Security Update at KEK since Oct-2002. Fukuko Yuasa/KEK nwg, Kiyoharu Hashimoto/KEK nwg. 23 October 2003, HEPiX/HEPNT2003 at TRIUMF.

Slide 2: Plan of Talk
- KEK SecureNet
- MAC address registration
- KEK VPN
- Protection against virus/worm

Slide 3: KEK SecureNet
- In Aug. 2002 we had:
  - about 1370 incoming hosts
  - about 4620 outgoing hosts
- From Aug. 2002 to Aug. 2003, about 130 hosts moved from the incoming class to the KEK DMZ
  - Linux 40%, Windows 19%, BSD 13%, Solaris 9.3%
- The rest became outgoing hosts

Slide 4: [diagram] Legend: blue = registration, magenta = policy

Slide 5: MAC address registration
- Since Aug. 2003, MAC address registration is required to use the KEK network
  - Without registration, packets are not forwarded
  - 4642 MAC addresses registered
- The switch port is configured dynamically
  - One MAC address belongs to one VLAN
- In the wireless LAN as well, MAC address registration has been required since Apr.
  - KEK staff: 150, collaborators: 728
  - 68 Cisco Aironet stations
  - WEP
  - Annual registration renewal
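As an added illustration (not code from the KEK talk) of the registration gate this slide describes: a hypothetical registry that maps each registered MAC address to exactly one VLAN, leaves an unregistered address with no VLAN so its packets are not forwarded, and treats a registration older than the annual renewal period as lapsed. The class and function names, the 365-day renewal window and the sample entries are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple

RENEWAL_PERIOD = timedelta(days=365)  # assumed window for the slide's annual renewal
_MAC_HEX = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Colon, hyphen or Cisco dotted notation -> 12 lowercase hex digits, so one
    adapter cannot be registered twice under different spellings."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits

@dataclass
class Registration:
    vlan: int
    registered_on: date

class MacRegistry:
    """Constructed stand-in for the VMPS database on the next slide: one MAC -> one VLAN."""
    def __init__(self) -> None:
        self._entries: Dict[str, Registration] = {}

    def register(self, mac: str, vlan: int, on: date) -> None:
        # Re-registering renews (or moves) an address; keying on the normalised
        # MAC guarantees it is never a member of two VLANs at once.
        self._entries[normalize_mac(mac)] = Registration(vlan, on)

    def lookup(self, mac: str, today: date) -> Tuple[Optional[int], str]:
        """(vlan, 'ok') for a valid registration, else (None, reason): the port
        is left unassigned and the host's packets are not forwarded."""
        entry = self._entries.get(normalize_mac(mac))
        if entry is None:
            return None, "unregistered"
        if today - entry.registered_on > RENEWAL_PERIOD:
            return None, "registration expired"
        return entry.vlan, "ok"

def sample_decisions() -> Dict[str, Tuple[Optional[int], str]]:
    """Constructed sample registrations (not KEK's data), checked on 23 Oct 2003."""
    reg = MacRegistry()
    reg.register("00:11:22:33:44:55", 10, date(2003, 4, 1))
    reg.register("aabb.ccdd.eeff", 20, date(2002, 8, 1))  # more than a year old
    today = date(2003, 10, 23)
    return {m: reg.lookup(m, today)
            for m in ("0011.2233.4455", "AA-BB-CC-DD-EE-FF", "00:00:00:00:00:01")}
```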

Slide 6: [diagram] Components: C6509 edge switch (VMPS client), VMPS server, VMPS server (secondary), VMPS database, CNR (DHCP server)

Slide 7: KEK VPN
- Cisco VPN5000, IPsec + NAT mode
- Number of users: 294
  - KEK staff: 283
  - Collaborators: 11
- Annual account renewal
- New server: Cisco VPN3000
- Per-lab status (columns: IPsec, NAT mode):
  - CERN: OK
  - FNAL: OK
  - BNL (office): IPsec X, NAT mode OK
  - BNL (dorm): OK
  - SLAC: OK
  - DESY: IPsec X, NAT mode OK

Slide 8: [chart] VPN usage, average about 2900 connections/month

Slide 9: [diagram] VPN + PKI + eToken. Components: Internet; FW; VPN3030; DMZ; KEK Intranet; CA (dcs00); LDAP (dcs01); Enrollment VPN (dcs02); Enrollment Web (dcs03); RA. Ports shown: 710, 709/829, 389, 80

Slide 10: [diagram] Directory tree: C=JP, O=KEK, OU=KEK-CertAuth, with sub-OUs VPN-Users, VPN-Admin and VPN-Servers. Policy entries: CN=Security Officer Policy, CN=ASH Policy, CN=End User Policy, CN=Administrator Policy; CN=CRL1. Service and test entries: CN=First Officer, CN=ASH Service, CN=TEST USER, CN=VPN Connector, CN=VPN3K A. User entries: CN=Kiyoharu Hashimoto, CN=Kiyoharu2 Hashimoto, CN=Atsushi Manabe, CN=Fukuko Yuasa, CN=Yoshiyuki Watase, CN=Nobu Katayama, CN=Hironori Nakao

Slide 11: [chart] Security incidents at KEK from Oct. to Oct.: worm 64%, unix root exploit 28%

Slide 12: Protection against virus/worm
- 42 Windows PCs were infected by the Welchia worm in Sep. and Oct.
- We checked all PCs using:
  - KB823980Scan.exe in Aug.
  - KB824146Scan.exe in Sep.
- SOBIG.F: max. 700 virus mails per day
  - 6601 (Aug.) + 2930 (Sep.) = 9531 total
  - These are blocked by InterScan VirusWall UNIX at the KEK central mail server
- Antivirus software + Windows Update
  - Scanning is managed by the Computing Research Center
  - System Update Service inside KEK
