On 29 May CERN again increased the security of its firewall. All servers that need to be directly accessible from the internet (e.g. mail and web servers) must now have prior authorization and be configured explicitly in CERN's main firewall. This strengthening of the firewall also affects the LXPLUS Linux cluster by restricting off-site access to its SSH server.

In the past users could expose some applications to the internet without prior agreement, but this has led to security incidents that could have placed the whole site at risk and/or impacted the reputation of the laboratory. We have had to take action to close this loophole.

CERN began to strengthen its firewall some years ago by protecting services that were known to be targeted by attackers. Now any service offered to the internet is considered to be a target for attack. The situation has become too dangerous to permit external exposure without justification and without security checks being carried out in advance.

To make it easier to manage firewall access for the many CERN services that must be made available to the internet, the IT Department's Communication Systems group has integrated firewall management into its network database tools. This enables registered system administrators to view and request firewall modifications for the devices they manage. This new system was described in a previous article, "CERN upgrades firewall to meet requirements of LHC".