You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Date

Attendees

Goals

Discussion items

TimeItemWhoNotes

Firewall On Demand (FoD)
  • (info page for FoD development https://wiki.geant.org/pages/viewpage.action?pageId=63965046)
  • FoD v1.5 = FoD with new functionalities: rule range specification, current rule behaviour statistic graphs, multi-tenant rule control REST-API
  • FoD v1.6 = FoD with automated rule proposal from RepShield
  • Other FoD v1.5 pilot preparations
      • Existing user documentation (as presentation document) update currently in progress
      • Pilot evaluation survey which was of used for FoD v1.1 has to be reviewed and updated for v1.5
  • Pilot UAT testing
      • Fix by Tomas for specifying port 0 has been provided, still has to be tested on testing machine before creating new rpm for UAT machine
      • Second UAT VC: feedback from pilot users:
        • LITNET tried again rule 53,0 to mitigate a short 5-20 min DDoS attack -> failed somehow and no graphs were created
        • EENET: strange DDoS attack at end of year (repeated at particular intervals), mitigation (rate-limiting) worked with a single rule, but graphs with longer time range would be desirable to easier investigate attack behaviour
        • EENET started to test REST API, e.g. nice would be possibility to reactivate a rule every week after auto-timeout
        • idea (LITNET): for single attacker IP address+port allow to block traffic to whole subnet (also bigger than /29) to mitigate e.g. scanning attacks
        • CERT meeting in Hamburg, 5-7.02.2018
  • FoD v1.5 production service documents
      • Now for the future production phase of FoD v1.5 (and all further versions) all necessary PLM documents have to be prepared, e.g. CBA, service description, service design plan
      • Especially for the operative documents this will be done in close cooperation of Evangelos
      • For most PLM documents, this will be done by filling the FoD service template wiki pages (https://wiki.geant.org/display/gn42jra2/Firewall-On-Demand+%28FoD%29+Service) which David started to fill
      • Evangelos will check the service template to get acquainted with it
  • FoD v1.6 (with RepShield) development/testing/pilot:
        • DDoS simulation/testing would be valuable to test viability of the approach, especially during the development/testing
        • VM for DDoS simulation/testing to be installed in Lab still pending

DDoS Detection/Mitigation (D/M) WG

GARR DDoS D/M PoCs/Testing Framework

GARR Arbor PoC: preliminary results:

        • ARBOR's so-called profile detection seems to be incapable of detecting DDoS attacks (even to some reliable extent) out of highly dynamic and unforeseeable research network traffic in GARR
        • So profile detection is disabled for now in the PoC
        • Beyond that ARBOR is creating a large number of false positives
        • Furthermore, alert export of ARBOR is quite limited, so far only email export seems to be realizable
        • But because of the high false positive rate is not considered currently
        • Remaining use of ARBOR in GARR (and so also similar research networks, including universities) may be to limit the DDoS detection to particular machines, e.g. DNS servers

RepShield/NERD
  • RepShield/NERD development: some performance improvements
  • Silvia/Nino will check how to share alert data from their FastNetMon PoC to Warden, Václav will support them in writing/installing Warden filer script for exporting

Next VC

In 2 weeks: 24.01.2018, 14:15-15:15 CE(S)T

Action items

  • Evangelos: provide DDoS simulation/testing VM
  • Evangelos: check the FoD service template (https://wiki.geant.org/display/gn42jra2/Firewall-On-Demand+%28FoD%29+Service) to get acquainted with it
  • Silvia/Nino: provide action plan document for GARR DDoS D/M PoCs next week
  • Silvia/Nino/Václav: cooperate on checking whether and how to export GARR FastNetmon PoC alerts to Warden
  • all: next regular T6 VC: 24.01.2018, 14:15-15:15 CE(S)T


  • No labels