
Computer Security: 2025 – Plugging holes

CERN’s computing infrastructure is vast and heterogeneous, dynamic and complex. Keeping it secure is a marathon – trying to stay ahead of new deployments in order to guarantee decent protection, but often just running behind, trying to regain control. The Computer Security Office has been attempting to plug obvious holes in CERN’s computer security stance since well before the 2023 cybersecurity audit, and it will continue to do so in 2025 and beyond.

Very early measures to maintain control were already established in the 2000s, when CERN’s outer perimeter firewall was toggled from “mostly open” to “closed with controlled openings”. Since then, all incoming connections have required a dedicated opening, while outgoing traffic is by default blocked on all so-called “lower” ports (i.e. ports 0-1023, TCP and UDP). In doing so, CERN regained visibility and control over what kind of traffic enters and leaves CERN, providing proper protection and early detection. One hole plugged.

Also in the 2000s, the Technical Network (TN) was isolated from what was then called the General Purpose Network (GPN), such that only explicitly permitted hosts could communicate between both worlds. While that provided a first level of control and protection, its “trusted/exposed” mechanism, based on simple IP addresses and Access Control Lists (ACLs), remained coarse, vague and still too open. This is why Long Shutdown 3 (LS3) will see “trusted/exposed” replaced by a fully fledged redundant pair of firewalls that are better able to filter and select between desirable and undesirable traffic. In the course of their deployment, all central IT services and some control systems will need to define precisely which parts (e.g. the “front-end”) to open between the networks – a restriction based on need, not on convenience. Another hole plugged.

Similarly, today’s Campus network (i.e. large parts of the aforementioned GPN, hosting office PCs and the wireless network) will be separated from CERN’s data centre networks via a similar set of firewalls. As for the TN, only necessary servers and services will be exposed to CERN IT’s clients, while the “internal goings-on” will stay within the data centres and no longer be accessible to third parties. Hole three plugged.

Turning to CERN’s web sphere, its “internet presence”, many different penetration tests have time and again revealed weaknesses, misconfigurations and vulnerabilities. Still today, the choice of which website is publicly visible and which is not lies with the webmaster, uncontrolled and unreviewed by the Computer Security Office. With the deployment of a Web Application Firewall, a layer of monitoring and protection will be inserted in order to catch at least the basic blunders and mistakes. Mandatory “Security Principles” will help website owners to further improve the security stance of their sites. Two more holes plugged.

While a new mail application already plugged additional holes linked to malicious emails, phishing attempts and the like, the 2024 deployment of antispoofing measures (“SPF/DKIM/DMARC”) and the upcoming deployment of “impersonation protections” will further protect CERN mailboxes from malicious evildoers. With that, we are done. Several holes, plugged in one go.

Finally, accounts. In February 2025, a two-year-long campaign to deploy 2-factor authentication (2FA) to all CERN primary and secondary accounts concluded. At least it concluded for the CERN Single Sign-On, now protecting access to many CERN websites. A big hole plugged. And further holes will be plugged with the roll-out of 2FA to CERN’s interactive Linux service (“LXPLUS”) and Windows Terminal Service (“CERNTS”). In addition, discussions have started on how to improve the security of so-called service accounts (2FA, too?) and how to better distinguish between secondary accounts (alternative accounts for humans) and service accounts (intended to be used by automatisms). While this is still pending, CERN’s password rules will evolve this year, dropping the requirement for “a mix of capital and small letters, numbers and symbols” and instead simply requiring a passphrase of 15 characters: “Fais de ta vie un rêve, et d’un rêve, une réalité”, “In Xanadu did Kubla Khan a stately pleasure dome decree!”, and even “Mmm Mmm Mmm Mmm” will become acceptable passwords. The hole created by password rules that are too weak should be plugged soon.
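The contrast between the old complexity rule and the new 15-character passphrase rule, as an added example that is not CERN’s own code. It assumes the old rule meant that all four character classes had to be present; the three passphrases are the ones quoted above, and `Ab1!xyz` is a constructed old-style password.

```python
"""Old complexity rule versus new 15-character passphrase rule (added example,
not CERN's implementation; the exact form of the old rule is an assumption)."""
import unicodedata

MIN_PASSPHRASE_LEN = 15  # the requirement stated in the article

# Passphrases quoted in the article, plus one constructed old-style password.
SAMPLES = (
    "Fais de ta vie un rêve, et d’un rêve, une réalité",
    "In Xanadu did Kubla Khan a stately pleasure dome decree!",
    "Mmm Mmm Mmm Mmm",  # exactly 15 characters: sits right on the threshold
    "Ab1!xyz",          # constructed: satisfies the old rule, too short for the new one
)


def passes_old_rule(pw: str) -> bool:
    """Assumed old rule: a mix of capital and small letters, numbers and
    symbols, i.e. every one of the four classes must appear at least once."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in pw)
    return has_upper and has_lower and has_digit and has_symbol


def passes_new_rule(pw: str) -> bool:
    """New rule: a passphrase of at least 15 characters, no class mix required.
    Length is counted in code points after NFC normalisation so that an accented
    letter such as 'ê' counts once whether it was typed precomposed or as
    'e' plus a combining accent."""
    normalised = unicodedata.normalize("NFC", pw)
    return len(normalised) >= MIN_PASSPHRASE_LEN


def evaluate(pw: str) -> dict:
    """Report how a candidate fares under both rules."""
    return {"old": passes_old_rule(pw), "new": passes_new_rule(pw)}


def compare_samples() -> dict:
    """Evaluate every sample; the quoted passphrases fail the old rule and
    pass the new one, the constructed password does the opposite."""
    return {pw: evaluate(pw) for pw in SAMPLES}


if __name__ == "__main__":
    for pw, result in compare_samples().items():
        print(f"{pw!r}: old={result['old']} new={result['new']}")
```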

Of course, it is natural that there are more holes and new holes will follow. With the Computer Security Board now in place, the existing and new rules that are subsidiary to the CERN Computing Rules will be officially approved, as future rules will be too, helping to control CERN’s vast and heterogeneous, dynamic and complex computing landscape, providing additional layers of protection, and helping to plug the (security) holes of the future.

______

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.

anschaef