The CERN Outer Perimeter Firewall

In order to protect devices connected to the CERN network from the regular attacks initiated from off-site, incoming connections to all CERN devices are blocked in the CERN outer perimeter firewall by default. In addition, source ports 0-1023/TCP and 0-1023/UDP (except 500/UDP) are blocked by default for outgoing connections. Thus, users can initiate client applications (on so-called higher ports) but not expose server processes.

The firewall hardware is maintained by the CERN/IT network group, while the configuration is maintained by the Computer Security Team.

Requesting Firewall Openings

In the exceptional case that a device needs to be directly exposed to the Internet, there are four ways for requesting firewall openings:

  • Via the Network Connection Request Form: Select "update", scroll down to the part called "Central Firewall Configuration" and click on "Make Firewall Request";
  • Use so-called LANDB sets, where the firewall has static openings for this LANDB set. Usually, such sets are used for redundancy or large, homogeneous services. These sets are either managed by the Computer Security Team or by the service managers themselves. Contact Computer.Security@cern.ch to find out whether your device is eligible (or not);
  • For OpenStack VMs or any Puppet-managed hosts, please follow the specific documentation. Usually, such host groups are used for redundancy or large, homogeneous services;
  • Make a special request: for special requests, e.g. having IPsec opened, contact Computer.Security@cern.ch.

Security Requirements

The corresponding device must comply with the OC5 subsidiary policy on Openings in the Outer Perimeter Firewall.

Regular Checks

When requesting an opening or at any other time, the Computer Security Team will conduct the standard vulnerability and, if applicable, Web application scans. For either, you will be asked to stop the local firewall (e.g. using /sbin/service iptables stop for most Linux systems). After the scan, you will receive a scan report and be asked to fix any potential vulnerabilities and other problems found. Only devices which have successfully passed the scan(s) will be granted (to keep) the requested opening.

In addition, automatic tools regularly check whether your opening is actually used, i.e. whether

  • there is (still) a service listening on the open port;
  • there has been traffic observed recently contacting that open port.

For homogeneous LANDB sets, it is sufficient that one of its members fulfils the aforementioned criteria (as we assume that this is a homogeneous load-balanced set with fall-back servers).
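The two usage criteria above, together with the relaxation for homogeneous LANDB sets, can be expressed as a small audit. The following is an added example written for this page, not the Computer Security Team's own tooling: the openings, listener table and flow log are constructed sample data, the host names are hypothetical, and the 30-day window for "recent" traffic is an assumption. A single device counts as in use only if it both listens on the open port and has seen recent traffic; a set counts as in use if any one member meets both criteria.

```python
"""Audit firewall openings against observed usage (added example, not CERN tooling)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Opening:
    name: str                 # device name or LANDB set name
    members: Tuple[str, ...]  # hosts behind the opening (one host for a single device)
    proto: str                # "tcp" or "udp"
    port: int


# --- constructed sample data; host names and traffic are hypothetical ---
OPENINGS = [
    Opening("web-frontends", ("web-a", "web-b"), "tcp", 443),  # load-balanced LANDB set
    Opening("legacy-1", ("legacy-1",), "tcp", 8080),           # single device
    Opening("vpn-gw", ("vpn-gw",), "udp", 500),                # single device
]

# (proto, port) pairs each host is currently listening on, e.g. collected from `ss -lntu`
LISTENERS: Dict[str, Set[Tuple[str, int]]] = {
    "web-a":    {("tcp", 443), ("tcp", 22)},
    "web-b":    {("tcp", 22)},       # web service stopped, opening still in place
    "legacy-1": {("tcp", 8080)},     # still listening, but nobody connects any more
    "vpn-gw":   {("udp", 500)},
}

# constructed flow records: timestamp proto source destination-host destination-port
FLOW_LOG = """\
2024-03-10T09:12:03Z tcp 203.0.113.5 web-a 443
2024-03-10T09:15:44Z tcp 198.51.100.7 web-a 443
2024-01-02T08:00:00Z tcp 198.51.100.9 legacy-1 8080
2024-03-11T22:40:10Z udp 192.0.2.20 vpn-gw 500
"""

NOW = datetime(2024, 3, 12)            # reference time for the sample audit
WINDOW = timedelta(days=30)            # assumed definition of "recent" traffic


def parse_flows(text: str) -> List[Tuple[datetime, str, str, int]]:
    """Parse the flow log into (timestamp, proto, destination host, destination port)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, _src, dst, port = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proto, dst, int(port)))
    return flows


def last_seen(flows) -> Dict[Tuple[str, str, int], datetime]:
    """Most recent timestamp per (host, proto, port) destination."""
    seen: Dict[Tuple[str, str, int], datetime] = {}
    for ts, proto, dst, port in flows:
        key = (dst, proto, port)
        if key not in seen or ts > seen[key]:
            seen[key] = ts
    return seen


def member_status(host: str, op: Opening, listeners, seen, now, window) -> Tuple[bool, bool]:
    """Return (listening, recent_traffic) for one host behind an opening."""
    listening = (op.proto, op.port) in listeners.get(host, set())
    ts = seen.get((host, op.proto, op.port))
    recent = ts is not None and now - ts <= window
    return listening, recent


def audit(openings, listeners, flows, now=NOW, window=WINDOW):
    """Map each opening name to (in_use, {host: (listening, recent_traffic)})."""
    seen = last_seen(flows)
    report = {}
    for op in openings:
        details = {h: member_status(h, op, listeners, seen, now, window) for h in op.members}
        # a single device must meet both criteria; a set needs one member that does
        in_use = any(listening and recent for listening, recent in details.values())
        report[op.name] = (in_use, details)
    return report


def unused_openings(report) -> List[str]:
    """Openings whose owner would receive a notification email."""
    return sorted(name for name, (in_use, _) in report.items() if not in_use)


def run_demo():
    return audit(OPENINGS, LISTENERS, parse_flows(FLOW_LOG))


if __name__ == "__main__":
    rep = run_demo()
    for name, (in_use, details) in rep.items():
        print(f"{name}: {'in use' if in_use else 'UNUSED'} {details}")
    print("notify:", unused_openings(rep))
```

In the sample data, the web-frontends set stays open because web-a still serves and receives traffic even though web-b has stopped listening, whereas legacy-1 is flagged because its last connection falls outside the window.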

In case the opening does not seem to be used anymore, notification emails will be sent to the main user and the person responsible for the corresponding device or set.