1 Update on Network Enhancements for Defense in Depth at ORNL
Clark Piercy, ORNL Task Lead for Networking and Telecomm
National Laboratories Information Technology Summit, May 2008
Managed by UT-Battelle for the Department of Energy

2 ORNL 30,000 foot IT strategy, 2006-2008
Strategy themes: Consolidate IT Staff; Application Transformation; 2007: IT Governance & Standards; Cyber Security Revitalization
Related summit sessions:
- Enforcing Network Compliance – Stafford (Mon. 11 am)
- Update on Network Enhancements – Piercy (Mon. 3:30 pm)
- Who’s Your System Administrator – Willoughby (Tue. 4:15 pm)
- Change Management/Control in the SAP Environment – Scoggins (Tue. 11 am)
- Central Helpdesk Standardization and Consolidation – Causby/Beane (Tue. 1:30 pm)
- Advanced Windows Operating System Imaging and Deployment – DeGuira (Tue. 4:15 pm)
- Lessons Learned in Implementing SCCM – Cunningham (Wed. 11:45 am)
- IT University – Overby (Mon. 2:15 pm)
- Sharepoint as ORNL Portal – Begovich (Tue. 11 am)
- Enhancing Communications through Unifying – Depp (Tue. 11:45 am)

3 ORNL DID Project Level 1 Milestones
- 1.0 Network – Information and Activity Segregation
- 2.0 System – Establish configuration standards
- 3.0 Property – Establish asset management (Software and Hardware)
- 4.0 Access – Establish strong authentication

4 1.0 Network – Information and Activity Segregation
- Protection Zones: segregate systems with different levels of data sensitivity into protection zones (PZes), with appropriate network controls between PZes
- Firewall Non-standard Systems: put systems that can't meet security and configuration requirements behind a managed firewall (dubbed Type 4 Firewalls)
- Network Access Control: create a method to quarantine/block systems not meeting security and configuration requirements (ORNL NACMgr – see Paige Stafford's presentation)

5 Protection Zone Definitions
- Moderate with Enhanced Controls (M/EC): contains systems which process moderate information that ORNL has determined requires additional (enhanced) controls to protect the information, including UCNI, C/FGI-Mod, NNPI, and collections of enterprise PPII
- Infrastructure: systems which provide laboratory infrastructure and general system support to other systems at ORNL (email servers, web portal servers, DNS servers, etc.)
- Administrative: contains most of the general purpose desktop/office automation systems which create, access and process moderate information
- Controlled Research: contains systems used by researchers to create, store and process proprietary, export controlled, protected CRADA, applied technology or similar information
- Open/Public: systems containing web and FTP servers hosting public information that is accessible via anonymous access for any person or system on the Internet
- Open Research: systems used to conduct open research that creates, stores, and processes fundamental research information
- NCCS: systems that comprise the National Center for Computational Sciences

6 Protection Zones (PZes)

7 Protection Zones: Where and How Many?
- Which devices need to go in which protection zones?
- How many devices in each protection zone type?
- Where are they located?
- Few answers to base the network design on initially

8 PZ Deployment Network Design
- Based on the assumption that the numbers of systems in M/EC, Open Research, Open Public, and Infrastructure will be relatively small and mostly located in the datacenters, decided to deploy PZes by placing Cisco Firewall Services Modules (FWSMs) in the datacenter 6500 routers and to use VLANs and trunking as needed to extend PZes/VLANs
- Rules to be applied on the FWSMs to control traffic between PZs
- Installed an ASA5520 firewall appliance between the M/EC PZ and the rest of the network, due to the requirement to have One Time Password (OTP) login to M/EC systems from outside M/EC
- We now have a better idea of how many systems will be in each PZ type in the near term (M/EC = ~35 NNPI/UCNI/CFGIMOD, Enterprise PPII ?, OP = 5, OR = ~25, Infra = ~325, Admin/ContRes = ~12,000)

9 ORNL DID Network Segregation Design

10 PZ Deployment Technical Issues
- Initial firewall insertion into the Open Research PZ resulted in an app breaking due to the default connection timeout on the firewall, even with no rules
- Routing problem when migrating a system between the Infra and Open Public PZs: the system had dual interfaces, one in each PZ, and one was the default path; the firewall blocked the session
- Independent FWSMs vs. Active/Active FWSMs
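The two failures on this slide, modelled as an added example (constructed here, not ORNL's code or firewall configuration): a permit-all stateful firewall still drops packets once a connection's idle timer has expired, and two independent firewalls that share no state drop a reply that leaves a dual-homed host by the other path. Host names and timeout values are assumptions.

```python
"""Toy stateful firewall reproducing two ways a just-inserted, permit-all
firewall still breaks traffic (constructed model, not ORNL configuration)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    client: str   # constructed host names, not real ORNL systems
    server: str
    dport: int


class StatefulFirewall:
    """Permits everything, yet non-SYN packets need a live connection entry,
    which a zero-rule FWSM/ASA still enforces."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout  # seconds, like ASA 'timeout conn'
        self.conns = {}                   # Flow -> time of last packet seen

    def packet(self, flow, now, syn=False):
        # Purge idle entries before each lookup, mirroring the idle timer.
        self.conns = {f: t for f, t in self.conns.items()
                      if now - t <= self.idle_timeout}
        if syn:
            self.conns[flow] = now        # new session builds state
            return True
        if flow in self.conns:
            self.conns[flow] = now        # refresh on activity
            return True
        return False                      # no state: dropped without any rule


def idle_app_breaks(idle_timeout=3600, gap=7200):
    """An app session idle longer than the timeout: the packet after the
    gap is dropped although no rule denies it."""
    fw = StatefulFirewall(idle_timeout)
    flow = Flow("instrument-host", "app-server", 5000)
    return [fw.packet(flow, 0, syn=True),
            fw.packet(flow, 10),
            fw.packet(flow, 10 + gap)]    # -> [True, True, False]


def dual_homed_reply(symmetric_routing):
    """Request enters via the Open Public PZ firewall; the dual-homed server's
    default route sends the reply out its Infra interface through an
    independent firewall that never saw the SYN."""
    fw_open_public, fw_infra = StatefulFirewall(3600), StatefulFirewall(3600)
    flow = Flow("internet-client", "dual-homed-server", 80)
    fw_open_public.packet(flow, 0, syn=True)
    reply_path = fw_open_public if symmetric_routing else fw_infra
    return reply_path.packet(flow, 1)     # False unless routing is symmetric
```

Raising the idle timeout above the application's longest quiet period, or routing replies back through the firewall that built the state, makes both calls succeed.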

11 Non-Technical Issues
- Characterizing the type of data on systems
  - Device/information owners requested to categorize data on systems
  - Protected PII vs. Non-Protected PII; Incidental PPII vs. Enterprise Collection of PPII
- Approval process for systems to be in Open Research and M/EC
- Process for identifying and approving firewall rules for specific systems in OR and M/EC
- Determining what the standard firewall rule sets will be

12 Remaining PZ Deployment Tasks
- Insert virtual FWs in front of the remainder of the Open Research, Open Public, and Infrastructure PZ VLANs/subnets
- Determine and apply rules to the PZ virtual FWs and the M/EC firewall

13 Non-compliant System Segregation
- Some systems cannot meet cyber security baseline requirements (called Type 4 systems)
  - Instruments that can’t have autoupdates/reboots during an experiment run
  - Non-standard OSes that can’t be changed due to one-of-a-kind software
  - Etc.
- Will place systems that cannot be compliant behind firewalls managed by IT (called Type 4 Firewalls)
  - Many instances of one device behind one firewall
  - Some instances of many associated devices behind one firewall
- Using small ASA5505s for most systems; have a few ASA5520s available for higher bandwidth needs
- ~400 systems unable to be compliant
- System owners required to write a security plan detailing application needs (including TCP/UDP ports) and whether multiple systems with an affinity can be grouped behind a single firewall
- Have ~100 firewalls purchased, with 3 in place at present

14 Non-compliant System Segregation Example

15 Non-Compliant System Firewall Deployment Technical Issues
- One Cisco ASA5505 connected to a Cisco 3750 switch did not autonegotiate properly; now hardcoding speed/duplex to 100/Full

16 Non-Technical Issues
- Motivating device owners to write their plans
  - Provided a “working on plan” exception
  - Now removing “working on plan” exceptions and giving deadlines to have plans completed, or the device will be blocked from the network
  - Many owners need help from an IT-savvy person (have trained some IT staff to assist)
- Motivating device owners to work with IT staff to implement the firewall once the plan is approved

17 Questions???
