Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Update at KEK since Oct-2002 Fukuko Yuasa/KEK nwg Kiyoharu Hashimoto/KEK nwg 23 October 2003 HEPiX/HEPNT2003 at TRIUMF.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Update at KEK since Oct-2002 Fukuko Yuasa/KEK nwg Kiyoharu Hashimoto/KEK nwg 23 October 2003 HEPiX/HEPNT2003 at TRIUMF."— Presentation transcript:

1 Security Update at KEK since Oct-2002 Fukuko Yuasa/KEK nwg Kiyoharu Hashimoto/KEK nwg 23 October 2003 HEPiX/HEPNT2003 at TRIUMF

2 2 Plan of Talk KEK SecureNet MAC address registration KEK VPN Protection against Virus/Worm

3 3 KEK SecureNet In Aug. 2002, we had –About 1370 incoming hosts –About 4620 outgoing hosts Since Aug. 2002 to Aug. 2003, about 130 hosts moved from the incoming class to KEK DMZ. –Linux 40%, Win 19%, BSD 13%, Solaris 9.3% The rest becomes outgoing hosts

4 4 blue:registration magenta: policy

5 5 MAC address registration Since Aug. 2003, MAC address registration is required to use KEK network –Without the registration, packets are not transferred –4642 MAC address registered The port of the switch is configured dynamically –One MAC address belongs to one VLAN Also in the wireless LAN, MAC address registration is required since Apr. 2002. –KEK stuff: 150 and Collaborator: 728 –68 Cisco Aironet stations –WEP –Annual registration renewal

6 6 C6509 Edge SW VMPS server CNR (DHCP server) C6509 VMPS client VMPS Database VMPS server (secondary)

7 7 KEK VPN Cisco VPN5000 Ipsec + NAT mode # of users:294 –KEK stuff: 283 –Collaborators: 11 Annual account renewal New Server: Cisco VPN3000 Lab.IPSecNAT mode CERNOK FNALOK BNL (office) XOK BNL (dorm) OK SLACOK DESYXOK

8 8 Average : about 2900 connections/month

9 9 Internet CA 130.87.35.33 dcs00 LDAP 130.87.105.38 dcs01 Port710 Port709/829 Enrollment Web 130.87.105.40 dcs03 Enrollment VPN 130.87.105.39 dcs02 Port389 Port80 RA 130.87.35.32 130.87.4.67 130.87.30.1 FWVPN3030 DMZ KEK Intranet VPN + PKI + eToken

10 10 C=JP O=KEK OU=KEK-CertAuth Directory Tree OU=VPN- Users CN=Security Officer Policy CN=ASH Policy OU=VPN- Admin OU=VPN- Servers CN=End User Policy CN=CRL1 CN=First Officer CN=Administrator Policy CN=ASH Service CN=TEST USER CN=VPN Connector OU=VPNServersOU=VPNAdmi n OU=VPNUsers CN=Kiyoharu Hashimoto CN=Kiyoharu2 Hashimoto CN=Atsushi Manabe CN=VPN3K A CN=Fukuko Yuasa CN=Yoshiyuki Watase CN=Nobu Katayama CN=Hironori Nakao

11 11 Security Incidents at KEK since Oct. 2002 – Oct. 2003 Worm : 64%, unix root exploit: 28%

12 12 Protection against virus/worm 42 windows are infected by Welchi worm in Sep. and Oct 2003. We checked all PCs using –KB823980Scan.exe in Aug. –KB824146Scan.exe in Sep. SOBIG.F: max. 700 virus mail per day –6601 (Aug) + 2930 (Sep) = 9531 total –These are blocked by InterScan VirusWall UNIX at KEK central mail server AntiVirus software + windows update –Scan is managed by Computing Research center System Update Service inside KEK

13 13

Download ppt "Security Update at KEK since Oct-2002 Fukuko Yuasa/KEK nwg Kiyoharu Hashimoto/KEK nwg 23 October 2003 HEPiX/HEPNT2003 at TRIUMF."

Similar presentations

The Approach to Security in CLRC Gareth Smith With acknowledgements to all the members of the CLRC Computer Network and Security Group, especially Trevor.

The Approach to Security in CLRC Gareth Smith With acknowledgements to all the members of the CLRC Computer Network and Security Group, especially Trevor.
192.168.0.0/30 Host Name : R1 Serial 0/0/0.1.2 Host Name : R2 Router Lab 3 : 2 - Routers Connection DTE DCE.

/30 Host Name : R1 Serial 0/0/0.1.2 Host Name : R2 Router Lab 3 : 2 - Routers Connection DTE DCE.
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.

Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.
Wireless and Switch Security NETS David Mitchell.

Wireless and Switch Security NETS David Mitchell.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Denise Heagerty, CERN, HEPiX Meeting Oct 20031 HEPiX Security Workshop Overview of talks Some extracts of general interest LCG Security Group FNAL, KEK,

Denise Heagerty, CERN, HEPiX Meeting Oct HEPiX Security Workshop Overview of talks Some extracts of general interest LCG Security Group FNAL, KEK,
Chapter 7 HARDENING SERVERS.

Chapter 7 HARDENING SERVERS.
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
Providing secure open- access networks Oliver Gorwits Oxford University Computing Services.

Providing secure open- access networks Oliver Gorwits Oxford University Computing Services.
Lesson 17 – UNDERSTANDING OTHER NETWARE SERVICES.

Lesson 17 – UNDERSTANDING OTHER NETWARE SERVICES.
CNIL Report April 4 th, 2005. CNIL Report (Apr 4 th, 2005) Two Major Goals: –Improvement of Instructional Services –Strengthening research IT infrastructure.

CNIL Report April 4 th, CNIL Report (Apr 4 th, 2005) Two Major Goals: –Improvement of Instructional Services –Strengthening research IT infrastructure.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.

Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.
Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.

Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.
Fermilab VPN Service What is a VPN ?.

Fermilab VPN Service What is a VPN ?.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.

Similar presentations

Ads by Google