As a security measure a host-based firewall is now being implemented on centrally managed Scientific Linux workstations.
Just as Fermilab works toward reducing its carbon footprint to contribute to a greener environment, employees need to put effort into managing the laboratory’s Internet footprint to maintain a secure computing environment.
Our Internet footprint consists of a wide variety of communication channels open to the large numbers of computers attached to the Fermilab internal network. Each of these channels, an offered service or an open port, is a potential avenue for an attacker to exploit a security vulnerability and take control of a laboratory computer.
For many years, Windows and Mac desktop and laptop systems restricted open channels by running host-based firewalls by default. That same practice is now being implemented on centrally managed Scientific Linux workstations. A host-based firewall allows for the computing needed to support the laboratory’s scientific mission while being less vulnerable to attackers on the Internet. The standard firewall configuration will allow most users to operate as they do now with no modifications. Additional services identified by the user as necessary will also be allowed through the host-based firewall. Unnecessary services will be blocked by the firewall and thus not visible from the general Internet.
This practice will bring these desktop workstations into compliance with the laboratory policy of offering only specific required Internet services. Similarly, computer servers will begin undergoing an inventory of offered services to reduce unneeded open ports. Together, these efforts will significantly reduce Fermilab’s Internet footprint.
— Irwin Gaines