GD group Firewall requests

The standard procedure for requesting that one or more ports be made accessible from the outside or from the LAN is as follows. It only applies to non-Quattor GD machines.

Local firewall (access from the CERN LAN)

The local firewall on the system must first be configured to allow external or LAN access to the port(s). For test machines, this can be done manually.

Production machines use lcg-fw, which is installed by default on GD systems. The default lcg-fw configuration accepts only SSH, and only from the CERN LAN; all outgoing connections are permitted.

To change the firewall template allocated to a node, contact gd-security-services@cernNOSPAMPLEASE.ch and specify what type of service your host will be providing. An updated template will be issued and automatically installed on the node (provided it runs lcg-fw).

If you manually change the firewall rules on a node running lcg-fw, the registered profile will be re-installed the next time the hourly cron job runs. If you wish to make a temporary change, you can either:

  • Contact gd-security-services@cernNOSPAMPLEASE.ch to temporarily change the firewall template
  • Deprecated: change the local rules yourself after suspending the update of the firewall template, by issuing the following command on the node:
      chmod -x /etc/cron.hourly/firewall.cron

Please consult instructions here for more information. The local firewall status of GD machines is visible at https://lcg-fw.cern.ch/public/.
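
The two facts above, that the default template exposes only SSH inbound and that the hourly cron job re-installs the registered profile unless it has been suspended with the deprecated chmod -x trick, can be checked for on a node. The script below is an added example, not part of this page or of lcg-fw; it assumes iptables-style rules that use --dport, and runs against a constructed sample rule dump (192.0.2.0/24 standing in for the CERN LAN range) unless started with --live.

```shell
#!/bin/sh
# Added example (not from the original page or from lcg-fw): drift check for a
# node meant to run the default lcg-fw template (only SSH reachable inbound).
# Reports whether the hourly template re-install was suspended with the
# deprecated chmod -x trick, and which inbound ports INPUT accepts beyond 22.
FW_CRON=/etc/cron.hourly/firewall.cron   # cron job path named on the page

# "suspended" if the cron job exists but lost its execute bit, "active" if it is
# executable, "missing" if not installed. $1 overrides the path (used by tests).
fw_cron_state() {
    f="${1:-$FW_CRON}"
    if [ ! -e "$f" ]; then echo missing
    elif [ -x "$f" ]; then echo active
    else echo suspended
    fi
}

# Read an `iptables -S INPUT` style dump on stdin; print the --dport of every
# ACCEPT rule, sorted and de-duplicated (multiport --dports is not parsed).
accepted_inbound_ports() {
    awk '/-j ACCEPT/ { for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i+1) }' \
        | sort -n | uniq
}

# Read ports on stdin; print each one missing from the allowed list ($1,
# space-separated). Returns 1 if any such port was found, 0 otherwise.
report_drift() {
    allowed=" $1 "; drift=0
    while read -r p; do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "unexpected inbound port: $p"; drift=1 ;;
        esac
    done
    return $drift
}

# Constructed sample dump; 192.0.2.0/24 stands in for the CERN LAN range.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j DROP'

# With --live, inspect the running firewall (root needed); otherwise use the sample.
if [ "${1:-}" = "--live" ]; then rules=$(iptables -S INPUT); else rules="$SAMPLE_RULES"; fi
if printf '%s\n' "$rules" | accepted_inbound_ports | report_drift "22"; then
    echo "inbound ports match the expected template"
fi
echo "template auto-update: $(fw_cron_state)"
```

On the sample dump the script flags port 8443 as unexpected (3306 is a DROP rule and is ignored) and reports the cron job state, which on a node with a disabled firewall.cron reads "suspended".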

Site firewall

Non-Quattor hosts:

  • Your host must be running lcg-fw
  • Send your request to gd-security-services@cernNOSPAMPLEASE.ch
  • The request will then be reviewed, as it must be compliant with the site network security policy (for example, incoming SSH access is not normally accepted).
  • You will then be asked to temporarily stop the local firewall on your system so that the CERN Security Team can run a security scan on your host.
  • The report of the security scan will be forwarded to you.
  • You may be asked to check/correct your system configuration, and a new scan may then be performed against your host.
  • Once the security scan is validated by the CERN Security Team, your firewall request can be approved.
  • Once the firewall request is approved, it is generally implemented within one working day.

Quattor hosts:

Fast track
If the request only affects one or two very standard ports (for example http or https).

  • Register your request here: https://www.cern.ch/firewall-registration/
  • The request will then be reviewed by the CERN Security Team, as it must be compliant with the site network security policy (for example, incoming SSH access is not normally accepted).
  • You will then be asked to temporarily stop the local firewall on your system so that the CERN Security Team can run a security scan on your host.
  • The report of the security scan will be forwarded to you.
  • You may be asked to check/correct your system configuration, and a new scan may then be performed against your host.
  • Once the security scan is validated by the CERN Security Team, your firewall request can be approved.
  • Once the firewall request is approved, it is generally implemented within one working day.

Standard request
If the request is complex or affects multiple ports (for example gLite WMS).

  • Send your detailed request to Computer.Security@cernNOSPAMPLEASE.ch
  • You may be asked to fill a form to confirm the background of the request and provide the name of the Group Leader endorsing the request.
  • The request will then be reviewed by the CERN Security Team, as it must be compliant with the site network security policy (for example, incoming SSH access is not normally accepted).
  • You will then be asked to temporarily stop the local firewall on your system so that the CERN Security Team can run a security scan on your host.
  • The report of the security scan will be sent back to you.
  • You may be asked to check/correct your system configuration, and a new scan may then be performed against your host.
  • Once the security scan is validated by the CERN Security Team, your firewall request can be approved.
  • Once the firewall request is approved, it is generally implemented within one working day.

Help

Do not hesitate to contact Romain Wartel to:

  • discuss in advance potential issues with a particular firewall request
  • seek help in defining your firewall requirements (for example: which ports do I need to request so that my gLite CE is reachable from the outside?).

-- Romain Wartel - 27 Nov 2006

Topic revision: r2 - 2006-11-27 - RomainWartel