New Lifecycle for Firewall Openings

The first line of defence against malicious traffic from the Internet is CERN's outer perimeter firewall. Following a well-defined set of rules, this firewall permits or denies incoming network traffic to CERN hosts and controls outgoing traffic towards the Internet. System administrators can request firewall openings for the servers they are responsible for via the LANDB Web interface (http://network.cern.ch). Each request is approved or rejected based on the result of a security scan that the Computer Security Team performs on the server in question.

Over the years, the number of firewall openings has grown significantly. System administrators naturally care more about obtaining openings than about requesting their closure once an opening has become obsolete or the server has changed purpose. Worse, servers may pass to a new system administrator who is not even aware of the openings that exist for them. Indeed, a manual review of all firewall openings has shown that several dozen openings have not been used at all in the recent past. Many more were probably used at some point but have since become obsolete.

To improve this situation, the Security Team, in collaboration with the IT Communication Systems Group, will soon deploy a full lifecycle for firewall openings. Openings can be requested as usual using the LANDB Web interface. However, every approved opening will from then on be valid for at most two years. Starting 90 days before the expiry date, the responsible system administrator (i.e. the owner and main user of the corresponding server) will be notified regularly by e-mail and asked either to renew the firewall opening or to discontinue it. If no action is taken, the pending openings expire automatically. System administrators taking over a server should therefore also review the openings registered for it, since expiry notifications will from then on go to them.

This new lifecycle will be deployed and activated in September 2011. Existing firewall openings without an expiry date will have one assigned to them. Openings generated via so-called "LANDB sets" are not affected.

If you have questions, suggestions or comments, please contact Computer.Security@cern.ch or visit us at http://cern.ch/security.

by Computer Security Team