CMSR External Access Restrictions
The CMSR database is currently open on the CERN central firewall on port 10121 (Oracle's listener port), allowing applications such as PhEDEx to connect from outside the CERN network. This access is currently protected only by a database trigger that raises an exception when a connection from an unauthorized IP is attempted. This is not very secure. Some time ago we discussed replacing the trigger with a set of firewall rules, which provide much better protection because the connection is refused before it ever reaches the listener.
For 2 months we logged the IPs of the servers whose connections were accepted by the trigger, and from this we compiled the list of firewall rules to be deployed (please see the attached Excel sheet for details). The rules typically cover the larger subnets of the respective organizations, not just the individual servers that were connecting.
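Added example, not part of the original page or of CERN's tooling: a small Python check that cross-references a candidate allowlist for port 10121 against the source IPs the trigger accepted, reporting any logged IP that no rule covers and any rule that no logged IP ever used, then renders the rules as iptables lines. The log format, the subnets and the organization names are constructed assumptions.

```python
import ipaddress
from collections import Counter

LISTENER_PORT = 10121  # Oracle listener port named on the page

# Constructed sample of the trigger's accepted-connection log
# (the "<timestamp> <source-ip> accepted" format is an assumption).
ACCEPTED_LOG = """\
2015-03-01T10:00:00 192.0.2.17 accepted
2015-03-01T10:05:00 192.0.2.18 accepted
2015-03-02T08:30:00 198.51.100.5 accepted
2015-03-02T09:00:00 192.0.2.17 accepted
2015-04-15T12:00:00 203.0.113.77 accepted
"""

# Constructed candidate rules: organization -> subnet allowed to reach the port.
CANDIDATE_RULES = {
    "site-a": "192.0.2.0/24",
    "site-b": "198.51.100.0/24",
    "site-c-unused": "203.0.113.128/25",  # deliberately does not cover .77
}


def parse_accepted_ips(log_text):
    """Return a Counter of source IPs (as strings) the trigger accepted."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == "accepted":
            counts[str(ipaddress.ip_address(parts[1]))] += 1
    return counts


def check_coverage(ip_counts, rules):
    """Return (IPs no rule covers, rule names no logged IP matched)."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in rules.items()}
    uncovered, used = [], set()
    for ip in ip_counts:
        addr = ipaddress.ip_address(ip)
        hit = next((n for n, net in nets.items() if addr in net), None)
        if hit is None:
            uncovered.append(ip)
        else:
            used.add(hit)
    return sorted(uncovered), sorted(set(nets) - used)


def render_iptables(rules, port=LISTENER_PORT):
    """Emit one ACCEPT per subnet followed by a default DROP for the port."""
    lines = [f"-A INPUT -p tcp --dport {port} -s {cidr} -j ACCEPT"
             for cidr in rules.values()]
    lines.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return lines
```

An IP in the "uncovered" list means the new rules would cut off a client the trigger had been admitting, so it must be resolved before the trigger is removed.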
--
EmilPilecki - 2015-05-19