Christmas has come early this year for the Computer Security team and the Communication and Network group (IT-CS) in the form of hardware for a new outer perimeter firewall. This next-generation firewall is intended to boost performance and bandwidth as well as being a sophisticated means to better identify and protect against cyberattacks.
CERN’s outer perimeter firewall is the first line of defence protecting the Organization from any malicious or otherwise unwanted network traffic entering its general-purpose network. The firewall exposes to the internet selected computing services that need to be accessible from outside CERN, controls internet traffic from and to all user devices, and blocks malicious traffic. Due to an increasingly aggressive global cyberthreat landscape, it is imperative to strengthen our firewall’s cybersecurity protection and detection capabilities using modern and sophisticated prevention tools. Unfortunately, the firewall currently installed at CERN, with its protective features and its limited throughput, has become insufficient to support the Organization’s networking and protection needs.
Enter our Christmas present! CERN’s new outer perimeter firewall will correct these two drawbacks – limited bandwidth and limited protection capabilities – and provide a sustainable solution for the next seven plus years.
On the hardware side, it will be able to digest, filter and control up to 200 Gb per second in uplink (i.e. leaving CERN) and downlink (i.e. entering CERN) traffic without any performance penalty. Its set-up is flexible, meaning that this total bandwidth can be adapted to CERN’s current and future needs and ramped up whenever necessary. Of course, hardware redundancy will guarantee high availability and spare CERN from connection problems in the event of one of the hardware chassis or their network connections failing. And the whole functionality will be integrated into the network automation software developed and used by IT-CS, to ensure that configurations are properly managed and can be changed easily and consistently.
On the computer security side, this new firewall benefits from advanced threat intelligence, which offers enhanced capabilities compared to traditional threat prevention services. Such threat intelligence services rely on security researchers to track down specific threat groups, ranging from cybercriminals to nation-state attackers, in order to produce detailed, up-to-date, specific indicators for detecting malicious attacks. Combined with the threat intelligence already available to CERN’s Computer Security team, this means sophisticated potential attacks will be automatically identified and malicious content automatically filtered before it can cause harm.
These advanced services also make it possible to enforce certain CERN Computing Rules (OC5) by blocking internet content that is considered to be inappropriate (e.g. pornographic or sexually explicit material, or sites that promote the abuse of both legal and illegal drugs) or offensive (e.g. websites promoting terrorism, racism, fascism or other extremist views that discriminate against people or groups of different ethnic backgrounds, religions or other beliefs, but not websites discussing controversial political or religious views) or violates applicable laws (e.g. sites that infringe copyright by illegally offering music, movies or other media for download). We still need to determine the extent to which such content should be blocked without overly restricting our academic liberties and freedom of communication. We would like to hear your thoughts on this – write to us at Computer.Security@cern.ch.
In the next few months, the IT-CS experts and the Computer Security team will put this lovely Christmas gift of a new firewall into production – for a better first line of defence. And we want to spread the Christmas spirit by wishing you all a happy and healthy holiday season. Enjoy your time off, take care of yourself and your family, and stay safe and secure!
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.