GD group Firewall Requests

The standard procedure to request one or more ports to be accessible from the outside or from the LAN is the following.

Local firewall

The local firewall on the system must first be configured to enable external or LAN access to the port(s).

If the host is running lcg-fw, it must be registered in the appropriate cluster (see instructions here to modify the local firewall configuration).

Site firewall

Depending on the complexity of the firewall request, there are two ways it can be submitted.

Fast track

If the request only affects one or two very standard ports (e.g. http, https):
  • Register your request here: https://www.cern.ch/firewall-registration/
  • The request will then be reviewed by the CERN Security Team, as it must be compliant with the site network security policy (e.g. incoming SSH access is not normally accepted).
  • You will then be asked to temporarily stop the local firewall on your system so that the CERN Security Team can run a security scan on your host.
  • The report of the security scan will be forwarded to you.
  • You may be asked to check/correct your system configuration, and a new scan may then be performed against your host.
  • Once the security scan is validated by the CERN Security Team, your firewall request can be approved.
  • Once the firewall request is approved, it is generally implemented within one working day.

Standard request

If the request is complex or affects multiple ports (e.g. gLite WMS):
  • Send your detailed request to Computer.Security@cernNOSPAMPLEASE.ch
  • You may be asked to fill in a form to confirm the background of the request and provide the name of the Group Leader endorsing the request.
  • The request will then be reviewed by the CERN Security Team, as it must be compliant with the site network security policy (e.g. incoming SSH access is not normally accepted).
  • You will then be asked to temporarily stop the local firewall on your system so that the CERN Security Team can run a security scan on your host.
  • The report of the security scan will be sent back to you.
  • You may be asked to check/correct your system configuration, and a new scan may then be performed against your host.
  • Once the security scan is validated by the CERN Security Team, your firewall request can be approved.
  • Once the firewall request is approved, it is generally implemented within one working day.

Do not hesitate to contact Romain Wartel to:

  • discuss in advance potential issues with a particular firewall request
  • seek help defining your firewall requirements (e.g. what ports do I need to request to enable my gLite CE to be reachable from the outside?).

-- Romain Wartel - 09 Oct 2006

Topic revision: r1 - 2006-10-09 - RomainWartel
 