
CERN Computer Security Information

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" href="/style.css" type="text/css" /> <script type="text/javascript" src="/jquery.min.js"></script> <title>CERN Computer Security Information</title> <script type="text/javascript"> $(document).ready(function(){ // Menu highlight var path = location.pathname.split("/"); if ( path ) { $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected'); // path[3] = /security/<xxxxx>/ $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected'); } // Add icon to external links $('a[id!=logo-img]').filter(function() { return this.hostname && this.hostname !== location.hostname;   }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>'); }); </script> </head> <body> <div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width=335 src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a 
href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends--> <!-- content-wrap starts --> <div id="content-wrap"> <div id="main"> <h2>The CERN Outer Perimeter Firewall</h2> <p> In order to protect devices connected to the CERN network from the regular attacks initiated from off-site, <b>incoming connections to all CERN devices are blocked</b> in the CERN outer perimeter firewall by default. In addition, <b>source ports 0-1023/TCP and 0-1023/UDP (except 500/UDP) are blocked</b> by default for outgoing connections. Thus, users can initiate client applications (on so-called higher ports) but not expose server processes.</p> <p>The firewall hardware is maintained by the CERN/IT network group, while the configuration is maintained by the Computer Security Team.</p> <h4>Requesting Firewall Openings</h4> <p>In the exceptional case that a device needs to be directly exposed to the Internet, there are four ways for requesting firewall openings:</p> <ul> <li><b>Via the <a href="https://network.cern.ch/sc/fcgi/sc.fcgi?Action=SelectForUpdate">Network Connection Request Form</a>:</b> Select "update", scroll down to the part called "Central Firewall Configuration" and click on "Make Firewall Request";</li> <li><b>Use so-called <a href="https://network.cern.ch/sc/fcgi/sc.fcgi?Action=SearchForSets&amp;ForAction=DisplaySet">LANDB sets</a></b>, where the firewall has static openings for this LANDB set. Usually, such sets are used for redundancy or large, homogeneous services. These sets are either managed by the Computer Security Team or by the service managers themselves. 
Contact <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a> to figure out whether your device is eligible (or not);</li> <li>For Openstack VMs or any Puppet managed hosts, please follow the <a href="https://configdocs.web.cern.ch/configdocs/firewall/cern.html">specific documentation</a>. Usually, such host groups are used for redundancy or large, homogeneous services;</li> <li><b>Make a special request:</b> For special requests, e.g. for having IPsec opened, contact <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a>.</li> </ul> <h4>Security Requirements</h4> <p>The corresponding device must comply with the OC5 subsidiary policy on <a href="/rules/en/firewall.shtml">Openings in the Outer Perimeter Firewall</a>.</p> <h4>Regular Checks</h4> <p>When requesting an opening or at any other time, the Computer Security Team will conduct the standard <a href="/services/en/device_scans.shtml">vulnerability</a> and, if applicable, <a href="/services/en/web_scans.shtml">Web application</a> scans. For either, you will be asked to stop the local firewall (e.g. using <tt>/sbin/service iptables stop</tt> for most Linux systems). After the scan, you will receive a scan report and be asked to fix any potential vulnerabilities and other problems found. <b>Only devices which have successfully passed the scan(s) will be granted, or allowed to keep, the requested opening.</b> </p> <p>In addition, automatic tools regularly check whether your opening is actually used, i.e. 
whether</p> <ul> <li>there is (still) a service listening on the open port;</li> <li>there has been traffic observed recently contacting that open port.</li> </ul> <p>For homogeneous <a href="https://network.cern.ch/sc/fcgi/sc.fcgi?Action=SearchForSets&amp;ForAction=DisplaySet">LANDB sets</a>, it is sufficient that one of its members fulfils the aforementioned criteria (as we assume that this is a homogeneous load-balanced set with fall-back servers).</p> <p>In case the opening does not seem to be used anymore, notification emails will be sent to the main user and the person responsible for the corresponding device or set.</p> </div> <!-- main ends --> <!-- SIDEBAR --> <!-- sidebar menu starts --> <div id="sidebar"> <ul class="sidemenu"> <li><a href="/home/en/privacy_statement.shtml">Privacy Statement</a></li> </ul> <h3>Computer Security Incident Response</h3> <ul class="sidemenu"> <li><a href="/services/en/emergency.shtml">Emergencies</a></li> <li><a href="/services/en/sems.shtml">Self-mitigation portal</a></li> </ul> <h3>Consulting, Pentesting &amp; Reviews</h3> <ul class="sidemenu"> <li><a href="/services/en/reviews.shtml">...on request</a></li> <li><a href="/services/en/whitehats.shtml">CERN WhiteHat Challenge</a></li> </ul> <h3>Host-Based Intrusion Detection</h3> <ul class="sidemenu"> <li><a href="/services/en/csl.shtml">Central security logging</a></li> <li><a href="/services/en/password_dumps.shtml">Password Dump Notifications</a></li> <li><a href="/services/en/receipts.shtml">Remote Login Notifications</a></li> </ul> <h3>Traffic Control &amp; Monitoring</h3> <ul class="sidemenu"> <li><a href="/services/en/dns.shtml">DNS analysis</a></li> <li><a href="/services/en/ids.shtml">Network-based intrusion detection</a></li> <li><a href="/services/en/firewall.shtml">The CERN outer perimeter firewall</a></li> <li><a href="/services/en/dnim.shtml">Statistical traffic analysis</a></li> <li><a href="/services/en/spam.shtml">SPAM filtering</a></li> </ul> <h3>Vulnerability Scans</h3> <ul 
class="sidemenu"> <li><a href="/services/en/device_scans.shtml">Device scans</a></li> <li><a href="/services/en/network_scans.shtml">Network scans</a></li> <li><a href="/services/en/passwords.shtml">Password cracking</a></li> <li><a href="/services/en/web_scans.shtml">Web application scans</a></li> </ul> </div> <!-- sidebar menu ends --> <!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> &copy; Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>
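Added example, not part of the CERN page or of the Computer Security Team's own tooling: a small Python model of the opening-usage check described under "Regular Checks" (a service still listening on the opened port, traffic observed on it recently, and one compliant member being enough for a homogeneous LANDB set). The hosts, ports, flow records and the 14-day recency window are constructed assumptions.

```python
"""Does a granted firewall opening still look used?  Added example modelling
the two criteria (listener present, recent inbound traffic) and the LANDB-set
rule that one member passing both keeps the whole set's opening.  All data
below is constructed; the 14-day window is an assumption."""
from datetime import datetime, timedelta

# Constructed openings: name -> (member hosts, protocol, destination port).
OPENINGS = {
    "web-frontends": (["web01", "web02", "web03"], "tcp", 443),
    "legacy-ftp": (["ftp01"], "tcp", 21),
    "vpn-gw": (["vpn01"], "udp", 500),
}
# Constructed listener inventory (what a port scan of each host would report).
LISTENERS = {
    "web01": {("tcp", 443)}, "web02": set(), "web03": {("tcp", 443)},
    "ftp01": set(), "vpn01": {("udp", 500)},
}
# Constructed inbound flow records: (timestamp, dst host, protocol, dst port).
FLOWS = [
    ("2024-05-01T10:00:00", "web03", "tcp", 443),
    ("2024-04-01T09:00:00", "ftp01", "tcp", 21),   # too old to count
    ("2024-05-02T08:30:00", "web01", "tcp", 80),   # wrong port, ignored
]
NOW = datetime(2024, 5, 3)
WINDOW = timedelta(days=14)


def member_status(host, proto, port, flows=FLOWS, listeners=LISTENERS,
                  now=NOW, window=WINDOW):
    """Return (listening, recent_traffic) for one host's opening."""
    listening = (proto, port) in listeners.get(host, set())
    recent = any(h == host and p == proto and dp == port
                 and now - datetime.fromisoformat(ts) <= window
                 for ts, h, p, dp in flows)
    return listening, recent


def check_opening(name, openings=OPENINGS, **kw):
    """Report on one opening; it is kept only if some member passes both checks."""
    members, proto, port = openings[name]
    statuses = {m: member_status(m, proto, port, **kw) for m in members}
    in_use = any(lst and rec for lst, rec in statuses.values())
    return {"opening": name, "in_use": in_use,
            "listening": sorted(m for m, (lst, _) in statuses.items() if lst),
            "recent_traffic": sorted(m for m, (_, rec) in statuses.items() if rec),
            "action": "keep" if in_use else "notify main user and responsible"}


def check_all(openings=OPENINGS, **kw):
    """Run the check over every opening; unused ones trigger a notification."""
    return {n: check_opening(n, openings, **kw) for n in openings}
```

Running `check_all()` flags `legacy-ftp` (no listener, traffic too old) and `vpn-gw` (listener but no traffic) for notification, while `web-frontends` is kept because `web03` alone satisfies both criteria.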
