Since Santa Claus delivered CERN’s next-generation outer perimeter firewall right before Christmas, the IT department’s network team has finalised its installation and commissioning and the first packets should flow soon through it. With it come new, advanced protection capabilities (hence “next-generation firewall”). Time, then, to start benefitting from these new protective features!
First, some background: CERN’s outer perimeter firewall is the first line of defence for the Organization’s computer security. As a “stateful” firewall, it keeps track of the full state of every single network connection, i.e. the destination IT service being connected to, the network protocol employed (i.e. ICMP, TCP or UDP), the port number used (e.g. “ports 20000-25000/tcp”) and the application-layer protocol (e.g. “HTTPS”), as well as whether the traffic originated from within CERN (“outgoing”) or is destined to be served by CERN (“incoming”).
The firewall automatically analyses in depth any incoming or outgoing traffic and autonomously judges whether to permit or deny its onward journey into or out of CERN. The decision to grant or block traffic is based on network protocol standards, firewall-opening requests made by CERN IT service managers, dedicated threat intelligence provided by the firewall’s security researchers, and the decisions of CERN’s Computer Security Officer, who is mandated to protect the Organization against all types of cyberthreats.
Adhering to network protocol standards, any outgoing traffic initiated from the so-called “lower ports”, i.e. ports 0-1023* or using so-called “private” or “non-routable” IP addresses will be blocked.
Any incoming traffic is blocked by default unless there is an explicit opening towards a particular IT service. Administrators of such IT services can submit corresponding firewall-opening requests, which are subsequently assessed and approved or rejected by the Computer Security team.
In general and as in the past, correctly secured services in production are authorised and opened. Requests in respect of systems that fail to follow basic security paradigms are rejected, and the corresponding systems have to improve their security posture before being reassessed.
Complementing CERN’s intrusion detection system (see our Bulletin article on “Scaling out intrusion detection”), the new firewall comes with sophisticated threat intelligence on malicious actors and threats, allowing the Computer Security team to block any malicious or abnormal incoming or outgoing traffic.
In addition, the firewall will block outgoing traffic to a number of external destinations considered to pose security risks to CERN (and to your devices), like websites:
- serving malware or being abused for commanding or controlling malware
- hosting phishing sites
- offering “grayware” for downloads (i.e. unwanted applications or files that are not classified as malware but can worsen the performance of computers and cause security risks)
- as well as newly registered domains and private – and hence non-routable – IP addresses.
Furthermore, the firewall will block sites known to contain content the accessing of which constitutes a violation of CERN’s Computing Rules (OC5), like those:
- dedicated to illegally offering videos, movies or other media for download
- infringing copyrights (peer-to-peer communication will not be affected as it is also used nowadays for many legitimate reasons).
For these blocked categories, measures have been put in place to understand the collateral damage with regard to false positives, i.e. websites that are harmless. So, if you identify a website that you strongly believe is wrongly blocked, contact us at Computer.Security@cern.ch.
Other categories of websites may or may not be blocked by the firewall, depending on the settings that CERN chooses. However, it goes without saying that just because a website is not blocked does not mean that accessing it is necessarily OK and permitted under CERN’s Computer Rules. Accessing content that is inappropriate or offensive or that violates applicable laws is in breach of these Rules and will be followed up by the Computer Security team as usual, regardless of such content’s status in the firewall’s filters.
Any other outgoing traffic, e.g. you browsing the internet, remains unrestricted and the internet is freely “visible” to your devices, laptops and smartphones. Websites with “innocent” content, used either for professional business or for personal leisure, will continue to be accessible from within CERN’s office network, e.g. business and economy, educational institutions, financial services, government, health and medicine, internet communications and telephony, internet portals, job searches, legal, news, online storage and backup, personal sites and blogs, reference and research, search engines, shopping, social networking, training and tools, translation, travel, web-based email, etc.
Please note that, even though CERN provides unrestricted internet access, browsing for personal leisure should be aligned with the “Rules for Personal Use” of the CERN Computing Rules.
Overall, this new configuration is regarded as sound and reasonable. It reflects best practice in terms of modern blocking capabilities and procedures, and protects our open academic environment while taking seriously our need for robust cybersecurity protection.
_____
* VPN and IPsec tunnels will be kept open.
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.