CNS and the ITSO have always argued that a campus firewall would not do much to improve security for the general campus network. The RLAN project does use a firewall (and other border elements). Working through the design elements necessary to get some value from it has affirmed our view that a general border firewall would not add much value to the open network.

Some important points about the RLAN:

  • This is a parallel network with very restricted access to the outside world. It is not suitable for general-purpose internet usage. A different network is used for general internet access.
  • Devices attached to the RLAN must meet system administration standards set by the ISO.
  • A different device is used for general internet use.
  • The RLAN user community is as small as possible. (The border access policy is the union of all required access and will likely be expensive to maintain.)
  • RLAN users will only have access to specific outside services. (maybe)
  • Traffic on the RLAN is subject to enhanced monitoring and possibly preemptive blocking in the event of possible malware or extrusion detection.
  • Adding a new service to the RLAN will require some time and administrative overhead.

To add:

  • variety of user support needs
  • support for different OSs