Date

Attendees

Goals

Discussion items

TimeItemWhoNotes

Firewall On Demand (FoD)
  • (info page for FoD development https://wiki.geant.org/pages/viewpage.action?pageId=63965046)
  • FoD v1.5 = FoD with new functionalities: rule range specification, current rule behaviour statistic graphs, multi-tenant rule control REST-API
  • FoD v1.6 = FoD with automated rule proposal from RepShield
  • FoD v1.5 Pilot UAT testing
        • Existing user documentation (as presentation document, especially regarding rule control REST API) should be extended to a proper document, e.g. to be used in future user trainings
        • Pilot evaluation survey which was of used for FoD v1.1 has to be reviewed and updated for v1.5
        • Third UAT VC: feedback from pilot users:
              • LITNET: https connection issues for UAT server
              • EENET: format restriction for names of rules?
              • EENET: it maybe useful to at least extend the statistics interval to 7 days (current auto expire maximum time)
              • EENET: are graphs continued after expiring and reactivating?
              • LITNET and EENET have both DDoS detections based on NfSen (http://nfsen.sourceforge.net/; mainly for UDP attacks), as well as volume-to-host threshold checking (e.g. based on Cacti), LITNET currently is investigating also into FastNetMon
              • LITNET (also EENET) have mostly short attacks, 5-10 min
              • EENET: attacks from GEANT+NorduNET link
              • EENET started to test REST API, e.g. nice would be possibility to reactivate a rule every week after auto timeout
              • idea (LITNET): for single attacker IP address+port allow to block traffic to whole subnet (also bigger than /29) to mitigate e.g. scanning attacks
        • issues on FoD test machines: firewall configuration was lost and had to be restored; local puppet interfered with FoD when trying to reinstall old FoD file versions
        • Hands-On during this VC on FoD test server:
            • TCP/UDP Port 0 specification tested with real traffic
            • allowed any length for TCP/UDP port ranges (initially it has been limited to 100 because of concerns regarding BGP FlowSpec performance)
            • increased setting for max length of mitigation stats from 1 day to 7 days: effect on graphs will have to be checked; ideally zooming features should be implemented
            • increased setting for max auto expiration time of rules from 7 days to 30 days; issues with JavaScript DatePicker have still to be investigated
            • added link for JSON data export of mitigation statistics
        • => after further checking: resulting config updates and a new rpm with new modifications should be installed on FoD UAT server to allow pilot users to test modifications
  • FoD v1.5 production service documents
      • Now for the future production phase of FoD v1.5 (and all further versions) all necessary PLM documents have to be prepared, e.g. CBA, service description, service design plan
      • Especially for the operative documents this will be done in close cooperation of Evangelos
      • For most PLM documents, this will be done by filling the FoD service template wiki pages (https://wiki.geant.org/display/gn42jra2/Firewall-On-Demand+%28FoD%29+Service) which David started to fill
      • Evangelos will check the service template to get acquainted with it
  • FoD v1.6 (with RepShield) development/testing/pilot:
        • DDoS simulation/testing: configuration changes in test Flowmon instance have been done: now it possible to simulate/test DDoS attacks with one of the FoD test machines as victim from anywhere, e.g. using hping3 tool
        • Hands-On during this VC on FoD test server:
              • test Warden/RepShield: some components were not running any more: has been fixed during VC
              • test FlowMon instance obviously stopped exporting it's alerts to test warden since 01.12.2017; needs to be investigated

DDoS Detection/Mitigation (D/M) WG
  • GARR DDoS D/M PoCs/Testing Framework
      • GARR DDoS working-group F2F meeting took place: agreed to do a joint experimentation in the coming months.
      • => test Radware washing machine with GARR user; detection systems: FastNetMon, Security Onion, a smaller Radware box and others
      • In next days: start Radware PoC

RepShield/NERD
  • RepShield/NERD development: some performance improvements
  • Silvia/Nino will check how to share alert data from their FastNetMon PoC to Warden, Václav will support them in writing/installing Warden filer script for exporting

T6 Code on Github
  • Nicole Harris still needs to grant write permission to Tomáš and Václav to publish code on GEANT Github

Next VC

In 2 weeks: 07.02.2018, 14:15-15:15 CE(S)T

Action items

  • Evangelos: provide DDoS simulation/testing VM
  • Evangelos: check the FoD service template (https://wiki.geant.org/display/gn42jra2/Firewall-On-Demand+%28FoD%29+Service) to get acquainted with it
  • David/Evangelos/Tomáš/Václav: investigate broken exchange between flowmon and local Warden/RepShield
  • Tomáš: investigate JavaScript DatePicker issue
  • Tomáš: investigate possibilities for zooming in mitigation stats graphs
  • Silvia/Nino/Václav: cooperate on checking whether and how to export GARR FastNetmon PoC alerts to Warden
  • all: next regular T6 VC: 07.02.2018, 14:15-15:15 CE(S)T


  • No labels