14354991089_a990402c4f_kSlide thumbnail

Firewall on demand

Firewall on Demand enables GRNET customers to filter flows of non-legitimate traffic (DoS/DDoS) targeting their border router or internal networks.

Access and authentication to the service portal relies on the SAML protocol (Shibboleth), while authorization is based on a number of pre-defined Shibboleth attributes released by the customer’s IdP and its address space as registered in RIPE’s db. All software modules are open source and have been implemented by GRNET/NOC.

Users

The following attributes are required for administrators and must be released by their home IdPs to the SP according to the policy and procedures documentation provided by the GRNET AAI federation:

Attribute Description
eduPersonPrincipalName Provides a string that uniquely identifies an administrator in the management application.
eduPersonEntitlement A specific URN value must be provided to authorize an administrator: urn:mace:grnet.gr:fod:admin
mail The e-mail address (one or more) of the administrator. It is used for notifications from the management application. It may also be used for further communication with the administrator, with prior consent.
givenName (optional) The administrator’s first name.
sn (optional) The administrator’s last name.

Implementation

About

The service enables users to mitigate active attacks aimed at their network equipment. The creation of dynamic firewall filters that are applied to the network using NETCONF management protocol, and they are propagated to compatible (Juniper) GRNET backbone network devices via BGP flowspec NLRI.

Filters may be applied only to address space that belong to the customers’ network. Currently, attacks are limited as per /29 subnet.

Requests for new filters are applied and propagated immediately to the network’s elements. Filters that have been applied to the network are removed after their expiration date, and users can activate them again by selecting the corresponding option. Moreover, users are given the option for early deactivation of their requests.

Security

Applications are monitored and reported upon request to the customer’s designated administrator(s). The service administrators may at any time remove active requests from the network, if deemed necessary.

Requests or clarifications regarding the operation of the service should be submitted to GRNET Helpdesk (tel: 800-11-47638 + or via e-mail to helpdesk -@- grnet.gr).