Forschungszentrum Karlsruhe in der Helmholtz-Gemeinschaft
IT Security - Regulations and Technical Aspects
Network concepts

The following presentations have been used for System Administrator training at FZK and are thus specific to their environment. However, many features will be common to most institutes, and thus the slides could make a good basis for producing customized training material.

Authors: Andreas Lorenz and Thomas Brandel
Revised for the ISSeG Project by Ursula Epting, Bruno Hoeft and Tobias Koenig
© Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/

Overview: Network Concepts
• Access from inside
• Access from outside
• Access by guests
• LAN regulations
• Network protection technology

Access of the Network from Inside (1)

Access of the Network from Inside (2)
General description
Each end device (PC, printer, server) in the LAN requires an unambiguous IP address for network communication. An IP address consists of 4 bytes and is represented by 4 decimals separated by points (for example: 192.168.89.16). An IP address may be allocated by manual configuration (static address) or dynamically (by a DHCP server). The other TCP/IP parameters (subnet mask, default gateway, DNS domain, DNS and WINS servers) are fixed.
Prerequisites for use
Connection of an end device to the intranet is subject to the internal regulations and principles (internal document).
Access from Outside: Remote Access (1)
• VPN (Virtual Private Network)
– Access via any internet provider
– After VPN setup, complete intranet access
– Access to internal DNS
– Firewall is by-passed
Problem: An infected computer may infect the entire intranet
• Solution:
– Access via VPN / reverse proxy server
– Check of the accessing Windows computers (host check) for
  • Supported antivirus clients, current antivirus definitions
  • Personal firewall
  • Security updates
– If the check fails, direct updating is possible
– Optional 2-factor authentication (RSA token)

Access from Outside: Remote Access (2)
• RSA Token for 2-factor Authentication
– 2 factors:
  • PIN (knowledge)
  • Device with a constantly changing combination of digits (possession)
– Generation of one-time passwords
– Key loggers are undermined
– Attention: If a system is accessed via user name / password after a successful VPN log-on, this may still be overheard by a key logger.
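The two-factor scheme above (PIN plus a token code that changes every few seconds, each code usable once) can be modelled with the standard HOTP/TOTP construction; this is an added example, not the slides' own code and not the proprietary RSA SecurID algorithm. The secret is the RFC 6238 test key, the 30-second step and 4-digit PIN are assumptions, and the verifier shows why a key-logged passcode is useless to a replayer.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): dynamically truncated HMAC-SHA1 of the counter as a zero-padded decimal."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): what the token displays; the value changes every `step` seconds."""
    return hotp(secret, unix_time // step, digits)


class TokenVerifier:
    """Server side. Passcode = PIN (knowledge) followed by the 6-digit tokencode (possession)."""

    def __init__(self, pin: str, secret: bytes, step: int = 30, window: int = 1):
        self.pin, self.secret, self.step, self.window = pin, secret, step, window
        self.used = set()  # counters already accepted: a captured passcode must never work twice

    def verify(self, passcode: str, unix_time: int) -> bool:
        if len(passcode) != len(self.pin) + 6:
            return False
        pin, code = passcode[:-6], passcode[-6:]
        pin_ok = hmac.compare_digest(pin.encode(), self.pin.encode())
        now = unix_time // self.step
        # Tolerate +/- `window` steps of clock drift between token and server.
        for counter in range(now - self.window, now + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if not pin_ok or counter in self.used:
                    return False  # wrong PIN, or replay of a key-logged passcode
                self.used.add(counter)
                return True
        return False
```

A password typed into an internal system after the VPN log-on gets no such protection, which is the slide's warning.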
Access from Outside: Remote Access (3)
• RAS (dial-in access)
– Analog dial-in or ISDN
– With or without call-back
– Complete access to the intranet
– Internal DNS
– Firewall is by-passed
Same problem as for VPN, but worse:
– Computers without rapid internet access are difficult to keep updated, as the updates have become very large in the meantime
– RAS without call-back is not reasonable for the user, as dial-in access via commercial providers is usually much cheaper
RAS should only be used in exceptional cases!

Access from Outside: Remote Access (4)
• Direct SSH access from the internet
– Requires clearance of the port in the firewall
– (nearly) any port may be selected
– Recommendation: Avoid the standard port, as it is frequently the target of automatic attacks
– Cleared computers are checked regularly for security exposures

Access of Guests (1)
• Computers of guests who require access to the network must not be allowed to enter the intranet unchecked
• Via WLAN, PCs of guests may access a special guest network:
– Call of any external web site by the web browser (important: without proxy server!)
– Creation of a guest account when a valid watchword is input
– The watchword is known to the LAN coordinators
– Log-on with user name and password
– Guest has access to the internet, no access to the intranet
• If a LAN socket with a configured guest network is available, the same procedure may be used to access the guest network via cable

Access by Guests (2)
• If the guest needs access to the intranet, he/she has to sign an agreement to observe data protection and IT security
• If the intranet is to be accessed from a computer of the guest (e.g. notebook), the following conditions have to be fulfilled (Windows):
– Active personal firewall
– Active virus protection
– Updated patch state of the operating system
• In principle, access of guests to the intranet should be the exception!

Overview: LAN Regulations
• Definitions
• Principles
• Rules
• Log-on, change of registration, and log-off of end devices
• Network security
• Control and correcting measures
• Restrictions

LAN Regulations (1)
Definitions
The LAN comprises the entire network infrastructure of the intranet.
The organizational unit is any organizational unit shown in the organizational chart, as well as any external institution that is legally independent of the Research Center and operates end devices on the LAN.
LAN coordinators (LAN-KO) are the central partners at each organizational unit as far as network operation is concerned. Each organizational unit appoints one LAN coordinator and at least one deputy.
An end device is any source or sink of data flows that can be identified in the LAN.

LAN Regulations (2)
Principles
LAN operation is subject to aspects of security, performance, cost efficiency, and legitimacy.
The organizational unit to which an end device is allocated is responsible for its operation.
Operation of an end device must not adversely affect LAN operation.
The LAN-KOs settle network matters of, and disseminate information to, the members of the organizational unit and the network operator. They act as an interface between the network operator and the user of the end device.

LAN Regulations (3)
Rules (Conditions for the operation of end devices)
1. The computing center has to possess the following information:
a. Name of the device, i.e. the host name or computer name
b. Hardware address of the network interface card
c. Responsible operator. The operator must be entered in the central database
d. Place of installation (building and room) of the end device
2. Exceptions are made for DHCP.
3. As far as network security and compatibility are concerned, the end device has to fulfill the conditions made on the LAN in terms of equipment and configuration.
4. The transmission protocol of the backbone router is the internet protocol (IP).
LAN Regulations (4)
Log-on, Change of Registration, and Log-off of End Devices
The first log-on of an end device is associated with a registration, during which the information required for operation is transmitted to the computing center.
The operating organizational unit must immediately notify any changes of the information required for the operation of an end device.
Log-off is required if the end device is no longer operated in the network.

LAN Regulations (5)
Network Security
Communication links are subject to the general network security rules of the site (see document on the intranet).

LAN Regulations (6)
Control and Correcting Measures
Operation of the LAN is monitored and failures are eliminated as rapidly as possible. Monitoring is subject to the provisions of the Telecommunications Act and the Telecommunication Data Protection Ordinance, as well as to site-specific in-house agreements and bilateral agreements with associated external institutions.
End devices that significantly disturb operation or do not fulfill the conditions for the operation of end devices may be separated from the LAN by the computing center. This also applies to entire LAN areas.

LAN Regulations (7)
Restrictions
Moreover, modifications of the LAN require approval by the responsible staff members of the computing center.
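The registration rule (host name, hardware address, operator, location) and the correcting measure of separating unregistered devices from the LAN can be checked mechanically; the following is an added example, not the computing center's own database code. Record fields, the MAC normalization and the sample switch-table entries are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:..' and return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid hardware address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class EndDevice:
    hostname: str   # a. name of the device (host name / computer name)
    mac: str        # b. hardware address of the network interface card
    operator: str   # c. responsible operator, as entered in the central database
    location: str   # d. place of installation (building and room)


def validate(dev: EndDevice) -> List[str]:
    """Return the rule-1 fields that are missing or malformed; an empty list means registrable."""
    problems = []
    for name in ("hostname", "operator", "location"):
        if not getattr(dev, name).strip():
            problems.append(f"missing {name}")
    try:
        dev.mac = normalize_mac(dev.mac)   # store the canonical form so later lookups match
    except ValueError:
        problems.append("invalid hardware address")
    return problems


def reconcile(registry: Dict[str, EndDevice], observed_macs: List[str]) -> List[str]:
    """Hardware addresses seen on the LAN (e.g. in switch forwarding tables) with no registration.

    These are the candidates the computing center may separate from the LAN under
    'Control and Correcting Measures'; the registry is keyed by normalized MAC.
    """
    known = {normalize_mac(m) for m in registry}
    seen = {normalize_mac(m) for m in observed_macs}
    return sorted(seen - known)
```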
Overview: Network Protection Technology
• Firewall structure
• Central firewall
• Decentralized firewall
• Desktop firewall
• Danger warning

Network Protection Technology (1)
Firewall Structure

Network Protection Technology (2)
Central Firewall
• It controls the connection between the network of the site (LAN) and the internet.
• It protects against computers on the internet that want to access devices of the site.
• It restricts connections of internal computers to services on the internet.
• It is called "central" because it is effective for all devices connected to the LAN.
• It provides effective protection against specific attacks from computers on the internet on computers of the site (protection against hackers).
• It does not offer any protection for connections initiated from a LAN computer to a computer on the internet.
• Clearances may be provided in the firewall in order to make selected computers accessible for special services.
• The central firewall is designed in a redundant manner.
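As an added example (not the site's firewall configuration), the following models the firewall structure these slides describe: the central firewall between internet and LAN with per-host clearances, and the decentralized firewall of the next slide that shields one organizational unit's sub network from the rest of the intranet. The address plan, the cleared SSH host on port 2222 and the unit's open port are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed address plan (assumption for this example, not the Center's real plan).
LAN = ip_network("192.168.0.0/16")                  # the whole intranet
SECURE_UNIT = ip_network("192.168.89.0/24")         # sub network behind a decentralized firewall
# Central-firewall clearances: (internal host, port) pairs reachable from the internet.
CLEARANCES = {(ip_address("192.168.1.10"), 2222)}   # SSH cleared on a non-standard port
# Decentralized firewall: the only service the unit exposes to the other organizational units.
UNIT_PORTS_OPEN_TO_INTRANET = {443}


def central_firewall(src, dst, dport):
    """Sits between internet and LAN: inbound only via clearances, outbound unrestricted."""
    if src in LAN and dst not in LAN:
        return "allow"          # LAN -> internet: the central firewall offers no protection here
    if src not in LAN and dst in LAN:
        return "allow" if (dst, dport) in CLEARANCES else "deny"
    return "not-on-path"        # intranet-internal traffic never reaches the central firewall


def decentralized_firewall(src, dst, dport):
    """Surrounds SECURE_UNIT: protects the unit from attacks out of the rest of the intranet."""
    if dst in SECURE_UNIT and src not in SECURE_UNIT:
        return "allow" if dport in UNIT_PORTS_OPEN_TO_INTRANET else "deny"
    if src in SECURE_UNIT or dst in SECURE_UNIT:
        return "allow"          # traffic leaving the unit is not restricted by this firewall
    return "not-on-path"


def decide(src: str, dst: str, dport: int) -> str:
    """Verdict for a new connection: every firewall on the path has to allow it."""
    src, dst = ip_address(src), ip_address(dst)
    verdicts = [central_firewall(src, dst, dport), decentralized_firewall(src, dst, dport)]
    return "deny" if "deny" in verdicts else "allow"
```

The desktop firewall on each PC is a third layer in front of the individual host and is not modelled here.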
Network Protection Technology (3)
Decentralized Firewall
The decentralized firewall of the site acts like a locked safety door for organizational units that have an increased need for network security and data protection in their network area (sub network).
The decentralized firewall protects the organizational unit from attacks from the intranet, i.e. from the other organizational units of the Center.

Network Protection Technology (4)
Desktop Firewall

Network Protection Technology (5)
Desktop Firewall
Why a personal firewall?
• Depending on its rules, incoming or outgoing data packets are blocked by the personal firewall or allowed to pass.
• As each employee uses his/her PC for various purposes, these rules cannot be defined centrally. In case of new and unknown connections, the desktop firewall generally asks the user how it is supposed to react.

Network Protection Technology (6)
Danger Warning
Why can worms infect the intranet?
Notebooks are frequent travelers. On these travels they are connected to other networks, at other institutions for instance. There they may catch "the virus", which then spreads all over the site.
Unprotected dial-in PCs are also a risk for the intranet.
A virus spreads in various ways. It may also be sent by e-mail as a program for execution. Some people like to use password-protected archives, as these are not inspected by the virus scanner.
If the recipient is careless enough to open them, the virus may enter the intranet in this way.

Final Remark
Thank you for your attention

Copyright
© Members of the ISSeG Collaboration, 2008. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this material except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, Work distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.