
Network Policies and Procedures Presentation for DoE Office of Assurance Cybersecurity Review visit to SLAC August 2005.




1 Network Policies and Procedures Presentation for DoE Office of Assurance Cybersecurity Review visit to SLAC August 2005

2 Written policies
http://www2.slac.stanford.edu/comp/telecom/phone/phoneusersguide/PhoneUsersGuide.htm#tamper
No tampering with telephone, network cables or equipment
  – Disconnect equipment when found; labor to discover and rectify the situation may be charged back

3 Multi-homed hosts
http://www.slac.stanford.edu/comp/net/policy/multi-homed.html
Outlines the reasons for multi-homed hosts and the problems they cause
  – Consult with net-admin
  – Do not turn on routing

4 Network devices inventory & access
http://www.slac.stanford.edu/comp/net/policy/device-inv.html
Outlines reasons for needing a policy
Devices must be in database
Password must be available (escrow)
Notification of testing new devices

5 Remote Access server policy
http://www.slac.stanford.edu/comp/security/csc-policies/remote-access.html
Why we need to be concerned
Policies:
  – Ways to access SLAC
  – How to add more remote access servers
  – How to administer RAS

6 Policy for Visitor & Wireless networks
http://www.slac.stanford.edu/comp/net/policy/visitor.html
General guidelines for all SLAC subnets
Define Visitor subnet and how it is to be used
Wireless network and how it is to be used

7 Support Infrastructure
Database of equipment – CANDO, open to users, integrated with other processes (security, reports etc.)
DNS registration forms
Password escrow; passwords changed every 6 months and chosen well
Router & switch configuration
  – SSH access to routers with escrowed passwords, on a separate Internet Free subnet (accessible only from within SLAC)
  – SNMP access to routers/switches restricted
  – Emails if configuration changes
  – Router configurations archived in AFS, local disk and USB memory stick; restoration done when necessary
Network topology knowledge:
  – Switch ports disabled by default
  – Twice daily automatically map network (CDP, ARP …)
  – Track what is connected to ports
  – Automatically look for duplicate IPs
Firewalls, border & internal
Migrate away from legacy protocols to focus on main needs (no Netware, AppleTalk, very limited DECnet …)
Try to make it easy for users to request switch ports and Wireless APs rather than “Do It Yourself”
Close cooperation with security (shared person) and systems (Linux, Windows)
Network problems
  – Reported to net-admin from the Unix Trouble Ticket System and HelpTrack, and archived
  – Network monitoring automatically pages when it detects problems (e.g. router/switch problems, system availability etc.)
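The duplicate-IP check and port tracking from the twice-daily mapping run, as an added example (not SLAC's tooling): ARP caches from several routers are merged so that the same IP/MAC pair seen by two routers is not a conflict, and each conflicting MAC is located on its switch port. Router, switch and address values are constructed; the dotted Cisco MAC format is not handled.

```python
from collections import defaultdict

# Constructed ARP-cache snapshots from two routers: (ip, mac) as each router sees it.
ARP_TABLES = {
    "rtr-core-1": [("192.0.2.10", "00:50:56:00:00:01"),
                   ("192.0.2.11", "00:50:56:00:00:02"),
                   ("192.0.2.12", "00:50:56:00:00:03")],
    "rtr-core-2": [("192.0.2.10", "00-50-56-00-00-01"),   # same MAC, other notation: no conflict
                   ("192.0.2.11", "00:50:56:00:00:99"),   # second MAC for the same IP: conflict
                   ("192.0.2.13", "00:50:56:00:00:04")],
}

# Constructed switch forwarding tables from the mapping run: (switch, port) -> learned MAC.
CAM_TABLES = {
    ("sw-b50-1", "Fa0/1"): "00:50:56:00:00:02",
    ("sw-b50-1", "Fa0/7"): "00:50:56:00:00:99",
    ("sw-b84-2", "Fa0/3"): "00:50:56:00:00:01",
}

def normalize_mac(mac: str) -> str:
    """Different devices print MACs differently; compare them in one canonical form."""
    return mac.strip().lower().replace("-", ":")

def find_duplicate_ips(arp_tables):
    """IPs claimed by more than one distinct MAC across all routers' ARP caches."""
    macs_by_ip = defaultdict(set)
    for entries in arp_tables.values():
        for ip, mac in entries:
            macs_by_ip[ip].add(normalize_mac(mac))
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}

def locate_mac(mac: str, cam_tables):
    """Switch ports on which a MAC was learned (sample contains edge ports only)."""
    mac = normalize_mac(mac)
    return sorted(f"{sw}:{port}" for (sw, port), m in cam_tables.items()
                  if normalize_mac(m) == mac)

def duplicate_ip_report(arp_tables, cam_tables):
    """Map each conflicting IP to its MACs and the ports where they were seen."""
    return {ip: {mac: locate_mac(mac, cam_tables) for mac in macs}
            for ip, macs in find_duplicate_ips(arp_tables).items()}

if __name__ == "__main__":
    for ip, owners in duplicate_ip_report(ARP_TABLES, CAM_TABLES).items():
        print(f"duplicate IP {ip}:")
        for mac, ports in owners.items():
            print(f"  {mac} on {', '.join(ports) or 'unknown port'}")
```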

8 Monitoring
NetFlow
  – Enables characterization of SLAC traffic: top talkers, top applications, length of flows etc.
  – Look for anomalies indicating intrusions or misuse
  – Detailed results have restricted access
Automated network discovery and monitoring (switch/router SNMP, CDP, ARP, ping …)
  – http://www.slac.stanford.edu/comp/net/quick-guide.html

9 Science Requirements
Have to explain needs for security etc. to scientists; they need to be partners
Collaborations worldwide
  – Most traffic is with Europe (NOT with other DoE labs or even within the US)
  – Access to data is with many countries
Needs for high throughput
  – SLAC is one of the top production users of ESnet and one of the top users of Internet2
Connections via ESnet and CENIC/I2, currently 1 Gbps each, soon to be 10 Gbps

10 Terabytes/Month
[Chart: Recent Monthly ESnet usage in Terabytes/Month by site pair, including SLAC (US) – INFN CNAF (IT), SLAC (US) – RAL (UK), SLAC (US) – IN2P3 (FR) and SLAC (US) – Karlsruhe (DE); legend: DOE Lab-International R&E, Lab-U.S. R&E (domestic), Lab-Lab (domestic), Lab-Comm. (domestic). Bar values not recoverable.]

11 Network Speed
Internet Land Speed Record (twice, in 2004 Guinness Book of Records)
SuperComputing 2004 and 2004 Bandwidth Challenge winners for maximum BW utilization (102 Gbits/s)
Network research:
  – Evaluate achieving high-speed network performance
  – Measure and track network achievable bandwidth
  – Monitoring of all places wherever there are physicists (> 100 countries, > 3000 sites)
Set expectations, find problems etc.
  – Worldwide collaborators, e.g. Pakistan, Russia

12 Visitor Network
http://www2.slac.stanford.edu/comp/net/wireless/visitor_net.htm
Large numbers of visitors, conferences, guest house, vendors etc. require easy access and low management overhead
Outside SLAC firewall, NOT in SLAC class B IP address space, separate AS and routing
Users treated as if on any commercial or public ISP
“Do not place mission critical applications on the Visitor network”
Assigned via DHCP a 198.129.n.n IP address
  – No registration required

13 Wireless
http://www2.slac.stanford.edu/comp/net/wireless/
On visitor subnet
In process of extending procedures for wireless network monitoring
  – http://www.slac.stanford.edu/~antony/wireless-draft.html
  – War walking (Kismet/GPS) to identify APs and find rogues (non-registered APs)
  – Locate with protocol analyzer with directional antenna (YellowJacket)
Evaluating management system
  – Have about 90 APs, all Cisco
  – Use to automatically identify rogue APs as they appear

14 DHCP
http://www2.slac.stanford.edu/comp/net/dhcp/dhcp.htm
Connection logs archived so abnormal utilization can be tracked back
Internal network DHCP is 100% registration driven
  – Users & sys-admins required to keep machines patched
  – Machines are scanned daily for security updates
Visitor network:
  – DHCP with no registration
  – Separate infrastructure

15 Dialup
http://www2.slac.stanford.edu/comp/net/dialup
Requires a dial-up account, password changed yearly
  – Accounts closed when people leave
Use RADIUS for authentication
In process of placing modem dial-up outside SLAC firewall (on visitor subnet)
Guidelines on how to configure and use

16 Wireless
Support for policy
  – War walking with YellowJacket etc.
  – Track APs offsite and onsite, look for unknown ones
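The rogue-AP step from slides 13 and 16, as an added example that is not SLAC's code: a war-walk scan is compared against the registered-AP inventory, unregistered radios on site are reported as rogues, an unregistered radio advertising one of the lab's own SSIDs is escalated separately, and off-site neighbours are only tracked. The inventory, SSIDs, BSSIDs and the `Observation` layout are constructed; Kismet's real output format is not parsed here.

```python
from typing import NamedTuple

class Observation(NamedTuple):
    bssid: str       # radio MAC as the scanner reported it
    ssid: str
    channel: int
    signal_dbm: int
    onsite: bool     # True when the GPS fix places the AP inside the perimeter

# Constructed inventory of approved APs (stands in for the CANDO database export).
REGISTERED_APS = {
    "00:1a:2b:00:00:01": ("lab-wlan", "Bldg 50, 2nd floor"),
    "00:1a:2b:00:00:02": ("lab-wlan", "Guest house lobby"),
}
LAB_SSIDS = {"lab-wlan", "lab-visitor"}   # constructed SSID names

def normalize_bssid(bssid: str) -> str:
    """Scanners differ in case and separator; compare BSSIDs in one canonical form."""
    return bssid.strip().lower().replace("-", ":")

def classify_aps(observations, registered=REGISTERED_APS, lab_ssids=LAB_SSIDS):
    """Sort a scan into registered, SSID-spoofing, rogue (on site) and neighbour APs."""
    result = {"registered": [], "ssid_spoof": [], "rogue": [], "neighbour": []}
    for ob in observations:
        bssid = normalize_bssid(ob.bssid)
        if bssid in registered:
            result["registered"].append(bssid)
        elif ob.ssid in lab_ssids:
            # unregistered radio using our SSID: our clients may associate to it, escalate
            result["ssid_spoof"].append(bssid)
        elif ob.onsite:
            result["rogue"].append(bssid)       # unregistered AP inside the perimeter
        else:
            result["neighbour"].append(bssid)   # across the fence: track, no action
    return result

# Constructed war-walk observations (BSSID, SSID, channel, signal, GPS-derived on-site flag).
SCAN = [
    Observation("00-1A-2B-00-00-01", "lab-wlan", 6, -45, True),
    Observation("00:1a:2b:00:00:02", "lab-wlan", 11, -60, True),
    Observation("00:1a:2b:00:00:03", "lab-wlan", 1, -70, True),    # unregistered, our SSID
    Observation("d4:00:00:00:00:aa", "linksys", 6, -50, True),     # unregistered, on site
    Observation("d4:00:00:00:00:bb", "home-net", 1, -88, False),   # neighbour across the fence
]

if __name__ == "__main__":
    for category, bssids in classify_aps(SCAN).items():
        print(f"{category:11s} {', '.join(bssids) or '-'}")
```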

