Internet Service, VPN and Security
Download
Report
Transcript Internet Service, VPN and Security
WMO TECO-WIS - Korea 2006
INTERNET SERVICES, VPN and SECURITY
Jean-François Gagnon
Director, Network and Voice Operations
Information Technology Infrastructure Directorate
Chief Information Officer Branch
Environment Canada
.
Co-Chair, Expert Team on WIS-GTS Communication Techniques and Structures
Information System and Services, CBS, WWW
TECO-WIS, Seoul
November 2006
1
Definition of the Internet
• Network of networks
– millions of smaller domestic, academic, business, and
government networks
– Uses TCP/IP protocol suite
• Carries various information and services, such as
electronic mail, online chat, file transfer, documents of
the World Wide Web.
• Internet and the World Wide Web are not synonymous:
– the Internet is a collection of interconnected computer networks,
linked by telecommunication media
– the Web is a collection of interconnected documents, linked by
hyperlinks and URLs.
TECO-WIS, Seoul
November 2006
2
Deployment of the Internet in the World
TECO-WIS, Seoul
November 2006
3
Internet Status as viewed by WMO ET-CTS
• Noted some progress in implementation of TCP/IP procedures
around the various WMO administrative regions
– recently for smaller sites
– major centers had already reported conversion at previous meetings
• Experience is good and reports on reliability are reassuring
• Still not recommended as unique method of data acquisition for
mission critical activities
– Internet does not provide guaranteed service levels
– No operator has complete Internet responsibility, since amalgamation of
numerous telecommunication systems
• Security is an important concern, requires efforts and strong
commitment by all
TECO-WIS, Seoul
November 2006
4
TCP/IP Protocol Suite – RFC112 and RFC 1123
INTERNET PROTOCOL SUITE
APPLICATION
PRESENTATION
FTP, FTPS, TELNET,
SMTP, SNMP, HTTP,
HTTPS
SESSION
TRANSPORT
NETWORK
NFS
(Network File
Service)
XDR
(External Data
Representation)
RPC
(Remote
Procedure Call)
TCP, UDP
Routing
Protocols
IP
ICMP
ARP, RARP
DATA LINK
PHYSICAL
TECO-WIS, Seoul
November 2006
Not Specified
5
Use of TCP/IP on the GTS
• As recommended TCP/IP on the GTS for several years
• Benefits equate direct savings in financial and human
resource costs to Members
– reduced costs for communications equipment purchase and
maintenance
– reduced software development work - use of industry standard
software systems
TECO-WIS, Seoul
November 2006
6
Common Protocols allow Coexistence
• Internet can be used as:
– an underlying technology for some components of the GTS in special
conditions
– as a backup to the GTS
– as a complement to the GTS
Communication
Component
GTS
Internet
TECO-WIS, Seoul
November 2006
Function
Delivery of time critical communication for
weather, water and climate operations
Communication for less critical
requirements and possibly for large
volumes of data
7
Telecommunication Options
GTS
INTERNET
INTERNET
CENTER A
CENTER B
BROADCAST
NETWORK
OTHER NON-GTS LINKS
TECO-WIS, Seoul
November 2006
8
Internet Access Types
• Dial-up
–
–
–
–
Based on public telephone system
Typically 64 Kbps or less
Usually billed on time
Short connections initiated by user’s (or centre’s) end
• Permanent
–
–
–
–
–
–
Broadband (cable, DSL) or dedicated link
Typically 1 Mbps or better
Higher cost
Faster
Connection always established
Good for data providers
TECO-WIS, Seoul
November 2006
9
Implementation for Client-only Usage
•
•
•
•
Simple computer is sufficient to access Internet
Usually limited to small interactions initiated by user
Non-dedicated link (dial-up, DSL, cable) might be sufficient
Important to secure computer against unautorized incoming threats
– Usually the simplest rules – deny all incoming
– PC based « personal use » firewall software, such as
• http://www.zonelabs.com/
• http://www.personalfirewall.comodo.com/
• http://www.sunbelt-software.com/kerio.cfm
– Small « personal use » firewall, such as
• http://www.linksys.com
• http://dlink.com
ROUTER /
FIREWALL
TECO-WIS, Seoul
November 2006
INTERNET
10
Implementation for Servers
• Usually requires a dedicated link
• May be implemented with servers
– within your organization
• Completely under your responsibility
• Usually more flexible, more control
– Contracted to a hosting service provider
• May be more attractive if little expertise in system and security
management
• May have less control and flexibility
• Requires very clear statement of work and deliverables, especially
regarding Service Level Agreements (support issues)
TECO-WIS, Seoul
November 2006
11
Official IP Addresses
• It is essential to have a standard in the addressing
scheme
– Currently IPv4 most widely spread
– IPv6 being deployed slowly. Not used in GTS yet.
• It is essential to have uniqueness in the allocation of
addresses
– Since the GTS (and of course Internet) is not built as a unique
network under the complete authority of a single organization,
the allocation of addresses must therefore go through the official
bodies
TECO-WIS, Seoul
November 2006
12
The Internet Security Threat
• Motivation
– Obtain information or resources
• An attack can be motivated by the will to obtain information, for strategic,
ideological, financial or intelligence reasons, or resources like storage,
supercomputing or a link to an organization’s partner.
– Desire to cause harm
• Another motivation can be to prevent an organization to fulfil its mission
properly, by blocking or modifying services or information, for revenge,
terrorism, blackmail or malicious reasons.
– Playful or exploration
• Another kind of motivation is curiosity, boredom, game or challenge. Many
famous governmental institutions have been hit by such motivated attacks,
degrading their reputation.
– Accident
• The last category is human or physical accident. It can take many forms
and touch any part of the information system (network, hardware and
software), and can be prevented by an adequate disaster recovery
procedures, such as implementing system redundancy and automatic
failover procedures.
• Regardless of motivation, the threat is real
TECO-WIS, Seoul
November 2006
14
The Internet Security Threat – Common Threats
•
•
•
•
•
Malicious codes: viruses, worms, Trojan horses
Denial of service
Malicious hacking
Spying
Compromising and abuse of system resources
TECO-WIS, Seoul
November 2006
15
Impacts of Security Breaches
•
System and service impacts that disrupt or incapacitate actual systems or services
–
–
–
–
–
•
System slow down: the events cause the systems to slow down for no apparent reason.
System rendered unavailable: the events cause the systems to stop functioning altogether.
System or component of system destroyed: the events cause not only the systems and
services not to be available for a period of time, but cause the destruction of resources.
System apparently normal, but information stolen or compromised: the events that lead to
these impacts usually reside on the systems in a way not to be detected. Often, the reason
is to steal or spy. The impacts can be severe, as stolen information can be of sensitive or
commercial nature. Compromised information may have public safety implications or
political, religious, sexual or racial contents. The organization’s reputation and future may be
at stakes as well as safety of life.
System used to compromise others: the events would compromise an organization’s
systems in a way not to be detected, and may be left unused for a long time. However, these
components can be used to compromise other systems. Although the impact on a given
organization may seem negligible, harm to other organizations is possible. An organization
could be falsely accused of being the source of trouble because of this technique.
Administrative, legal and reputation impacts
–
All organizations have a “network” responsibility. They must mitigate the problems of
security and ensure they are not the cause of problems to others. Failure to do so may
eventually lead to legal action. It is also obvious that bad information and poor service will
certainly have administrative impacts as well as loss of reputation impacts.
TECO-WIS, Seoul
November 2006
16
Information Technology Security Best Practices
•
Network architecture
–
–
–
–
•
•
Remote access
Server access and security
–
•
The requirement for a security policy
Developing a policy
Threat and Risk Assessments (TRA)
Policy control
Procedures
–
–
–
–
–
–
–
•
File system authorisation rules
Security policies
–
–
•
•
•
Local Area Networks
Wide Area Networks
Wireless LAN
Firewall systems
System management
New system installation and change management
Installation of security patches
User account management
Backup / restore procedures and regular testing
Detection procedures
Response/recovery procedures
Public server configuration
TECO-WIS, Seoul
November 2006
17
Most Basic Security Tool: Firewalls
• Types
– Packet filters
– Application Layer firewalls
• By default should block all unauthorized traffic
– Protects systems against unwanted access
• Can be used in many places in the networks
– Not just for security with the internet
TECO-WIS, Seoul
November 2006
18
Possible Placement of Firewalls
WORKSTATION 1
LINK PROVIDED BY
TELECOM SUPPLIER
WEB PORTAL /
SERVER 1
WORKSTATION 2
WEB PORTAL /
SERVER 2
ACCESS DEVICE
ROUTER /
FIREWALL
WAFS RECEIVER
GTS
VPN
INTERFACE
DIGITAL VIDEO
BROADCAST
RECEIVER
MESSAGE
SWITCHING SERVER
1
DMZ
SUBNET
MESSAGE
SWITCHING SERVER
2
FIREWALL
FIREWALLS BLOCK
ALL TRAFFIC IN
BOTH DIRECTIONS BY
DEFAULT, ALLOWS
ONLY KNOWN
TRAFFIC
LINK PROVIDED BY
INTERNET SUPPLIER
OTHER SYSTEMS
ACCESS DEVICE
ROUTER /
FIREWALL
INTERNAL ROUTER /
FIREWALL
INTERNAL
PROTECTED
SUBNET
INTERNET
PUBLIC
SUBNET
CENTER A
TECO-WIS, Seoul
November 2006
19
VPN Concept
VPN
CLIENT
VPN
SERVER
INTERNET
TECO-WIS, Seoul
November 2006
20
Virtual Private Networks (VPN)
Create the equivalent of a dedicated private link using the Internet as a connection media
AND
TYPICAL VPN OVER INTERNET CONNECTION
WORKSTATION 1
LINK PROVIDED BY
TELECOM SUPPLIER
WEB PORTAL /
SERVER 1
WORKSTATION 2
WEB PORTAL /
SERVER 2
ACCESS DEVICE
ROUTER /
FIREWALL
WAFS RECEIVER
GTS
VPN
INTERFACE
DIGITAL VIDEO
BROADCAST
RECEIVER
MESSAGE
SWITCHING SERVER
1
DMZ
SUBNET
MESSAGE
SWITCHING SERVER
2
FIREWALL
LINK PROVIDED BY
INTERNET SUPPLIER
OTHER SYSTEMS
ACCESS DEVICE
ROUTER /
FIREWALL
INTERNAL ROUTER /
FIREWALL
INTERNAL
PROTECTED
SUBNET
INTERNET
PUBLIC
SUBNET
CENTER A
TECO-WIS, Seoul
November 2006
21
WIS VPN Pilot Project in Regions II and V (as of Sept 2006)
China
100Mbps (max)
Hong
Kong
10Mbps (max)
100Mbps (max)
India
2Mbps
Iran
4Mbps
Korea
Oman
256Mbps
(min)440Mbps
(max)
100Mbps
(max)
Internet
512Kbps
Japan
Australia
1Mbps
Brunei
3Mbps
Malaysia
Saudi
Arabia
2Mbps
2Mbps
New
Zealand
Vietnam
1Mbps
2Mbps
Singapore
Established VPN-link
with Japan
TECO-WIS, Seoul
November 2006
Soon established VPN-link
with Japan
22
Establishing a VPN Link
• VPN links have many parameters
– Confirm the protocols to be used, such as IPsec, pre-shared
secrets
– Define the pre-shared secret. This “password” must be defined
and be the same on both sides
– Confirm the VPN platform to be used
– Agree on IP addresses to exchange on the link
– Modify filter rules on the firewall
– Implement the define configuration
– Test
TECO-WIS, Seoul
November 2006
23
File Transfers and FTP servers
•
•
•
•
•
•
Uses File Transfer Protocol
Can be used for dissemination or exchange of bulk meteorological data
through Internet, GTS or other local/wide area networks
Recommended for predefined users
Efficient data exchange protocol
Good for both push and pull configurations
File Naming is important – see Man 386 Att II.15
TECO-WIS, Seoul
November 2006
24
FTP Server Implementation
TECO-WIS, Seoul
November 2006
25
Electronic Mail
• Uses the Simple Mail Transfer Protocol (SMTP)
• Complementary method of data input into the GTS
– Should not be used to replace GTS data exchanges for mission critical
components
– Usually can not guarantee real time data delivery
– Requires sites to collect messages (some examples: Washington, New
Zealand, Tokyo, Beijing)
– Requires a strong quality control at the collecting center as the collected
messages often contain several typing or format mistakes
• Mostly a push mechanism
• May be used for notification (for example that a file is available for
delivery while the file itself is placed on an FTP server)
• Excellent general communication tool
• Important entry point for virusses, worms and Trojan Horses
• Must deal with SPAM problem
– Spamming is the abuse of electronic messaging systems to send
unsolicited, undesired bulk messages
TECO-WIS, Seoul
November 2006
26
Email Implementation
TYPICAL EMAIL USER EXCHANGES
TYPICAL EMAIL SERVER EXCHANGES
WORKSTATION 1
LINK PROVIDED BY
TELECOM SUPPLIER
WEB PORTAL /
SERVER 1
WORKSTATION 2
WEB PORTAL /
SERVER 2
ACCESS DEVICE
ROUTER /
FIREWALL
WAFS RECEIVER
VPN
INTERFACE
DIGITAL VIDEO
BROADCAST
RECEIVER
MESSAGE
SWITCHING SERVER
1
DMZ
SUBNET
MESSAGE
SWITCHING SERVER
2
EMAIL
SERVER
GTS
FIREWALL
LINK PROVIDED BY
INTERNET SUPPLIER
VIRUS &
SPAM
FILTERS
ACCESS DEVICE
ROUTER /
FIREWALL
INTERNAL ROUTER /
FIREWALL
INTERNAL
PROTECTED
SUBNET
INTERNET
PUBLIC
SUBNET
CENTER A
TECO-WIS, Seoul
November 2006
27
Web Servers
• Based primarily on Hyper Text Transfer Protocol (HTTP)
• Used to make available various data and reports, available to users
who request the information by downloading the various « web
pages » (pull mechanism)
• Offers an intuitive approach to presentation of data and links
between data elements
• Allows complex scripts and data management tools to be added
• Requires permanent connection to the Internet
• Requires careful and significant planning and maintenance
– Weather data is updated very often
– Demand for weather data can be very high
– In large sites can become very complex
TECO-WIS, Seoul
November 2006
28
Web Server Implementation
TYPICAL WEB SERVER ACCESS
WORKSTATION 1
LINK PROVIDED BY
TELECOM SUPPLIER
WEB PORTAL /
SERVER 1
WORKSTATION 2
WEB PORTAL /
SERVER 2
ACCESS DEVICE
ROUTER /
FIREWALL
WAFS RECEIVER
GTS
VPN
INTERFACE
DIGITAL VIDEO
BROADCAST
RECEIVER
MESSAGE
SWITCHING SERVER
1
DMZ
SUBNET
MESSAGE
SWITCHING SERVER
2
FIREWALL
LINK PROVIDED BY
INTERNET SUPPLIER
OTHER SYSTEMS
ACCESS DEVICE
ROUTER /
FIREWALL
INTERNAL ROUTER /
FIREWALL
INTERNAL
PROTECTED
SUBNET
INTERNET
PUBLIC
SUBNET
CENTER A
TECO-WIS, Seoul
November 2006
29
Conclusion
• Internet is part of the « Network Structure » of the WIS
• Should be used mostly for non real time, non mission
critical traffic
• It complements the information exchange infrastructure
– As a separate network
– As a backup network
– As an underlying technology to simulate dedicated links for the
GTS where no other means are possible or economically
sustainable
• Security is an essential concern and must be addressed
TECO-WIS, Seoul
November 2006
31
Important Documents
http://www.wmo.int/web/www/documents.html
• Manual 386, Attachment II.15 – Use of TCP/IP on the
GTS (Revision 3, Sept 2006)
• Guide on Information Technology Security (Sept 2006)
• Guide on Internet Practices (Sept 2006)
• Guide on use of FTP and FTP servers at WWW centres
(Sept 2006)
• Guidance on IPSec-based VPNs over the Internet (April
2004)
TECO-WIS, Seoul
November 2006
32
Questions?
TECO-WIS, Seoul
November 2006
33