02/10/2026 | News release | Distributed by Public on 02/10/2026 05:36
The past two years have brought a lot of new computer-security deployments at CERN. Spurred on by the 2023 cybersecurity audit, a lot has already been achieved and 2026 should see the successful implementation of all remaining work packages. We already discussed mandatory requirements for IT service managers and upcoming changes to password policies and improvements to two-factor authentication in the last two issues of the Bulletin. Finally, let's focus on networking in this one.
2026 will also bring improved and more granular network filtering to the Technical Network (TN) and, later, between the Campus and data centre networks, introducing a pair of redundant firewalls for each. Today's filtering between the Campus network, the Meyrin and Prévessin data centres and the TN is based on tuples of IP addresses and, in some rare cases, network service ("port numbers"). This "TRUSTED/EXPOSED" mechanism dates back to before 2006, when no filtering between those network domains was deployed at all. Today, that filtering is deemed too coarse as it either broadly "trusts" particular enumerated devices on the Campus or in the data centres and makes those visible to the whole TN, or exposes certain enumerated devices from the TN to all the other networks. With the upcoming TN firewall, such cross-traffic from the TN to the data centres and the Campus network will be identified and controlled in a more fine-grained manner: Which IT services need to be visible to the TN? Using which network ports? In which direction (incoming or outgoing)? Using which transport protocol (TCP? UDP?)? And who are its clients on the TN? The same holds true for devices connected to the TN: Where do they need to expose their data to and how? With the TN firewall hardware deployed before Long Shutdown 3 (LS3), the major task will be to answer those questions and migrate from the current "TRUSTED/EXPOSED" mechanism to the more fine-grained firewall protection rules during LS3. And once we are done with that, an identical firewall will be deployed between the Campus network and the data centres.
In parallel, and linked to more "domestic" matters, all IT services hosted in the Meyrin or Prévessin data centres will consider deploying OpenStack's "Security Groups" once this feature is available. "Security Groups" will allow each service to separate its internal back-end servers from the user-facing front-ends and to better protect both from any other data centre services. At the time of writing, all virtual machines in the "m4" family are eligible, with other types expected to join in 2026-2027. And remember, in the Prévessin data centre this functionality is already in place and ready to be put to good use. Similarly, certain control systems, like those for building automation, will be subjected to better network protection (VLANs), as we have done for the CCTV cameras, general access control systems and printers in 2025.
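To make concrete why address-only "TRUSTED/EXPOSED" filtering is considered too coarse, and what the per-service, per-port, per-protocol, per-client rules of the TN firewall (and, inside a data centre, of Security Groups) add, here is a small added model in Python. It is not CERN's code or rule set: the address ranges for the TN, data centres and Campus, the host addresses and the rules are all constructed for illustration.

```python
"""Added example: legacy IP-tuple filtering versus fine-grained firewall rules.

All network ranges, hosts and rules below are constructed for illustration;
they are not CERN's actual address plan or firewall configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones (assumption, not CERN's real ranges).
TN = ip_network("172.16.0.0/12")       # Technical Network
DC = ip_network("10.0.0.0/8")          # data centres
CAMPUS = ip_network("192.168.0.0/16")  # Campus network


@dataclass(frozen=True)
class Flow:
    """A connection attempt: the client (src) opens proto/dport on the service (dst)."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One fine-grained rule answering the article's questions: which clients,
    which service, which port, which transport protocol. Direction is fixed by
    which side is the client; reply packets are implied by stateful tracking."""
    clients: str   # CIDR of the allowed clients
    service: str   # CIDR of the service host(s)
    proto: str
    dport: int

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.clients)
                and ip_address(f.dst) in ip_network(self.service)
                and f.proto == self.proto
                and f.dport == self.dport)


def legacy_allows(f: Flow, trusted: set[str], exposed: set[str]) -> bool:
    """TRUSTED/EXPOSED as described in the article: the decision is taken on
    IP addresses only, so a match opens every port and protocol.
    trusted: Campus/DC hosts made visible to the whole TN.
    exposed: TN hosts made visible to all other networks."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    if src in TN and f.dst in trusted:    # any TN client -> TRUSTED host, any port
        return True
    if dst in TN and f.dst in exposed:    # any outside client -> EXPOSED TN host, any port
        return True
    return False


def firewall_allows(f: Flow, rules: list[Rule]) -> bool:
    """Default deny; a flow passes only if some rule matches all four fields."""
    return any(r.matches(f) for r in rules)


# Constructed legacy lists: one DC log collector is TRUSTED, one TN gateway is EXPOSED.
TRUSTED = {"10.1.1.10"}
EXPOSED = {"172.16.5.5"}

# The same two needs expressed as fine-grained TN firewall rules.
TN_RULES = [
    Rule(clients="172.16.0.0/12", service="10.1.1.10/32", proto="tcp", dport=5044),  # TN devices ship logs
    Rule(clients="10.2.0.0/16", service="172.16.5.5/32", proto="tcp", dport=443),    # only the operator subnet
]

# Security-group style separation inside a data centre: front-ends reachable
# from Campus on HTTPS, back-end databases reachable only from the front-ends.
SG_RULES = [
    Rule(clients="192.168.0.0/16", service="10.3.1.0/24", proto="tcp", dport=443),
    Rule(clients="10.3.1.0/24", service="10.3.2.0/24", proto="tcp", dport=5432),
]


def compare(f: Flow) -> tuple[bool, bool]:
    """(legacy decision, fine-grained decision) for one flow crossing the TN boundary."""
    return legacy_allows(f, TRUSTED, EXPOSED), firewall_allows(f, TN_RULES)


if __name__ == "__main__":
    cases = [
        Flow("172.16.7.7", "10.1.1.10", "tcp", 5044),   # intended use: both allow
        Flow("172.16.7.7", "10.1.1.10", "tcp", 22),     # SSH to the collector: legacy allows, firewall denies
        Flow("192.168.4.4", "172.16.5.5", "tcp", 443),  # Campus client to EXPOSED host: legacy allows, firewall denies
        Flow("10.2.0.9", "172.16.5.5", "udp", 443),     # wrong transport protocol: firewall denies
    ]
    for c in cases:
        print(c, "legacy/firewall:", compare(c))
    print("Campus -> back-end DB:", firewall_allows(Flow("192.168.4.4", "10.3.2.7", "tcp", 5432), SG_RULES))
```

The pairs printed by `compare` show the gap the article describes: once a host is on the TRUSTED or EXPOSED list, every port and protocol on it is reachable, whereas the rule-based model only admits the enumerated service, port, protocol and client range and denies everything else by default.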
More generally, 2026 should usher in an encrypted Wi-Fi network using industry-standard WPA protection. While this does not provide end-to-end encryption of your traffic, it secures your traffic from network snooping and protects the CERN network from connections by unauthorised devices. WPA roll-out is planned for early 2026, with a long transition from the old network ("CERN" SSID) to the new one ("CERN-Campus") such that no device is left behind.
So, thanks a lot for helping secure CERN if you are involved with the TN and Campus firewalls or "Security Groups". The TN admins and the Computer Security Office, respectively, will surely reach out to you. And for the upcoming WPA3 Wi-Fi deployment: Just. Try. It. Out. It's an easy step towards obtaining the best privacy for your communication while further protecting the Organization.
_________
Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at [email protected].