Kein Folientitel - ISSEG Training and Dissemination

Download Report

Transcript Kein Folientitel - ISSEG Training and Dissemination

Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
IT Security - Regulations and Technical Aspects
Network concepts
The following presentations have been used for System Administrator
training at FZK and are thus specific to their environment. However
many features will be common to most institutes and thus the slides
could make a good basis for producing customized training material
Authors: Andreas Lorenz and Thomas Brandel
Revised for the ISSeG Project by Ursula Epting, Bruno Hoeft and Tobias Koenig
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Overview: Network Concepts
• Access from inside
• Access from outside
• Access by guests
• LAN regulations
• Network protection technology
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Access of the Network from Inside (1)
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Access of the Network from Inside (2)
General description
Each end device (PC, printer, server) in the LAN requires an
unambiguous IP address for network communication.
An IP address consists of 4 bytes and is represented by 4 decimals
separated by points (for example: 192.168.89.16).
An IP address may be allocated by manual configuration (static address)
or dynamically (by a DHCP server).
Other TCP/IP parameters (subnet mask, default gateway, DNS domain,
DNS and WINS servers) are fixed.
Prerequisites for use
Connection of an end device to the intranet is subject to the internal
regulations and principles ( internal document).
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Overview: Network Concepts
• Access from inside
• Access from outside
• Access by guests
• LAN regulations
• Network protection technology
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
•
Access from Outside
Remote Access (1)
VPN (Virtual Private Network)
–
–
–
–
Access via any internet provider
After VPN setup, complete intranet access
Access to internal DNS
Firewall is by-passed
 Problem: An infected computer may infect the entire intranet
• Solution:
– Access via VPN / reverse proxy server
– Check of the accessing Windows computers (host check) for
• Supported antivirus clients, current antivirus definition
• Personal firewall
• Security updates
– If check fails, direct updating is possible
– Optional 2-factor authentification (RSA token)
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
•
Access from Outside
Remote Access (2)
RSA Token for 2-factor Authentication
– 2 factors:
• PIN (knowledge)
• Device with constantly changing combination of figures (possession)
– Generation of one-time passwords
– Key loggers are undermined
– Attention: If a system is accessed via user name / password after successful
VPN log-on, this may be overheard by a key logger.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
•
Access from Outside
Remote Access (3)
RAS (Log-on access)
–
–
–
–
–
Analog log-on or ISDN
With or without call-back
Complete access to intranet
Internal DNS
Firewall is by-passed
Same problem as for VPN, but worse:
– Computers without a rapid internet access are difficult to be kept updated, as
the updates have become very large in the meantime
– RAS without call-back is not reasonable for the user, as log-on accesses with
commercial providers usually are much cheaper
 RAS should only be used in exceptional cases!
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Access from Outside
Remote Access (4)
•
Direct SSH access from the internet
– Requires clearance of the port in the firewall
– (nearly) any port may be selected
– Recommendation: Avoid standard port, as it is frequently the target
of automatic attacks
– Cleared computers are checked regularly for security exposures
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Overview: Network Concepts
• Access from inside
• Access from outside
• Access by guests
• LAN regulations
• Network protection technology
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Access of Guests (1)
• Computers of guests, who require access to the network,
must not be allowed to enter the intranet unchecked
• Via WLAN, PCs of guests may access a special guest
network:
–
–
–
–
–

Call of any external web site by the web browser
Important: without proxy server!
Creation of a guest account when a valid watchword is input
The watchword is known to the LAN coordinators
Log-on with user name and password
Guest has access to the internet, no access to the intranet
• If a LAN socket with a configured guest network is available,
the same procedure may be used to access the guest
network via cable
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Access by Guests (2)
•
•
If the guest needs access to the intranet, he/she has to sign an
agreement to observe data protection and IT security
If the intranet is to be accessed from a computer of the guest (e.g.
notebook), the following conditions have to be fulfilled (Windows):
– Active personal firewall
– Active virus protection
– Updated patch state of the operating system
•
In principle, access of guests to the intranet should be the exception!
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Overview: Network Concepts
• Access from inside
• Access from outside
• Access by guests
• LAN regulations
• Network protection technology
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Overview: LAN Regulations
• Definitions
• Principles
• Rules
• Log-on, change of registration, and log-off of end devices
• Network security
• Control and correcting measures
• Restrictions
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
LAN Regulations (1)
Definitions
The LAN comprises the entire network infrastructure of the
intranet.
The organizational unit is any organizational unit shown in
the organizational chart as well as any external institution that
is legally independent of the Research Center, which operates
end devices on the LAN.
LAN coordinators (LAN-KO) are central partners at each
organizational unit as far as network operation is concerned.
Each organizational unit appoints one LAN coordinator and at
least one deputy.
An end device is any source or sink of data flows that can be
identified in the LAN.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
LAN Regulations (2)
Principles
LAN operation is subject to aspects of security, performance,
cost efficiency, and legitimacy. For the operation of an end
device, the organizational unit, to which this end device is
allocated, is responsible. Operation of an end device must not
adversely affect LAN operation. The LAN-KOs settle network
matters of and disseminate information to the members of the
organizational unit and the network operator. They act as an
interface between the network operator and the user of the
end device.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
LAN Regulations (3)
1.
2.
3.
4.
Rules (Conditions for the operation of end devices)
The computing center has to possess the following information:
a. Name of the device, i.e. the host name or computer name
b. Hardware address of the network interface card
c. Responsible operator. The operator must be entered in the central
database
d. Place of installation (building and room) of the end device
Exceptions are made for the rules of DHCPs.
As far as network security and compatibility are concerned, the end
device has to fulfill the conditions made on the LAN in terms of
equipment and configuration.
The transmission protocol of the backbone router is the internet
protocol (IP).
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
LAN Regulations (4)
Log-on, Change of Registration, and Log-off of End
Devices
First log-on of an end device is associated with a registration,
during which the information required for operation is
transmitted to the computing center.
The operating organizational unit must immediately notify
changes of the information required for the operation of an
end device.
Log-off is required, if the end device is no longer operated in
the network.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
LAN Regulations (5)
Network Security
Communication links are subject to the general network
security rules of the site ( see document on the intranet).
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
LAN Regulations (6)
Control and Correcting Measures
Operation of the LAN is controlled and failures are eliminated
as rapidly as possible.
Control is subject to the provisions of the Telecommunications
Act and the Telecommunication Data Protection Ordinance as
well as to site-specific in-house agreements and bilateral
agreements with associated external institutions.
End devices that significantly disturb operation or do not fulfill
the conditions for the operation of end devices may be
separated from the LAN by the computing center. This also
applies to entire LAN areas.
.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
LAN Regulations (7)
Restrictions
Moreover, modifications of the LAN shall require approval by
the responsible staff members of the computing center.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Overview: Network Concepts
• Access from inside
• Access from outside
• Access by guests
• LAN regulations
• Network protection technology
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Overview: Network Protection Technology
•
•
•
•
•
Firewall structure
Central firewall
Decentralized firewall
Desktop firewall
Danger warning
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Network Protection Technology (1)
Firewall Structure
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Network Protection Technology (2)
Central Firewall
• It controls the connection between the network of the site (LAN) and the
internet.
• It protects against computers on the internet that want to access devices of
the site.
• It restricts connections of internal computers to services on the internet.
• It is called “central”, because it is effective for all devices connected to the
LAN.
• It provides effective protection against specific attacks from computers on
the internet to computers of the site (protection against hackers).
• It does not offer any protection in case of connections from a LAN
computer to a computer on the internet.
• Clearances may be provided in the firewall in order to make selected
computers accessible for special services.
• The central firewall is designed in a redundant manner.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Network Protection Technology (3)
Decentralized Firewall
The decentralized firewall of the site acts like a blocked safety
door to the organizational units that have an increased need for
network security and data protection in their network area (sub
network).
The decentralized firewall protects the organizational unit from
attacks from the intranet, i.e. from the other organizational units
of the Center.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Network Protection Technology (4)
Desktop Firewall
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Network Protection Technology (5)
Desktop Firewall
Why a personal firewall?
• Due to certain regulations, incoming or outgoing data packages are
blocked by the personal firewall or may pass the firewall.
• As each employee uses his/her PC for various purposes, these
rules cannot be defined centrally. In case of new and unknown
connections, the desktop firewall generally asks the user how it is
supposed to react.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Network Protection Technology (6)
Danger Warning
Why can worms infect the intranet?
Notebooks are frequent travelers. On these travels, they are linked to
other networks at other institutions, for instance. Here, they may catch
“the virus” which then spreads all over the site. Unprotected log-on
PCs also are a risk for the intranet. A virus spreads in various ways. It
may also be sent by e-mail as a program for execution. Some people
like to use password-protected archives, as these are not controlled
by the virus scanner. If the recipient is so uncareful to open them, the
virus may enter the intranet in this way.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Final Remark
Thank you for your
attention
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/
Forschungszentrum Karlsruhe
in der Helmholtz-Gemeinschaft
Copyright © Members of the ISSeG Collaboration, 2008.
Licensed under the Apache License, Version 2.0 (the
"License"); you may not use this material except in
compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
Work distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR
CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing
permissions and limitations under the License.
© Members of the ISSeG Collaboration, 2008
See: http://www.isseg.eu/