Firewall on Demand

Service Description

Firewall on Demand enables GRNET customers to filter or mitigate flows with non-legitimate traffic (DoS/DDoS) targeting their border router or internal networks.

Access and authentication to the the service portal relies on the SAML protocol (Shibboleth). Authorisation, on the contrary, depends on a number of pre-defined Shibboleth attributes released by the customer's IdP and its address space as registered in RIPE's db. All software modules are open source and were implemented by GRNET/NOC..


The following attributes are required for administrators and must be released by their home IdPs to the SP according to the policy and procedures documentation provided by the GRNET AAI federation:

eduPersonPrincipalNameProvides a string that uniquely identifies an administrator in the management application.
eduPersonEntitlementA specific URN value must be provided to authorize an administrator:
mailThe e-mail address (one or more) of the administrator. It is used for notifications from the management application. It may also be used for further communication, with prior consent.
givenName (optional)The person's first name.
sn (optional)The person's last name.


The service enables users to mitigate active attacks aimed at their network equipment. The creation of dynamic firewall filters that are applied to the network using the management protocol NETCONF and are propagated to compatible (Juniper) backbone network devices via BGP flowspec NLRI are its fundamental functional components.

Filters may be applied only to address spaces that belong to the customers' network. Currently, attacks are limited as per /29 subnet.
Requests for new filters are applied and propagated immediately to the network's elements and therefore users should wisely fill the application. Filters that have been applied to the network are removed after their expiry date, and users can activate then again by selecting the corresponding option. Moreover, users are given the option for early deactivation of their requests.


Applications are monitored and reported upon request to the customer's designated administrator(s). The service administrators may at any time remove active requests from the network, if deemed necessary.

Requests or clarifications regarding the operation of the service should be submitted to GRNET Helpdesk (tel: 800-11-47638 + or via e-mail to helpdesk -@-



Presentation in TNC2012