This page holds information related to the level of service committed to the users and requirements that users must oblige to when using the service.

RESPONSIBLE: Information provided in this page is initially populated by the development team (during the transition phase), and revised based on the need or in a yearly service check by service_name Service Manager.

Service Description

Intro


Firewall on Demand service provides potential users (educational and academic community) the option to protect their networking equipment against network attacks and threats.

In particular, the SERVICE is provided by GÉANT to the academic and research community who have needs for short-term protection against network attacks with destination, equipment they operate.
To ensure the integrity of the service and in order to prevent the service being a source of attacks, the authentication of users is done via Shibboleth. The authorisation is based on a combination of Shibboleth attributes with the address space that each organization manages.
The software chosen to implement the service is solely based on open source.
Requests or clarifications concerning the operation of the service should be submitted to GÉANT OC Helpdesk via phone at +44 1223 733033 or via e-mail to ncc@noc.geant.net.

Joining the service


Joining the service requires the appropriate configuration of certain Shibboleth attributes:

  • givenName
  • mail
  • persistent-id
  • principalName
  • surname
  • uniqueID
Use


The service enables users to mitigate active attacks aimed at their network equipment.
It is based on the creation of dynamic firewall filters that are applied to the network using the management protocol NETCONF and are propagated to compatible (Juniper) backbone network devices via BGP flowspec NLRI.
In order to properly complete the application for a new filter is essential that the destination address belongs to the user's administrative network.
Currently attacks are limited to protect IPv4 targets and per /29 subnet and for IPv6 targets limited to /64 subnets.
Requests for new filters are applied directly to the network and therefore users should pay extra attention in their request. Filters that have been applied to the network are removed after their expiry date, and users can activate then again by selecting the corresponding option.
Moreover, users are given the option for early deactivation of their requests.

Security

For security reasons, the submission of requests is monitored by the administrators of the service.
The service administrators may at any time remove active requests from the network, if this is deemed necessary.


Terms of Service


The FoD service is provided by GÉANT to the academic and research community and the use of the service should only be done to promote academic, educational and research purposes. The following terms apply to all users of the service. These terms of use, as applicable, and each time amended, constitute the contract between the service users and GÉANT. To use the service, users are required to accept the following terms.

Potential Users


The service is targeted at the Network Operation Centers (or similar structures) approved by the board of GÉANT, participating in the federal identification using Shibboleth. The service is provided to mitigate network attacks aimed at network equipment. The entrance and use of the service requires proper configuration and release of specific Shibboleth attributes.

  • No labels