Date

Attendees

Goals

  • Status Updates of work items (FOD/RepShield/CT)
    • FoD v1.5 pilot preparations
    • Deliverable FoD v1.6 (with automated rule proposal from RepShield)
    • FoD v1.6 pilot
  • Status of DDoS Detection/Mitigation WG
  • F2F-Meeting-Planning:
      • location: Prague
      • => Discussing potential date
  • GEANT Symposium, 03-04.10.2017, Budapest
  • Review Open Action Points from last VC(s)
  • AOB

Discussion items

TimeItemWhoNotes

Firewall On Demand (FoD)
  • (info page for FoD development https://wiki.geant.org/pages/viewpage.action?pageId=63965046)
  • FoD v1.5 = FoD with new functionalities: rule range specification, current rule behavior statistic graphs, multi-tenant rule control REST-API
  • FoD v1.6 = FoD with automated rule proposal from RepShield
  • FoD v1.5 pilot installation
      • REST API basically works (querying, creating, changing, deleting rules), for FoD v1.6 automated rule proposal functionality will has to be enhanced and extended
      • Issues with Puppet on the pilot machine, replacing FoD files as well as reconfiguring Firewall resulting in blocked SSH sessions and FoD SNMP traffic
      • Finally all changes for v1.5 have to be adapted in puppet, David is contact with Michael Haller from GÉANT for this
  • Other FoD v1.5 pilot preparations
      • Excel sheet for pilot acceptance criteria has to be reviewed and finalized
      • Then pilot can be opened to the committed pilot users, Evangelos will prepare an introduction mail for the this
      • Evangelos will sent old pilot evaluation survey which was of used for FoD v1.1 so it can be updated for v1.5
  • FoD v1.5 production service documents
      • Evangelos sent old PID document for FoD
      • Now for the future production phase of FoD v1.5 (and all further versions) all necessary PLM documents have to be prepared, e.g. CBA, service description, service design plan
      • Especially for the operative documents this will be done in close cooperation of Evangelos
  • Deliverable D8.3 "DDoS Detection/Mitigation Pilot"
      • Deliverable D8.3 about FoD pilot v1.6 (integration with RepShield) was finalized and sent to technical authors; now waiting for feedback
  • FoD v1.6 (with RepShield) development/testing/pilot:
      • Plan for pilot
          • Use of FlowMon Warden/IDEA connector for accessing NSHaRP events by this Warden/RepShield instance
          • Firewall-rule-updater (FRU) component: script which uses API of RepShield to get NSHaRP events (correlated with each other and other DDoS/security events/information) as well as REST API of FoD to propose rules in inactive state, inform respective (pilot) users via mail
      • VM to install Warden/RepShield is lacking enough disk space and it would be preferable to recreate it again with CentOS 7 as OS, as Václav already has working scripts for RepShield (installation)
      • Vaclav started to install Warden/RepShield on VM, Tomáš will find out status of it
      • Explicit information about FlowMon Warden/IDEA connector documentation and test events of it are still missing; initial tests will be done by some assumptions
      • For automated rule proposal by FRU existing FoD REST API will has to be enhanced and extended regarding following issues:
            • Mapping of NShaRP users to FoD users along with assigned allowed IP prefixed (in FoD) and REST API tokens
            • => potentially REST-API of FoD has to be extended to query that meta-information
            • Ability to flexibly change rules (with API or GUI to later-on edit proposal) independently of other existing rules (e.g., from other NSHaRP events), even if their ip address source/destination pair is the same
            • Maybe ability to group rules in FoD, as a single NSHaRP event has to be translated to multiple rules

RepShield/NERD
  • VM for RepShield for FoD v1.6 is lacking disk space and ideally should be reinstalled with CentOS 7 as OS
  • So instead of installation of RepShield on this VM work on RepShield in general was continued.

Certificate Transparency (CT)

No news because of holiday period


F2F Meeting Planning
  • Location: Prague is to be used (thanks to Tomáš and Václav)
  • So everybody can check required travel time
  • Foodl (https://foodl.org/foodle/T6-F2F-Meeting-596f1) was filled by mostly anybody
  • => date will be 21-22.11.2017 (2 half days meeting)

GEANT Symposium, 02-05.10.2017, Budapest
  • Everybody in T6 is invited to come there
  • Time is 03-04.10.2017
  • Registration at https://eventr.geant.org/events/2564
  • There will be a "Network Monitoring and Management" session where
          • Evangelos will present about NSHaRP and FoD (15min)
          • David will present about other parts of T6, i.e., mainly RepShield and CT (10min)
          • Afterwards a 15-min discussion will follow

Next VC

In 2 weeks: 23.08.2017, 14:15-15:15 CE(S)T

Action items

  • Evangelos will provide FlowMon Warden/IDEA connector documentation and if possible some test events from it when he is back from holiday
  • David: Wait for Puppet config to be updated by Michael Haller
  • Evangelos will prepare an pilot phase introduction mail for the FoD v1.5 pilot users when he is back from holiday
  • David/Evangelos: update of user documentation for FoD v1.5
  • Tomáš/Václav: install Repshield for FoD v1.6 pilot on VM provided by Evangelos after VM has been newly installed with CentOS and more disk space
  • all: Register for GEANT Symposium (03-04.10.2017) at https://eventr.geant.org/events/2564
  • all: Next regular T6 VC: 23.08.2017, 14:15-15:15 CE(S)T


  • No labels