Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jefferson Lab Remote Access Andy Kowalski December 1, 2010.

Similar presentations


Presentation on theme: "Jefferson Lab Remote Access Andy Kowalski December 1, 2010."— Presentation transcript:

1 Jefferson Lab Remote Access Andy Kowalski December 1, 2010

2 Internet Connectivity NYC Atlanta MATP McLean, VA Virginia Tech 10GE OC192 OC48 DS3 ESnet core Eastern LITE (E-LITE) Old Dominion University W&M* JTASC VMASC Bute St CO ODU* NASA JLAB Site Switch Level3 Washington DC Lovitt MATP ESnet Router COX Communications (backup) JLAB 10Gbps 2.5Gbps 45Mbps * SURA Site

3 Local Area Network (LAN) 10 Enclaves –7 NIST Low Level –3 NIST Moderate Level Use NIST 800-53 Base Controls –Enclave level determined by potential impact from a loss of confidentiality, integrity, and availability –Impact on JLab, not DOE Firewalls Between All Enclaves –Some within enclaves Moderate Level Enclaves Experimental Physics Accelerator Public Services Scientific Computing Collaborative Services Business Services FEL Sensitive 10GigEthernet 1GigEthernet Desktops Levels 1,2,3 Guest Core Services

4 Network Management & Monitoring JNet registration required for network access –Manages both wired and wireless JNet database manages/tracks –User to MAC address registration –Asset tracking (property, contact information) –History of machine locations and registrations –Auto VLAN assignment (users may move about, VLAN assignments change when they plug in) Network Intrusion Detection System (NIDS) –Monitor network traffic looking for intrusions –Taps at VLAN ingress/egress points

5 Moderate Enclave Protections BSN –Firewall restricts remote access RDP limited to a Terminal Server from select desktops SSH from select IT areas for management –2-factor authentication Core & FEL –Firewall restricts remote access SSH and RDP open to all systems –2-factor authentication on Windows –2-factor authentication on Linux (Core only)

6 Additional Core Enclave Protections Firewall restricts SSH and RDP by network of origin Guest network support is isolated –Printing Utilizes a dedicated print server –Printers are on their own VLAN and firewalled –Otherwise, access to JLab is as from the Internet Web servers on separate VLAN and firewalled Interactive general purpose machines on separate VLAN and firewalled IT administration, development and desktops –Each on separate VLANs and firewalled –2-factor authentication for administration –Use least privilege model for accounts

7 2-Factor Authentication Used Today Used to access moderate enclaves and VPN –BSN, FEL –Core Services -> System and Network Administrators TypeMethod Uses PIN Locks After Failed Attempts Works Off LAN Supports Remote Unlock One Time Cost Yearly Recurring Cost Comments Smart Card PKIYes3 $100 per card ($200 for Linux/Ma c) Replace every 3 years Supported in Windows 7 but requires drivers for other OSes; Not supported by all applications TokenOne- Time Password Yes15Limited to 15 logins No$100 per token $10 per token OS authenticates via RADIUS.

8 Remote Access Today Internet to JLab is via centrally managed gateway servers Service/ Protocol Server OSClient OSUsersEncryptedAuthentication Tunnel Support Comment SSHLinuxAll Yes Username/Passwo rd Yes To CNI managed gateway servers; Tunneling capabilities of SSH allow users to access any service behind a firewall SFTP (SSHFS) LinuxAll Yes Username/Passwo rd No Remotely Mount CUE Central File Systems VPNCiscoAll Moderate Enclave Users Yes (IPSec, SSL) 2-Factor (Smart Card, Token) No Requires Special Setup Per Group (VLAN) HTTP/HT TPS Linux, Windows All No/Yes None, Username/Passwo rd No HTTP/S can be used to tunnel, but we do not configure our servers to do that -> this is more of an outbound issue IMAP over SSL LinuxAll Yes Username/Passwo rd No SMTP/SM TP over SSL LinuxAll No/Yes Username/Passwo rd No

9 Enclave Access Today Enclave to enclave is direct or via gateway servers Service/ Protocol Server OSClient OSUsersEncryptedAuthentication Tunnel Support Comment SSHLinuxAll Yes Username & Password Yes To what machines is Enclave specific; Tunneling capabilities of SSH allow users to access any service behind a firewall RDPWindowsAll BSN, FEL, IT YesSmart CardNo To what machines is Enclave specific; Can access client disks from server VPNCiscoAll BSN, FEL, IT, & a few others Yes (IPSec, SSL) 2-Factor (Smart Card, Token) No Requires Special Setup Per Group (VLAN) HTTP/HT TPS Linux, Windows All No/Yes None/Username & Password No HTTP/S can be used to tunnel, but we do not configure our servers to do that -> this is more of an outbound issue Windows protocol suite WindowsAll Yes Username & Password No File sharing and username/password information from Core NFS/NISLinuxLinux/*nixAllNoHostnameNo File sharing and username/password information from Core

10 Known Issues Stolen username/password pairs SSH tunnels –If SSH is allowed, everything is open –Network traffic is encrypted (good and bad) Portable devices –Laptops, smart phones, iPads, iPods, etc. –Provide less security than managed desktops Unmanaged devices –Personal laptops, PDAs, etc.

11 Proposed Enhancements VPN –Add more robust client side scanning/admission control Direct enclave access through gateway systems requiring 2-factor authentication –Accelerator –Halls 2-factor authentication support for Linux and Mac


Download ppt "Jefferson Lab Remote Access Andy Kowalski December 1, 2010."

Similar presentations


Ads by Google