perfSONAR nodes are meant to be used, both by local users and the public at large, to perform a variety of network tests. This open access policy is at odds with mitigating the risk of exposing functionality to those who would cause harm. The following is a possible approach for managing access to the host:
- SSHD can be turned off completely if remote terminal access to the machine is not needed (e.g. where console access is available, either directly or indirectly).
- If SSHD is turned on, consider a jump host setup in which the perfSONAR node can only be reached through a single trusted host (or a set of them). This type of restriction can be implemented in IPTables.
- Tool access can be controlled using the perfSONAR limits system.
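The jump-host restriction from the second point above, as an added example that is not from the perfSONAR documentation: it confines inbound SSH to a list of trusted hosts using IPv4 iptables. The chain name PS_SSH, the DRY_RUN switch and the sample addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the perfSONAR documentation): restrict inbound SSH
# on a perfSONAR node to a set of trusted jump hosts with IPv4 iptables.
# Assumptions: SSH listens on TCP/22 unless a port is given, and the jump
# hosts are IPv4 addresses or CIDR prefixes. Set DRY_RUN=1 to print the
# rules for review instead of applying them (applying requires root).

# Run one iptables command, or print it when DRY_RUN=1. In dry-run mode a
# rule check (-C) reports "absent" so that the complete ruleset is printed.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        if [ "$1" = "-C" ]; then return 1; fi
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the jump-host policy in its own chain (PS_SSH) so it can be
# rebuilt without touching the rest of the perfSONAR firewall rules.
ssh_jump_host_rules() {
    jump_hosts="$1"        # space-separated, e.g. "192.0.2.10 198.51.100.0/24"
    ssh_port="${2:-22}"

    ipt -N PS_SSH 2>/dev/null   # no-op if the chain already exists
    ipt -F PS_SSH

    for h in $jump_hosts; do
        # Skip anything that is not digits, dots and an optional /prefix.
        case "$h" in
            *[!0-9./]*) echo "skipping invalid jump host: $h" >&2; continue ;;
        esac
        ipt -A PS_SSH -s "$h" -j ACCEPT
    done

    # Log (rate-limited) and drop every other SSH connection attempt, so
    # denied sources remain visible in the system log for fail2ban or review.
    ipt -A PS_SSH -m limit --limit 5/min -j LOG --log-prefix "ps-ssh-denied: "
    ipt -A PS_SSH -j DROP

    # Send new SSH connections to PS_SSH; insert the hook only once.
    ipt -C INPUT -p tcp --dport "$ssh_port" -m conntrack --ctstate NEW -j PS_SSH 2>/dev/null \
        || ipt -I INPUT -p tcp --dport "$ssh_port" -m conntrack --ctstate NEW -j PS_SSH
}

# Review the ruleset first with constructed documentation-range addresses:
# DRY_RUN=1 ssh_jump_host_rules "192.0.2.10 198.51.100.0/24"
```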
perfSONAR nodes come with the fail2ban host IDS. This tool analyzes many of the logs on the host and inserts IPTables rules to prevent malicious users from repeatedly attacking system resources. For example, a host that performs an SSH scan (e.g. attempting to log in with many user names over a short period of time) would be blocked from accessing the host.
perfSONAR uses Linux IPTables to block traffic to all ports not needed by perfSONAR. More information can be found at: http://docs.perfsonar.net/manage_security.html
Using perfSONAR with Firewalls
Firewalls can impact network performance, so we recommend placing the perfSONAR node outside the firewall if possible. If the perfSONAR device must be behind a firewall, a set of ports must be opened for incoming and outgoing traffic. The list of ports that need to be open can be found at: http://docs.perfsonar.net/manage_security.html
In general, if a site blocks outgoing traffic based on destination port, this will cause problems for the perfSONAR measurement tools, since there is no way to limit the port choices of the remote sites. Outbound filtering is therefore not recommended.
NTAC Performance Working Group Statement
The NTAC Performance Working Group has published a document related to deploying perfSONAR while still justifying cybersecurity policy. This document can be found here: