Presentation is loading. Please wait.

Presentation is loading. Please wait.

November 2006 TECO-WIS, Seoul 1 WMO TECO-WIS - Korea 2006 INTERNET SERVICES, VPN and SECURITY Jean-François Gagnon Director, Network and Voice Operations.

Published byNoel Paul Modified over 8 years ago

Similar presentations

Presentation on theme: "November 2006 TECO-WIS, Seoul 1 WMO TECO-WIS - Korea 2006 INTERNET SERVICES, VPN and SECURITY Jean-François Gagnon Director, Network and Voice Operations."— Presentation transcript:

1 November 2006 TECO-WIS, Seoul 1 WMO TECO-WIS - Korea 2006 INTERNET SERVICES, VPN and SECURITY Jean-François Gagnon Director, Network and Voice Operations Information Technology Infrastructure Directorate Chief Information Officer Branch Environment Canada. Co-Chair, Expert Team on WIS-GTS Communication Techniques and Structures Information System and Services, CBS, WWW

2 November 2006 TECO-WIS, Seoul 2 Definition of the Internet Network of networks –millions of smaller domestic, academic, business, and government networks –Uses TCP/IP protocol suite Carries various information and services, such as electronic mail, online chat, file transfer, documents of the World Wide Web. Internet and the World Wide Web are not synonymous: –the Internet is a collection of interconnected computer networks, linked by telecommunication media –the Web is a collection of interconnected documents, linked by hyperlinks and URLs.

3 November 2006 TECO-WIS, Seoul 3 Deployment of the Internet in the World

4 November 2006 TECO-WIS, Seoul 4 Internet Status as viewed by WMO ET-CTS Noted some progress in implementation of TCP/IP procedures around the various WMO administrative regions –recently for smaller sites –major centers had already reported conversion at previous meetings Experience is good and reports on reliability are reassuring Still not recommended as unique method of data acquisition for mission critical activities –Internet does not provide guaranteed service levels –No operator has complete Internet responsibility, since amalgamation of numerous telecommunication systems Security is an important concern, requires efforts and strong commitment by all

5 November 2006 TECO-WIS, Seoul 5 TCP/IP Protocol Suite – RFC112 and RFC 1123

6 November 2006 TECO-WIS, Seoul 6 Use of TCP/IP on the GTS As recommended TCP/IP on the GTS for several years Benefits equate direct savings in financial and human resource costs to Members –reduced costs for communications equipment purchase and maintenance –reduced software development work - use of industry standard software systems

7 November 2006 TECO-WIS, Seoul 7 Common Protocols allow Coexistence Internet can be used as: –an underlying technology for some components of the GTS in special conditions –as a backup to the GTS –as a complement to the GTS Communication Component Function GTSDelivery of time critical communication for weather, water and climate operations InternetCommunication for less critical requirements and possibly for large volumes of data

8 November 2006 TECO-WIS, Seoul 8 Telecommunication Options

9 November 2006 TECO-WIS, Seoul 9 Internet Access Types Dial-up –Based on public telephone system –Typically 64 Kbps or less –Usually billed on time –Short connections initiated by user’s (or centre’s) end Permanent –Broadband (cable, DSL) or dedicated link –Typically 1 Mbps or better –Higher cost –Faster –Connection always established –Good for data providers

10 November 2006 TECO-WIS, Seoul 10 Implementation for Client-only Usage Simple computer is sufficient to access Internet Usually limited to small interactions initiated by user Non-dedicated link (dial-up, DSL, cable) might be sufficient Important to secure computer against unautorized incoming threats –Usually the simplest rules – deny all incoming –PC based « personal use » firewall software, such as http://www.zonelabs.com/ http://www.personalfirewall.comodo.com/ http://www.sunbelt-software.com/kerio.cfm –Small « personal use » firewall, such as http://www.linksys.com http://dlink.com

11 November 2006 TECO-WIS, Seoul 11 Implementation for Servers Usually requires a dedicated link May be implemented with servers –within your organization Completely under your responsibility Usually more flexible, more control –Contracted to a hosting service provider May be more attractive if little expertise in system and security management May have less control and flexibility Requires very clear statement of work and deliverables, especially regarding Service Level Agreements (support issues)

12 November 2006 TECO-WIS, Seoul 12 Official IP Addresses It is essential to have a standard in the addressing scheme –Currently IPv4 most widely spread –IPv6 being deployed slowly. Not used in GTS yet. It is essential to have uniqueness in the allocation of addresses –Since the GTS (and of course Internet) is not built as a unique network under the complete authority of a single organization, the allocation of addresses must therefore go through the official bodies

13 November 2006 TECO-WIS, Seoul 13 IP Address Authorities The Internet community provides official bodies to coordinate the distribution of official IP addresses –Internet Assigned Numbers Authority (IANA), and –Regional Internet Registries: AfriNIC (African Network Information Centre) – Africa region APNIC (Asia Pacific Network Information Centre) – Asia Pacific region ARIN (American Registry for Internet Numbers) – Americas and Southern Africa LACNIC (Regional Latin-American and Caribbean IP Address Registry) – Latin America and some Caribbean islands RIPE NCC (Réseaux IP Européens Network Coordination Centre) – Europe and surrounding areas –These may further delegate to national Internet registries and telcos WMO should not allocate IP addresses Since the GTS is not built as a unique network under the complete authority of a single organization, the allocation of addresses must therefore go through the official bodies WMO recognizes that this is not always possible. Manual 386, Att II.15 (revision 3) Appendix 7 provides guidelines to mitigate the problem

14 November 2006 TECO-WIS, Seoul 14 The Internet Security Threat Motivation –Obtain information or resources An attack can be motivated by the will to obtain information, for strategic, ideological, financial or intelligence reasons, or resources like storage, supercomputing or a link to an organization’s partner. –Desire to cause harm Another motivation can be to prevent an organization to fulfil its mission properly, by blocking or modifying services or information, for revenge, terrorism, blackmail or malicious reasons. –Playful or exploration Another kind of motivation is curiosity, boredom, game or challenge. Many famous governmental institutions have been hit by such motivated attacks, degrading their reputation. –Accident The last category is human or physical accident. It can take many forms and touch any part of the information system (network, hardware and software), and can be prevented by an adequate disaster recovery procedures, such as implementing system redundancy and automatic failover procedures. Regardless of motivation, the threat is real

15 November 2006 TECO-WIS, Seoul 15 The Internet Security Threat – Common Threats Malicious codes: viruses, worms, Trojan horses Denial of service Malicious hacking Spying Compromising and abuse of system resources

16 November 2006 TECO-WIS, Seoul 16 Impacts of Security Breaches System and service impacts that disrupt or incapacitate actual systems or services –System slow down: the events cause the systems to slow down for no apparent reason. –System rendered unavailable: the events cause the systems to stop functioning altogether. –System or component of system destroyed: the events cause not only the systems and services not to be available for a period of time, but cause the destruction of resources. –System apparently normal, but information stolen or compromised: the events that lead to these impacts usually reside on the systems in a way not to be detected. Often, the reason is to steal or spy. The impacts can be severe, as stolen information can be of sensitive or commercial nature. Compromised information may have public safety implications or political, religious, sexual or racial contents. The organization’s reputation and future may be at stakes as well as safety of life. –System used to compromise others: the events would compromise an organization’s systems in a way not to be detected, and may be left unused for a long time. However, these components can be used to compromise other systems. Although the impact on a given organization may seem negligible, harm to other organizations is possible. An organization could be falsely accused of being the source of trouble because of this technique. Administrative, legal and reputation impacts –All organizations have a “network” responsibility. They must mitigate the problems of security and ensure they are not the cause of problems to others. Failure to do so may eventually lead to legal action. It is also obvious that bad information and poor service will certainly have administrative impacts as well as loss of reputation impacts.

17 November 2006 TECO-WIS, Seoul 17 Information Technology Security Best Practices Network architecture –Local Area Networks –Wide Area Networks –Wireless LAN –Firewall systems Remote access Server access and security –File system authorisation rules Security policies –The requirement for a security policy –Developing a policy Threat and Risk Assessments (TRA) Policy control Procedures –System management –New system installation and change management –Installation of security patches –User account management –Backup / restore procedures and regular testing –Detection procedures –Response/recovery procedures Public server configuration

18 November 2006 TECO-WIS, Seoul 18 Most Basic Security Tool: Firewalls Types –Packet filters –Application Layer firewalls By default should block all unauthorized traffic –Protects systems against unwanted access Can be used in many places in the networks –Not just for security with the internet

19 November 2006 TECO-WIS, Seoul 19 Possible Placement of Firewalls

20 November 2006 TECO-WIS, Seoul 20 VPN Concept

21 November 2006 TECO-WIS, Seoul 21 Virtual Private Networks (VPN) Create the equivalent of a dedicated private link using the Internet as a connection media

22 November 2006 TECO-WIS, Seoul 22 WIS VPN Pilot Project in Regions II and V (as of Sept 2006) Hong Kong India Iran Korea Oman Saudi Arabia Vietnam Australia Brunei Malaysia New Zealand China Soon established VPN-link with Japan Established VPN-link with Japan Japan Singapore 10Mbps (max) 2Mbps 4Mbps 512Kbps 2Mbps 1Mbps 100Mbps (max) 3Mbps 2Mbps 1Mbps Internet 100Mbps (max) 256Mbps (min)- 440Mbps (max)

23 November 2006 TECO-WIS, Seoul 23 Establishing a VPN Link VPN links have many parameters –Confirm the protocols to be used, such as IPsec, pre-shared secrets –Define the pre-shared secret. This “password” must be defined and be the same on both sides –Confirm the VPN platform to be used –Agree on IP addresses to exchange on the link –Modify filter rules on the firewall –Implement the define configuration –Test

24 November 2006 TECO-WIS, Seoul 24 File Transfers and FTP servers Uses File Transfer Protocol Can be used for dissemination or exchange of bulk meteorological data through Internet, GTS or other local/wide area networks Recommended for predefined users Efficient data exchange protocol Good for both push and pull configurations File Naming is important – see Man 386 Att II.15

25 November 2006 TECO-WIS, Seoul 25 FTP Server Implementation

26 November 2006 TECO-WIS, Seoul 26 Electronic Mail Uses the Simple Mail Transfer Protocol (SMTP) Complementary method of data input into the GTS –Should not be used to replace GTS data exchanges for mission critical components –Usually can not guarantee real time data delivery –Requires sites to collect messages (some examples: Washington, New Zealand, Tokyo, Beijing) –Requires a strong quality control at the collecting center as the collected messages often contain several typing or format mistakes Mostly a push mechanism May be used for notification (for example that a file is available for delivery while the file itself is placed on an FTP server) Excellent general communication tool Important entry point for virusses, worms and Trojan Horses Must deal with SPAM problem –Spamming is the abuse of electronic messaging systems to send unsolicited, undesired bulk messages

27 November 2006 TECO-WIS, Seoul 27 Email Implementation

28 November 2006 TECO-WIS, Seoul 28 Web Servers Based primarily on Hyper Text Transfer Protocol (HTTP) Used to make available various data and reports, available to users who request the information by downloading the various « web pages » (pull mechanism) Offers an intuitive approach to presentation of data and links between data elements Allows complex scripts and data management tools to be added Requires permanent connection to the Internet Requires careful and significant planning and maintenance –Weather data is updated very often –Demand for weather data can be very high –In large sites can become very complex

29 November 2006 TECO-WIS, Seoul 29 Web Server Implementation

30 November 2006 TECO-WIS, Seoul 30 Comparison of TCP/IP Applications Web (HTTP)File transfer (FTP)Electronic mail (SMTP) Assurance of deliveryNoneGoodPoor Volume of information possible LargeVery largeSmall Ad hoc requestsExcellentPoor (good for ad hoc access) Acceptable for simple request Security riskHigh (low with HTTPS)Medium (low with FTPS)Very high Target audience for dissemination (push) WideSmallWide Target audience for access (pull) Wide Small Feed-back from usersGood (via forms or e-mail)NoGood DBMSDBMS accessGoodNo Multimedia / graphical information Excellent for viewingDelivery onlyCan be used to deliver small multimedia files

31 November 2006 TECO-WIS, Seoul 31 Conclusion Internet is part of the « Network Structure » of the WIS Should be used mostly for non real time, non mission critical traffic It complements the information exchange infrastructure –As a separate network –As a backup network –As an underlying technology to simulate dedicated links for the GTS where no other means are possible or economically sustainable Security is an essential concern and must be addressed

32 November 2006 TECO-WIS, Seoul 32 Important Documents http://www.wmo.int/web/www/documents.html Manual 386, Attachment II.15 – Use of TCP/IP on the GTS (Revision 3, Sept 2006) Guide on Information Technology Security (Sept 2006) Guide on Internet Practices (Sept 2006) Guide on use of FTP and FTP servers at WWW centres (Sept 2006) Guidance on IPSec-based VPNs over the Internet (April 2004)

33 November 2006 TECO-WIS, Seoul 33 Questions?

Download ppt "November 2006 TECO-WIS, Seoul 1 WMO TECO-WIS - Korea 2006 INTERNET SERVICES, VPN and SECURITY Jean-François Gagnon Director, Network and Voice Operations."

Similar presentations

Intermediate 2 Computing

Intermediate 2 Computing
November 2006 TECO-WIS, Seoul 1 Definition of the Internet Network of networks –millions of smaller domestic, academic, business, and government networks.

November 2006 TECO-WIS, Seoul 1 Definition of the Internet Network of networks –millions of smaller domestic, academic, business, and government networks.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards What’s happening in your office?
2 An Overview of Telecommunications and Networks Telecommunications: the _________ transmission of signals for communications (home net) (home net)

2 An Overview of Telecommunications and Networks Telecommunications: the _________ transmission of signals for communications (home net) (home net)
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.

Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
Mgt 20600: IT Management & Applications Telecommuncations and Networks Tuesday March 28, 2006.

Mgt 20600: IT Management & Applications Telecommuncations and Networks Tuesday March 28, 2006.
Web Server Administration

Web Server Administration
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
SESSION 9 THE INTERNET AND THE NEW INFORMATION NEW INFORMATIONTECHNOLOGYINFRASTRUCTURE.

SESSION 9 THE INTERNET AND THE NEW INFORMATION NEW INFORMATIONTECHNOLOGYINFRASTRUCTURE.
Web and Internet Part I ST: Introduction to Web Interface Design Prof. Angela Guercio Spring 2007.

Web and Internet Part I ST: Introduction to Web Interface Design Prof. Angela Guercio Spring 2007.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Network security policy: best practices

Network security policy: best practices
Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Lecture slides prepared for “Business Data Communications”, 7/e, by William Stallings and Tom Case, Chapter 8 “TCP/IP”.

Similar presentations

Ads by Google