The Fermilab Network, Computer Security, and you…. Phil DeMar / Donna Lamore Computer Security...
The Fermilab Network, Computer Security,
and you….
Phil DeMar / Donna Lamore
Computer Security Awareness Day
March 8, 2005
Fermilab Network Overview
- ~10,000 systems
- Organized on model of work group LANs
  - Organizational: AD, CD, PPD, TD, BSS, DIR, ESH, FESS, LSS
  - Experiment: CDF, D0, CMS, MINOS, mBoone, SDSS
  - Geographical: Fixed Target, Site 38, Village
- Work groups supported on switches that connect to the core network
Core Network Facilities & Essential Network Services
- Core network facilities:
  - FCC core router
  - WH core router
  - Border router
- Essential network services:
  - Name service
  - Dynamic address allocation service
  - Time service
[Diagram: site network topology. Labels: Site Border Router, 622 Mb/s, Off-Site [Internet], FCC Collapsed Backbone Switch/Router, WH Collapsed Backbone Switch/Router, ADLAN, Site 38, FCC Offices, FCC Computing Resources, WH Office LANs, TD/IC, Village, CDF, D0, SDSS, MiniBoone, CMS, FT Area, MINOS]
Off-site Network Access
- Off-site traffic traverses the border router:
  - Delineation point between on-site & off-site
  - Our 1st line of defense against the Internet
- Flow data collected on the border router:
  - Logs all off-site network connections
  - Source/destination IP addresses & ports
  - Flow timestamp & duration, bytes/packets sent & received
  - Useful for detecting infected systems & investigating computer security incidents
- We are also collecting flow data on internal routers
Off-site Network Access (II)
- Current site perimeter access policy:
  - Open inbound access with a few protections
  - Open outbound access with minimal restrictions
- Changes to default inbound openness under discussion:
  - Likely a multi-level security zone architecture
    - Green zone = default inbound allow
    - Yellow zone = default inbound deny
  - Openness for open science collaboration is recognized as a requirement
Off-site Network Access (III)
- An alternate very high bandwidth off-site path now in place:
  - Via dark fiber connection to StarLight
  - Intended use: high impact scientific data movement
[Diagram: off-site connectivity. Labels: FNAL Border Router, ESnet Router, ESnet, 622 Mb/s, General Internet, Abilene, FNAL Network, Production Network (1GE), Production Network (10GE), FNAL DWDM gear (on-site and off-site), SD1648 SM Communication Subsystem Shelf, FNAL Dark Fiber to StarLight, FNAL 6500 @ StarLight, (NBC Bldg), FNAL StarLight Router, StarLight 10GE Path, StarLight, CERN, UltraScience Net, UltraLight, UKLight, CAnet4]
Restrictions on Network Facilities & Services at Fermilab
- The network is a restricted central service, per the Fermilab Policy on Computing:
  http://computing.fnal.gov/cd/policy/cpolicy.pdf
- Prohibited activities include:
  - Routing & bridging (switching…) on systems attached to the campus network
  - Using IP addresses not assigned to you
  - Offering DNS, DHCP, or NTP services
Routing/Bridging Restrictions:
- Applies to systems directly or indirectly attached to the facility network
- Backend networks with dual-homed (gateway) systems are allowed, but:
  - No forwarding of traffic through the gateway system
  - No use of Network Address Translation (NAT)
  - Use Fermilab-assigned (RFC1918) address blocks
- Private hardwire networks with no direct or indirect connection to the facility network are OK
  - Sorry, no private wireless networks…
Accessing the Fermilab Network
- System registration is required to be granted a usable address on the facility network
- Two types of network addresses are allocated:
  - DHCP: dynamic, but temporary IP address
    - Useful for mobile systems
    - Convenient for proper network configuration on a system
  - Static: fixed, but constant IP address
    - Immobile; address is bound to a specific subnet
    - Necessary for systems offering services
Static IP address registration
- Static IP address: requested via MISCOMP
  https://fncdug1.fnal.gov/misnet/
- MAC address(es) required to receive an IP address
- Additional necessary information:
  - Sysadmin
  - Location
  - Hardware information
- Plan to require static IP renewal once a year
DHCP address registration
- Two types of DHCP address registration:
  - Permanently registered DHCP (normal)
    - Register via MISCOMP (https://fncdug1.fnal.gov/misnet/)
    - MAC address(es) must be registered
    - Same sysadmin, location, & hardware info as for static IP
    - Yearly renewal will become necessary soon
  - Temporary: Cinderella registration
    - Initial browser access forces Web Registration page
      - Registration info: name, e-mail addr., contact info
    - IP address good till midnight; then you must re-register
    - Maximum 5 Cinderella leases per 30 days
Wired Connection to Site LAN
- DHCP supported on most subnets: plug in & registered systems are on the network
- Static IP address requires proper configuration for the local subnet
  - Contact local support person for assistance
- Helpdesk: 2345 to report problems
Accessing the Wireless Network
- DHCP support only
- Wireless LAN support covers most of the site
  - 802.11B: 11 Mb/s
  - Beginning to deploy 802.11G: 54 Mb/s
- Authentication:
  - Currently no authentication for wireless access
  - SSID is broadcast
  - Likely to change in the future
Wireless Network No-No’s
- You can’t install your own Access Points (AP):
  - See Fermilab Policy on Computing: a restricted central service
  - Or enable any AP capability on your notebook
  - Developing automated rogue AP detection tool
- Bridging must be turned OFF on user devices
  - A known problem with Windows XP
  - Switches set to shut down ports on systems with bridging enabled
Remote Access – Dial-up
- Dial-up:
  - Now uses RADIUS authentication
  - V.34: typically 28.8 kbps
  - No plans for further upgrades
    - If the obsolete, out of warranty modem pool dies, no replacement…
  - Limited to on-site access only
  - Last resort?
- Dial-up ISDN phased out completely
Remote Access – VPN
- VPN:
  - Provides encrypted tunnel through the Internet
  - Assigns virtual local Fermilab address
  - Allows access to Fermilab machines restricted from off-site
  - Allows access to protocols blocked at the border
- Must use Cisco VPN client & FNAL-provided profile
- Yearly renewal necessary:
  - Involves updating FNAL-provided VPN profile
- Request account at: https://www-dcn.fnal.gov/vpn/vpn_reg.cgi
  - Need ID number, associated workgroup
Appropriate Use
From the Fermilab Policy on Computing:
“Fermilab encourages effective use of computing technologies in all aspects of its activities. Fermilab maintains an open scientific environment where the free exchange of ideas is encouraged and protected. We permit a wide range of computer activities including incidental use for private purposes. We encourage use of the Web and other Internet communication channels. With this comes the responsibility for every Fermilab employee and user to exercise common sense and good judgment.”
Appropriate Use (cont.)
- Network appropriate use primary concerns:
  - Potential public embarrassment to the Laboratory
  - Consuming significant resources (excessive use)
- Examples of traffic where common sense and good judgment should come into play:
  - Acting as a server for P2P distributed file systems
    - Kazaa, eDonkey, Gnutella, Napster, Skype, etc…
  - Game sites
  - Auctions
Traffic monitoring thru the border router
- Flow data generates daily & hourly Top 20 reports on:
  - Top talkers, top listeners, top conversations
  - Breakouts by number of flows, bytes, or packets
- Primarily checking for:
  - Unusual consumption of network resources
  - Unusual traffic patterns
    - Large numbers of off-site hosts contacted
    - Large amounts of data transferred
Border Router Network Blocks
- Border router static blocks: exceptions to inbound default-allow
  - NetBIOS
  - IRC
  - Web servers require an exception
- Autoblocker:
  - Based on quasi-realtime flow record analysis
  - Blocks “greedy” users (perceived as scanners…)
  - Automatically unblocked after the behavior stops
  - Occasionally blocks “greedy” but legitimate applications
    - New version should minimize those disruptions
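The flow-record checks described on the border-router slides (flow fields collected, Top 20 talker reports, and flagging hosts that contact many off-site hosts or move a lot of data) as an added Python example; this is not code from the presentation or from Fermilab. The record layout, the on-site block 192.0.2.0/24, the thresholds and the sample flows are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

ONSITE = ip_network("192.0.2.0/24")  # constructed stand-in for the site's address block

# Constructed flow records: src dst sport dport bytes packets duration_seconds
SAMPLE_FLOWS = """\
192.0.2.10 198.51.100.1 40001 445 120 2 0.1
192.0.2.10 198.51.100.2 40002 445 120 2 0.1
192.0.2.10 198.51.100.3 40003 445 120 2 0.1
192.0.2.10 198.51.100.4 40004 445 120 2 0.1
192.0.2.20 203.0.113.7 51000 443 2500000 1800 30.0
203.0.113.9 192.0.2.30 33000 80 800 6 0.5
192.0.2.30 192.0.2.31 44000 22 5000 40 2.0
"""
FIELDS = ("src", "dst", "sport", "dport", "bytes", "packets", "duration")
TYPES = (ip_address, ip_address, int, int, int, int, float)

def parse_flows(text):
    """One dict per non-empty line, each field converted to its type."""
    return [dict(zip(FIELDS, (t(v) for t, v in zip(TYPES, line.split()))))
            for line in text.splitlines() if line.strip()]

def border_flows(flows):
    """Flows that cross the border: exactly one endpoint is on-site."""
    return [f for f in flows if (f["src"] in ONSITE) != (f["dst"] in ONSITE)]

def top_talkers(flows, n=20, key="bytes"):
    """Rank on-site sources by bytes, packets or flow count sent off-site."""
    totals = defaultdict(int)
    for f in border_flows(flows):
        if f["src"] in ONSITE:
            totals[str(f["src"])] += 1 if key == "flows" else f[key]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]

def greedy_hosts(flows, max_peers=4, max_bytes=1_000_000):
    """Map each on-site host that reached many off-site hosts (scanner-like)
    or pushed a lot of data to (distinct off-site peers, bytes sent).
    Thresholds are constructed for the sample data, not the lab's settings."""
    peers, sent = defaultdict(set), defaultdict(int)
    for f in border_flows(flows):
        if f["src"] in ONSITE:
            peers[f["src"]].add(f["dst"])
            sent[f["src"]] += f["bytes"]
    return {str(h): (len(peers[h]), sent[h]) for h in peers
            if len(peers[h]) >= max_peers or sent[h] >= max_bytes}
```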
Internal Network Blocks
- DHCP service:
  - When requested by Computer Security Team (CST)
    - Typically to isolate a vulnerable or infected system
    - Unblocked only upon approval from CST
  - For network infractions: excessive use, restricted central service
    - Unblocked when corrected
- Static IP address internal block:
  - Normally at the request of CST
    - Unblocked only after approval from CST
Internal Network Blocks (cont.)
- MAC address black-hole:
  - Implemented on local switch
  - At request of FCIRT, during an incident
    - Unblocked at request of FCIRT
  - Network infractions: illegal IP address use, excessive use, restricted central service
    - Unblocked when corrected
- Switch port block:
  - Occasionally used for expedient network disconnect
  - Too easy to get around
  - Can affect other users/systems on same switch port
Helpful Links
- Network info available on Data Comm web site: http://www-dcn.fnal.gov/
  - Network Stats: http://fndcg0.fnal.gov/~netadmin/onsite/stats.html
  - Node Locator: to find point-of-attachment & associated switch traffic graphs
  - NDT Tester: useful in testing for connectivity/duplex problems
- Trouble Reporting: x2345, helpdesk
Questions…
??