What/Why

Currently most desktop computers and many group compute servers at SLAC have public IP addresses with most ports above 1024 open to the internet. The vast majority of these machines have no need for incoming TCP connections, and leaving these ports open poses a security risk with no gain in functionality. We therefore propose to move to a system in which, by default, all incoming TCP ports are blocked at the border router.

Since we have no good way of knowing which incoming ports will need to remain open, we will need to carry out a community outreach to inform group computing coordinators, and later everyone at SLAC, about the plan. During this initial outreach period, and for the foreseeable future after port blocking is implemented, we will need a very low-impedance method for people to request that ports be opened to specific machines or sets of machines. During this period most requests to open incoming ports should be accepted with minimal review. When port blocking is first implemented, we should anticipate that many users who will be affected by the blocking will not yet have given us any input, so we will have to plan an easy way for users to get ports unblocked quickly (perhaps by increased staffing of the computing "help desk").
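As an added illustration (not part of the original SLAC page), the following Python models the proposed policy: rows from an exceptions database become permit rules, followed by a default deny for all inbound TCP, and the still-open question of inbound UDP is left as a parameter. The addresses, ports and database layout are constructed for the example.

```python
import ipaddress

# Constructed stand-in for the exceptions database: one row per approved
# request, keyed by a host or a set of machines (CIDR), listing the inbound
# TCP ports to leave open. Addresses are documentation ranges, not SLAC's.
EXCEPTIONS = [
    {"target": "198.51.100.7/32",  "ports": {22, 443}, "owner": "group-a"},
    {"target": "198.51.100.64/27", "ports": {8443},    "owner": "group-b"},
    {"target": "2001:db8:1::/64",  "ports": {22},      "owner": "group-c"},
]

def build_policy(exceptions, udp_open_by_default=True):
    """Turn database rows into an ordered rule list ending in default-deny TCP.
    Whether inbound UDP stays open is an open question on the page, so it is
    a parameter here rather than a decision."""
    rules = []
    for row in exceptions:
        net = ipaddress.ip_network(row["target"], strict=False)
        for port in sorted(row["ports"]):
            rules.append(("permit", "tcp", net, port))
    rules.append(("deny", "tcp", None, None))  # default: block all inbound TCP
    rules.append(("permit" if udp_open_by_default else "deny", "udp", None, None))
    return rules

def is_permitted(rules, dst, proto, port):
    """First-match evaluation of an inbound flow, as a border ACL would do it."""
    addr = ipaddress.ip_address(dst)
    for action, rproto, net, rport in rules:
        if rproto != proto:
            continue
        if net is not None and (addr.version != net.version or addr not in net):
            continue
        if rport is not None and rport != port:
            continue
        return action == "permit"
    return False  # nothing matched: treat as denied

def render_acl(rules):
    """Render the rules as vendor-neutral text for review before they are fed
    to the border router."""
    lines = []
    for action, proto, net, port in rules:
        dst = "any" if net is None else str(net)
        dport = "any" if port is None else str(port)
        lines.append(f"{action} {proto} from any to {dst} port {dport}")
    return lines

if __name__ == "__main__":
    print("\n".join(render_acl(build_policy(EXCEPTIONS))))
```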

Timeline

In order to implement this policy we need to do the following:

  • Document initial simple plan
  • Set up (buy or make) some database to keep track of exceptions
  • Communicate plan to relevant group computing coordinators
  • Gather feedback and exception requests
  • Acquire firewall capable of implementing this policy
  • Set up automated system for feeding exceptions into firewall
  • Finalize plan based on feedback
  • Document plan in "policies and procedures"
  • Announce plan to all users (via SLAC today?)
  • Implement policy
  • Anticipate feedback from confused users
  • Ongoing review of exceptions and formulation of longer term policy

Port blocking workflow

Open questions

  • Block incoming ssh by default?
  • Leave incoming UDP open by default?
  • How to communicate to computing coordinators?
  • IPv6 support?
  • Who is going to do the work?