Lanxin Ma Institute of High Energy physics (IHEP) Chinese Academy of Sciences September 30, 2004 CHEP 2004, Interlaken The Security Protection System at IHEP-Net
Outline The Introduction Why we need to improve IHEP-Net security protection capability The measures we used –Firewall & VPN –Anti-Virus system –Anti-Spam system –The security control and management center –Emergency Response Team Summary Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 2
The Introduction IHEP was the first to connect the computers to Internet in China at the beginning of 90s of last century The outlet bandwidth is 10M IHEP-Net backbone is Gigabit Ethernet The intranet bandwidth connected to each host is 100M The intranet has a star structure with a main switch connected to each laboratory Switch-based network There are more than 2000 hosts, many servers based on PC/Linux, Win2000,etc. IHEP-Net is for Providing computing environment for BESII and BESIII experiments Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 3
The Current Topology of IHEP-Net Main Building 2ndfloor Computerlab Big hammer6808 Main Building 2nd floor hammer CSTNE T Physics Building 2ndfloor Computerlab Big hammer6808 Chemistry Building 2nd floor hammer Physics building 2nd floor hammer Main Buileing 5th floor hammer Main Buileing 5th floor hammer Main Building 2nd floor hammer Main Building 426 Bes farm cisco catalyst3750 Physics building 2nd floor hammer Blue line 100TX Purple line 100FX 1000LX PC-FARM BES - FARM Computing Center SSR SX First Hall ELS100 Second Hall Library Building Report Building Online Building Computing center Cisco3640 Third hall ssr2000 Orb lab ssr2000 Bes Center control SSR2000 Twelfth Hall Second workshop SSR2000 Fourth Hall Fifth Hall Sixth Hall thirteenth Hall 4
Before 2002, The firewall system was too simple It was easy to be attacked by hackers There was no anti-virus system There was no anti-spam system The Security problem is one of the important issues at IHEP-net At the end of 2001, the network security group was organized in the computing center of IHEP to enact the security policy and strategy against the attacks and improve the IHEP-Net security Why need to improve IHEP-Net Security Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 5
The measures to improve IHEP-Net Security Re-Constructed IHEP-Net infrastructure: –IHEP-Net consists of 3 areas: one intranet, one DMZ and one special hosts area Re-Configured Firewall system: –Some servers and some special hosts move to DMZ and SA. –The new rules to control the access among Internet, the intranet, DMZ and special hosts area IDS (An intrusion detection system) –work with firewall so that all of packets from outside IHEP are checked and filtered VPN at IHEP-Net –Access to the hosts inside of IHEP from outside must be via FW or VPN Anti-Spam system Anti-Virus System The network security control and management center The emergency response team Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 6
The Security Protection System of IHEP-Net Internet Security Scanner System Administration platform Anti-virus,Anti- spam system DMZ Special using machine LAN The SOC of IHEP-Net Security Policy Administrator System Security Incident Response Team Monitor system —— Forensic agent —— Trap system —— survive system —— IDS agent —— backup system Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 7
The Secure IHEP-Net Firewall system VPN system Access the hosts inside of IHEP from outside of IHEP must be via FW or VPN Interne t Intranet VPN DMZ SA FW Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 8
The Firewall System Firewall system Has been reconfigured prevent unauthorized access to our network from other networks Control the access among Internet, intranet, DMZ and special hosts area Some servers and some special hosts move to DMZ and SA. Access each other among Internet, intranet,DMZ and SA are allowed as rules The intranet consists of the o The isolated hosts, which are not allowed to access Internet, just access the hosts inside IHEP o The hosts,which access Internet via NAT o The host outside of IHEP cannot connect to intranet directly Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 9 Internet Intranet DMZSA
The VPN System VPN system The hosts outside of IHEP access IHEP intranet via FW or VPN VPN server + PPTP as a tunneling protocol Clients OS: Win2000/XP/2003/Linux Authentication USBKEY authentication The only IP address is assigned to the client host VPN server also have packet filtering function Control the access level of each VPN account through packet filtering rules Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 10
The Anti-Virus System Anti-Virus Wall at gateway level provides real-time virus detection and cleanup for all SMTP,HTTP and FTP Internet traffic at gateway. Desktop Anti-Virus system Desktop anti-virus system: offers centralized virus protection to all the Windows OS across the network Server/Client structure Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 11
For SMTP –All s sent and received are filtered by this system –To support outbound mail processing, specify your local domains. –Enable anti-relay Using web proxy to filter viruses for HTTP traffic Using FTP proxy to filter viruses for FTP traffic. This system can acts as a file transfer proxy itself. The topology of Anti-Virus System at Gateway Interne t FW Route Anti-Virus system at gateway for SMTP, HTTP, FTP Web proxy server Mail Servers Clients Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 12
Refusing access from the IP address that attack the IHEP-Net at firewall All s sent and received must be filtered by this system The anti-spam gateway is the only host sending s to Internet and receiving s from Internet Low filtering level is used normally in order not lose s Spam mails decrease significantly The topology of Anti-Spam System at Gateway Interne t FW Route Anti-Spam system at gateway Mail Servers Clients Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 13
The anti-spam system work well with anti- virus system together so that all of s sent and received are filtered by anti- spam system and anti-virus system. This makes it possible that the amount of spam s reached to users mail boxes are as low as possible and no virus mails reach to users mail boxes. Anti-Spam and Anti-Virus Work Together Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 14
Some home-made software to Make statistics and analyze the network flux Detect and monitor the hosts that have exceptional flux Detect and monitor the hosts that scan other hosts and give response disconnect the host from the network if the hosts have security problem and cause the network does not work Connection is refused to mail server for the hosts that spread virus mails The Security Control and Management Center Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 15
The Emergency Response Team Security problem response team for locale service –Respond to security problem (system/application) Cleanup virus for the host that is infected virus Patch their system Scan system leak for hosts, etc The technique support methods –Hotline –Helpdesk system for users to submit service via webpage –Mail system for users to get our help Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 16
Now, We successfully –prevent attacking from outside and inside –prevent virus spread –Reduce spam dramatically –Respond and deal with security problems of local users The IHEP-Net is becoming more and more secure In the future, We should also consider that: –The VPN connection among IHEP-Net –Users can choose their own spam filtering level –The capability of the firewall system and SOC need to be improved Summary Interlaken,Switzerland CHEP2004, 30 September Lanxin Ma 17