Firewall on Demand

Service Description


Firewall on Demand enables GRNET customers to filter or mitigate flows with non-legitimate traffic (DoS/DDoS) targeting their border router or internal networks.

Access and authentication to the service portal rely on the SAML protocol (Shibboleth). Authorisation, on the other hand, depends on a number of pre-defined Shibboleth attributes released by the customer's IdP and on the customer's address space as registered in the RIPE database. All software modules are open source and were implemented by GRNET/NOC.

Users


The following attributes are required for administrators and must be released by their home IdPs to the SP according to the policy and procedures documentation provided by the GRNET AAI federation:

Attribute                  Description
eduPersonPrincipalName     Provides a string that uniquely identifies an administrator in the management application.
eduPersonEntitlement       A specific URN value must be provided to authorize an administrator: urn:mace:grnet.gr:fod:admin
mail                       The e-mail address (one or more) of the administrator. It is used for notifications from the management application. It may also be used for further communication, with prior consent.
givenName (optional)       The person's first name.
sn (optional)              The person's last name.
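The authorisation rule above is simple to state but easy to get wrong on the SP side: SAML attributes are multi-valued, the entitlement must match the URN exactly, and the optional attributes must not be required. The following is an added example (not part of the service description or of the GRNET/NOC code) of how an SP could evaluate the released attributes; the attribute map layout, the sample users and the function name are assumptions.

```python
# Example SP-side admin authorisation for the attribute policy described above.
# Added illustration, not GRNET's code. Attribute values are modelled the way
# most Shibboleth SP integrations expose them: one list of strings per attribute.
from typing import Dict, List, Tuple

ADMIN_ENTITLEMENT = "urn:mace:grnet.gr:fod:admin"  # value required by the policy


def authorize_admin(attrs: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Decide whether a released attribute set identifies an authorised administrator.

    Returns (True, eppn) on success, or (False, reason) explaining which
    required attribute was missing or wrong. Optional attributes (givenName, sn)
    are deliberately not checked.
    """
    eppn = attrs.get("eduPersonPrincipalName", [])
    if len(eppn) != 1 or not eppn[0].strip():
        return False, "eduPersonPrincipalName missing or not single-valued"

    # Exact-match on the whole URN; a prefix match would accept unrelated
    # entitlements from the same namespace.
    entitlements = attrs.get("eduPersonEntitlement", [])
    if ADMIN_ENTITLEMENT not in entitlements:
        return False, "admin entitlement not released by the home IdP"

    mails = [m for m in attrs.get("mail", []) if m.strip()]
    if not mails:
        return False, "no mail attribute; notifications could not be delivered"

    return True, eppn[0]


# Constructed sample attribute sets (hypothetical users and IdP).
SAMPLE_USERS = {
    "authorised": {
        "eduPersonPrincipalName": ["noc@example.edu"],
        "eduPersonEntitlement": ["urn:mace:example.edu:staff", ADMIN_ENTITLEMENT],
        "mail": ["noc@example.edu"],
        "givenName": ["Alice"],
    },
    "wrong_entitlement": {
        "eduPersonPrincipalName": ["student@example.edu"],
        "eduPersonEntitlement": ["urn:mace:grnet.gr:fod:admin:readonly"],
        "mail": ["student@example.edu"],
    },
    "no_mail": {
        "eduPersonPrincipalName": ["ops@example.edu"],
        "eduPersonEntitlement": [ADMIN_ENTITLEMENT],
    },
}

if __name__ == "__main__":
    for label, attrs in SAMPLE_USERS.items():
        print(label, authorize_admin(attrs))
```

Note that the second sample carries an entitlement that merely starts with the required URN; a `startswith` check would have let it through, which is why the comparison is on the complete string.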

Implementation

The service enables users to mitigate active attacks aimed at their network equipment. Its fundamental functional components are the creation of dynamic firewall filters, which are applied to the network using the NETCONF management protocol and propagated to compatible (Juniper) backbone network devices via BGP flowspec NLRI.

Filters may be applied only to address spaces that belong to the customer's network. Currently, filters are limited to a /29 subnet.
Requests for new filters are applied and propagated immediately to the network elements, so users should fill in the request form carefully. Filters that have been applied to the network are removed after their expiry date, and users can re-activate them by selecting the corresponding option. Moreover, users are given the option of deactivating their requests early.
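Because a request is pushed to the backbone immediately, the checks described above (destination inside the customer's registered space, the /29 limit, an expiry in the future) have to run before anything is rendered for NETCONF. The following is an added example, not the service's own code: a policy check over a filter request followed by rendering the rule as a Junos `routing-options flow route` stanza. The request fields, the customer prefixes, the `/29` reading (a rule may target no more than a /29, i.e. prefix length 29 or longer) and the action vocabulary are assumptions; the Junos syntax is the standard flowspec configuration syntax.

```python
# Added illustration of pre-push validation and Junos flowspec rendering.
# Not GRNET's code; all sample values are constructed.
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumption: "limited to a /29" is read as "no broader than a /29".
MIN_PREFIX_LEN = 29

# Constructed customer address space (documentation ranges), as it might be
# looked up from the RIPE database for the authenticated customer.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("2001:db8:1::/48")]
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass
class FilterRequest:
    name: str                      # flow route name (hypothetical field)
    destination: str               # attacked prefix, e.g. "203.0.113.8/29"
    action: str                    # "discard" or "rate-limit <bps>" (assumed vocabulary)
    expires: datetime              # the rule is withdrawn after this time
    protocol: Optional[str] = None
    destination_port: Optional[int] = None


def make_request(destination: str, hours: int = 1, **kw) -> FilterRequest:
    """Build a constructed request that expires `hours` after NOW."""
    return FilterRequest(name="fod-demo", destination=destination, action=kw.pop("action", "discard"),
                         expires=NOW + timedelta(hours=hours), **kw)


def check_request(req: FilterRequest, customer_prefixes, now: datetime) -> List[str]:
    """Return policy violations; an empty list means the request may be pushed."""
    problems: List[str] = []
    try:
        # strict=True rejects "203.0.113.9/29" (host bits set) instead of silently masking it.
        dst = ipaddress.ip_network(req.destination, strict=True)
    except ValueError as exc:
        return [f"bad destination: {exc}"]
    same_family = [p for p in customer_prefixes if p.version == dst.version]
    if not any(dst.subnet_of(p) for p in same_family):
        problems.append("destination is outside the customer's registered address space")
    if dst.prefixlen < MIN_PREFIX_LEN:
        problems.append(f"destination broader than /{MIN_PREFIX_LEN}")
    if req.expires <= now:
        problems.append("expiry is not in the future")
    if not (req.action == "discard" or req.action.startswith("rate-limit ")):
        problems.append("action must be 'discard' or 'rate-limit <bps>'")
    if req.destination_port is not None and not 0 <= req.destination_port <= 65535:
        problems.append("destination port out of range")
    return problems


def render_junos_flow_route(req: FilterRequest) -> str:
    """Render the request as a Junos routing-options flow route stanza."""
    match = [f"destination {req.destination};"]
    if req.protocol:
        match.append(f"protocol {req.protocol};")
    if req.destination_port is not None:
        match.append(f"destination-port {req.destination_port};")
    body = "\n".join(f"                {m}" for m in match)
    return (
        "routing-options {\n    flow {\n"
        f"        route {req.name} {{\n            match {{\n{body}\n            }}\n"
        f"            then {{\n                {req.action};\n            }}\n"
        "        }\n    }\n}"
    )


if __name__ == "__main__":
    good = make_request("203.0.113.8/29", protocol="udp", destination_port=53)
    print(check_request(good, CUSTOMER_PREFIXES, NOW))       # [] -> safe to push
    print(render_junos_flow_route(good))
    print(check_request(make_request("198.51.100.8/29"), CUSTOMER_PREFIXES, NOW))
```

The rendered text is what an operator would expect to see in `show configuration routing-options flow`; in a real deployment it would be converted to the equivalent XML and delivered over NETCONF, and the expiry would be tracked by a scheduler that later withdraws the route.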

Security

Applications are monitored and reported upon request to the customer's designated administrator(s). The service administrators may at any time remove active requests from the network, if deemed necessary.

Requests or clarifications regarding the operation of the service should be submitted to the GRNET Helpdesk (tel: 800-11-47638 or via e-mail to helpdesk -@- grnet.gr).


Publications

Presentation at TNC2012

Paper: http://www.noc.grnet.gr/sites/default/files/tnc2012_misc_Leonidas.pdf