Slide 1: 2005 FNAL Computer Security Peer Review and Self Assessment
Networking – Current Status
FNAL Computer Security Peer Review
Phil DeMar
March 22, 2005
Slide 2: Outline
FNAL Network Overview
Perimeter Controls & Tools
Internal Network Controls & Tools
Network Critical System*
* Termed ‘Major Application’ in the new CSPP under development
Slide 3: FNAL Network Overview
A centrally-managed campus-wide network
 – Restricted central services (FNAL Policy on Computing…):
   » Routing & bridging (separately admin’ed AD network grandfathered in policy)
   » Address, name, & time services
 – Exemptions rarely granted
Architecture based on work group model:
 – Affinity groups w/ their own dedicated LANs
   » Based on experiment, organization, geography
   » Mostly physical LANs; a few vLANs w/ trunking
   » Detachable from campus network, if necessary
Slide 5: Core Network Facilities & Essential Network Services
Core network facilities:
 – FCC collapsed backbone
 – WH core router
 – Border router
Essential network services:
 – Name service
 – Address allocation services
   » Static addresses
   » DHCP service
 – Time service
 – VPN service
Slide 6: Internal Network
A single, general network access zone:
 – No customized access restrictions for individual work groups
Critical System* LANs:
 – Networks supporting a collection of related systems whose compromise could seriously impact the laboratory’s science programmatic operations
   » Designated by the CSExec
 – Individual plans, typically with customized network access & protections
* Termed ‘Major Applications’ in the new CSPP under development
Slide 7: Critical Systems (aka Major Applications)

Critical System              | Network Access Protection         | Operational Management
-----------------------------|-----------------------------------|-----------------------
Accelerator controls network | Firewall w/ VPN                   | AD
Business systems network     | Firewall w/ border router ACLs    | BSS
CDF Online network           | Router ACLs                       | CD Networking
D0 Online network            | Router ACLs                       | CD Networking
Network                      | Firewall w/ VPN                   | CD Networking
Authentication systems       | Host-based protections            | CD Security Team
MetaSys building controls    | Isolated vLAN w/ Firewall & VPN   | CD Networking
Slide 8: Off-site Network Access (I)
Current site perimeter access policy:
 – Open inbound access with a few protections:
   » Netbios (TCP ports 135, 137–139, 445)
   » SunRPC* (TCP/UDP port 111)
   » Web servers (TCP ports 80, 443); exemption process available
   » SMTP (TCP port 25) except for facility mail servers
   » DNS (TCP port 53) except for facility DNS servers
   » SNMP* (UDP port 161)
 – Open outbound access with minimal restrictions:
   » IRC (TCP default ports 6667–6669)
* also blocked outbound
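The perimeter policy above, expressed as a decision function so each rule can be checked against sample flows. This is an added example, not Fermilab's border router configuration; the site prefix and the mail, DNS and exempted web server addresses are constructed placeholders.

```python
"""Perimeter policy check modelled on the slide's 2005 inbound/outbound rules.
Added example, not Fermilab's border router configuration; the site prefix
and the exemption sets are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SITE_NET = ip_network("10.0.0.0/8")                 # assumed site prefix
FACILITY_MAIL_SERVERS = {ip_address("10.1.1.25")}   # constructed
FACILITY_DNS_SERVERS = {ip_address("10.1.1.53")}    # constructed
EXEMPTED_WEB_SERVERS = {ip_address("10.2.0.80")}    # via the exemption process

# (proto, port) pairs named on the slide.
NETBIOS = {("tcp", p) for p in (135, 137, 138, 139, 445)}
SUNRPC = {("tcp", 111), ("udp", 111)}               # * also blocked outbound
SNMP = {("udp", 161)}                               # * also blocked outbound
WEB = {("tcp", 80), ("tcp", 443)}
SMTP = {("tcp", 25)}
DNS = {("tcp", 53)}
IRC = {("tcp", p) for p in (6667, 6668, 6669)}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def inbound_allowed(f: Flow) -> bool:
    """Open inbound by default; the listed services are blocked unless exempted."""
    key, dst = (f.proto.lower(), f.dport), ip_address(f.dst)
    if key in NETBIOS or key in SUNRPC or key in SNMP:
        return False
    if key in WEB:
        return dst in EXEMPTED_WEB_SERVERS
    if key in SMTP:
        return dst in FACILITY_MAIL_SERVERS
    if key in DNS:
        return dst in FACILITY_DNS_SERVERS
    return True

def outbound_allowed(f: Flow) -> bool:
    """Open outbound; IRC and the services starred on the slide are blocked."""
    key = (f.proto.lower(), f.dport)
    return not (key in IRC or key in SUNRPC or key in SNMP)

def allowed(f: Flow) -> bool:
    """Decide direction from the site prefix, then apply the matching rule set."""
    inbound = ip_address(f.dst) in SITE_NET and ip_address(f.src) not in SITE_NET
    return inbound_allowed(f) if inbound else outbound_allowed(f)
```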
Slide 9: Off-site Network Access (II)
An alternate very high bandwidth offsite path now in place:
 – Via dark fiber connection to StarLight
 – Intended use: high impact data movement
 – Redundant path for production offsite link
   » Default-deny inbound access w/ ACL exceptions
   » Redundant path traffic goes thru border router
Slide 10: Border Router Flow Data
Logs all off-site network connections
 – Useful for investigating computer security incidents
Generates daily & hourly Top 20 reports on:
 – Top talkers, top listeners, top conversations
 – Breakouts by number of flows, bytes, or packets
 – Unusual traffic patterns
   » Large numbers of offsite hosts contacted
   » Large amounts of data transferred
   » Unusual consumption of network resources
Now collecting flow data on internal routers
Slide 11: AutoBlocker
Based on quasi-realtime flow record analysis
Blocks “greedy” users (perceived as scanners…)
 – Outbound or inbound scanners
 – Address-based scans or port-based scans
 – Automatically unblocked after behavior stops
Proven useful in blocking infected local systems
 – Alerts for out-of-ordinary flow patterns
 – Occasionally blocks “greedy” but legit apps
   » Mostly nuisance apps, such as P2P, games…
   » New version should minimize those disruptions
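A worked illustration of the flow-record analysis behind the Top 20 reports (slide 10) and the AutoBlocker's scan detection with automatic unblocking (slide 11). This is an added example, not Fermilab's tools; the flow record format, the thresholds and the sample records are constructed assumptions.

```python
"""Flow-record analysis in the spirit of the border router Top-N reports and
the AutoBlocker. Added example, not Fermilab's tools; the record format,
thresholds and sample records are constructed assumptions."""
from collections import Counter, defaultdict

# Constructed records: (window, src, dst, dport, bytes).
FLOWS = [
    (0, "10.1.1.5", "192.0.2.10", 80, 5000),
    (0, "10.1.1.5", "192.0.2.11", 443, 800000),
    *[(0, "10.1.1.9", f"198.51.100.{i}", 445, 60) for i in range(1, 41)],  # address scan
    *[(0, "10.1.1.7", "203.0.113.4", p, 40) for p in range(20, 50)],       # port scan
]

ADDR_SCAN_THRESHOLD = 25   # distinct destinations per window (assumption)
PORT_SCAN_THRESHOLD = 20   # distinct ports on one destination per window
QUIET_WINDOWS = 2          # clean windows required before automatic unblock

def top_talkers(flows, n=20):
    """Top-N sources by bytes sent, as in the hourly/daily reports."""
    bytes_by_src = Counter()
    for _, src, _, _, nbytes in flows:
        bytes_by_src[src] += nbytes
    return bytes_by_src.most_common(n)

def scanners(flows):
    """Sources whose fan-out looks like an address scan or a port scan."""
    dests, ports = defaultdict(set), defaultdict(set)
    for _, src, dst, dport, _ in flows:
        dests[src].add(dst)
        ports[(src, dst)].add(dport)
    found = {s for s, d in dests.items() if len(d) >= ADDR_SCAN_THRESHOLD}
    found |= {s for (s, _), p in ports.items() if len(p) >= PORT_SCAN_THRESHOLD}
    return found

class AutoBlocker:
    """Blocks detected scanners; releases them after QUIET_WINDOWS clean windows."""
    def __init__(self):
        self.blocked = {}   # host -> consecutive windows without scan activity

    def process_window(self, flows):
        """Feed one window of flow records; return the hosts currently blocked."""
        active = scanners(flows)
        for host in active:
            self.blocked[host] = 0
        for host in list(self.blocked):
            if host not in active:
                self.blocked[host] += 1
                if self.blocked[host] >= QUIET_WINDOWS:
                    del self.blocked[host]
        return set(self.blocked)
```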
Slide 12: Telecommuting Access
VPN service available
 – Encrypted tunnel capability to the Laboratory
 – Assigns virtual local Fermilab address
 – Allows site access to protocols blocked at border
 – Must use Cisco VPN client & FNAL-provided profile
   » Standard configuration forced onto users
   » Split-tunneling restricts tunnel data flows to FNAL-related traffic
Dial-up:
 – Uses Radius authentication
 – Limited to on-site access only
Slide 13: Node Registration
System registration is required to be granted a usable address on the facility network
 – Permanent registration in MISCOMP database for either static or automatic DHCP address:
   » Key information required: MACs, sysadmin
 – Temporary DHCP service available for transient users not registered in MISCOMP:
   » Provides DHCP lease good for rest of the day
   » Re-registration necessary every day
   » 5 day limit per 30 day period
Slide 14: Node Registration Monitoring
Currently checking for unregistered static IP systems via simple ping utility
 – Doesn’t work so well with software firewalls…
 – Not useful at all for DHCP subnets
Have developed a prototype to check ARP table information for proper registration:
 – Verifies that IP/MAC tuples observed on the network correlate to registered MISCOMP information
 – 2–3 months away from being a production-use tool
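The ARP-table correlation described above, worked through on a small sample. This is an added example, not the FNAL prototype; the ARP listing (in a Cisco ‘show ip arp’ style, assumed) and the registration records standing in for MISCOMP are constructed.

```python
"""ARP-table registration check, along the lines of the prototype on the slide.
Added example, not the FNAL tool; the ARP listing (in a Cisco 'show ip arp'
style, assumed) and the registration records are constructed."""
import re

ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.1.5               12   0000.0c07.ac01  ARPA   Vlan10
Internet  10.1.1.9                3   0011.2233.4455  ARPA   Vlan10
Internet  10.1.2.20               0   00aa.bbcc.dd01  ARPA   Vlan20
Internet  10.1.2.21               5   00aa.bbcc.dd02  ARPA   Vlan20
"""

# Constructed registration records: MAC -> registered static IPs.
# An empty set stands for a DHCP registration with no fixed address.
REGISTERED = {
    "00:00:0c:07:ac:01": {"10.1.1.5"},
    "00:11:22:33:44:55": {"10.1.1.10"},   # registered under a different static IP
    "00:aa:bb:cc:dd:01": set(),           # DHCP registration
}
DHCP_SUBNETS = ("10.1.2.",)               # prefix match kept deliberately simple

ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

def normalize_mac(cisco_mac):
    """0000.0c07.ac01 -> 00:00:0c:07:ac:01"""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_arp(text):
    """Return the (ip, mac) tuples observed in the ARP listing."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(2))))
    return entries

def audit(arp_entries, registered):
    """Map each IP whose tuple disagrees with registration to a finding."""
    findings = {}
    for ip, mac in arp_entries:
        if mac not in registered:
            findings[ip] = "unregistered MAC " + mac
        elif registered[mac] and ip not in registered[mac]:
            findings[ip] = "IP not registered for " + mac
        elif not registered[mac] and not ip.startswith(DHCP_SUBNETS):
            findings[ip] = "DHCP-registered MAC using a static address"
    return findings
```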
Slide 15: Node Tracking
Router ARP & switch FDB tables gathered every 20 minutes
Node Locator utility manipulates ARP & switch FDB data to:
 – Identify location of IP or MAC address on the network
 – Provide switch port information for the system
 – Provide traffic utilization for switch port
Slide 16: Infrastructure Monitoring & Response
Network management stations monitor status of network devices & servers:
 – Device and server reachability & uptime monitored
 – Service response (DNS, DHCP, & NTP) also monitored
Off-hours support:
 – Automated device/service paging during off-hours
   » Two people on call at all times
 – Escalation procedures to Section, Dept., then Division Heads
 – User problem reporting via HelpDesk off-hours service
Slide 17: Wireless Support
WLANs cover major work areas of the site
Not treated differently than wired access
 – Broadcast SSID
 – Authentication not required
 – Encryption not required
 – Node registration required
But tightening down on vulnerabilities:
 – Migrating to wireless subnets (70% complete)
 – Rogue detection based on Cisco Wireless LAN Solution Engine (WLSE) & war drives
 – Site border scans checking for offsite bleed-thru
Slide 18: The Network Critical System*
Network Critical System*:
 – “Those parts or components of the network necessary to sustain the operation of the general facility network as a functioning entity”
 – “Those parts or components of the network that are an integral part of an activity or operation whose compromise could seriously impact the Laboratory’s science programmatic operations”
CSPP Network Critical System* Plan:
 – Protects network critical system components themselves
 – Current plan is version 2; revised 4/7/2003
   » Next revision due in line with new CSPP
* also known as Major Application
Slide 19: Components
Facility core network devices:
 – FCC & WH core routers
 – Border router
Servers for essential network services:
 – DNS, DHCP, NTP
Run-II experiment network “core” routers:
 – Off-line network core router
 – On-line network router
Slide 20: Network Management LAN
Isolated LAN to control access to:
 – Network Critical System* core & border routers
   » Also other major network devices in the FCC & WH
 – Enterprise DNS/DHCP server & NTP time sources
   » Misc. other servers (i.e., Radius server …)
Used for:
 – Remote console access & configuration management
 – O/S upgrades
 – snmp/statistical data collection
* also known as Major Application
Slide 21: Network Mgmt LAN Figure
[figure not reproduced in transcript]
Slide 22: Network Mgmt LAN (cont)
Physically separate from campus LAN
 – Dedicated fiber; dedicated switches
Firewall protected w/ default deny inbound
 – Exceptions for necessary server traffic & monitoring:
   » DNS/DHCP traffic
   » NTP traffic w/ stratum-2 NTP servers (i.e., routers)
   » Remote terminal access via VPN
Network management system dual-homed to general LAN & network management LAN
Slide 23: Questions… ?