Host protection overview
The policies approved by CSAC have resulted in a significant number
of protection levels offered to different hosts. Many of the names that
have been adopted over time are not immediately clear without further
explanation.
This document provides firm definitions for the various security
levels to simplify and clarify related discussions. It is not an
official CSAC-approved policy document, so if there is any
disagreement between this document and official policies, the
official policies shall be authoritative.
Types of host protection
There are five types of hosts in the current security policies:
"protected," "external," "fully exposed," "semi-exposed," and
"guest." These five types are referred to collectively as UCAR
networks. All other networks, including Abilene, Internet, and
BPOP and FRGP members, are non-UCAR networks.
These five types of hosts are divided into two general
categories.
Internal hosts
The first category is the "internal" hosts, which have an initial
level of protection provided by the security filters in the routers.
The "protected," "semi-exposed," and "fully exposed" hosts make
up the "internal" group. All "internal" hosts have full access
to each other with no security or filtering.
External hosts
The second general category is the "external" hosts. It includes
the "guest" networks and the "external" networks. (This is an
unfortunate overloading of the term "external;" it refers to both
the specific "external" network type and the category of networks
that includes the "external" and "guest" types.) The external
hosts have no special access to the internal hosts, and they are
unprotected by UCAR security filters.
Distinction between "networks" and "addresses"
A distinction between "network" and "address" needs to be
made before the following terms are defined.
Protected networks
Protected hosts make up the vast majority of the UCAR host
addresses. Any network address that has not been specifically placed
into one of the lower-security types is configured as "protected"
by default. Essentially all TCP connections to "protected" addresses
are blocked. Only the "protected", "fully exposed" and "semi-exposed"
types are allowed to make TCP connections to "protected" addresses.
Semi-exposed addresses
The "semi-exposed" addresses are the most protected range of
addresses accessible by "non-UCAR" networks. "Non-UCAR," "guest,"
and "external" addresses are allowed to connect to a small number
of approved services on "semi-exposed" hosts. These include common,
relatively safe non-interactive services such as HTTP and FTP.
Services that use plaintext passwords are not allowed. "Internal"
and "fully exposed" addresses are allowed to connect to
"semi-exposed" addresses without any filtering or restriction.
Fully exposed addresses
The "fully exposed" addresses are similar to the "semi-exposed"
addresses in that they are accessible to the "non-UCAR," "guest,"
and "external" networks while also having full access to the
"protected" and "semi-exposed" addresses. The difference is that
some services are prohibited on the "fully exposed" addresses.
This list includes services that are prone to abuse such as SMTP
and lpd. It also includes services that have poor authentication,
such as Telnet, POP, and X Windows. Finally, services that have
a bad history of security-critical bugs have been added, including
NFS and Windows file sharing.
External networks
The "external" networks are effectively outside the security
filters. There is no filtering between the "external" network and
"non-UCAR" networks. At the same time, the "external" networks have
no special access to the "protected," "semi-exposed," or "fully
exposed" hosts.
Guest networks
The "guest" networks are provided for visitors to UCAR. They
are protected from "non-UCAR" and "external" networks in the
same way the "internal" hosts are. However, they do not have
access to "internal," "semi-exposed," or "fully exposed"
addresses. To these hosts, the "guest" networks are treated
the same as the "external" and "outside" networks.
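The rules above for connections to the three "internal" types can be
written as a small decision function. This is an added example, not
UCAR's router configuration. Assumptions: the service labels are
constructed, the two service sets hold only the examples this document
names, and the "fully exposed" prohibitions are taken to apply to
connections from outside the "internal" group.

```python
# Added illustration; not UCAR's router configuration.
INTERNAL = {"protected", "semi-exposed", "fully-exposed"}
OUTSIDE = {"external", "guest", "non-ucar"}

# Only the services this document names as examples; the real lists are longer.
# Labels are constructed: "x11" = X Windows, "smb" = Windows file sharing.
SEMI_EXPOSED_APPROVED = {"http", "ftp"}
FULLY_EXPOSED_PROHIBITED = {"smtp", "lpd", "telnet", "pop", "x11", "nfs", "smb"}


def tcp_allowed(src, dst, service):
    """Return (allowed, reason) for a TCP connection to an internal host type."""
    if src not in INTERNAL | OUTSIDE:
        raise ValueError(f"unknown source type: {src}")
    if dst not in INTERNAL:
        raise ValueError("only internal destination types are modelled")
    if src in INTERNAL:
        return True, "internal hosts reach each other unfiltered"
    if dst == "protected":
        return False, "protected addresses accept TCP only from internal types"
    if dst == "semi-exposed":
        ok = service in SEMI_EXPOSED_APPROVED
        return ok, "approved service" if ok else "not an approved service"
    ok = service not in FULLY_EXPOSED_PROHIBITED
    return ok, "service not prohibited" if ok else "prohibited service"


def denied(flows):
    """Return the flows the filters would block, with the reason for each."""
    blocked = []
    for src, dst, service in flows:
        ok, reason = tcp_allowed(src, dst, service)
        if not ok:
            blocked.append((src, dst, service, reason))
    return blocked


# Constructed sample flows: (source type, destination type, service).
SAMPLE_FLOWS = [
    ("non-ucar", "protected", "http"),
    ("guest", "semi-exposed", "http"),
    ("external", "semi-exposed", "telnet"),
    ("non-ucar", "fully-exposed", "ssh"),
    ("non-ucar", "fully-exposed", "nfs"),
    ("protected", "fully-exposed", "nfs"),
]
```

Note the asymmetry the function makes visible: "semi-exposed" is an
allow-list, so an unlisted service is blocked, while "fully exposed" is a
deny-list, so an unlisted service is reachable.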