Openings in the Outer Perimeter Firewall

2021/8/26 by CSO

This subsidiary policy to Operational Circular No. 5 defines the rules under which openings in CERN's outer perimeter firewall are approved and maintained. Any opening not fulfilling those rules are (kept) to be closed. The procedure for requesting an opening can be found here.

Rules

Any device with openings in CERN's outer perimeter firewall needs to meet the following security requirements:

  • The service must be unique and not be covered by central IT services. For example, consider using the central CERN Webservice instead of setting up your own Web server to host Web sites or Web applications. This will allow you delegating the responsibility for maintaining a secure configuration, timely patching, proper back-ups, intrusion detection, etc. to the IT department;
  • The service must have a justified case of professional need. SSH servers and control system servers will generally not be opened. Instead, please use the standard means for remotely connecting to CERN;
  • The device must be ready for production and configured according to the relevant Security Baselines. The latter requires that software updates will be applied automatically, that all non-essential network services are disabled;
  • The device must have proper logging enabled, recording remote actions, their origin and precise time. For example, for web accesses this means logging the time (UTC or GVA timestamp), the source IP address, the full URI and if relevant the logged-in user. Such logs should be pushed into central logging infrastructure, for example through the IT Monitoring service or the Computer Security Team's infrastructure;
  • The device must pass the standard vulnerability and, if applicable, Web application scans at any time.

In addition, when using Puppet host groups or delegated LANDB sets, these must be homogeneous, attributed to a distinct use case, and used for production only.

Derogations are possible upon request to Computer.Security@cern.ch.