Jefferson Lab Remote Access Andy Kowalski December 1, 2010.


Internet Connectivity [network diagram]. Nodes shown: JLAB Site Switch, ESnet Router, ESnet core (NYC, Atlanta), MATP (McLean, VA), Level3 (Washington DC, Lovitt), Virginia Tech, Eastern LITE (E-LITE), Old Dominion University (ODU*), W&M*, JTASC, VMASC, Bute St CO, NASA, COX Communications (backup). Link types and speeds shown: 10GE, OC192, OC48, DS3; 10Gbps, 2.5Gbps, 45Mbps. * SURA Site.

Local Area Network (LAN)
- 10 Enclaves
  – 7 NIST Low Level
  – 3 NIST Moderate Level
- Use NIST Base Controls
  – Enclave level determined by potential impact from a loss of confidentiality, integrity, and availability
  – Impact on JLab, not DOE
- Firewalls Between All Enclaves
  – Some within enclaves
- Moderate Level Enclaves [enclave diagram]. Labels shown: Experimental Physics, Accelerator, Public Services, Scientific Computing, Collaborative Services, Business Services, FEL, Sensitive, Desktops Levels 1,2,3, Guest, Core Services; link types 10GigEthernet, 1GigEthernet.

Network Management & Monitoring
- JNet registration required for network access
  – Manages both wired and wireless
- JNet database manages/tracks
  – User to MAC address registration
  – Asset tracking (property, contact information)
  – History of machine locations and registrations
  – Auto VLAN assignment (users may move about; VLAN assignments change when they plug in)
- Network Intrusion Detection System (NIDS)
  – Monitors network traffic looking for intrusions
  – Taps at VLAN ingress/egress points

Moderate Enclave Protections
- BSN
  – Firewall restricts remote access: RDP limited to a Terminal Server from select desktops; SSH from select IT areas for management
  – 2-factor authentication
- Core & FEL
  – Firewall restricts remote access: SSH and RDP open to all systems
  – 2-factor authentication on Windows
  – 2-factor authentication on Linux (Core only)

Additional Core Enclave Protections
- Firewall restricts SSH and RDP by network of origin
- Guest network support is isolated
  – Printing utilizes a dedicated print server
  – Printers are on their own VLAN and firewalled
  – Otherwise, access to JLab is as from the Internet
- Web servers on separate VLAN and firewalled
- Interactive general purpose machines on separate VLAN and firewalled
- IT administration, development and desktops
  – Each on separate VLANs and firewalled
  – 2-factor authentication for administration
  – Use least privilege model for accounts

2-Factor Authentication Used Today
- Used to access moderate enclaves and VPN
  – BSN, FEL
  – Core Services -> System and Network Administrators

| Type | Method | Uses PIN | Locks After Failed Attempts | Works Off LAN | Supports Remote Unlock | One Time Cost | Yearly Recurring Cost | Comments |
|---|---|---|---|---|---|---|---|---|
| Smart Card | PKI | Yes | 3 | | | $100 per card ($200 for Linux/Mac) | Replace every 3 years | Supported in Windows 7 but requires drivers for other OSes; not supported by all applications |
| Token | One-Time Password | Yes | 15 | Limited to 15 logins | No | $100 per token | $10 per token | OS authenticates via RADIUS |

Remote Access Today
- Internet to JLab is via centrally managed gateway servers

| Service/Protocol | Server OS | Client OS | Users | Encrypted | Authentication | Tunnel Support | Comment |
|---|---|---|---|---|---|---|---|
| SSH | Linux | All | | Yes | Username/Password | Yes | To CNI managed gateway servers; tunneling capabilities of SSH allow users to access any service behind a firewall |
| SFTP (SSHFS) | Linux | All | | Yes | Username/Password | No | Remotely mount CUE central file systems |
| VPN | Cisco | All | Moderate Enclave Users | Yes (IPSec, SSL) | 2-Factor (Smart Card, Token) | No | Requires special setup per group (VLAN) |
| HTTP/HTTPS | Linux, Windows | All | | No/Yes | None, Username/Password | No | HTTP/S can be used to tunnel, but we do not configure our servers to do that -> this is more of an outbound issue |
| IMAP over SSL | Linux | All | | Yes | Username/Password | No | |
| SMTP/SMTP over SSL | Linux | All | | No/Yes | Username/Password | No | |

Enclave Access Today
- Enclave to enclave is direct or via gateway servers

| Service/Protocol | Server OS | Client OS | Users | Encrypted | Authentication | Tunnel Support | Comment |
|---|---|---|---|---|---|---|---|
| SSH | Linux | All | | Yes | Username & Password | Yes | To what machines is enclave specific; tunneling capabilities of SSH allow users to access any service behind a firewall |
| RDP | Windows | All | BSN, FEL, IT | Yes | Smart Card | No | To what machines is enclave specific; can access client disks from server |
| VPN | Cisco | All | BSN, FEL, IT, & a few others | Yes (IPSec, SSL) | 2-Factor (Smart Card, Token) | No | Requires special setup per group (VLAN) |
| HTTP/HTTPS | Linux, Windows | All | | No/Yes | None/Username & Password | No | HTTP/S can be used to tunnel, but we do not configure our servers to do that -> this is more of an outbound issue |
| Windows protocol suite | Windows | All | | Yes | Username & Password | No | File sharing and username/password information from Core |
| NFS/NIS | Linux | Linux/*nix | All | No | Hostname | No | File sharing and username/password information from Core |

Known Issues
- Stolen username/password pairs
- SSH tunnels
  – If SSH is allowed, everything is open
  – Network traffic is encrypted (good and bad)
- Portable devices
  – Laptops, smart phones, iPads, iPods, etc.
  – Provide less security than managed desktops
- Unmanaged devices
  – Personal laptops, PDAs, etc.
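The SSH tunnel issue above (an allowed SSH login also opens port forwarding through the gateway) can be checked on the gateway side. The script below is an added example, not JLab's code or configuration: it parses an sshd_config (a constructed sample, with a hypothetical `sysadmin` group) and reports, for the global section and each Match block, whether TCP forwarding, GatewayPorts and tun-device tunnels are effectively enabled, applying OpenSSH's defaults and its first-occurrence-wins rule.

```python
# Added example, not JLab's code or configuration: audit an sshd_config for the
# directives that let an SSH login double as a tunnel. Directive names and
# defaults are OpenSSH's; the sample config and 'sysadmin' group are constructed.
DEFAULTS = {                       # OpenSSH defaults
    "allowtcpforwarding": "yes",   # -L/-R/-D port forwarding is on by default
    "permitopen": "any",           # destinations a local forward may reach
    "gatewayports": "no",          # remote forwards bind to loopback only
    "permittunnel": "no",          # tun(4) VPN over SSH
}

def parse_sshd_config(text):
    """Return (global_section, [(match_spec, section), ...]); first keyword occurrence wins, as in sshd."""
    global_section, match_blocks = {}, []
    current = global_section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":                           # start a new Match block
            current = {}
            match_blocks.append((value, current))
        else:
            current.setdefault(key, value)
    return global_section, match_blocks

def effective_forwarding(text):
    """Effective tunnelling settings per section: Match value, else global, else default."""
    global_section, match_blocks = parse_sshd_config(text)
    def summarize(section):
        eff = {k: section.get(k, global_section.get(k, d)) for k, d in DEFAULTS.items()}
        forwarding = eff["allowtcpforwarding"].lower() != "no"
        return {"forwarding": forwarding,
                "permitopen": eff["permitopen"] if forwarding else "n/a",
                "gatewayports": eff["gatewayports"].lower() != "no",
                "tunnel": eff["permittunnel"].lower() != "no"}
    report = {"global": summarize(global_section)}
    for spec, section in match_blocks:
        report["Match " + spec] = summarize(section)
    return report

# Constructed sample: forwarding denied by default, one loopback RDP hop for admins.
SAMPLE_SSHD_CONFIG = """AllowTcpForwarding no
Match Group sysadmin
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:3389
Match User guest
    AllowTcpForwarding yes
"""
```

Run `effective_forwarding(SAMPLE_SSHD_CONFIG)` to see that the `guest` Match block silently re-opens unrestricted forwarding even though the global default denies it.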

Proposed Enhancements
- VPN
  – Add more robust client side scanning/admission control
- Direct enclave access through gateway systems requiring 2-factor authentication
  – Accelerator
  – Halls
- 2-factor authentication support for Linux and Mac