
Slide 1: The Security Protection System at IHEP-Net
Lanxin Ma, Institute of High Energy Physics (IHEP), Chinese Academy of Sciences
CHEP 2004, Interlaken, September 30, 2004

Slide 2: Outline
- Introduction
- Why IHEP-Net's security protection capability needed improving
- The measures we used
  - Firewall and VPN
  - Anti-virus system
  - Anti-spam system
  - The security control and management center
  - Emergency response team
- Summary
(Footer on each slide: Interlaken, Switzerland, CHEP2004, 30 September, Lanxin Ma)

Slide 3: Introduction
- IHEP was the first institute in China to connect its computers to the Internet, in the early 1990s.
- The Internet uplink bandwidth is 10 Mbit/s.
- The IHEP-Net backbone is Gigabit Ethernet; each host is connected to the intranet at 100 Mbit/s.
- The intranet is a switch-based star topology: a main switch connects to a switch in each laboratory.
- There are more than 2000 hosts, including many PC/Linux and Windows 2000 servers.
- IHEP-Net provides the computing environment for the BESII and BESIII experiments.

Slide 4: The Current Topology of IHEP-Net
(Network diagram. Recoverable labels: SSR8600 core in the Computing Center with 1000SX/1000LX fibre links to the PC-FARM and BES-FARM; external link to CSTNET; Hammer 6808 switches in the Main Building and Physics Building 2nd-floor computer labs; Hammer 3550-24 edge switches in the Main Building (2nd and 5th floors), Physics Building and Chemistry Building; a Cisco Catalyst 3750 for the BES farm in Main Building room 426; SSR2000 switches at the Third Hall, ORB lab, BES central control and Second Workshop; a Cisco 3640 at the Computing Center and an ELS100 at the First Hall; further nodes at the Second, Fourth, Fifth, Sixth, Twelfth and Thirteenth Halls and the Library, Report and Online buildings. Legend: blue lines 100TX, purple lines 100FX.)

Slide 5: Why IHEP-Net Security Needed Improving
- Before 2002 the firewall system was too simple, and the network was easy for attackers to break into.
- There was no anti-virus system and no anti-spam system.
- Security is one of the important issues at IHEP-Net.
- At the end of 2001 a network security group was organized in the IHEP Computing Center to set the security policy and strategy against attacks and to improve IHEP-Net security.

Slide 6: The Measures Taken to Improve IHEP-Net Security
- Re-constructed the IHEP-Net infrastructure: IHEP-Net now consists of three areas, the intranet, a DMZ and a special hosts area (SA).
- Re-configured the firewall system: some servers and special hosts were moved to the DMZ and SA, and new rules control access among the Internet, the intranet, the DMZ and the SA.
- IDS (intrusion detection system): works together with the firewall so that all packets arriving from outside IHEP are checked and filtered.
- VPN at IHEP-Net: access to hosts inside IHEP from outside must go through the firewall or the VPN.
- Anti-spam system
- Anti-virus system
- The network security control and management center
- The emergency response team

Slide 7: The Security Protection System of IHEP-Net
(Architecture diagram. Components: Internet; security scanner system; administration platform; anti-virus and anti-spam system; DMZ; special-use machines; LAN; and the SOC of IHEP-Net, comprising the security policy, the administrator system, the security incident response team, and a monitor system made up of a forensic agent, trap system, survival system, IDS agent and backup system.)

Slide 8: The Secure IHEP-Net
- Firewall system
- VPN system
- Access to hosts inside IHEP from outside IHEP must go through the firewall or the VPN.
(Diagram: Internet, intranet, VPN, DMZ and SA, all connected through the firewall.)

Slide 9: The Firewall System
- The firewall system has been reconfigured to prevent unauthorized access to our network from other networks.
- It controls access among the Internet, the intranet, the DMZ and the special hosts area (SA); some servers and special hosts have been moved to the DMZ and SA.
- Traffic between the Internet, intranet, DMZ and SA is permitted only as the rules allow.
- The intranet consists of:
  - isolated hosts, which are not allowed to access the Internet and can reach only hosts inside IHEP;
  - hosts that access the Internet via NAT.
- Hosts outside IHEP cannot connect to the intranet directly.
(Diagram: Internet, intranet, DMZ, SA.)

Slide 10: The VPN System
- Hosts outside IHEP access the IHEP intranet via the firewall or the VPN.
- VPN server with PPTP as the tunneling protocol.
- Client OS: Windows 2000/XP/2003, Linux.
- Authentication: USB key.
- Each client host is assigned a unique, fixed IP address.
- The VPN server also performs packet filtering: the access level of each VPN account is controlled through packet-filtering rules keyed to that address.
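The zone rules on slide 9 and the per-account VPN filtering on slide 10 are both packet-filter policies, so one policy model covers both. The following is an added example written for this page, not IHEP's firewall configuration: the address ranges, the published DMZ ports and the VPN account table are assumptions. It shows why the VPN design assigns each account a fixed client address: the filter can only enforce an access level per account if the address it sees is bound to the account that authenticated.

```python
"""Zone-based access policy modelled on the IHEP-Net design (Internet, intranet
with NAT and isolated hosts, DMZ, special hosts area, VPN client pool).
All address ranges and the account table are assumptions for this example."""
import ipaddress
from dataclasses import dataclass

# Assumed address plan (RFC 1918 / documentation ranges, not IHEP's real plan).
ZONES = {
    "intranet_nat":      ipaddress.ip_network("10.0.0.0/16"),
    "intranet_isolated": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":               ipaddress.ip_network("192.0.2.0/24"),
    "sa":                ipaddress.ip_network("198.51.100.0/24"),
    "vpn":               ipaddress.ip_network("10.200.0.0/24"),
}

# Services the DMZ publishes to the Internet (assumed).
DMZ_PUBLIC_PORTS = {25, 80, 443}

# VPN accounts: each owns exactly one fixed client address, and its access
# level is the set of (destination zone, port) pairs it may reach (assumed).
VPN_ACCOUNTS = {
    "alice": {"ip": "10.200.0.11", "allow": {("intranet_nat", 22), ("intranet_nat", 3389)}},
    "bob":   {"ip": "10.200.0.12", "allow": {("dmz", 22)}},
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known ranges is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def vpn_account_for(ip: str):
    """Reverse lookup from the fixed client address to the account that owns it."""
    for name, acct in VPN_ACCOUNTS.items():
        if acct["ip"] == ip:
            return name
    return None


def firewall_decision(pkt: Packet) -> str:
    """Return ACCEPT, DROP or NAT for a packet, following the slide's rules in order."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)

    # Rule 1: isolated hosts never exchange traffic with the Internet.
    if "internet" in (src_zone, dst_zone) and "intranet_isolated" in (src_zone, dst_zone):
        return "DROP"
    # Rule 2: nothing from the Internet may reach the intranet directly.
    if src_zone == "internet" and dst_zone.startswith("intranet"):
        return "DROP"
    # Rule 3: the Internet may reach only the published DMZ services.
    if src_zone == "internet":
        return "ACCEPT" if dst_zone == "dmz" and pkt.dport in DMZ_PUBLIC_PORTS else "DROP"
    # Rule 4: NAT hosts leave for the Internet through address translation.
    if src_zone == "intranet_nat" and dst_zone == "internet":
        return "NAT"
    # Rule 5: VPN clients are filtered per account; an address with no account is dropped.
    if src_zone == "vpn":
        acct = vpn_account_for(pkt.src)
        if acct is None:
            return "DROP"
        return "ACCEPT" if (dst_zone, pkt.dport) in VPN_ACCOUNTS[acct]["allow"] else "DROP"
    # Rule 6 (assumed): traffic among the internal zones, and outbound from
    # DMZ/SA, is permitted.
    return "ACCEPT"


if __name__ == "__main__":
    for p in (Packet("203.0.113.5", "10.0.0.7", 22),      # Internet -> intranet
              Packet("203.0.113.5", "192.0.2.10", 443),   # Internet -> DMZ web
              Packet("10.1.0.4", "203.0.113.5", 80),      # isolated host -> Internet
              Packet("10.0.0.7", "203.0.113.5", 80),      # NAT host -> Internet
              Packet("10.200.0.11", "10.0.0.7", 22),      # alice via VPN -> intranet ssh
              Packet("10.200.0.11", "192.0.2.10", 22)):   # alice via VPN -> DMZ ssh
        print(p.src, "->", p.dst, p.dport, firewall_decision(p))
```

Rules are evaluated first-match, as on a real packet filter, so the order matters: the isolated-host rule sits before the general intranet rules, and the VPN rule is keyed to the client address, which is why the address must be fixed per account rather than pooled.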

Slide 11: The Anti-Virus System
- Anti-virus wall at the gateway: provides real-time virus detection and cleanup for all SMTP, HTTP and FTP Internet traffic at the gateway.
- Desktop anti-virus system: offers centralized virus protection for all Windows hosts across the network, in a server/client structure.

Slide 12: The Topology of the Anti-Virus System at the Gateway
- For SMTP:
  - all e-mail sent and received is filtered by this system;
  - to support outbound mail processing, the local domains are specified;
  - anti-relay is enabled.
- A web proxy is used to filter viruses out of HTTP traffic.
- An FTP proxy is used to filter viruses out of FTP traffic; the system can act as the file-transfer proxy itself.
(Diagram: Internet, firewall, router, gateway anti-virus system for SMTP/HTTP/FTP, web proxy server, mail servers, clients.)
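The two SMTP settings on this slide, "specify your local domains" and "enable anti-relay", together define which messages a gateway will carry. The following is an added example, not the gateway product's code or IHEP's configuration; the domain list and trusted network ranges are assumptions. It makes the relay decision the way a correctly configured gateway does: on the recipient domain and the connecting client's address, never on the sender address, and it rejects the old "percent hack" and multiple-@ recipient forms that were used to smuggle relay requests past domain checks.

```python
"""Relay control for a mail gateway: accept inbound mail for local domains,
accept outbound mail only from inside clients, refuse third-party relaying.
LOCAL_DOMAINS and TRUSTED_NETS are assumptions for this example."""
import ipaddress

LOCAL_DOMAINS = {"ihep.ac.cn", "mail.ihep.ac.cn"}            # assumed
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/16"),         # assumed intranet
                ipaddress.ip_network("192.0.2.0/24")]        # assumed DMZ mail servers


def _split(addr: str):
    """Split '<user@domain>' into (local_part, domain); None, None if malformed."""
    email = addr.strip().strip("<>")
    if email.count("@") != 1:
        return None, None
    local, dom = email.split("@")
    return local, dom.lower().rstrip(".")


def is_local(addr: str) -> bool:
    """True if the address belongs to one of our own domains."""
    _, dom = _split(addr)
    return dom in LOCAL_DOMAINS


def is_trusted(client_ip: str) -> bool:
    """True if the SMTP client connected from inside IHEP."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in TRUSTED_NETS)


def relay_decision(client_ip: str, mail_from: str, rcpt_to: str) -> str:
    """Return the SMTP reply for one RCPT TO.

    mail_from is deliberately not consulted: the envelope sender is chosen by
    the remote client and is forged in exactly the abuse this check stops.
    """
    local_part, dom = _split(rcpt_to)
    # Source-routed recipients (user%other.org@local, user@a@b) are refused
    # outright; otherwise 'local' mail could be re-routed to the outside.
    if dom is None or "%" in local_part or "!" in local_part:
        return "501 5.1.3 Bad recipient address syntax"
    if dom in LOCAL_DOMAINS:
        return "250 OK (inbound, local recipient; passed to virus/spam filtering)"
    if is_trusted(client_ip):
        return "250 OK (outbound from inside)"
    # Outside client, outside recipient: third-party relay, refused.
    return "554 5.7.1 Relay access denied"


if __name__ == "__main__":
    # Constructed sessions, not real traffic.
    for args in (("203.0.113.9", "someone@example.org", "user@ihep.ac.cn"),
                 ("10.0.0.25", "user@ihep.ac.cn", "friend@example.org"),
                 ("203.0.113.9", "user@ihep.ac.cn", "victim@example.org"),
                 ("203.0.113.9", "x@example.org", "victim%example.org@ihep.ac.cn")):
        print(args, "->", relay_decision(*args))
```

The third constructed session is the case anti-relay exists for: an outside host claiming a local sender and asking the gateway to deliver to a third party. A gateway that trusted the sender domain there would be an open relay.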

Slide 13: The Topology of the Anti-Spam System at the Gateway
- IP addresses that attack IHEP-Net are refused at the firewall.
- All e-mail sent and received must be filtered by this system.
- The anti-spam gateway is the only host that sends e-mail to the Internet and receives e-mail from the Internet.
- A low filtering level is normally used so as not to lose legitimate e-mail.
- Spam has decreased significantly.
(Diagram: Internet, firewall, router, gateway anti-spam system, mail servers, clients.)

Slide 14: Anti-Spam and Anti-Virus Work Together
- The anti-spam system works together with the anti-virus system so that all e-mail sent and received is filtered by both. This keeps the amount of spam reaching users' mailboxes as low as possible, and no virus-carrying mail reaches users' mailboxes.

Slide 15: The Security Control and Management Center
Some home-made software is used to:
- collect statistics on and analyze network traffic;
- detect and monitor hosts with exceptional traffic volume;
- detect and monitor hosts that scan other hosts, and respond;
- disconnect a host from the network if it has a security problem that stops the network from working;
- refuse connections to the mail server from hosts that spread virus mails.
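The slide lists what the home-made SOC tools do but not how. The following is an added example of the detection logic such a tool needs, written for this page and not IHEP's software; the flow records are constructed sample data and the thresholds are assumptions. It accounts traffic per source host, flags hosts whose volume is far above the median, flags hosts that fan out to many destinations on one port with tiny flows (the signature of a scanning or mass-mailing worm), and maps each finding to the response the slide describes.

```python
"""Per-host traffic accounting and misbehaving-host detection.
FLOWS is constructed sample data; the thresholds are assumptions."""
from collections import defaultdict
from statistics import median

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes). Not real IHEP data.
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 80, 120_000),
    ("10.0.0.5", "203.0.113.11", 443, 90_000),
    ("10.0.0.6", "203.0.113.10", 80, 80_000),
    ("10.0.0.7", "203.0.113.12", 25, 50_000),
    # 10.0.0.8 moves far more data than its peers (constructed: bulk transfer).
    ("10.0.0.8", "203.0.113.20", 6881, 9_000_000),
    ("10.0.0.8", "203.0.113.21", 6881, 7_500_000),
]
# 10.0.0.9 probes 80 intranet hosts on TCP 445 with tiny flows (constructed scan).
FLOWS += [("10.0.0.9", f"10.0.1.{i}", 445, 60) for i in range(1, 81)]
# 10.0.0.10 opens SMTP connections to 40 outside hosts (constructed mass-mailer).
FLOWS += [("10.0.0.10", f"203.0.113.{100 + i}", 25, 80) for i in range(40)]

VOLUME_FACTOR = 10         # > 10x the median host volume is "exceptional" (assumed)
SCAN_FANOUT = 30           # distinct destinations on one port (assumed)
SCAN_MAX_AVG_BYTES = 200   # probes and connection attempts carry little data (assumed)


def host_stats(flows):
    """Per-source totals: bytes, flow count, and distinct destinations per port."""
    stats = defaultdict(lambda: {"bytes": 0, "flows": 0, "dsts_by_port": defaultdict(set)})
    for src, dst, port, nbytes in flows:
        s = stats[src]
        s["bytes"] += nbytes
        s["flows"] += 1
        s["dsts_by_port"][port].add(dst)
    return stats


def exceptional_flux(stats):
    """Hosts whose total volume is far above the median of all hosts."""
    med = median(s["bytes"] for s in stats.values())
    return {h for h, s in stats.items() if s["bytes"] > VOLUME_FACTOR * med}


def scanners(stats):
    """Hosts contacting many distinct destinations on one port with tiny flows.
    Returns {host: port}."""
    found = {}
    for h, s in stats.items():
        avg = s["bytes"] / s["flows"]
        for port, dsts in s["dsts_by_port"].items():
            if len(dsts) >= SCAN_FANOUT and avg <= SCAN_MAX_AVG_BYTES:
                found[h] = port
    return found


def actions(flows):
    """Map findings to the responses on the slide: {host: action}."""
    stats = host_stats(flows)
    acts = {}
    for h in exceptional_flux(stats):
        acts[h] = "disconnect"                 # take the host off the network
    for h, port in scanners(stats).items():
        # Fan-out on SMTP means the host is spreading mail-borne malware:
        # refuse its connections to the mail server rather than cut it off.
        acts[h] = "refuse-mail-server" if port == 25 else "disconnect"
    return acts


if __name__ == "__main__":
    for host, act in sorted(actions(FLOWS).items()):
        print(f"{host:12} {act}")
```

The median rather than the mean is used as the baseline so that one runaway host does not raise the threshold enough to hide itself; with a mean baseline the 16.5 MB host in the sample would pull the average up to about 2.8 MB and be flagged only by a much smaller margin.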

Slide 16: The Emergency Response Team
- Security problem response team for on-site service. It responds to system and application security problems by:
  - cleaning up viruses on infected hosts;
  - patching their systems;
  - scanning hosts for vulnerabilities, etc.
- Technical support channels:
  - hotline;
  - helpdesk system, through which users submit service requests via a web page;
  - e-mail, through which users can ask for our help.

Slide 17: Summary
- We now successfully:
  - prevent attacks from outside and inside;
  - prevent viruses from spreading;
  - reduce spam dramatically;
  - respond to and deal with local users' security problems.
- IHEP-Net is becoming more and more secure.
- In the future we should also consider:
  - VPN connections within IHEP-Net;
  - letting users choose their own spam filtering level;
  - improving the capability of the firewall system and the SOC.

