Managed by UT-Battelle for the Department of Energy Clark Piercy ORNL Task Lead for Networking and Telecomm Update on Network Enhancements for Defense.

Clark Piercy, ORNL Task Lead for Networking and Telecomm
Update on Network Enhancements for Defense in Depth at ORNL
National Laboratories Information Technology Summit, May 2008

ORNL 30,000-foot IT strategy
 Consolidate IT Staff
 Application Transformation 2007
 IT Governance & Standards
 Cyber Security Revitalization

Related ORNL presentations at this summit:
 Enforcing Network Compliance, Stafford (Mon. 11 am)
 IT University, Overby (Mon. 2:15 pm)
 Update on Network Enhancements, Piercy (Mon. 3:30 pm)
 Change Management/Control in the SAP Environment, Scoggins (Tue. 11 am)
 SharePoint as ORNL Portal, Begovich (Tue. 11 am)
 Enhancing Communications through Unifying Services, Depp (Tue. 11:45 am)
 Central Helpdesk Standardization and Consolidation, Causby/Beane (Tue. 1:30 pm)
 Who's Your System Administrator, Willoughby (Tue. 4:15 pm)
 Advanced Windows Operating System Imaging and Deployment, DeGuira (Tue. 4:15 pm)
 Lessons Learned in Implementing SCCM, Cunningham (Wed. 11:45 am)

ORNL DID Project Level 1 Milestones
 1.0 Network: Information and Activity Segregation
 2.0 System: Establish configuration standards
 3.0 Property: Establish asset management (software and hardware)
 4.0 Access: Establish strong authentication

1.0 Network: Information and Activity Segregation
 Protection Zones: segregate systems with different levels of data sensitivity into protection zones (PZes), with appropriate network controls between PZes
 Firewall Non-standard Systems: put systems that can't meet security and configuration requirements behind a managed firewall (dubbed Type 4 Firewalls)
 Network Access Control: create a method to quarantine/block systems not meeting security and configuration requirements (ORNL NACMgr; see Paige Stafford's presentation)

Protection Zone Definitions
 Moderate with Enhanced Controls (M/EC): systems which process moderate information that ORNL has determined requires additional (enhanced) controls to protect it, including UCNI (Unclassified Controlled Nuclear Information), C/FGI-Mod, NNPI (Naval Nuclear Propulsion Information), and enterprise collections of PPII (protected personally identifiable information)
 Infrastructure: systems which provide laboratory infrastructure and general system support to other systems at ORNL (servers such as web portal servers, DNS servers, etc.)
 Administrative: most of the general-purpose desktop/office automation systems, which create, access and process moderate information
 Controlled Research: systems used by researchers to create, store and process proprietary, export-controlled, protected CRADA (Cooperative Research and Development Agreement), applied technology or similar information
 Open/Public: web and FTP servers hosting public information that is accessible via anonymous access for any person or system on the Internet
 Open Research: systems used to conduct open research that creates, stores, and processes fundamental research information
 NCCS: systems that comprise the National Center for Computational Sciences

Protection Zones (PZes) (diagram slide)

Protection Zones: Where and How Many?
 Which devices need to go in which protection zones?
 How many devices in each protection zone type?
 Where are they located?
 Few answers to base the network design on initially

PZ Deployment Network Design
 Based on the assumption that the numbers of systems in M/EC, Open Research, Open/Public, and Infrastructure would be relatively small and mostly located in the datacenters, decided to deploy PZes by placing Cisco Firewall Services Modules (FWSMs) in the datacenter Catalyst 6500 routers and using VLANs and trunking as needed to extend PZes/VLANs
 Rules to be applied on the FWSMs to control traffic between PZs
 Installed an ASA 5520 firewall appliance between the M/EC PZ and the rest of the network, because of the requirement for One-Time Password (OTP) login to M/EC systems from outside M/EC
 We now have a better idea of how many systems will be in each PZ type in the near term: M/EC = ~35 (NNPI/UCNI/C/FGI-Mod; enterprise PPII count still unknown), Open/Public = 5, Open Research = ~25, Infrastructure = ~325, Administrative/Controlled Research = ~12,000

ORNL DID Network Segregation Design (diagram slide)

PZ Deployment Technical Issues
 Initial firewall insertion into the Open Research PZ broke an application because of the firewall's default connection (idle) timeout, even with no rules applied: the firewall aged out the long-idle TCP session and then dropped the application's next packet as belonging to no known connection
 Routing problem when migrating a system between the Infrastructure and Open/Public PZs. The system had dual interfaces, one in each PZ, and one was the default path, so request and reply took different paths; the firewall saw only one direction of the flow and blocked the session (asymmetric routing)
 Independent FWSMs vs. Active/Active FWSMs
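Both technical issues above are consequences of stateful inspection rather than of any deny rule. The following model, an added illustration that is not ORNL's configuration or Cisco code, keeps a connection table the way an FWSM/ASA does and replays two constructed packet sequences through it: an application that goes quiet longer than the idle timeout, and a dual-homed host whose SYN-ACK leaves by its other interface and never reaches the firewall. Addresses, ports and timestamps are constructed; the one-hour default idle timeout is the documented Cisco `timeout conn` default and is assumed here.

```python
"""Stateful-inspection model for the two PZ firewall issues: (1) an idle TCP
session torn down by the default connection timeout with no deny rule involved,
and (2) a dual-homed host whose reply path bypasses the firewall, leaving it with
half a flow. Added example; hosts, ports and times are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "S" SYN, "SA" SYN-ACK, "A" ACK, "PA" data
    t: float     # seconds since start


class StatefulFirewall:
    """A flow is created by a SYN, becomes ESTABLISHED only when the SYN-ACK is
    seen on the reverse path, and is forgotten after idle_timeout seconds."""

    def __init__(self, idle_timeout=3600.0):   # assumed default: Cisco "timeout conn 1:00:00"
        self.idle_timeout = idle_timeout
        self.conns = {}  # initiator 4-tuple -> {"state", "last"}

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        key = fwd if fwd in self.conns else rev if rev in self.conns else None
        if key is not None and p.t - self.conns[key]["last"] > self.idle_timeout:
            del self.conns[key]            # aged out: nothing denied it, the entry is simply gone
            key = None
        if p.flags == "S":                 # initiator opens a new flow
            self.conns[fwd] = {"state": "SYN_SENT", "last": p.t}
            return "PASS"
        if key is None:
            return "DROP: no connection"   # what ASA logs as "Deny TCP (no connection)"
        conn = self.conns[key]
        if conn["state"] == "SYN_SENT":
            if key == rev and p.flags == "SA":   # SYN-ACK seen on the reverse path
                conn["state"], conn["last"] = "ESTABLISHED", p.t
                return "PASS"
            return "DROP: handshake not completed through firewall"
        conn["last"] = p.t                 # ESTABLISHED: refresh the idle timer
        return "PASS"


def handshake(fw, t0):
    """Constructed three-way handshake from a client to an app server, both through the firewall."""
    return [
        fw.inspect(Packet("10.0.0.5", 40000, "10.0.1.9", 8080, "S", t0)),
        fw.inspect(Packet("10.0.1.9", 8080, "10.0.0.5", 40000, "SA", t0 + 0.1)),
        fw.inspect(Packet("10.0.0.5", 40000, "10.0.1.9", 8080, "A", t0 + 0.2)),
    ]


def idle_app_scenario(idle_timeout=3600.0, quiet_period=5000.0):
    """Issue 1: the app opens a session, stays silent, then sends data."""
    fw = StatefulFirewall(idle_timeout)
    verdicts = handshake(fw, 0.0)
    verdicts.append(fw.inspect(Packet("10.0.0.5", 40000, "10.0.1.9", 8080, "PA", quiet_period)))
    return verdicts


def dual_homed_scenario(reply_through_firewall):
    """Issue 2: the SYN enters via the firewall; the SYN-ACK either returns the same
    way or leaves via the host's other interface (its default path) unseen."""
    fw = StatefulFirewall()
    verdicts = [fw.inspect(Packet("10.0.0.5", 40001, "10.0.1.9", 22, "S", 0.0))]
    if reply_through_firewall:
        verdicts.append(fw.inspect(Packet("10.0.1.9", 22, "10.0.0.5", 40001, "SA", 0.1)))
    verdicts.append(fw.inspect(Packet("10.0.0.5", 40001, "10.0.1.9", 22, "A", 0.2)))
    return verdicts


if __name__ == "__main__":
    print("idle, default timeout:", idle_app_scenario())
    print("idle, 8h timeout:     ", idle_app_scenario(idle_timeout=8 * 3600))
    print("dual-homed, symmetric: ", dual_homed_scenario(True))
    print("dual-homed, asymmetric:", dual_homed_scenario(False))
```

The point of the first scenario is that the fix is a timeout, not a rule: on ASA/FWSM the global `timeout conn` value or a per-class connection timeout in a policy map for that application (or TCP keepalives on the hosts) keeps the entry alive. The second scenario is why a host must have one routed path through the firewall: a stateful device that sees only the initiator's side of a handshake has no basis to pass the rest of the flow.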

Non-Technical Issues
 Characterizing the type of data on systems
  – Device/information owners requested to categorize the data on their systems
  – Protected PII vs. non-protected PII; incidental PPII vs. an enterprise collection of PPII
 Approval process for systems to be in Open Research and M/EC
 Process for identifying and approving firewall rules for specific systems in OR and M/EC
 Determining what the standard firewall rule sets will be

Remaining PZ Deployment Tasks
 Insert virtual firewalls in front of the remainder of the Open Research, Open/Public, and Infrastructure PZ VLANs/subnets
 Determine and apply rules to the PZ virtual firewalls and the M/EC firewall

Non-Compliant System Segregation
 Some systems cannot meet cyber security baseline requirements (called Type 4 systems)
  – Instruments that can't have auto-updates/reboots during an experiment run
  – Non-standard OSes that can't be changed because of one-of-a-kind software
  – Etc.
 Will place systems that cannot be compliant behind firewalls managed by IT (called Type 4 Firewalls)
  – Many instances of one device behind one firewall
  – Some instances of many associated devices behind one firewall
 Using small ASA 5505s for most systems; have a few ASA 5520s available for higher bandwidth needs
 ~400 systems unable to be compliant
 System owners are required to write a security plan detailing the application's needs (including TCP/UDP ports) and whether multiple systems with an affinity can be grouped behind a single firewall
 Have ~100 firewalls purchased, with 3 in place at present
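With ~100 Type 4 firewalls to deploy from owner-written plans, the rule set for each ASA 5505 is best generated from the approved plan rather than typed by hand. The script below is an added example, not ORNL's tooling or rule set: it validates a plan (devices, affinity for a shared firewall, protocol, port range, source network) and renders a default-deny ASA access list in standard extended-ACL syntax. The plan format, host names, addresses (RFC 5737 documentation ranges) and ports are constructed.

```python
"""Render a Type 4 security plan into a default-deny Cisco ASA access list.
Added example: plan format, hosts, addresses and ports are constructed; the
ASA commands are standard extended access-list syntax."""
import ipaddress

# Constructed plan, as an instrument owner would hand it to IT after approval.
PLAN = {
    "name": "beamline7",
    "affinity": "controller and detector share one experiment run",
    "devices": [
        {"host": "bl7-ctrl", "ip": "192.0.2.10"},
        {"host": "bl7-det", "ip": "192.0.2.11"},
    ],
    "inbound": [
        {"proto": "tcp", "port": 22, "source": "198.51.100.0/24", "why": "admin ssh from IT jump hosts"},
        {"proto": "tcp", "port": 5900, "source": "198.51.100.0/24", "why": "VNC to control PC"},
        {"proto": "udp", "port": 123, "source": "203.0.113.5/32", "why": "NTP from lab time server"},
    ],
}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan can be rendered."""
    errors = []
    devices = plan.get("devices", [])
    if not devices:
        errors.append("plan lists no devices")
    if len(devices) > 1 and not plan.get("affinity"):
        errors.append("multiple devices behind one firewall need a stated affinity")
    for dev in devices:
        try:
            ipaddress.ip_address(dev["ip"])
        except ValueError:
            errors.append(f"{dev.get('host')}: bad address {dev.get('ip')!r}")
    for rule in plan.get("inbound", []):
        if rule.get("proto") not in ("tcp", "udp"):
            errors.append(f"rule {rule}: protocol must be tcp or udp")
        port = rule.get("port")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append(f"rule {rule}: port out of range")
        if rule.get("source") != "any":
            try:
                ipaddress.ip_network(rule.get("source"), strict=True)
            except ValueError:
                errors.append(f"rule {rule}: source must be 'any' or a CIDR")
    return errors


def render_asa(plan):
    """Emit a network object-group for the protected hosts, one permit line per
    approved port (with the plan's justification as a remark), an explicit
    logged deny, and the binding to the outside interface."""
    name = plan["name"].upper()
    group, acl = f"{name}_HOSTS", f"{name}_OUTSIDE_IN"
    lines = [f"object-group network {group}"]
    lines += [f" network-object host {d['ip']}" for d in plan["devices"]]
    for r in plan["inbound"]:
        if r["source"] == "any":
            src = "any"
        else:
            net = ipaddress.ip_network(r["source"])
            src = (f"host {net.network_address}" if net.prefixlen == net.max_prefixlen
                   else f"{net.network_address} {net.netmask}")
        lines.append(f"access-list {acl} remark {r['why']}")
        lines.append(f"access-list {acl} extended permit {r['proto']} {src} object-group {group} eq {r['port']}")
    lines.append(f"access-list {acl} extended deny ip any any log")   # everything not in the plan
    lines.append(f"access-group {acl} in interface outside")
    return lines


def build(plan):
    """Validate, then render; a plan with problems produces no configuration."""
    errors = validate_plan(plan)
    if errors:
        raise ValueError("; ".join(errors))
    return render_asa(plan)


if __name__ == "__main__":
    print("\n".join(build(PLAN)))
```

The explicit `deny ip any any log` at the end duplicates the ASA's implicit deny but makes blocked traffic visible in syslog, which is what you want when a newly fenced instrument stops working and the owner's plan turns out to have missed a port.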

Non-Compliant System Segregation Example (diagram slide)

Non-Compliant System Firewall Deployment Technical Issues
 One Cisco ASA 5505 connected to a Cisco 3750 switch did not auto-negotiate properly; now hard-coding speed/duplex to 100/Full (on both ends of the link: a hard-coded port facing an auto-negotiating port falls back to half duplex and produces a duplex mismatch)

Non-Technical Issues
 Motivating device owners to write their plans
  – Provided a "working on plan" exception
  – Now removing "working on plan" exceptions and giving deadlines to have plans completed, or the device will be blocked from the network
  – Many owners need help from an IT-savvy person (have trained some IT staff to assist)
 Motivating device owners to work with IT staff to implement the firewall once the plan is approved

Questions?