Network Asset Management at Jefferson Lab
Bryan Hess, Andy Kowalski, Brent Morris

Topics
- Network redesign & segmentation
- The management system hardware & software
- The end user experience
- The help desk staff experience
- Next steps

Motivation & Goals
1. Network Segmentation: to enforce that only those machines that need to communicate can.
2. Admission Control: to ensure that the network stays segmented.
3. Registration: to know who is in charge of each machine.
4. Reporting: to be able to know the state of the network.
5. Management Console: simplify Adds/Moves/Changes with a web interface.

Segmentation & Network Redesign

Segmentation: Design
- Move away from per-building, non-firewalled networks.
- Create vlans for machines based on their purpose and security profile. Examples:
  - Centrally managed desktop machines
  - User managed machines
  - Farm nodes
  - Data acquisition
  - …
- New IP addresses for every host on legacy building networks.
- Use firewalls between vlans to enforce who talks to whom.

Segmentation: Firewall rules
- Group related vlans into Cisco FWSM contexts.
- Implement most access control rules on the "inbound" side, from router to vlan: keep rules affecting network X on the inbound side of network X as much as possible.

Segmentation: Scientific Systems
- For high throughput networks, firewalls are not sufficient:
  - We have no 10Gbit firewalls.
  - We use a similar strategy for segmentation, but with simple router-based ACLs.
- No direct internet access for these systems; some web proxy access.
- Avoid changing the way these complex existing systems work, but insulate them as much as possible.

Segmentation: Admission Control
- Network segmentation requires enforcement.
- Must ensure that a given MAC address stays exclusively on its assigned network.
- Port security was used as an interim solution while we were "sorting" machines into vlans. Big headache:
  - Users are caught unaware by port security.
  - Easy to make a mistake during moves.

Segmentation: 802.1x MAB
- The real solution: switch ports that change vlan assignments dynamically based on the MAC address connected.
- 802.1x MAC Authentication Bypass (MAB) solves this problem nicely.
- Cisco support for MAB is improving.
- The switch contacts a RADIUS server (backed by our database) to get the port's vlan assignment.

Segmentation: Auto-vlan assignment
- We call this use of 802.1x MAB "auto-vlan assignment".
- We have it in use in every office space on site and most lab spaces. We do not use it for data centers or embedded/data acquisition settings.
- Auto-vlan ports are authenticated based on MAC address when they connect. This is largely transparent to users.
- Moving to another network jack "just works" in many cases.

The management system

Management System Hardware
- 802.1x capable switches
  - Cisco 2960, 4500, 6500 series
- MySQL database
  - Reliable hardware (RAID, N+1 power)
  - Live replica on a backup machine
- Redundant RADIUS servers
- Web servers on a VMware ESX cluster
- Why so much redundancy? 802.1x. If the system is down, machines are not admitted to the network as they are connected.

JLab developed Software
- Perl and PHP
- Monitoring dæmons & database back end (Gator)
  - SNMP monitoring of switches and routers
  - Aggregated into a single database
  - Wiring, Registration
- PHP front end (Jnet)
  - Lots of scripts to glue everything together
  - DNS
  - DHCP
  - Switch configuration
  - Machine registration
  - Database queries and reporting

User Experience: New Machines
- Newly connected machines go to a "limbo" network where they can only access a registration web page.
- This page requires a login, so it collects username and MAC address automatically.
- Final VLAN assignment is made by staff.

Management: Machine assignments
- Combines into one web page: DHCP, DNS, vlan assignment, and registration.
- Add/Move/Change process is greatly streamlined.
- Many checks to avoid duplicates or errors.
- All-or-nothing changes.
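The two mechanisms described on the preceding slides, the all-or-nothing registration that keeps DNS, DHCP and vlan assignment consistent, and the RADIUS-backed MAB lookup that sends an unknown MAC to the "limbo" network, fit in one small model. The following is an added example and not Jnet/Gator code; the sqlite schema, the vlan numbers, the MAC addresses and the penalty-box vlan (taken from the "Next Steps" slide) are all constructed for illustration. The RADIUS attribute names are the standard ones from RFC 2868/3580 that 802.1x switches accept for dynamic vlan assignment.

```python
"""Added example: registration checks done as one transaction, plus the
VLAN decision a RADIUS back end makes for a MAB request.  Not JLab's code;
schema, vlan numbers and addresses below are constructed."""
import ipaddress
import re
import sqlite3

LIMBO_VLAN = 999    # assumed id of the registration-only "limbo" network
PENALTY_VLAN = 998  # assumed id of the remediation "penalty box" network

SCHEMA = """
CREATE TABLE vlans (
    vlan_id INTEGER PRIMARY KEY,
    name    TEXT NOT NULL UNIQUE,
    subnet  TEXT NOT NULL
);
CREATE TABLE machines (
    mac         TEXT PRIMARY KEY,
    hostname    TEXT NOT NULL UNIQUE,   -- DNS name
    ip          TEXT NOT NULL UNIQUE,   -- DHCP reservation
    vlan_id     INTEGER NOT NULL REFERENCES vlans(vlan_id),
    owner       TEXT NOT NULL,          -- who is in charge of the machine
    quarantined INTEGER NOT NULL DEFAULT 0
);
"""


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:cc:dd:ee:ff' and
    return the canonical lowercase colon form; raise ValueError otherwise."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with constructed purpose-based vlans."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vlans VALUES (?, ?, ?)", [
        (110, "managed-desktops", "10.10.110.0/24"),
        (120, "user-managed", "10.10.120.0/24"),
        (130, "farm-nodes", "10.10.130.0/24"),
    ])
    conn.commit()
    return conn


def register_machine(conn, mac, hostname, ip, vlan_id, owner):
    """Create the DNS name, DHCP reservation and vlan assignment together.
    All checks run inside one transaction and any failure rolls everything
    back, so the three can never disagree about a machine."""
    mac = normalize_mac(mac)
    addr = ipaddress.ip_address(ip)
    hostname = hostname.lower()
    with conn:  # commits on success, rolls back if an exception escapes
        row = conn.execute("SELECT subnet FROM vlans WHERE vlan_id = ?",
                           (vlan_id,)).fetchone()
        if row is None:
            raise ValueError(f"unknown vlan {vlan_id}")
        if addr not in ipaddress.ip_network(row[0]):
            raise ValueError(f"{addr} is not in vlan {vlan_id} subnet {row[0]}")
        # duplicate checks: column names come from a fixed tuple, not input
        for col, val in (("mac", mac), ("hostname", hostname), ("ip", str(addr))):
            if conn.execute(f"SELECT 1 FROM machines WHERE {col} = ?",
                            (val,)).fetchone():
                raise ValueError(f"duplicate {col}: {val}")
        conn.execute(
            "INSERT INTO machines (mac, hostname, ip, vlan_id, owner) "
            "VALUES (?, ?, ?, ?, ?)", (mac, hostname, str(addr), vlan_id, owner))
    return mac


def quarantine(conn, mac, flag=True):
    """Move a registered machine into (or out of) the penalty box."""
    with conn:
        conn.execute("UPDATE machines SET quarantined = ? WHERE mac = ?",
                     (1 if flag else 0, normalize_mac(mac)))


def mab_vlan_for(conn, mac):
    """The vlan a switch port gets when it reports `mac` via MAB:
    registered -> assigned vlan, quarantined -> penalty box,
    unknown or malformed -> limbo (registration page only)."""
    try:
        mac = normalize_mac(mac)
    except ValueError:
        return LIMBO_VLAN
    row = conn.execute("SELECT vlan_id, quarantined FROM machines WHERE mac = ?",
                       (mac,)).fetchone()
    if row is None:
        return LIMBO_VLAN
    vlan_id, quarantined = row
    return PENALTY_VLAN if quarantined else vlan_id


def radius_vlan_attributes(vlan_id):
    """Access-Accept attributes (RFC 3580 / RFC 2868) that carry a vlan id
    back to an 802.1x switch."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan_id)}
```

Because the duplicate and subnet checks run inside the same transaction as the insert, a second help desk session registering the same IP a moment later fails cleanly instead of leaving DHCP and DNS out of step, which is the "all-or-nothing" property the slide names.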

Management: A change is made

Finding Machine Registrations

Finding a Switch

Switch View with Wiring, Registration

Room View: Wiring and Machines

Searches: Historical Information
- Recorded history of interesting associations:
  - MAC/IP
  - MAC/VLAN
  - MAC/Switch Port
- This data is very useful in conjunction with the wiring database.
- Also used by:
  - Missing Property
  - Cyber Security
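The MAC/switch-port history comes from repeatedly polling the switches' forwarding tables, and the useful questions are "where was this MAC at time T" and "what has ever been on this jack". The following added example, which is not the Gator dæmon's code, shows how periodic poll snapshots collapse into first-seen/last-seen intervals; the poll rows, switch names and port names are constructed, and the five-minute poll interval is an assumption.

```python
"""Added example: build MAC/switch-port history from periodic poll snapshots
and answer location questions against it.  Not JLab's Gator code; the poll
data below is constructed."""
from datetime import datetime, timedelta

# Constructed polls: (timestamp, switch, port, mac), one row per MAC seen in
# a switch's forwarding table at that poll.
POLLS = [
    ("2010-02-01T09:00", "sw-a", "Gi1/0/7", "00:11:22:aa:bb:cc"),
    ("2010-02-01T09:05", "sw-a", "Gi1/0/7", "00:11:22:aa:bb:cc"),
    ("2010-02-01T09:10", "sw-a", "Gi1/0/7", "00:11:22:aa:bb:cc"),
    # the laptop is unplugged and reappears on another switch an hour later
    ("2010-02-01T10:15", "sw-b", "Gi1/0/3", "00:11:22:aa:bb:cc"),
    ("2010-02-01T10:20", "sw-b", "Gi1/0/3", "00:11:22:aa:bb:cc"),
    # a different machine turns up on the jack the laptop left
    ("2010-02-01T10:15", "sw-a", "Gi1/0/7", "00:11:22:dd:ee:ff"),
]

POLL_INTERVAL = timedelta(minutes=5)  # assumed polling period


def _ts(when):
    """Accept a datetime or an ISO-8601 string."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def build_history(polls, gap=POLL_INTERVAL):
    """Collapse consecutive sightings of (mac, switch, port) into intervals.
    A sighting extends the open interval only if it is on the same port and
    arrives within `gap` of the previous one; otherwise the MAC was absent
    (or moved) and a new interval starts."""
    history = {}  # mac -> [ {switch, port, first, last}, ... ] oldest first
    for ts, switch, port, mac in sorted(polls, key=lambda p: (p[0], p[3])):
        t = _ts(ts)
        intervals = history.setdefault(mac, [])
        cur = intervals[-1] if intervals else None
        if (cur and cur["switch"] == switch and cur["port"] == port
                and t - cur["last"] <= gap):
            cur["last"] = t
        else:
            intervals.append({"switch": switch, "port": port,
                              "first": t, "last": t})
    return history


def locate(history, mac, when):
    """(switch, port) where `mac` was seen at `when`, or None if absent."""
    when = _ts(when)
    for iv in history.get(mac, []):
        if iv["first"] <= when <= iv["last"]:
            return iv["switch"], iv["port"]
    return None


def port_occupants(history, switch, port):
    """Every MAC ever seen on a port, oldest first: the view needed when a
    wall jack is the only thing known (missing property, incident triage)."""
    seen = [(iv["first"], mac)
            for mac, ivs in history.items() for iv in ivs
            if iv["switch"] == switch and iv["port"] == port]
    return [mac for _, mac in sorted(seen)]
```

Joined with the wiring database (switch port to room and jack), `locate` turns an IP or MAC from a security alert into a physical location for the time of the alert rather than for now, which is what makes the history worth keeping.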

Successes
- The network is segmented & firewalled.
- We routinely locate the physical location of a machine based on owner, IP address, MAC address, property tag, or host name.
- JNet prevents mismatches between DNS, DHCP, and vlan assignment.
- Add/Move/Change requests are trivial since all office space uses auto vlan assignment.
- Network-related help desk requests are down.

Next Steps: Host-based
- Introduction of host-based monitoring:
  - Admission control to fix the "Hey, that Linux machine was running XP last week" problem.
  - An agent on the machine?
  - External security monitoring
- Create a "Penalty Box" network for remediation:
  - Quarantine machines as needed
  - Allow them to patch or rebuild
  - Provide web notification that the machine is quarantined

Next Steps: Wireless
- Wireless networks are a different can of worms.
- We currently do user-based authentication:
  - Allows unvetted machines on the network.
- Need to do machine-based (MAB-style) authentication to make wireless more like wired.
- Moving to a different wireless solution to do this.

Questions?
Bryan Hess, Andy Kowalski, Brent Morris