Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA. UNCLASSIFIED. LANL Unclassified Network Re-engineering.


LANL Unclassified Network Re-engineering
Dale Land, Chris Kemper, Jim Clifford
LA-UR, July 2010

Over the next three years, LANL IT services will help the Laboratory to be more competitive, and support an agile, collaborative, highly mobile and fully networked workforce.

IT Vision – Classified & Unclassified
- Agile support of mission with security and compliance built in
- Separation of various levels of sensitive data via network enclaves supported by role-based access control
- A single (non-colored) unclassified network vs. the current state of parallel yellow, green and visitor networks
- Classified network centered on SVTRs supporting SRD, SNSI, SFRD, SIPRnet, etc.
- Agnostic support of mission computing platforms
- Tailoring the IT environment to give the staff what they need to do their jobs

Key Technologies
- Virtual servers / Virtual Desktop Infrastructure (VDI)
- Strong identity management, network access controls for people, devices, information and applications

One view of the IT Vision
1. One ubiquitous mobile device (does everything!)
2. That docks back in the office
3. Tied into high-availability central computing and storage

ICAM – Unified Identity and Access Mgmt
- Access to network, computers, applications, and data
- Fine-grain roles control access to resources
- Auto-provisioning for business roles: Employee, Program / Line Manager, Rad Worker, etc.
- Self-serve site for specific accesses: HPC, Data Warehouse, Network Connect/VPN, ISR Raptor Enclave, etc.
  - Automated approval workflow
- Support for HSPD-12 credentials

Commercial Partner
- Oracle proof-of-concept
- Well placed in Gartner / Burton Group Magic Quadrant
- Replace IdM (eventually), EAS/SAS, Oracle Responsibilities (EBS), Register, …
- Does not cover all requirements, so some local solutions are needed

Identity, Credential, & Access Mgmt (diagram)
- Core: data storage (syntax, structure, consistency, integrity, access), business rules, import/export with sources and subscribers, user interfaces, credential mgmt
- IM/RBAC scope: user accounts, access mgmt, host / device mgmt
- Sources: HR (people), organizations, property, training, authorities & roles, foreign visits, badging, HPC accounts, vulnerability scanning, CSIRT
- Authentication: RADIUS, Kerberos, AD, Web, LDAP; encryption: SSL certs, user data
- Credentials: token cards, certificates, CAC cards, passwords
- Subscribers: LDAP mail routing, RADIUS web auth, white pages, cyber security, departmental LDAP accounts, mail & calendar, Entrust, DNS / DHCP, maillists, LDIF for LDAP challenge, enterprise accounts, classified network & ESN

Yellow Re-engineering Summary

Current unclassified network architecture
- Flat network, >30,000 devices, wide spectrum of data sensitivity from open-unrestricted (LAUR) to UCNI
- Difficulty in simultaneously tracking people, devices, applications and data
- OCE is the start of where we need to go

Re-engineered architecture
- Strong identity management (IM) – people, devices, data and applications
- Network enclaves – dividing the Yellow network into a series of enclaves based on information sensitivity, which is proportional to risk. Reduced risk leads to increased ease of access
- Role-based access control (RBAC) – finer-grained controls based on intrinsic and assigned roles
- Defense in depth – controls at the network, device, data and application layers
- All enclaves accessible from a common network infrastructure – we currently use parallel network equipment for each network “color”
- Support for 802.11n wireless networks

Enclaves (diagram)
- Tiers shown: Mild (OPEN), OUO (MEDIUM), SENSITIVE UNCLASSIFIED
- Enclaves shown: Open Science, Programmatic, CORE (DNS, ?, etc.), BUSINESS (personnel, financial), User Clients, VISITOR (Legacy), GREEN (Legacy), Internet
- Access control: identity management / role-based access control (IM/RBAC)

Open Science Enclave
- Open Science enclave chosen to meet long-standing needs of the Laboratory open research staff
- Better support of scientific and research collaborations based on the presence of only open research and science information
- Desire to test and evaluate “Federated Authentication” capability (from selected and approved sites) in the open science enclave pilot
- Desire to test open science / Internet border configurations to increase data transfer rates for large data sets
- From a cyber security compliance perspective, open science is defined as research and development work which is openly shared and does not collect or process information that requires moderate or high controls for confidentiality, integrity or availability (CIA). CIA = {low, low, low}
- The long-term goal is to replace the OCE with the Open Science Enclave. The plan is for security controls for the Open Science Enclave to be equivalent to or better than the OCE.

LANL Unclassified Network Re-Engineering (network diagram)
- Networks shown: Open Network, Turquoise, Visitor, Green, Yellow Network (Unclassified-Protected), Red (up to SRD, Type 1 encryption), Orange (up to SNSI, Type 1 encryption), SIPRNet, ESN, ESnet, I-2, Internet, Central Services, LLNL, Sandia
- Links shown: 1 GE, 10GE, shared circuit, proposed
- Yellow Network: general user, scientific collaboration (segmented), public Internet presence, on-site visitor access, restricted subnets, limited amounts of and tight controls on the presence of sensitive information

LANL Unclassified Network Re-Engineering (diagram)
- Internet
- Core Unclassified Network with IM / RBAC (identity management / role-based access control)
- Enclaves: UCNI, Open Science, Visitor, Green, Turquoise

Enclave Network Design Model (diagram)
- Inter-Enclave Policy Enforcement (IEPE)
- Internet
- CORE services
- Tagged DMZ

Network Architecture

How will you put devices on the network?

Wired NAC
- Devices live in only one enclave (hostmaster).
- MAC authentication places the device into the right enclave (VLAN).
- DHCP will provide network information (static or dynamic IP).
- Host Integrity Check (future, enclave specific)

Wireless NAC
- SSID for Visitor & (Yellow, OCE, Open Science)
- Odyssey Client required to handle FIPS encryption for SUI networks (Yellow) & 802.1X device cert authentication & user authentication(*).
- Host Integrity Check (future, enclave specific)

Remote Access to Yellow, OCE, Open Science
- Network Connect requires 802.1X device cert authentication and user authentication(*).
- Host Integrity Check.
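The placement rules on this slide, modelled as a small policy evaluator. This is an added illustration, not LANL's NAC code: the hostmaster table, MAC addresses, VLAN numbers, the "Staff" SSID name and the deny-on-unregistered-MAC rule are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed hostmaster table: every registered device lives in exactly one enclave.
HOSTMASTER = {
    "00:11:22:33:44:55": "Yellow",
    "00:11:22:33:44:66": "OCE",
    "00:11:22:33:44:77": "Open Science",
    "00:11:22:33:44:88": "Green",
}
# Constructed VLAN numbers, one per enclave.
ENCLAVE_VLAN = {"Yellow": 110, "OCE": 120, "Open Science": 130, "Visitor": 140, "Green": 150}
# Enclaves served by the staff SSID and by remote access (Network Connect), per the slide.
STAFF_ENCLAVES = {"Yellow", "OCE", "Open Science"}
# SUI network(s) whose wireless traffic must go through the FIPS-capable client.
FIPS_REQUIRED = {"Yellow"}


@dataclass
class Request:
    medium: str                      # "wired", "wireless" or "remote"
    mac: str
    ssid: str = ""                   # wireless only: "Visitor" or "Staff" (constructed names)
    device_cert_valid: bool = False  # 802.1X device certificate accepted
    user_authenticated: bool = False
    fips_client: bool = False        # FIPS-capable supplicant (Odyssey on the slide)
    host_integrity_ok: Optional[bool] = None  # None: check not deployed on this path yet


def place_device(req: Request) -> Tuple[Optional[int], str]:
    """Return (VLAN or None, reason) for one connection attempt."""
    if req.medium == "wireless" and req.ssid == "Visitor":
        return ENCLAVE_VLAN["Visitor"], "visitor SSID: visitor enclave, no registration needed"
    enclave = HOSTMASTER.get(req.mac)
    if enclave is None:
        return None, "deny: MAC not registered in hostmaster"   # assumption: no fallback VLAN
    if req.medium in ("wireless", "remote"):
        if enclave not in STAFF_ENCLAVES:
            return None, f"deny: {enclave} is not reachable over {req.medium}"
        if not (req.device_cert_valid and req.user_authenticated):
            return None, "deny: 802.1X device cert and user authentication required"
    if req.medium == "wireless" and enclave in FIPS_REQUIRED and not req.fips_client:
        return None, "deny: FIPS-capable client required for SUI wireless"
    # Host integrity: mandatory for remote access; on wired/wireless only once the check exists.
    if req.medium == "remote" and not req.host_integrity_ok:
        return None, "deny: host integrity check required for remote access"
    if req.host_integrity_ok is False:
        return None, "deny: host integrity check failed"
    return ENCLAVE_VLAN[enclave], f"{req.medium}: placed in {enclave} VLAN"
```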

This year – FY10

Un-tethered Computing
- Wireless at TA-53 (more later outside the fence)
- BlackBerrys behind the fence
- Early production unclassified enclaves at TA-53 for yellow, OCE, open science and visitor from the same wall jack or WiFi connection

TA-53 Pilot Scope

Network Enclaves
- Initial enclaves: Yellow (includes OCE), Open Science (!!!), Visitor, Green
- Limited scope
- Enclaves accessible from a common network infrastructure – both wired and wireless
- Some compliance challenges for the open science enclave
  - DAA needs convincing that we are not increasing risk
  - Promising “limited scope and limited duration”
  - Documenting planned controls

Wireless deployment
- 3 buildings, 802.11n
- No compliance challenges

Scope is 4 buildings at TA-53, wired and wireless
- 30: wired
- 6: wireless (partial)
- 31: wireless (partial)

Building selection based on
- Site survey including TEMPEST
- User-provided prioritized list

Control Channels (diagram)
- Zones: Edge Network (including wireless), Core Network, User
- Endpoint: SEP-11, SCAP, NAC, supplicant, host cert
- Central Authentication: AD, RADIUS, WebAuth, etc.; Cert. Auth.; CryptoCARD; CAC; access control certs; block commands
- User inputs: device & account info, groups, permissions, etc.
- IM / RBAC: new AD, control points and LDAP, business rules, workflow / authorities, file groups, policies
- Institutional feeds: HR, DIVA, property, clearance, authorities, training, etc.
- Monitoring: integrity checks, CPAT, VLAN control, DHCP
- Other systems: HPC accounts, enterprise apps, Register, Hostmaster, LDAP, AD, control point (new systems marked in the diagram)

Portfolio of Projects
- Modernize & unify identity mgmt & access control
- Unify unclassified network with enclaves & NAC
- New multi-enclave core services
- Pilot demonstration of the above at TA-53 including Open Science Enclave
- Link Active Directory into unified IM/AC
- Wireless network capability for open areas
- Wireless networking demonstration at TA-53
- Telephony modernization (including BlackBerry service)
- Exchange / Calendar conversion
- Virtual Desktop Infrastructure
- Enterprise Business System modernization