g. video streaming protocols and chat clients like ICQ.  In such instances application level gateways such as SOCKS5 appear to offer a good solution
  • The cost to an institution of a breach of security is very hard to evaluate.  Those sites adopting a more rigorous security policy have typically been exposed to a major incident from which they have learnt that cost the hard way.  This has made the passing of a firewall policy through such university committees that much easier
  • Failing to deploy a firewall system can have indirect repercussions.  If a site is found to be open to “spam e-mail relay” abuse, it may be added to one of a number of blacklists.  Many sites make use of such blacklists when filtering for junk e-mail or for general network traffic, so becoming blacklisted can be a major problem
  • While the deployment of a firewall has immediate costs in terms of new hardware and/or software and staff training, that cost can likely be recovered by the notable reduction in systems staff time spent pursuing problems caused by security breaches
  • A firewall or set of firewalls is only one risk reduction measure.  A site security policy should also encompass areas such as secure access to data, e.g. via secure shell (ssh) or secure socket layer (SSL), and authenticated access to data beyond plain usernames and passwords, e.g. via X.509 or PGP software certificates, or via physical tokens such as SecurID
  • Firewall technology is improving rapidly.  Some can now do content filtering in silicon.  Established products such as Firewall-1 allow content-based vectoring whereby WWW, FTP and e-mail data can be passed to a process on another machine for filtering (e.g. automatic non-intrusive virus checking of inbound e-mail).   However, the basic security principles (as reported in this document) remain the same
  • The Data Protection Act 1998 requires all personal data to be held under a reasonable level of security.  That may include data encryption but also the selective blocking of access to certain network servers or subnetworks.  It is a site’s responsibility to decide what information needs protecting, and to what level the site will protect that information
  • Many police forces throughout the UK are now addressing IT issues.  The popular press tends to cover the more sensational pornography-related cases.  While these may be a cause of embarrassment to a site, there is also a corporate liability under which sites should be able to identify individuals carrying out illegal acts over a network.  This is difficult from non-authenticated access points.  While in some cases no law may have been broken by the site from which an incident originated, if the site can be shown to have acted negligently in a civil court it may be liable for a fine or compensation.  Thus some method of outbound authentication may be required
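The first finding contrasts the typical JANET arrangement (a handful of protocols filtered, everything else allowed) with the inbound default deny policy the project deployed. The following is an added illustration written for this page, not code from the JTAP project or from Check Point Firewall-1: a small first-match packet-filter model evaluated over constructed inbound flows. All addresses, hostnames, rule comments and the `Flow`/`Rule`/`Policy` names are assumptions made for the example. It shows why a default allow policy leaves unusual ports such as X11 or arbitrary high ports reachable, and how a default deny policy absorbs a "service-enabling request" as a single explicit allow rule.

```python
"""Added example (not part of the JISC/JTAP report): a minimal model of the two
firewall policy styles the report contrasts, evaluated over constructed traffic.
Every address, host and rule below is constructed for illustration only."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Dict


@dataclass(frozen=True)
class Flow:
    """One inbound connection attempt (source, destination, protocol, dest port)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str                   # "allow" or "deny"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    dst: Optional[str] = None     # CIDR string; None matches any destination
    comment: str = ""

    def matches(self, f: Flow) -> bool:
        if self.proto is not None and self.proto != f.proto:
            return False
        if self.dport is not None and self.dport != f.dport:
            return False
        if self.dst is not None and ip_address(f.dst) not in ip_network(self.dst):
            return False
        return True


@dataclass
class Policy:
    name: str
    default: str                  # action taken when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def decide(self, f: Flow) -> Tuple[str, str]:
        """First-match evaluation; returns (action, reason) for audit logging."""
        for r in self.rules:
            if r.matches(f):
                return r.action, r.comment or f"rule {r.action} {r.proto}/{r.dport}"
        return self.default, f"default {self.default}"

    def add_service(self, proto: str, dport: int, dst: str, comment: str) -> None:
        """A 'service-enabling request': open exactly one service on one host."""
        self.rules.insert(0, Rule("allow", proto, dport, dst, comment))


CAMPUS = "10.0.0.0/16"   # constructed site address range

# Typical pre-project arrangement: block a few protocols, allow everything else.
default_allow_policy = Policy("default allow", "allow", [
    Rule("deny", "tcp", 23, comment="block telnet"),
    Rule("deny", "tcp", 111, comment="block portmapper"),
    Rule("deny", "udp", 111, comment="block portmapper"),
])

# The deployed style: nothing inbound unless a service was explicitly requested.
default_deny_policy = Policy("default deny (inbound)", "deny", [
    Rule("allow", "tcp", 80, "10.0.1.10/32", "www server"),
    Rule("allow", "tcp", 25, "10.0.1.20/32", "mail relay"),
    Rule("allow", "tcp", 22, CAMPUS, "ssh to campus hosts"),
])

# Constructed inbound traffic sample (RFC 5737 documentation addresses as sources).
SAMPLE_FLOWS = [
    Flow("192.0.2.5", "10.0.1.10", "tcp", 80),       # web, expected by both policies
    Flow("192.0.2.5", "10.0.1.20", "tcp", 25),       # mail to the relay
    Flow("192.0.2.9", "10.0.7.44", "tcp", 22),       # ssh to a staff workstation
    Flow("198.51.100.3", "10.0.7.44", "tcp", 23),    # telnet: the one thing both block
    Flow("198.51.100.3", "10.0.7.44", "tcp", 6000),  # X11 to a workstation
    Flow("198.51.100.7", "10.0.3.2", "udp", 161),    # SNMP to a printer
    Flow("203.0.113.8", "10.0.9.9", "tcp", 31337),   # unusual high port
]


def evaluate(policy: Policy, flows: List[Flow]) -> Tuple[Dict[str, int], List[str]]:
    """Count allow/deny decisions and collect one audit line per denied flow."""
    counts = {"allow": 0, "deny": 0}
    denied_log = []
    for f in flows:
        action, reason = policy.decide(f)
        counts[action] += 1
        if action == "deny":
            denied_log.append(f"DENY {f.src} -> {f.dst} {f.proto}/{f.dport} ({reason})")
    return counts, denied_log


if __name__ == "__main__":
    for pol in (default_allow_policy, default_deny_policy):
        counts, log = evaluate(pol, SAMPLE_FLOWS)
        print(pol.name, counts)
        print("\n".join(log))
    # A service desk request to monitor the printer over SNMP becomes one rule.
    default_deny_policy.add_service("udp", 161, "10.0.3.2/32", "printer SNMP (request #1)")
    print(default_deny_policy.name, "after request:", evaluate(default_deny_policy, SAMPLE_FLOWS)[0])
```

Run stand-alone, the default allow policy denies only the telnet attempt and passes X11, SNMP and the high port to any host; the default deny policy passes the three requested services and logs the other four, and the single `add_service` call is the administrative unit the report measured at "at most five per month".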

Author
Tim Chown, Jon Read, David DeRoure
Publication Date
1 April 2000