10/27/2003 Computational Infrastructure, Communications, and Networking James W Brunt Associate Director for Information Management LTER Network Office University of New Mexico

Transcript of 10/27/2003 Computational Infrastructure, Communications, and Networking James W Brunt Associate Director for Information Management LTER Network Office University of New Mexico (70 pages)

Page 1:

10/27/2003

Computational Infrastructure, Communications, and Networking

James W Brunt, Associate Director for Information Management

LTER Network Office, University of New Mexico

Page 2:

Computer Systems for Research: Design Considerations, Cost Considerations

Networking: LAN, WAN, Wireless

Software Services: Mail, Web, Other

Security: Mistakes, Essential Measures, Firewalls, Recovery, Network Design Considerations

Computers, Communication, Networking

Page 3:

Computer Systems and Networking: Why do we need them?

To facilitate research by increasing communication and access to data, metadata, and applications for synthesis and integration across broad spatial and temporal scales.

Page 4:

System Development Strategy

The ideal scalable system is one that is a ‘framework’ wherein the components are modular and can be upgraded through time without a complete overhaul of the system.

Page 5:

Strategy

Plan

Prototype

Evaluate

Implement

Evaluate

Plan

Page 6:

Computer Network Design: typical

Server for:

•Mail

•File systems

•Software

•Processing

•Web

•Database

Page 7:

Computer Network Design: scalable

[Diagram: scalable design with separate mail, Web, processing (Proc) and file servers on the LAN]

Page 8:

Computer Network Design: scalable

[Diagram: mail server, LAN, processing server (PROC) and network attached storage (NAS)]

Page 9:

Network Attached Storage

Compared with a standard file or application server, network attached storage servers deliver:

Lower purchase cost: NAS servers are streamlined, built only with the hardware and software components needed for network storage, resulting in up to a 50% lower purchase cost.

Lower total cost of ownership (TCO): With a lower purchase cost, quick installation, support for heterogeneous client environments, minimal maintenance requirements, and simplified data storage and management, NAS offers a significantly lower TCO.

Ease of installation: NAS is preconfigured and ready to plug into the network out of the box, for deployment in under 15 minutes with no need to disrupt other servers or the network.

Simplified management: Set up and manage a NAS from anywhere on the network with an intuitive IT and web-browser-based administrative tool.

Support for multiple client operating systems and data types: With automatic support for Microsoft Windows 2000 and NT, Novell Netware, UNIX, Linux, and Macintosh, NAS requires minimal configuration input and provides maximum compatibility with existing clients, cross-platform data consolidation, and file sharing.

Higher data availability: A high degree of integration gives NAS enhanced stability and a reduced risk of failure.

Releases the standard server CPU from I/O requests: Installing a NAS enhances network performance by reducing potential throughput bottlenecks.

Page 10:

Computer Network Design: scalable

[Diagram: DEDICATED NETWORK]

Page 11:

Computer Costs: Moore’s Law

•Corollary to Moore's law: for each innovation in chip design, reports that Moore's Law is dead will appear within 48 hours.

•Machrone's Law: the machine you want always costs $5,000.

•Brunt's corollary to Machrone's Law: the machine you want always costs $2,500 the day after you buy it for $5,000.

Moore’s Law

The number of transistors per integrated circuit will double every 18 months

Page 12:

Computer

Processor – how many?

Memory – how much?

Power Supplies – how many?

Footprint – rack, floor, desktop

Operating System – unix, windows

Mass Storage – how much?

Page 13:

Computer – Total Cost of Ownership

•Purchase price

•Training costs

•Application costs

•Maintenance and support costs

•Environmental change costs

•Contracted technical support costs

Page 14:

Computer – Total Cost of Ownership

Page 15:

Computer – Total Cost of Ownership

Estimates by the Gartner group are that total cost of ownership of the average desktop computer is between $8K and $13K

Page 16:

Computer Administration

Part of the total cost of ownership is the administration of the computer and the supporting network infrastructure, including:

•System Monitoring

•Software and OS Maintenance

•Backup and Recovery

•Hardware Maintenance

•Preventative Maintenance

•User Support

•Administrative

•System Documentation

Page 17:

System Monitoring

•Network Traffic

•Email Traffic

•System Logs

•Disk Utilization

•Database Traffic

Page 18:

Computer Administration

Activity                     Daily  Weekly  Monthly  Yearly
System Monitoring            1   20
Software and OS Maintenance
Backup and Recovery          1 +2 +8 = 36
Hardware Maintenance         1 +4 +16 = 52
Preventative Maintenance
User Support
Administrative               1 +4 24
System Documentation         4 16
Totals

Page 19:

Computer System Design - Main Points

Decentralize functions

Consider Total Cost of Ownership

Work within available expertise

Develop Network Infrastructure

Page 20:

Local-Area Network

A LAN connects network devices over a relatively short distance. A networked office building, school, or home usually contains a single LAN, though sometimes one building will contain a few small LANs, and occasionally a LAN will span a group of nearby buildings. LANs are typically owned, controlled, and managed by a single person or organization. They also use certain specific connectivity technologies, primarily Ethernet.

Page 21:

Local-Area Networking Costs

Subject to benefits of Moore's Law

[Chart: Money vs. Speed]

Page 22:

Local-Area Network

Page 23:

Local-Area Network

Standard to the desktop: 100 Mb/s switched

Gigabit in 3-4 years

Standard for backbones: Gigabit

100 Gb/s in 4-5 years

Page 24:

Local Area Networking

•Over specify cabling and switching

•Avoid peak-use bottlenecks rather than providing per user bandwidth

•Consider redundant networks for backups, access, and special applications

•Plan for firewalls before you need them

Page 25:

Wireless LAN

Page 26:

Wide-Area Networking

As the term implies, a wide-area network spans a large physical distance. A WAN like the Internet spans most of the world! A WAN is a geographically dispersed collection of LANs. A network device called a router connects LANs to a WAN. In IP networking, the router maintains both a LAN address and a WAN address. WANs differ from LANs in several important ways. Like the Internet, most WANs are not owned by any one organization but rather exist under collective or distributed ownership and management. WANs use technologies like ATM, Frame Relay, and X.25 for connectivity.

Page 27:

Wide-Area Networking Costs

What you pay is what you get

[Chart: Money vs. Speed]

Page 28:

Wide area network

Page 29:

The Language of Wide-Area Networks

Speeds/Bandwidth

T-1/DS1 and Fractions

T-3/DS3 and Fractions

OC3

OC12

OCx

Page 30:

The Language of Wide Area Networking

Connections:

Point to Point

Frame Relay

Copper vs. Fiber

Dark Fiber

Page 31:

Wide area network environmental considerations

Metro – located within a metropolitan area phone system, where T-1 and higher-speed connections are easily available through a variety of carriers.

City – located near a city that is equipped to provide T-1 service but may or may not have an available ISP to cover the Internet connection.

Rural – outside of a regular metropolitan phone system, but close enough that connections can be made into a metropolitan system.

Remote – area where only basic telephone service is typically provided.

Backcountry – area where not even basic telephone service is available.

Page 32:

Wide area network capabilities

Speeds/Bandwidth

T-1/DS1- Email, Web, FTP

T-3/DS3 – File System Transparency

OC3-Real-time Video Conferencing

OC12-Real-Time Applications

OCn – Bus/Chip Transparency

Page 33:

Wireless WAN

Page 34:

Wide Area Networking

Work with independent 3rd Party

Get as much bandwidth as you can afford

Fiber scales; copper doesn’t

Don’t overlook options like dark fiber

Page 35:

Wide Area Networking: Wireless

Satellite – 3T-1: cost prohibitive; 256K: cost effective

Microwave – 100 Mb/s: cost effective for point-to-point

2.4 GHz spread spectrum – 100 Mb/s: better for LAN extensions

RF – 2 Mb/s: cost effective for point-to-point

Page 36:

Satellite Internet

Page 37:

Satellite Internet Issues

Upload speed

Download speed

Maximum Mb/day?

Costs: equipment, installation, monthly/contract?

IP?, email, etc.

Page 38:

DSL Internet Issues

Carrier – regulated

ISP – not regulated

Costs: equipment, installation, monthly/contract?

IP?, email, etc.

Page 39:

Network Software Services

Domain Name Service (DNS)

Web Server

Email Server

Directory Server (LDAP)

PIM Server (to-do, calendar, etc.)

Page 40:

Email Considerations

Mail Transfer Agent (MTA) – SMTP server

POP, IMAP, Webmail

Security (SSL/TLS)

Virus Scanning

Spam Filtering

Page 41:

Getting a Domain Name

Page 42:

Web Hosting Services

Page 43:

Network Solutions for Small Stations

Internet Connectivity – Satellite or DSL, w/ wireless router

Website – hosted

Email – hosted

$200/month

Page 44:

Computer Systems for Research: Design Considerations, Cost Considerations

Networking: LAN, WAN, Wireless

Software Services: Mail, Web, Other

Security: Mistakes, Essential Measures, Firewalls, Recovery, Network Design Considerations

Computers, Communication, Networking

Page 45:

"The fundamental problem with security is that it's everyone's problem, which means that no one is actually responsible." --InfoWorld Editor in Chief Michael Vizard

Network Security

Page 46:

The Problem – in the Large

85% of respondents to the Computer Security Institute/FBI 2001 survey reported security breaches (70% in 2000; 62% in 1999)*

186 organizations (35%) able to quantify financial loss reported $377.8M (273 organizations [51%], $265.6M in 2000 survey)

theft of proprietary information and financial fraud most serious

70% cited their Internet connection as a frequent point of attack (59% in 2000 survey)

*Computer Crime and Security Survey, Computer Security Institute and the FBI, 2001, http://www.gocsi.com/prelea_000321.htm

Page 47:

Why are Security Incidents Increasing?

Sophistication of Hacker Tools

[Chart, from Cisco Systems: attack sophistication plotted against time (1980, 1990, 2000) alongside the technical knowledge required of the attacker (High to Low). Attack types shown: Password Guessing, Self Replicating Code, Password Cracking, Exploiting Known Vulnerabilities, Disabling Audits, Back Doors, Sweepers, Sniffers, Stealth Diagnostics, Packet Forging/Spoofing, DDOS.]

Page 48:

The Problem – as Viewed by System Administrators

Lack of management understanding and guidance

Arbitrary priorities

Lack of time, resources, and qualified staff

New and mutating attacks, new vulnerabilities

Insecure products, bad patches

Page 49:

Network Security Threats

Any Internet connection is vulnerable to:

•Unauthorized Access to the network.

•Denial of Service (DoS) attacks.

•Viruses.

•Capture of Private Data and Passwords.

•Offensive and/or Unwanted Content.

Page 50:

Top 20 Internet Vulnerabilities

Top Vulnerabilities to Windows Systems

W1 Internet Information Services (IIS)

W2 Microsoft SQL Server (MSSQL)

W3 Windows Authentication

W4 Internet Explorer (IE)

W5 Windows Remote Access Services

W6 Microsoft Data Access Components (MDAC)

W7 Windows Scripting Host (WSH)

W8 Microsoft Outlook and Outlook Express

W9 Windows Peer to Peer File Sharing (P2P)

W10 Simple Network Management Protocol (SNMP)

Top Vulnerabilities to UNIX Systems

U1 BIND Domain Name System

U2 Remote Procedure Calls (RPC)

U3 Apache Web Server

U4 General UNIX Authentication: Accounts with No Passwords or Weak Passwords

U5 Clear Text Services

U6 Sendmail

U7 Simple Network Management Protocol (SNMP)

U8 Secure Shell (SSH)

U9 Misconfiguration of Enterprise Services (NIS/NFS)

U10 Open Secure Sockets Layer (SSL)

Source: SANS

Page 51:

SANS Ten Worst Security Mistakes IT People Make

1. Connecting systems to the Internet before hardening them.

2. Connecting test systems to the Internet with default accounts/passwords

3. Failing to update systems when security holes are found.

4. Using telnet and other unencrypted protocols for managing systems, routers, and firewalls.

5. Giving users passwords over the phone or changing user passwords in response to telephone or personal requests when the requester is not authenticated

Page 52:

SANS Ten Worst Security Mistakes IT People Make

6. Failing to implement or update virus detection software

7. Failing to educate users on what to look for and what to do when they see a potential security problem.

8. Failing to maintain and test backups.

9. Running unnecessary services, especially ftpd, telnetd, finger, rpc, mail, rservices.

10. Implementing firewalls with rules that don't stop malicious or dangerous traffic, incoming or outgoing.

Page 53:

SANS Five Worst Security Mistakes End Users Make

1. Opening unsolicited e-mail attachments without verifying their source and checking their content first.

2. Failing to install security patches-especially for Microsoft Office, Microsoft Internet Explorer, and Netscape.

3. Installing screen savers or games from unknown sources.

4. Not making and testing backups.

5. Using a modem while connected through a local area network.

Page 54:

SANS 7 Top Management Errors That Lead to Computer Security Vulnerabilities

7) Pretend the problem will go away if they ignore it.

6) Authorize reactive, short-term fixes so problems re-emerge rapidly.

5) Fail to realize how much money their information and organizational reputations are worth.

4) Rely primarily on a firewall.

3) Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow-through necessary to ensure the problems stay fixed.

2) Fail to understand the relationship of information security to the business problem -- they understand physical security but do not see the consequences of poor information security.

1) Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

Page 55:

Ten Essential Security Measures

1. Develop a Security Policy. And let everyone know about it. Develop online warnings to inform users of the rules for accessing your network.

2. Use strong passwords. Choose passwords that are difficult or impossible to guess. Give different passwords to all accounts.

3. Make regular backups of critical data. Backups must be made on a regular basis, and it must be verified that restoration is possible.

Page 56:

Ten Essential Security Measures

4. Use virus protection software. Install the software, check regularly for new virus signature updates, and scan all files periodically.

5. Use a firewall as a gatekeeper between your computer and the Internet. Firewalls can be hardware or software products.

6. Enable logging for all important systems. Often logging is turned off by default, making it impossible to tell what happened.
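Slide 17 lists system logs among the things to monitor, and measure 6 above says to enable logging so that it is possible to tell what happened. The script below is an added example, not from the slides, of making use of those logs once they exist: it parses sshd authentication lines in syslog format and raises an alert when one source accumulates repeated failures inside a five-minute window, and a higher-priority alert when a login succeeds from a source that has just failed repeatedly. The log lines are constructed for the example (documentation address ranges, a made-up host name "station"), the year 2003 is assumed because syslog timestamps carry none, and the window and threshold are arbitrary starting values to tune for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines (invented for this example,
# using RFC 5737 documentation addresses; not real station logs).
SAMPLE_LOG = """\
Oct 27 08:01:02 station sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Oct 27 08:01:05 station sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Oct 27 08:01:09 station sshd[2234]: Failed password for root from 192.0.2.10 port 40124 ssh2
Oct 27 08:01:15 station sshd[2236]: Failed password for root from 192.0.2.10 port 40125 ssh2
Oct 27 08:01:21 station sshd[2238]: Failed password for root from 192.0.2.10 port 40126 ssh2
Oct 27 08:02:30 station sshd[2240]: Accepted password for root from 192.0.2.10 port 40130 ssh2
Oct 27 09:15:44 station sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct 27 09:15:50 station sshd[2301]: Accepted password for alice from 198.51.100.7 port 51000 ssh2
Oct 27 10:00:00 station sshd[2400]: Accepted publickey for backup from 203.0.113.5 port 33000 ssh2
Oct 27 10:00:01 station cron[2410]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

LOG_YEAR = 2003  # assumption: syslog timestamps carry no year


def parse_line(line):
    """Return a dict for an sshd authentication line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["time"] = datetime.strptime(f"{LOG_YEAR} {ev.pop('ts')}", "%Y %b %d %H:%M:%S")
    return ev


def analyze(log_text, window=timedelta(minutes=5), threshold=5):
    """Walk the log in order, keeping per-source failure timestamps inside a
    sliding window. Raise one 'brute_force' alert when a source reaches
    `threshold` failures, and a 'success_after_failures' alert when a login
    succeeds from a source with three or more recent failures (the event a
    responder most wants to see first)."""
    failures = defaultdict(list)   # source address -> recent failure times
    flagged = set()                # sources already reported as brute force
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, now = ev["src"], ev["time"]
        recent = [t for t in failures[src] if now - t <= window]
        if ev["result"] == "Failed":
            recent.append(now)
            failures[src] = recent
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "brute_force", "src": src,
                               "failures": len(recent), "time": now})
        else:
            failures[src] = recent
            if len(recent) >= 3:
                alerts.append({"type": "success_after_failures", "src": src,
                               "user": ev["user"], "failures": len(recent),
                               "time": now})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample the script reports two alerts for 192.0.2.10: the fifth failure at 08:01:21 and, more importantly, the successful root login 69 seconds later. The single failure from 198.51.100.7 followed by a success is left alone, which is the behaviour wanted for a user who mistyped a password once.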

Page 57:

Ten Essential Security Measures

7. Do not open e-mail attachments from strangers. Be suspicious of any unexpected e-mail attachment from someone you do know.

8. Regularly download security patches from your software vendors. Visit www.windowsupdate.com and other update sites regularly. Don’t forget network devices (routers, hubs, etc).

9. Document your network and conduct vulnerability scans.

10. Educate your users and yourself. Security is a continual process.

Page 58:

Computer Network Design: firewalls

[Diagram: Firewall between the network and the Internet]

Page 59:

Computer Network Design: firewalls

[Diagram: DEDICATED NETWORK behind a Firewall, connected to the Internet]

Page 60:

Computer Network Design: firewalls

[Diagram: DEDICATED NETWORK behind a Firewall, connected to the Internet, with a separate web server]
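Mistake 10 in the SANS list above warns against firewall rules that do not stop dangerous traffic incoming or outgoing, and the Harden/Secure slide later puts the principle as "deny first, then allow". The Python below is an added example, not from the slides, contrasting the two on the dedicated-network layout from the firewall diagrams: a first-match rule evaluator whose default is to deny, a deliberately over-broad rule set, and a deny-first rule set that allows only the services each host is meant to offer or use. Addresses, host roles and the sample packets are constructed (RFC 5737 documentation ranges), and the Rule and Packet types are hypothetical, not any firewall product's syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: a dedicated, publicly reachable server network and an
# internal LAN, both behind one firewall facing the Internet.
INTERNET = ipaddress.ip_network("0.0.0.0/0")
DEDICATED_NET = ipaddress.ip_network("192.0.2.0/24")
WEB_SERVER = ipaddress.ip_network("192.0.2.10/32")
MAIL_SERVER = ipaddress.ip_network("192.0.2.25/32")
LAN = ipaddress.ip_network("10.0.0.0/24")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" (from the Internet) or "out" (toward it)
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None matches any destination port
    note: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.dport in (None, pkt.dport))


def evaluate(rules, pkt):
    """First-match evaluation; a packet matching no rule is denied.
    That closing default is the 'deny first' half of the principle."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.note
    return "deny", "default deny (no rule matched)"


# Mistake 10 in action: rules so broad that they stop little in either direction.
WEAK_RULES = [
    Rule("allow", "in", "any", INTERNET, DEDICATED_NET, None, "anything to the servers"),
    Rule("allow", "out", "any", LAN, INTERNET, None, "anything out from the LAN"),
    Rule("allow", "out", "any", DEDICATED_NET, INTERNET, None, "anything out from servers"),
]

# Deny-first: only the services each host is meant to offer or use; everything
# else (telnet, SNMP, workstations sending mail directly, ...) hits the default.
HARDENED_RULES = [
    Rule("allow", "in", "tcp", INTERNET, WEB_SERVER, 80, "public web"),
    Rule("allow", "in", "tcp", INTERNET, WEB_SERVER, 443, "public web (TLS)"),
    Rule("allow", "in", "tcp", INTERNET, MAIL_SERVER, 25, "inbound mail to the MTA"),
    Rule("allow", "out", "tcp", MAIL_SERVER, INTERNET, 25, "only the MTA sends mail"),
    Rule("allow", "out", "udp", LAN, INTERNET, 53, "DNS lookups"),
    Rule("allow", "out", "tcp", LAN, INTERNET, 80, "web browsing"),
    Rule("allow", "out", "tcp", LAN, INTERNET, 443, "web browsing (TLS)"),
]

# Constructed sample traffic, one flow per line.
SAMPLE_TRAFFIC = {
    "browser to web server": Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 80),
    "telnet to web server": Packet("in", "tcp", "198.51.100.7", "192.0.2.10", 23),
    "SNMP probe of web server": Packet("in", "udp", "198.51.100.7", "192.0.2.10", 161),
    "mail delivered to MTA": Packet("in", "tcp", "198.51.100.7", "192.0.2.25", 25),
    "MTA sending mail": Packet("out", "tcp", "192.0.2.25", "198.51.100.7", 25),
    "workstation sending mail directly": Packet("out", "tcp", "10.0.0.25", "198.51.100.7", 25),
    "workstation DNS lookup": Packet("out", "udp", "10.0.0.25", "198.51.100.53", 53),
    "workstation web browsing": Packet("out", "tcp", "10.0.0.25", "198.51.100.7", 443),
}


def compare_policies(traffic=SAMPLE_TRAFFIC):
    """Return {description: (weak decision, hardened decision)} per flow."""
    return {name: (evaluate(WEAK_RULES, p)[0], evaluate(HARDENED_RULES, p)[0])
            for name, p in traffic.items()}


if __name__ == "__main__":
    for name, (weak, hard) in compare_policies().items():
        print(f"{name:34} weak={weak:5}  hardened={hard}")
```

Every flow the dedicated network is actually supposed to carry gets the same "allow" under both policies; the difference shows up only on the flows nobody asked for, which the weak policy lets through and the deny-first policy drops without needing a rule for each one.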

Page 61:

Summary

You can’t be totally secure, but there is a lot that you can do (relatively cheaply) to make your network more secure.

Most attacks play on well-known vulnerabilities.

Education is the key to a secure network.

Security is a continual process.

Page 62:

More Resources

SANS – SANS Institute (www.sans.org)

CERT – Computer Security Coordination Center at Carnegie Mellon (www.cert.org)

CSI – Computer Security Institute (www.goCSI.com )

CoSN (www.cosn.org)

Page 63:

What we didn’t talk about

Backup Solutions Archival Media Environmental Power

Page 64:

Page 65:

Harden/Secure

Install the minimum essential operating system and all applicable patches

Remove all privilege/access and then add back in only as needed (“deny first, then allow”)

Address user authentication mechanisms, backups, virus detection/eradication, remote administration, and physical access

Record and securely store integrity checking (characterization) information

Page 66:

Prepare

Identify and prioritize critical assets, level of asset protection, potential threats, detection and response actions, authority to act.

Identify data to collect and collection mechanisms

Characterize all assets, establishing a trusted baseline for later comparison

Identify, install, and understand detection and response tools

Determine how to best capture, manage, and protect all recorded information

Page 67:

Detect

Ensure that the software used to examine systems has not been compromised

Monitor and inspect network and system activities

Inspect files and directories for unexpected changes

Investigate unauthorized hardware

Look for signs of unauthorized physical access

Initiate response procedures
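The Harden/Secure step above says to record integrity-checking (characterization) information, Prepare says to establish a trusted baseline for later comparison, and Detect says to inspect files and directories for unexpected changes. The following Python program is an added example, not code from the slides or from CERT, showing one way to do all three: it characterizes a directory tree (SHA-256, size and permission bits per regular file), stores the baseline together with a digest of its own so that tampering with the stored copy is noticed, and later compares a fresh characterization against it. The miniature file tree, its contents and the separate "vault" directory are constructed for the demonstration.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def characterize(root):
    """Walk `root` and record, for every regular file, its SHA-256 digest,
    size and permission bits, keyed by path relative to `root`. Symlinks,
    devices and sockets are skipped on purpose."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            digest = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": digest.hexdigest(),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
            }
    return baseline


def save_baseline(baseline, dest):
    """Write the baseline as sorted JSON and return the SHA-256 of the file,
    to be kept apart from it (off the monitored host or on read-only media):
    whoever can rewrite the baseline can hide changes."""
    data = json.dumps(baseline, sort_keys=True, indent=1).encode()
    Path(dest).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def load_baseline(src, expected_sha256):
    """Reload a stored baseline, refusing it if it no longer matches the
    digest recorded when it was saved."""
    data = Path(src).read_bytes()
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        raise ValueError("baseline file has been altered")
    return json.loads(data)


def compare(baseline, current):
    """Classify paths as added, removed or modified (hash, size or mode differ)."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Build a constructed miniature file tree, baseline it, make three kinds
    of change and return what the comparison detects."""
    with tempfile.TemporaryDirectory() as host, tempfile.TemporaryDirectory() as vault:
        root = Path(host)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF placeholder binary")

        # Harden/Prepare: characterize the clean host, store the result elsewhere.
        baseline_file = Path(vault) / "baseline.json"
        baseline_digest = save_baseline(characterize(root), baseline_file)

        # Later activity: one file edited, one removed, one unexpected file added.
        with open(root / "etc" / "passwd", "a") as fh:
            fh.write("newuser:x:1001:1001::/home/newuser:/bin/sh\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "unexpected").write_bytes(b"\x7fELF something new")

        # Detect: verify the stored baseline, re-characterize, compare.
        trusted = load_baseline(baseline_file, baseline_digest)
        return compare(trusted, characterize(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it and the report names bin/unexpected as added, etc/hosts as removed and etc/passwd as modified. The same two functions, characterize and compare, cover the Improve step's "update asset characterization information": after a legitimate patch, re-run characterize and save the result as the new baseline.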

Page 68:

Respond

Analyze all available information; determine what happened

Disseminate information per policy, using secure channels

Collect and preserve evidence, including chain of custody

Contain damage

Eliminate all means of intruder access

Return systems to normal operation

Page 69:

Improve

Identify lessons learned; collect security business case information

Install a new patch (re-harden); uninstall a problem patch

Update the configuration of alert, logging, and data collection mechanisms

Update asset characterization information

Install a new tool; retire an old tool

Update policies, procedures, and training

Page 70:

For More Information

http://www.cert.org/security-improvement

http://www.cert.org/training

http://www.cert.org/octave

The CERT® Guide to System and Network Security Practices, Addison-Wesley, June 2001