Service Description
Firewall on Demand enables GRNET customers to filter or mitigate flows with non-legitimate traffic (DoS/DDoS) targeting their border router or internal networks.
Access and authentication to the service portal rely on the SAML protocol (Shibboleth). Authorisation, by contrast, depends on a number of pre-defined Shibboleth attributes released by the customer's IdP, together with the customer's address space as registered in the RIPE database. All software modules are open source and were implemented by GRNET/NOC.
Users
The following attributes are required for administrators and must be released by their home IdPs to the SP according to the policy and procedures documentation provided by the GRNET AAI federation:
- eduPersonPrincipalName: Provides a string that uniquely identifies an administrator in the management application.
- eduPersonEntitlement: A specific URN value must be provided to authorize an administrator: urn:mace:grnet.gr:fod:admin
- mail: The e-mail address (one or more) of the administrator. It is used for notifications from the management application. It may also be used for further communication, with prior consent.
- givenName (optional): The person's first name.
- sn (optional): The person's last name.
Implementation
The service enables users to mitigate active attacks aimed at their network equipment. Its fundamental functional components are the creation of dynamic firewall filters, which are applied to the network via the NETCONF management protocol and propagated to compatible (Juniper) backbone network devices as BGP flowspec NLRI.
Filters may be applied only to address space that belongs to the customer's network. Currently, filter targets are limited to /29 subnets.
Requests for new filters are applied and propagated immediately to the network elements, so users should fill in the request form carefully. Filters that have been applied to the network are removed after their expiry date; users can reactivate them by selecting the corresponding option. Users may also deactivate their requests early, before expiry.
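The two sections above describe the gate a request passes through: the Shibboleth attributes that authorise an administrator (eduPersonPrincipalName, the urn:mace:grnet.gr:fod:admin entitlement, mail) and the address-space and /29 limits on what a filter may target, before a flow route is pushed via NETCONF. The following is an added, constructed example of those checks and of the Junos flow-route payload that results; it is not flowspy's own code. The attribute names and the entitlement URN are taken from this page; the registered-network table, the reading of the /29 limit as "no broader than /29", the route naming and the XML layout (routing-options/flow/route, as in the Junos configuration hierarchy) are assumptions made for the illustration.

```python
"""Constructed illustration of the FoD request path: authorise the admin from
Shibboleth attributes, validate the target prefix, build the Junos flow-route
configuration. Not flowspy code; registry, limit and XML layout are assumed."""
import ipaddress
import xml.etree.ElementTree as ET

# Entitlement value named on the page; everything else here is an assumption.
ADMIN_ENTITLEMENT = "urn:mace:grnet.gr:fod:admin"
MIN_PREFIX_LEN = 29  # assumed meaning of "filters are limited to /29 subnets"

# Constructed stand-in for the address space a customer has registered in the RIPE db.
REGISTERED_NETWORKS = {
    "example.gr": ["192.0.2.0/24", "2001:db8:1::/48"],
}


class Rejected(Exception):
    """Raised when a request fails authorisation or validation."""


def authorize(attrs):
    """Authorise an administrator from the attributes the IdP released to the SP.

    attrs maps attribute name -> list of values (SAML attributes are multi-valued).
    Returns (principal, realm); the realm selects the customer's registered networks.
    """
    eppn = attrs.get("eduPersonPrincipalName", [])
    if len(eppn) != 1 or "@" not in eppn[0]:
        raise Rejected("missing or malformed eduPersonPrincipalName")
    # Entitlement is multi-valued: test membership, never equality with a single value.
    if ADMIN_ENTITLEMENT not in attrs.get("eduPersonEntitlement", []):
        raise Rejected("eduPersonEntitlement does not grant FoD admin")
    if not attrs.get("mail"):
        raise Rejected("mail attribute is required for notifications")
    principal = eppn[0]
    realm = principal.split("@", 1)[1]
    return principal, realm


def validate_target(destination, realm, registry=REGISTERED_NETWORKS):
    """Accept a destination prefix only if it is no broader than /MIN_PREFIX_LEN
    and lies inside the realm's registered address space (assumed registry)."""
    try:
        target = ipaddress.ip_network(destination, strict=True)  # reject host bits set
    except ValueError as exc:
        raise Rejected(f"bad prefix {destination!r}: {exc}") from None
    if target.prefixlen < MIN_PREFIX_LEN:
        raise Rejected(f"{target} is broader than /{MIN_PREFIX_LEN}")
    for net in registry.get(realm, []):
        registered = ipaddress.ip_network(net)
        if target.version == registered.version and target.subnet_of(registered):
            return target
    raise Rejected(f"{target} is not within the registered address space of {realm}")


def build_flow_route(name, target, protocol=None, destination_port=None, action="discard"):
    """Render the flow-route configuration to be sent with NETCONF <edit-config>;
    once committed, the router advertises it as a BGP flowspec NLRI.
    Element layout follows the Junos hierarchy routing-options/flow/route (assumed)."""
    config = ET.Element("configuration")
    flow = ET.SubElement(ET.SubElement(config, "routing-options"), "flow")
    route = ET.SubElement(flow, "route")
    ET.SubElement(route, "name").text = name
    match = ET.SubElement(route, "match")
    ET.SubElement(match, "destination").text = str(target)
    if protocol:
        ET.SubElement(match, "protocol").text = protocol
    if destination_port is not None:
        ET.SubElement(match, "destination-port").text = str(destination_port)
    then = ET.SubElement(route, "then")
    ET.SubElement(then, action)  # e.g. <discard/>
    return ET.tostring(config, encoding="unicode")


def request_filter(attrs, destination, **match):
    """One request end to end: authorise, validate the prefix, build the payload."""
    principal, realm = authorize(attrs)
    target = validate_target(destination, realm)
    name = f"fod-{principal.split('@')[0]}-{target.network_address}-{target.prefixlen}"
    return build_flow_route(name, target, **match)


# Constructed sample attribute set, shaped as an SP would hand it to the application.
SAMPLE_ATTRS = {
    "eduPersonPrincipalName": ["alice@example.gr"],
    "eduPersonEntitlement": ["urn:mace:example.gr:staff", ADMIN_ENTITLEMENT],
    "mail": ["alice@example.gr"],
}

if __name__ == "__main__":
    print(request_filter(SAMPLE_ATTRS, "192.0.2.8/29", protocol="udp", destination_port=53))
```

The order of the checks matters: the entitlement decides whether the caller may request filters at all, the registry decides which prefixes that caller may touch, and only a prefix that passes both is rendered into configuration. Because the page notes that requests are pushed to the routers immediately, rejecting over-broad or foreign prefixes before anything reaches NETCONF is the point of the second check.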
Security
Filter requests are monitored and reported upon request to the customer's designated administrator(s). The service administrators may at any time remove active requests from the network, if deemed necessary. Requests or clarifications regarding the operation of the service should be submitted to the GRNET Helpdesk (tel: 800-11-47638, or via e-mail to helpdesk -@- grnet.gr).
Source Code
Get it via git: git clone https://github.com/grnet/flowspy
or visit https://github.com/grnet/flowspy and grab the latest file under the Files section.