Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jefferson Lab Remote Access Andy Kowalski December 1, 2010.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Jefferson Lab Remote Access Andy Kowalski December 1, 2010."— Presentation transcript:

1 Jefferson Lab Remote Access Andy Kowalski December 1, 2010

2 Internet Connectivity NYC Atlanta MATP McLean, VA Virginia Tech 10GE OC192 OC48 DS3 ESnet core Eastern LITE (E-LITE) Old Dominion University W&M* JTASC VMASC Bute St CO ODU* NASA JLAB Site Switch Level3 Washington DC Lovitt MATP ESnet Router COX Communications (backup) JLAB 10Gbps 2.5Gbps 45Mbps * SURA Site

3 Local Area Network (LAN) 10 Enclaves –7 NIST Low Level –3 NIST Moderate Level Use NIST 800-53 Base Controls –Enclave level determined by potential impact from a loss of confidentiality, integrity, and availability –Impact on JLab, not DOE Firewalls Between All Enclaves –Some within enclaves Moderate Level Enclaves Experimental Physics Accelerator Public Services Scientific Computing Collaborative Services Business Services FEL Sensitive 10GigEthernet 1GigEthernet Desktops Levels 1,2,3 Guest Core Services

4 Network Management & Monitoring JNet registration required for network access –Manages both wired and wireless JNet database manages/tracks –User to MAC address registration –Asset tracking (property, contact information) –History of machine locations and registrations –Auto VLAN assignment (users may move about, VLAN assignments change when they plug in) Network Intrusion Detection System (NIDS) –Monitor network traffic looking for intrusions –Taps at VLAN ingress/egress points

5 Moderate Enclave Protections BSN –Firewall restricts remote access RDP limited to a Terminal Server from select desktops SSH from select IT areas for management –2-factor authentication Core & FEL –Firewall restricts remote access SSH and RDP open to all systems –2-factor authentication on Windows –2-factor authentication on Linux (Core only)

6 Additional Core Enclave Protections Firewall restricts SSH and RDP by network of origin Guest network support is isolated –Printing Utilizes a dedicated print server –Printers are on their own VLAN and firewalled –Otherwise, access to JLab is as from the Internet Web servers on separate VLAN and firewalled Interactive general purpose machines on separate VLAN and firewalled IT administration, development and desktops –Each on separate VLANs and firewalled –2-factor authentication for administration –Use least privilege model for accounts

7 2-Factor Authentication Used Today Used to access moderate enclaves and VPN –BSN, FEL –Core Services -> System and Network Administrators TypeMethod Uses PIN Locks After Failed Attempts Works Off LAN Supports Remote Unlock One Time Cost Yearly Recurring Cost Comments Smart Card PKIYes3 $100 per card ($200 for Linux/Ma c) Replace every 3 years Supported in Windows 7 but requires drivers for other OSes; Not supported by all applications TokenOne- Time Password Yes15Limited to 15 logins No$100 per token $10 per token OS authenticates via RADIUS.

8 Remote Access Today Internet to JLab is via centrally managed gateway servers Service/ Protocol Server OSClient OSUsersEncryptedAuthentication Tunnel Support Comment SSHLinuxAll Yes Username/Passwo rd Yes To CNI managed gateway servers; Tunneling capabilities of SSH allow users to access any service behind a firewall SFTP (SSHFS) LinuxAll Yes Username/Passwo rd No Remotely Mount CUE Central File Systems VPNCiscoAll Moderate Enclave Users Yes (IPSec, SSL) 2-Factor (Smart Card, Token) No Requires Special Setup Per Group (VLAN) HTTP/HT TPS Linux, Windows All No/Yes None, Username/Passwo rd No HTTP/S can be used to tunnel, but we do not configure our servers to do that -> this is more of an outbound issue IMAP over SSL LinuxAll Yes Username/Passwo rd No SMTP/SM TP over SSL LinuxAll No/Yes Username/Passwo rd No

9 Enclave Access Today Enclave to enclave is direct or via gateway servers Service/ Protocol Server OSClient OSUsersEncryptedAuthentication Tunnel Support Comment SSHLinuxAll Yes Username & Password Yes To what machines is Enclave specific; Tunneling capabilities of SSH allow users to access any service behind a firewall RDPWindowsAll BSN, FEL, IT YesSmart CardNo To what machines is Enclave specific; Can access client disks from server VPNCiscoAll BSN, FEL, IT, & a few others Yes (IPSec, SSL) 2-Factor (Smart Card, Token) No Requires Special Setup Per Group (VLAN) HTTP/HT TPS Linux, Windows All No/Yes None/Username & Password No HTTP/S can be used to tunnel, but we do not configure our servers to do that -> this is more of an outbound issue Windows protocol suite WindowsAll Yes Username & Password No File sharing and username/password information from Core NFS/NISLinuxLinux/*nixAllNoHostnameNo File sharing and username/password information from Core

10 Known Issues Stolen username/password pairs SSH tunnels –If SSH is allowed, everything is open –Network traffic is encrypted (good and bad) Portable devices –Laptops, smart phones, iPads, iPods, etc. –Provide less security than managed desktops Unmanaged devices –Personal laptops, PDAs, etc.

11 Proposed Enhancements VPN –Add more robust client side scanning/admission control Direct enclave access through gateway systems requiring 2-factor authentication –Accelerator –Halls 2-factor authentication support for Linux and Mac

Download ppt "Jefferson Lab Remote Access Andy Kowalski December 1, 2010."

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Network Security.

Network Security.
Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.

Avoid data leakage, espionage, sabotage and other reputation and business risks without losing employee performance and mobility.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.
Network Asset Management at Jefferson Lab Bryan Hess, Andy Kowalski, Brent Morris,

Network Asset Management at Jefferson Lab Bryan Hess, Andy Kowalski, Brent Morris,
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or 415.514-3333 UCSF Campus VPN.

OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or UCSF Campus VPN.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Group Presentation Design and Implementation of a company- wide networking & communication technologies strategy 9 th December 2003 Prepared By: …………

Group Presentation Design and Implementation of a company- wide networking & communication technologies strategy 9 th December 2003 Prepared By: …………
1 Copyright © 2011 Pearson Education, Inc. Publishing as Prentice Hall.

1 Copyright © 2011 Pearson Education, Inc. Publishing as Prentice Hall.
12 GeV Era Computing (CNI) Andy Kowalski May 20, 2011.

12 GeV Era Computing (CNI) Andy Kowalski May 20, 2011.
Server 2008 Terminal Services and Remote Desktop Services Basic application access is possible without Citrix, and Server 2008 R2 adds on some key features.

Server 2008 Terminal Services and Remote Desktop Services Basic application access is possible without Citrix, and Server 2008 R2 adds on some key features.
Accelerator Controls Brad Cumbia Anthony Cuffe December 1, 2010 Remote Access Review.

Accelerator Controls Brad Cumbia Anthony Cuffe December 1, 2010 Remote Access Review.
Chapter 11: Dial-Up Connectivity in Remote Access Designs

Chapter 11: Dial-Up Connectivity in Remote Access Designs
Welcome to Networking! 1. Connect your computer to the network with a cable 2. Copy the Networking folder from the flash drive to the computer or your.

Welcome to Networking! 1. Connect your computer to the network with a cable 2. Copy the Networking folder from the flash drive to the computer or your.
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.

1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.

Similar presentations

Ads by Google