Network security definitions

Host protection overview

The policies approved by CSAC have resulted in a significant number of protection levels offered to different hosts. Many of the names that have been adopted over time are not immediately clear without further explanation.

This document provides firm definitions for the various security levels to simplify and clarify related discussions. It is not an official CSAC-approved policy document, so if there is any disagreement between this document and official polices, the official polices shall be authoritative.

Types of host protection

There are five types of hosts in the current security policies: "protected," "external," "fully exposed," "semi-exposed," and "guest." These five types are referred to collectively as UCAR networks. All other networks, including Abilene, Internet, and BPOP and FRGP members, are non-UCAR networks.

These five types of hosts are divided into two general categories.

Internal hosts

The first category is the "internal" hosts, which have an initial level of protection provided by the security filters in the routers. The "protected," "semi-exposed," and "fully exposed" hosts make up the "internal" group. All "internal" hosts have full access to each other with no security or filtering.

External hosts

The second general category is the "external" hosts. It includes the "guest" networks and the "external" networks. (This is an unfortunate overloading of the term "external"; it refers to both the specific "external" network type and the category of networks that includes the "external" and "guest" types.) The external hosts have no special access to the internal hosts, and they are unprotected by UCAR security filters.

Distinction between "networks" and "addresses"

A distinction between "network" and "address" needs to be made before the following terms are defined.

Protected networks

Protected hosts make up the vast majority of the UCAR host addresses. Any network address that has not been specifically placed into one of the lower-security types is configured as "protected" by default. Essentially all TCP connections to "protected" addresses from outside the "internal" group are blocked: only the "protected," "fully exposed," and "semi-exposed" types are allowed to make TCP connections to "protected" addresses.

Semi-exposed addresses

The "semi-exposed" addresses are the most protected range of addresses accessible by "non-UCAR" networks. "Non-UCAR," "guest," and "external" addresses are allowed to connect to a small number of approved services on "semi-exposed" hosts. These include common, relatively safe, non-interactive services such as HTTP and FTP. Services that use plaintext passwords are not allowed. "Internal" and "fully exposed" addresses are allowed to connect to "semi-exposed" addresses without any filtering or restriction.

Fully exposed addresses

The "fully exposed" addresses are similar to the "semi-exposed" addresses in that they are accessible to the "non-UCAR," "guest," and "external" networks while also having full access to the "protected" and "semi-exposed" addresses. The difference is that some services are prohibited on the "fully exposed" addresses. This list includes services that are prone to abuse such as SMTP and lpd. It also includes services that have poor authentication, such as Telnet, POP, and X Windows. Finally, services that have a bad history of security-critical bugs have been added, including NFS and Windows file sharing.

External networks

The "external" networks are effectively outside the security filters. There is no filtering between the "external" network and "non-UCAR" networks. At the same time, the "external" networks have no special access to the "protected," "semi-exposed," or "fully exposed" hosts.

Guest networks

The "guest" networks are provided for visitors to UCAR. They are protected from "non-UCAR" and "external" networks in the same way the "internal" hosts are. However, they do not have access to "internal," "semi-exposed," or "fully exposed" addresses. To these hosts, the "guest" networks are treated the same as the "external" and "outside" networks.
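The access matrix these definitions imply, as an added Python model (not UCAR's policy text or its router configuration): it classifies unassigned addresses as "protected" by default and decides which TCP connections the filters pass. The approved and prohibited service sets are assumptions built only from the examples the text names, and the text does not say how internal hosts reach guest or external destinations, so the model assumes those connections pass.

```python
# Added illustration of the host-protection definitions above; not a UCAR
# document or router filter. The service sets are assumptions: only the
# examples the text names, not the full policy-defined lists.
INTERNAL = {"protected", "semi-exposed", "fully exposed"}
UCAR_TYPES = INTERNAL | {"external", "guest"}
SEMI_EXPOSED_APPROVED = {"http", "ftp"}
FULLY_EXPOSED_PROHIBITED = {"smtp", "lpd", "telnet", "pop", "x11", "nfs", "smb"}


def classify(address, assignments):
    """An address not explicitly placed in a lower-security type is 'protected'."""
    return assignments.get(address, "protected")


def tcp_allowed(src_type, dst_type, service):
    """True if the security filters pass a TCP connection to `service`
    (lowercase name) from a host of src_type to a host of dst_type."""
    # Anything outside the five UCAR types is a non-UCAR network.
    src = src_type if src_type in UCAR_TYPES else "non-ucar"
    dst = dst_type if dst_type in UCAR_TYPES else "non-ucar"
    if src in INTERNAL:
        # Internal hosts reach each other unfiltered. The text does not restrict
        # internal hosts reaching other destinations, so (assumption) pass them.
        return True
    # "external", "guest" and non-UCAR sources are treated alike by internal hosts.
    if dst == "protected":
        return False
    if dst == "semi-exposed":
        return service in SEMI_EXPOSED_APPROVED
    if dst == "fully exposed":
        return service not in FULLY_EXPOSED_PROHIBITED
    if dst == "guest":
        # Shielded from non-UCAR and "external" sources as internal hosts are;
        # guest-to-guest is assumed to pass, as protected-to-protected does.
        return src == "guest"
    return True  # "external" and non-UCAR destinations are outside the filters


def audit(src_type, dst_type, services):
    """Split services into those the filters pass and those they drop."""
    passed = {s for s in services if tcp_allowed(src_type, dst_type, s)}
    return sorted(passed), sorted(set(services) - passed)


if __name__ == "__main__":
    probe = {"http", "ftp", "smtp", "telnet"}  # constructed sample services
    for src in ("protected", "guest", "external", "internet"):
        for dst in ("protected", "semi-exposed", "fully exposed", "guest"):
            print(f"{src:>9} -> {dst:<13}", audit(src, dst, probe))
```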
