Operated by Los Alamos National Security, LLC for the U.S. Department of Energy’s NNSA
UNCLASSIFIED
LANL Unclassified Network Re-engineering
Dale Land, Chris Kemper, Jim Clifford
LA-UR 10-03321
July 2010
IT@LANL
Over the next three years, LANL IT services will help the Laboratory to be more competitive, and support an agile, collaborative, highly mobile and fully networked workforce.
IT Vision – Classified & Unclassified
- Agile support of mission with security and compliance built in
- Separation of various levels of sensitive data via network enclaves supported by role-based access control
- A single (non-colored) unclassified network vs. current state of parallel yellow, green, visitor networks
- Classified network centered on SVTRs supporting SRD, SNSI, SFRD, SIPRnet, etc.
- Agnostic support of mission computing platforms
- Tailoring the IT environment to give the staff what they need to do their jobs
Key Technologies
- Virtual servers / Virtual Desktop Infrastructure (VDI)
- Strong identity management, network access controls for people, devices, information and applications
One view of the IT Vision
1. One ubiquitous mobile device (does everything!)
2. That docks back in the office
3. Tied into high availability central computing and storage
ICAM: Unified Identity and Access Mgmt
- Access to network, computers, applications, and data
- Fine grain roles control access to resources.
- Auto-provisioning for business roles: Employee, Program / Line Manager, Rad Worker, etc.
- Self-serve site for specific accesses: HPC, Data Warehouse, Network Connect/VPN, ISR Raptor Enclave, etc.
  — Automated approval workflow.
- Support for HSPD-12 credentials
Commercial Partner
- Oracle proof-of-concept
- Well placed in Gartner/Burton Group Magic Quadrant
- Replace IdM (eventually), EAS/SAS, Oracle Responsibilities (EBS), Register, …
- Does not cover all requirements, so some local solutions needed.
Identity, Credential, & Access Mgmt (diagram)
- Data storage: syntax, structure, consistency, integrity, access
- Business rules: import/export with sources/subscribers
- User interfaces; credential mgmt; IM/RBAC scope; user account access mgmt; host / device mgmt
- Other labelled systems: HR (People), Organizations, Property, Training, Authorities & Roles, Foreign Visits, Badging, HPC Accounts, Vulnerability Scanning, CSIRT
- Authentication: Radius, Kerberos, AD, Web, LDAP; Encryption: SSL certs, user data
- Credentials: token cards, certificates, CAC cards, passwords
- LDAP: mail routing, radius web auth, white pages, cyber security, departmental LDAP
- Accounts: Mail & Calendar, Entrust, DNS / DHCP, Maillists, LDIF for LDAP challenge, Enterprise Accounts, Classified Network & ESN
Yellow Re-engineering Summary
Current unclassified network architecture
- Flat network, >30,000 devices, wide spectrum of data sensitivity from open-unrestricted (LAUR) to UCNI
- Difficulty in simultaneously tracking people, devices, applications and data
- OCE is the start of where we need to go
Re-engineered architecture
- Strong identity management (IM) – people, devices, data and applications
- Network enclaves – dividing the Yellow network into a series of enclaves based on information sensitivity, which is proportional to risk. Reduced risk leads to increased ease of access
- Role based access control (RBAC) – finer grained controls based on intrinsic and assigned roles
- Defense in depth – controls at network, device, data, application layers
- All enclaves accessible from a common network infrastructure – we currently use parallel network equipment for each network “color”
- Support for 802.11n wireless networks
Enclaves (diagram)
Sensitivity labels: Mild (OPEN); OUO (MEDIUM); SENSITIVE UNCLASSIFIED
Labelled elements: CORE (DNS, ?, etc); Access Control – Identity management / Role based access control (IM/RBAC); BUSINESS (personnel, financial); User Clients; VISITOR (Legacy); GREEN (Legacy); Programmatic; Open Science; Internet
Open Science Enclave
- Open Science enclave chosen to meet long-standing needs of the Laboratory open research staff
- Better support of scientific and research collaborations based on the presence of only open research and science information
- Desire to test and evaluate “Federated Authentication” capability (from selected and approved sites) in open science enclave pilot
- Desire to test open science / Internet border configurations to increase data transfer rates for large data sets
From a cyber security compliance perspective, open science is defined as research and development work which is openly shared and does not collect or process information that requires moderate or high controls for confidentiality, integrity or availability (CIA). CIA = {low, low, low}
The long-term goal is to replace the OCE with the Open Science Enclave. The plan is for security controls for the Open Science Enclave to be equivalent or better than the OCE.
LANL Unclassified Network Re-Engineering (network diagram)
Networks: Open Network; Turquoise; Visitor; Green; Yellow Network (Unclassified-Protected); Red (up to SRD, Type 1 Encryption); Orange (up to SNSI, Type 1 Encryption)
External connections: Internet; ESNet; I-2; ESN; SIPRNet; LLNL; Sandia; Type 1 Encryption
Link legend: Proposed; 1 GE; 10GE; Shared circuit
Central Services
Yellow Network (Unclassified-Protected): General User; Scientific Collaboration (segmented); Public Internet presence; On-site visitor access; Restricted Subnets – limited amounts of and tight controls on presence of sensitive information
LANL Unclassified Network Re-Engineering (diagram)
Internet; Core; Unclassified Network; IM / RBAC (Identity management / Role based access control); enclaves: UCNI, Open Science, Visitor, Green, Turquoise
Enclave Network Design Model (diagram)
Elements: Inter-Enclave Policy Enforcement (IEPE); Internet; CORE services; Tagged DMZ; nodes labelled R, ES and D (labels not expanded on the slide)
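The re-engineering summary above pairs enclaves ranked by information sensitivity with role-based access control over intrinsic and assigned roles, and the design model puts an Inter-Enclave Policy Enforcement point between enclaves. The following is an added illustration of such a decision function, not code from LANL or the deck: the enclave names and the OPEN / MEDIUM / SENSITIVE UNCLASSIFIED scale come from the slides, while the numeric sensitivity ranks, the role names, the entry-role table and the write-down rule are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical sensitivity rank per enclave (higher = more sensitive). The deck gives
# only the OPEN / OUO (MEDIUM) / SENSITIVE UNCLASSIFIED scale and CIA = {low, low, low}
# for Open Science, so this mapping is constructed for the example.
SENSITIVITY = {
    "Open Science": 0,
    "Visitor": 0,
    "Green": 1,
    "Yellow": 1,
    "Business": 2,
    "UCNI": 3,
}
CORE = "Core"  # DNS and similar core services, reachable from every enclave

# Hypothetical role required to enter each enclave. Lower-sensitivity enclaves need
# none (reduced risk, easier access); higher ones need an explicit role.
ENTRY_ROLE = {
    "Open Science": None,
    "Visitor": None,
    "Green": "employee",
    "Yellow": "employee",
    "Business": "business-user",
    "UCNI": "ucni-authorized",
}


@dataclass(frozen=True)
class Subject:
    name: str
    intrinsic_roles: frozenset   # derived from institutional feeds (HR, training, clearance)
    assigned_roles: frozenset    # granted through the self-serve approval workflow

    @property
    def roles(self) -> frozenset:
        return self.intrinsic_roles | self.assigned_roles


@dataclass(frozen=True)
class Request:
    subject: Subject
    src_enclave: str
    dst_enclave: str
    action: str  # "read" or "write"


def iepe_decide(req: Request) -> tuple:
    """Return (allowed, reason). Deny by default; every allow path names its rule."""
    if req.action not in ("read", "write"):
        return False, f"unknown action {req.action!r}"
    if req.dst_enclave == CORE:
        return True, "core services are reachable from every enclave"
    if req.src_enclave not in SENSITIVITY or req.dst_enclave not in SENSITIVITY:
        return False, "unknown enclave"
    if req.src_enclave == req.dst_enclave:
        return True, "intra-enclave traffic is not filtered by the IEPE"
    needed = ENTRY_ROLE[req.dst_enclave]
    if needed is not None and needed not in req.subject.roles:
        return False, f"role {needed!r} required to reach {req.dst_enclave}"
    src_rank, dst_rank = SENSITIVITY[req.src_enclave], SENSITIVITY[req.dst_enclave]
    # Constructed rule: nothing is written from a more sensitive enclave into a less
    # sensitive one, so sensitive information stays out of the open enclaves.
    if req.action == "write" and src_rank > dst_rank:
        return False, f"write-down from {req.src_enclave} to {req.dst_enclave} denied"
    return True, "role and sensitivity checks passed"


def evaluate(requests: list) -> list:
    """Evaluate a batch and return one audit-style record (label, allowed, reason) per request."""
    return [(f"{r.subject.name}:{r.src_enclave}->{r.dst_enclave}:{r.action}", *iepe_decide(r))
            for r in requests]


# Constructed sample subjects and requests.
staff = Subject("staff", frozenset({"employee"}), frozenset({"business-user"}))
visitor = Subject("visitor", frozenset(), frozenset())
SAMPLE = [
    Request(staff, "Yellow", "Business", "read"),         # has business-user role
    Request(staff, "Business", "Open Science", "write"),  # write-down, denied
    Request(staff, "Yellow", "UCNI", "read"),             # lacks ucni-authorized
    Request(visitor, "Visitor", CORE, "read"),            # core always reachable
    Request(visitor, "Visitor", "Yellow", "read"),        # visitor lacks employee role
    Request(staff, "Open Science", "Yellow", "write"),    # write-up is fine
]

if __name__ == "__main__":
    for label, allowed, reason in evaluate(SAMPLE):
        print(f"{'ALLOW' if allowed else 'DENY':5} {label:45} {reason}")
```

Two design points carry over to a real enforcement point: the function denies by default and returns a reason string for every decision, so the same code path feeds both the enforcement device and the audit log; and the role check runs before the sensitivity check, so a denial tells the requester which role to obtain through the approval workflow rather than leaking which enclaves exist.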
Network Architecture (diagram slide)
How will you put devices on the network?
Wired NAC
- Devices live in only one enclave (hostmaster).
- MAC authentication places the device into the right enclave (VLAN).
- DHCP will provide network information (static or dynamic IP)
- Host Integrity Check (future, enclave specific)
Wireless NAC
- SSID for Visitor & (Yellow, OCE, Open Science)
- Odyssey client required to handle FIPS encryption for SUI networks (Yellow) & 802.1x device cert authentication & user authentication(*).
- Host Integrity Check (future, enclave specific)
Remote Access to Yellow, OCE, Open Science
- Network Connect requires 802.1x device cert authentication and user authentication(*).
- Host Integrity Check.
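The wired NAC flow above (hostmaster registry, MAC authentication into the enclave VLAN, DHCP, and an enclave-specific host integrity check marked as future work) can be modelled end to end. This is an added example written for this page, not LANL's NAC or hostmaster code: the enclave names are from the slide, while the VLAN numbers, DHCP scopes, posture attribute names, quarantine VLAN and sample MAC addresses are constructed for illustration.

```python
import ipaddress
import itertools
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical VLAN per enclave plus a quarantine VLAN for devices that fail admission.
ENCLAVE_VLAN = {"Yellow": 100, "OCE": 110, "Open Science": 120, "Visitor": 130, "Green": 140}
QUARANTINE_VLAN = 999

# Constructed DHCP scope per VLAN; the first ten host addresses are kept for infrastructure.
DHCP_SCOPE = {vlan: ipaddress.ip_network(f"10.{vlan if vlan != 999 else 255}.0.0/24")
              for vlan in list(ENCLAVE_VLAN.values()) + [QUARANTINE_VLAN]}

# Hypothetical enclave-specific posture requirements (the slide calls this future work).
INTEGRITY_REQUIRED = {
    "Yellow": {"endpoint_protection", "scap_compliant"},
    "OCE": {"endpoint_protection"},
    "Open Science": set(),
    "Visitor": set(),
    "Green": {"endpoint_protection"},
}


def normalize_mac(mac: str) -> str:
    """Accept 00:11:..., 00-11-..., or 0011.2233.4455 in any case; return lowercase colon form."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class HostRecord:
    mac: str
    enclave: str
    static_ip: Optional[str] = None


class Hostmaster:
    """Device registry: each MAC lives in exactly one enclave."""

    def __init__(self) -> None:
        self._by_mac = {}

    def register(self, mac: str, enclave: str, static_ip: Optional[str] = None) -> HostRecord:
        mac = normalize_mac(mac)
        if enclave not in ENCLAVE_VLAN:
            raise ValueError(f"unknown enclave {enclave!r}")
        if mac in self._by_mac:
            raise ValueError(f"{mac} already lives in {self._by_mac[mac].enclave}")
        if static_ip is not None and ipaddress.ip_address(static_ip) not in DHCP_SCOPE[ENCLAVE_VLAN[enclave]]:
            raise ValueError(f"static address {static_ip} is outside the {enclave} scope")
        self._by_mac[mac] = HostRecord(mac, enclave, static_ip)
        return self._by_mac[mac]

    def lookup(self, mac: str) -> Optional[HostRecord]:
        return self._by_mac.get(normalize_mac(mac))

    def reservations(self) -> set:
        return {r.static_ip for r in self._by_mac.values() if r.static_ip}


class DhcpServer:
    """Hands out the hostmaster reservation if one exists, else the next free lease in the VLAN scope."""

    def __init__(self, hostmaster: Hostmaster) -> None:
        self._hostmaster = hostmaster
        self._leases = {vlan: {} for vlan in DHCP_SCOPE}

    def offer(self, mac: str, vlan: int, reservation: Optional[str] = None) -> str:
        leases = self._leases[vlan]
        if mac in leases:
            return leases[mac]
        if reservation is None:
            used = set(leases.values()) | self._hostmaster.reservations()
            pool = itertools.islice(DHCP_SCOPE[vlan].hosts(), 10, None)
            reservation = next(str(h) for h in pool if str(h) not in used)
        leases[mac] = reservation
        return reservation


@dataclass(frozen=True)
class Admission:
    mac: str
    vlan: int
    enclave: Optional[str]
    ip: str
    reason: str


def admit_wired(hostmaster: Hostmaster, dhcp: DhcpServer, mac: str, posture: set) -> Admission:
    """MAC auth -> enclave VLAN -> integrity check -> DHCP; anything else lands in quarantine."""
    mac = normalize_mac(mac)
    rec = hostmaster.lookup(mac)
    if rec is None:
        return Admission(mac, QUARANTINE_VLAN, None, dhcp.offer(mac, QUARANTINE_VLAN),
                         "MAC not in hostmaster; quarantined")
    missing = INTEGRITY_REQUIRED[rec.enclave] - posture
    if missing:
        return Admission(mac, QUARANTINE_VLAN, None, dhcp.offer(mac, QUARANTINE_VLAN),
                         f"integrity check failed for {rec.enclave}: missing {sorted(missing)}")
    vlan = ENCLAVE_VLAN[rec.enclave]
    return Admission(mac, vlan, rec.enclave, dhcp.offer(mac, vlan, rec.static_ip), "MAC authenticated")


def demo() -> list:
    """Constructed walk-through: two registered devices, one unknown, one failing posture."""
    hm = Hostmaster()
    hm.register("00-11-22-33-44-55", "Yellow", static_ip="10.100.0.50")
    hm.register("0011.2233.4466", "Open Science")
    dhcp = DhcpServer(hm)
    return [
        admit_wired(hm, dhcp, "00:11:22:33:44:55", {"endpoint_protection", "scap_compliant"}),
        admit_wired(hm, dhcp, "00:11:22:33:44:66", set()),
        admit_wired(hm, dhcp, "00:11:22:33:44:77", set()),
        admit_wired(hm, dhcp, "00:11:22:33:44:55", set()),
    ]


if __name__ == "__main__":
    for a in demo():
        print(f"{a.mac} -> VLAN {a.vlan} ({a.enclave}) {a.ip}: {a.reason}")
```

MAC authentication establishes only that a registered device claims to be present, which is why the slide pairs it with a future host integrity check on the wired side and with 802.1x device certificates for wireless and remote access; the model above keeps the quarantine VLAN as the default for anything that is unregistered or fails posture, so a failed check degrades to restricted connectivity rather than to the enclave the device was registered in.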
This year – FY10: Un-tethered Computing
- Wireless at TA-53 (more later outside the fence)
- BlackBerrys behind the fence
- Early production unclassified enclaves at TA-53 for yellow, OCE, open science and visitor from the same wall jack or WiFi connection.
TA-53 Pilot Scope
Network Enclaves
- Initial enclaves
  — Yellow (includes OCE)
  — Open Science (!!!)
  — Visitor
  — Green
- Limited scope
- Enclaves accessible from a common network infrastructure – both wired and wireless
- Some compliance challenges for the open science enclave
  — DAA needs convincing that we are not increasing risk
  — Promising “Limited scope and limited duration”
  — Documenting planned controls
Wireless deployment
- 3 buildings
- 802.11n
- No compliance challenges
Scope is 4 buildings at TA-53
- 622 wired and wireless
- 30 wired
- 6 wireless (partial)
- 31 wireless (partial)
Building selection based on
- Site survey including TEMPEST
- User provided prioritized list
Control Channels (diagram)
Layers: Edge Network (including wireless); Core Network; User
Labelled elements: SEP-11; SCAP; NAC; Central Authentication (AD, Radius, WebAuth, etc.); Cert. Auth.; CryptoCARD; CAC; Access Control Certs; Block Commands; User inputs (device & account info, groups, permissions, etc.); Host Cert.; IM / RBAC; NEW AD, Control Points and LDAP; Business Rules; Institutional Feeds (HR, DIVA, Property, Clearance, Authorities, Training, etc.); Monitoring; Integrity Checks; CPAT; VLAN Control; DHCP; HPC Accounts; Enterprise App’s; Register; Hostmaster; LDAP; AD; Control Point; Supplicant; Workflow / authorities; File groups; Policies
Legend: marked items = new systems
Portfolio of Projects
- Modernize & Unify Identity Mgmt & Access Control
- Unify Unclassified Network with Enclaves & NAC
- New Multi-Enclave Core Services
- Pilot demonstration of the above at TA-53 including Open Science Enclave
- Link Active Directory into Unified IM/AC
- Wireless network capability for open areas
- Wireless Networking Demonstration at TA-53
- Telephony Modernization (including Blackberry service)
- Exchange e-mail/Calendar conversion
- Virtual Desktop Infrastructure
- Enterprise Business System Modernization