2005 FNAL Computer Security Peer Review and Self Assessment Networking – Current Status FNAL Computer Security Peer Review Phil DeMar March 22, 2005.

Outline
- FNAL Network Overview
- Perimeter Controls & Tools
- Internal Network Controls & Tools
- Network Critical System*

* Termed 'Major Application' in the new CSPP under development

FNAL Network Overview
- A centrally-managed campus-wide network
  - Restricted central services (FNAL Policy on Computing...):
    - Routing & bridging
      - Separately admin'ed AD network grandfathered in policy
    - Address, name, & time services
    - Exemptions rarely granted
- Architecture based on work group model:
  - Affinity groups w/ their own dedicated LANs
    - Based on experiment, organization, geography
    - Mostly physical LANs; a few vLANs w/ trunking
    - Detachable from campus network, if necessary

Core Network Facilities & Essential Network Services
- Core network facilities:
  - FCC collapsed backbone
  - WH core router
  - Border router
- Essential network services:
  - Name service
  - Address allocation services
    - Static addresses
    - DHCP service
  - Time service
  - VPN service

Internal Network
- A single, general network access zone:
  - No customized access restrictions for individual work groups
- Critical System* LANs:
  - Networks supporting a collection of related systems whose compromise could seriously impact the laboratory's science programmatic operations
    - Designated by the CSExec
  - Individual plans, typically with customized network access & protections

* Termed 'Major Applications' in the new CSPP under development

Critical Systems (aka Major Applications)

Critical System               Network Access Protection          Operational Management
Accelerator controls network  Firewall w/ VPN                    AD
Business systems network      Firewall w/ border router ACLs     BSS
CDF Online network            Router ACLs                        CD Networking
D0 Online network             Router ACLs                        CD Networking
Network                       Firewall w/ VPN                    CD Networking
Authentication systems        Host-based protections             CD Security Team
MetaSys building controls     Isolated vLAN w/ Firewall & VPN    CD Networking

Off-site Network Access (I)
- Current site perimeter access policy:
  - Open inbound access with a few protections:
    - Netbios (TCP ports 135, 137-139, 445)
    - SunRPC* (TCP/UDP port 111)
    - Web servers (TCP ports 80, 443)
      - Exemption process available
    - SMTP (TCP port 25) except for facility mail servers
    - DNS (TCP port 53) except for facility DNS servers
    - SNMP* (UDP port 161)
  - Open outbound access with minimal restrictions:
    - IRC (TCP default ports )

* also blocked outbound
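The perimeter policy above is "permit by default, deny a short list, with per-server exemptions", so the order of evaluation and the exemption handling are what matter. The following is an added example (not Fermilab's actual ACLs) that models that policy as a first-match rule set and lets you test a candidate flow against it. The site prefix 192.0.2.0/24 and the mail, DNS and web server addresses are constructed placeholders; the IRC outbound block is left out because the slide does not give its ports.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-in for the site prefix; not Fermilab's real address space.
SITE = ip_network("192.0.2.0/24")


@dataclass(frozen=True)
class Rule:
    direction: str                    # "in" (offsite -> site) or "out" (site -> offsite)
    protos: frozenset                 # transport protocols the rule matches
    ports: frozenset                  # destination ports the rule matches
    exempt: frozenset = frozenset()   # local hosts allowed through anyway (constructed)
    name: str = ""


# The inbound and outbound blocks listed on the slide. The exemption addresses for the
# facility mail/DNS servers and for one web server are constructed placeholders.
RULES = [
    Rule("in", frozenset({"tcp"}), frozenset({135, 137, 138, 139, 445}), name="netbios"),
    Rule("in", frozenset({"tcp", "udp"}), frozenset({111}), name="sunrpc"),
    Rule("in", frozenset({"tcp"}), frozenset({80, 443}), frozenset({"192.0.2.80"}), "web"),
    Rule("in", frozenset({"tcp"}), frozenset({25}), frozenset({"192.0.2.25"}), "smtp"),
    Rule("in", frozenset({"tcp"}), frozenset({53}), frozenset({"192.0.2.53"}), "dns"),
    Rule("in", frozenset({"udp"}), frozenset({161}), name="snmp"),
    # SunRPC and SNMP are also blocked outbound (the "*" on the slide).
    Rule("out", frozenset({"tcp", "udp"}), frozenset({111}), name="sunrpc"),
    Rule("out", frozenset({"udp"}), frozenset({161}), name="snmp"),
    # Outbound IRC is also blocked, but the slide does not give its ports, so no rule here.
]


def border_direction(src, dst):
    """Classify a flow relative to the site prefix; 'local' flows never cross the border."""
    s_in, d_in = ip_address(src) in SITE, ip_address(dst) in SITE
    if d_in and not s_in:
        return "in"
    if s_in and not d_in:
        return "out"
    return "local"


def decide(src, dst, proto, dport):
    """First matching rule wins; anything unmatched is permitted (open access policy)."""
    d = border_direction(src, dst)
    if d == "local":
        return ("permit", "not a border flow")
    local_host = dst if d == "in" else src
    for r in RULES:
        if r.direction == d and proto in r.protos and dport in r.ports:
            if local_host in r.exempt:
                return ("permit", f"{r.name} exemption")
            return ("deny", r.name)
    return ("permit", "default")
```

One thing the model makes visible: the slide lists DNS as TCP port 53 only, so under this rule set an inbound UDP/53 query to a non-DNS host is permitted by default. Whether that reflects the real border ACL or only the slide's shorthand is not something the page settles.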

Off-site Network Access (II)
- An alternate very high bandwidth offsite path now in place:
  - Via dark fiber connection to StarLight
  - Intended use: high impact data movement
  - Redundant path for production offsite link
  - Default-deny inbound access w/ ACL exceptions
    - Redundant path traffic goes thru border router

Border Router Flow Data
- Logs all off-site network connections
  - Useful for investigating computer security incidents
- Generates daily & hourly Top 20 reports on:
  - Top talkers, top listeners, top conversations
  - Breakouts by number of flows, bytes, or packets
  - Unusual traffic patterns
    - Large numbers of offsite hosts contacted
    - Large amounts of data transferred
    - Unusual consumption of network resources
- Now collecting flow data on internal routers

AutoBlocker
- Based on quasi-realtime flow record analysis
- Blocks "greedy" users (perceived as scanners...)
  - Outbound or inbound scanners
  - Address-based scans or port-based scans
  - Automated unblock after behavior stops
- Proven useful in blocking infected local systems
  - Alerts for out-of-ordinary flow patterns
  - Occasionally blocks "greedy" but legitimate apps
    - Mostly nuisance apps, such as P2P, games...
    - New version should minimize those disruptions
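The two slides above (flow-based Top 20 reports, and AutoBlocker's scan detection with automatic unblock) share one input, so a single added example covers both. It is illustrative code, not the FNAL tools: the flow records are constructed, and the thresholds (25 hosts, 20 ports, flows of at most 3 packets, a 600-second quiet period) are assumptions chosen for the sample, not values from the page.

```python
from collections import Counter, defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst proto sport dport pkts bytes")


def sample_flows():
    """Constructed flow records (not real FNAL data) in a NetFlow-like shape."""
    rows = [
        Flow(1000, "192.0.2.10", "198.51.100.5", "tcp", 40001, 80, 900, 1200000),
        Flow(1000, "192.0.2.10", "198.51.100.6", "tcp", 40002, 443, 700, 800000),
        Flow(1005, "192.0.2.11", "198.51.100.5", "tcp", 40003, 22, 50, 9000),
    ]
    # Inbound address scan: one offsite host touching 40 local hosts on TCP/445.
    rows += [Flow(1001, "203.0.113.9", f"192.0.2.{i}", "tcp", 55000 + i, 445, 1, 48)
             for i in range(1, 41)]
    # Outbound port scan: a local host (infected?) probing 30 ports on one offsite host.
    rows += [Flow(1002, "192.0.2.40", "198.51.100.9", "tcp", 33000 + p, p, 1, 60)
             for p in range(1, 31)]
    return rows


def top_n(flows, by="src", measure="bytes", n=20):
    """Top talkers (by='src'), listeners ('dst') or conversations ('pair'),
    ranked by bytes, packets ('pkts') or flow count ('flows')."""
    totals = Counter()
    for f in flows:
        key = {"src": f.src, "dst": f.dst, "pair": (f.src, f.dst)}[by]
        totals[key] += 1 if measure == "flows" else getattr(f, measure)
    return totals.most_common(n)


def find_greedy(flows, max_hosts=25, max_ports=20, max_pkts=3):
    """Flag sources whose tiny flows fan out to many hosts (address scan)
    or many ports (port scan). Thresholds are assumptions, not FNAL's values."""
    hosts, ports = defaultdict(set), defaultdict(set)
    for f in flows:
        if f.pkts <= max_pkts:          # scans are mostly single-packet probes
            hosts[f.src].add(f.dst)
            ports[f.src].add(f.dport)
    greedy = {}
    for src in hosts:
        if len(hosts[src]) >= max_hosts:
            greedy[src] = f"address scan: {len(hosts[src])} hosts"
        elif len(ports[src]) >= max_ports:
            greedy[src] = f"port scan: {len(ports[src])} ports"
    return greedy


class AutoBlocker:
    """Blocks greedy sources and releases them once they have been quiet."""

    def __init__(self, quiet_period=600, **thresholds):
        self.quiet_period = quiet_period
        self.thresholds = thresholds
        self.blocked = {}               # src -> last time it was seen scanning

    def update(self, now, flows):
        """Feed one batch of flow records; returns current block list and releases."""
        for src in find_greedy(flows, **self.thresholds):
            self.blocked[src] = now
        released = [s for s, t in self.blocked.items() if now - t >= self.quiet_period]
        for s in released:
            del self.blocked[s]
        return {"blocked": sorted(self.blocked), "released": sorted(released)}
```

The packet-count filter is what keeps the bulk transfer from 192.0.2.10 out of the scanner list even though it talks to several hosts; without it, a busy but legitimate server looks like a scanner, which is the false-positive the slide mentions for P2P and games.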

Telecommuting Access
- VPN service available
  - Encrypted tunnel capability to the Laboratory
  - Assigns virtual local Fermilab address
  - Allows site access to protocols blocked at border
  - Must use Cisco VPN client & FNAL-provided profile
    - Standard configuration forced onto users
    - Split-tunneling restricts tunnel data flows to FNAL-related traffic
- Dial-up:
  - Uses RADIUS authentication
  - Limited to on-site access only

Node Registration
- System registration is required to be granted a usable address on the facility network
  - Permanent registration in MISCOMP database for either static or automatic DHCP address:
    - Key information required: MACs, sysadmin
  - Temporary DHCP service available for transient users not registered in MISCOMP:
    - Provides DHCP lease good for rest of the day
    - Re-registration necessary every day
    - 5 day limit per 30 day period
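The temporary-registration rule (lease until end of day, re-register daily, 5 days in any 30) is a sliding-window quota keyed on the MAC, and the edge cases are re-registering within the same day and old days dropping out of the window. This added example implements that logic; it is not the MISCOMP code and assumes a naive local-time clock and that the window is the trailing 30 calendar days including today.

```python
from datetime import datetime, timedelta, time

DAY_LIMIT = 5       # days of temporary service allowed ...
WINDOW_DAYS = 30    # ... within any trailing 30-day window (assumption: calendar days, today inclusive)


class TempRegistration:
    """Day-long temporary registrations with a sliding-window quota per MAC."""

    def __init__(self):
        self.days_used = {}   # mac -> set of dates on which service was granted

    def request(self, mac, now):
        """Return the lease expiry (midnight ending today) or None if the quota is exhausted."""
        today = now.date()
        window_start = today - timedelta(days=WINDOW_DAYS - 1)
        # Forget grants that have aged out of the window before counting.
        used = {d for d in self.days_used.get(mac, set()) if d >= window_start}
        self.days_used[mac] = used
        if today not in used:               # re-registering on the same day costs nothing
            if len(used) >= DAY_LIMIT:
                return None
            used.add(today)
        return datetime.combine(today + timedelta(days=1), time.min)

    def days_remaining(self, mac, now):
        """How many more distinct days this MAC could still be granted in the current window."""
        window_start = now.date() - timedelta(days=WINDOW_DAYS - 1)
        used = {d for d in self.days_used.get(mac, set()) if d >= window_start}
        return max(0, DAY_LIMIT - len(used))
```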

Node Registration Monitoring
- Currently checking for unregistered static IP systems via simple ping utility
  - Doesn't work so well with software firewalls...
  - Not useful at all for DHCP subnets
- Have developed a prototype to check ARP table information for proper registration:
  - Verifies that IP/MAC tuples observed on the network correlate to registered MISCOMP information
  - 2-3 months away from being a production tool
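The ARP-based check works because a host that never answers ping still has to answer ARP to send anything, so the router's ARP cache is a better census than an active probe. This added example (not the FNAL prototype) shows the correlation: it parses a constructed Cisco IOS "show ip arp" snapshot, normalizes MAC notation, and compares each IP/MAC tuple against a constructed MISCOMP-style registry, distinguishing a completely unknown MAC from a registered IP being used by a different MAC. The router's own interface address, which IOS lists with age "-", is skipped.

```python
import re

# Constructed MISCOMP-style registrations: ip is None for DHCP-only registrations.
REGISTRY = [
    {"ip": "192.0.2.10", "mac": "00:11:22:33:44:01", "sysadmin": "alice"},
    {"ip": "192.0.2.11", "mac": "00:11:22:33:44:02", "sysadmin": "bob"},
    {"ip": None,         "mac": "00:11:22:33:44:03", "sysadmin": "carol"},
]

# Constructed router ARP snapshot in Cisco IOS "show ip arp" layout.
ARP_SNAPSHOT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0011.2233.4400  ARPA   Vlan10
Internet  192.0.2.10              3   0011.2233.4401  ARPA   Vlan10
Internet  192.0.2.11              5   0011.2233.44ff  ARPA   Vlan10
Internet  192.0.2.12              1   0011.2233.4403  ARPA   Vlan10
Internet  192.0.2.13              0   0011.2233.4499  ARPA   Vlan10
"""


def normalize_mac(mac):
    """Accept 0011.2233.4401, 00-11-22-33-44-01 or 00:11:22:33:44:01; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Return (ip, mac, age) tuples from IOS ARP output; age '-' marks the router's own address."""
    pat = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-fA-F.]+)\s+ARPA")
    return [(m.group(1), normalize_mac(m.group(3)), m.group(2))
            for m in map(pat.match, text.splitlines()) if m]


def audit(arp_tuples, registry):
    """Compare observed IP/MAC tuples against registrations; returns ip -> finding."""
    by_mac = {normalize_mac(r["mac"]): r for r in registry}
    by_ip = {r["ip"]: r for r in registry if r["ip"]}
    findings = {}
    for ip, mac, age in arp_tuples:
        if age == "-":
            continue                                  # router's own interface
        reg_for_mac, reg_for_ip = by_mac.get(mac), by_ip.get(ip)
        if reg_for_mac is None and reg_for_ip is None:
            findings[ip] = f"unregistered MAC {mac}"
        elif reg_for_mac is None:
            # Someone else's registered address is in use: misconfiguration or spoofing.
            findings[ip] = (f"registered to {normalize_mac(reg_for_ip['mac'])} "
                            f"({reg_for_ip['sysadmin']}) but seen with {mac}")
        elif reg_for_mac["ip"] not in (None, ip):
            findings[ip] = f"MAC {mac} is registered for {reg_for_mac['ip']}, not {ip}"
    return findings
```

Because the check is passive it covers DHCP subnets as well as static ones, which is exactly where the ping approach on the slide fails. Its blind spot is the opposite one: a host that has not talked recently ages out of the ARP cache, so the snapshot has to be taken often enough (the next slide's 20-minute cycle) to catch short-lived systems.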

Node Tracking
- Router ARP & switch FDB tables gathered every 20 minutes
- Node Locator utility correlates ARP & switch FDB data to:
  - Identify the location of an IP or MAC address on the network
  - Provide switch port information for the system
  - Provide traffic utilization for the switch port
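Locating a node from forwarding tables has one well-known wrinkle: a MAC is learned on every switch along its path, and on uplink ports it shares the entry with everyone behind that link, so the access port is the one that learned the fewest MACs. This added example (not the FNAL Node Locator) resolves an IP to a MAC via a constructed ARP map, picks the edge port from constructed per-switch FDB snapshots, and derives port utilization from two SNMP octet-counter samples while allowing for 32-bit counter wrap. The `uplink_threshold` of 8 MACs is an assumption.

```python
# Constructed snapshots: router ARP (ip -> mac) and per-switch forwarding tables
# (switch -> port -> set of MACs learned on that port). Not real FNAL data.
ARP = {"192.0.2.10": "00:11:22:33:44:01", "192.0.2.11": "00:11:22:33:44:02",
       "192.0.2.12": "00:11:22:33:44:03"}
FDB = {
    "sw-fcc-core": {
        "Gi1/1": {"00:11:22:33:44:01", "00:11:22:33:44:02"},   # uplink to sw-wh-1
        "Gi1/2": {"00:11:22:33:44:03"},                        # host directly attached
    },
    "sw-wh-1": {
        "Fa0/1": {"00:11:22:33:44:01"},
        "Fa0/2": {"00:11:22:33:44:02"},
        "Gi0/1": {"00:11:22:33:44:03", "00:11:22:33:44:00"},  # uplink toward the core
    },
}


def locate(target, fdb, arp, uplink_threshold=8):
    """Find the access port for an IP or MAC. A MAC appears on every switch along its
    path, but uplinks carry many MACs; the port that learned the fewest MACs is the edge."""
    mac = arp.get(target, target).lower()
    seen = sorted((len(macs), sw, port)
                  for sw, ports in fdb.items()
                  for port, macs in ports.items() if mac in macs)
    if not seen:
        return None
    count, sw, port = seen[0]
    return {"mac": mac, "switch": sw, "port": port, "shared_with": count - 1,
            # Only ever seen on busy ports: probably behind an unmanaged switch or hub.
            "ambiguous": count > uplink_threshold}


def port_rate_bps(octets_then, octets_now, seconds, counter_bits=32):
    """Utilization from two SNMP ifInOctets/ifOutOctets samples, allowing for counter wrap.
    The modulo handles a 32-bit counter that rolled over between the two samples."""
    delta = (octets_now - octets_then) % (1 << counter_bits)
    return delta * 8 / seconds
```

With 20-minute polling, a 32-bit octet counter on a gigabit port can wrap more than once between samples, so the wrap correction only holds if the polling interval is short relative to the link rate; 64-bit HC counters avoid the problem where the switch supports them.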

Infrastructure Monitoring & Response
- Network management stations monitor status of network devices & servers:
  - Device and server reachability & uptime monitored
  - Service response (DNS, DHCP, & NTP) also monitored
- Off-hours support:
  - Automated device/service paging during off-hours
    - Two people on call at all times
  - Escalation procedures to Section, Dept., then Division Heads
  - User problem reporting via HelpDesk off-hours service

Wireless Support
- WLANs cover major work areas of the site
- Not treated differently than wired access
  - Broadcast SSID
  - Authentication not required
  - Encryption not required
  - Node registration required
- But tightening down on vulnerabilities:
  - Migrating to wireless subnets (70% complete)
  - Rogue detection based on Cisco Wireless LAN Solution Engine (WLSE) & war drives
  - Site border scans checking for offsite bleed-thru

The Network Critical System*
- Network Critical System*:
  - "Those parts or components of the network necessary to sustain the operation of the general facility network as a functioning entity"
  - "Those parts or components of the network that are an integral part of an activity or operation whose compromise could seriously impact the Laboratory's science programmatic operations"
- CSPP Network Critical System* Plan:
  - Protects network critical system components themselves
  - Current plan is version 2; revised 4/7/2003
    - Next revision due in line with new CSPP

* also known as Major Application

Components
- Facility core network devices:
  - FCC & WH core routers
  - Border router
- Servers for essential network services:
  - DNS, DHCP, NTP
- Run-II experiment network "core" routers:
  - Off-line network core router
  - On-line network router

Network Management LAN
- Isolated LAN providing controlled access to:
  - Network Critical System* core & border routers
    - Also other major network devices in the FCC & WH
  - Enterprise DNS/DHCP server & NTP time sources
  - Misc. other servers (e.g., RADIUS server ...)
- Used for:
  - Remote console access & configuration management
  - O/S upgrades
  - SNMP/statistical data collection

* also known as Major Application

Network Mgmt LAN Figure
[figure: network management LAN diagram; image not reproduced in the transcript]

Network Mgmt LAN (cont)
- Physically separate from campus LAN
  - Dedicated fiber; dedicated switches
- Firewall protected w/ default deny inbound
  - Exceptions for necessary server traffic & monitoring:
    - DNS/DHCP traffic
    - NTP traffic w/ stratum-2 NTP servers (e.g., routers)
    - Remote terminal access via VPN
- Network management system dual-homed to general LAN & network management LAN

Questions?