The Security Protection System at IHEP-Net
Lanxin Ma
Institute of High Energy Physics (IHEP)
Chinese Academy of Sciences
September 30, 2004
CHEP 2004, Interlaken
Outline
 The Introduction
 Why we need to improve IHEP-Net security protection capability
 The measures we used
– Firewall & VPN
– Anti-Virus system
– Anti-Spam system
– The security control and management center
– Emergency Response Team
 Summary
Interlaken, Switzerland CHEP2004, 30 September
Lanxin Ma
The Introduction
• IHEP was the first to connect computers to the Internet in China, at the beginning of the 1990s
• The outlet bandwidth is 10M
• The IHEP-Net backbone is Gigabit Ethernet
• The intranet bandwidth connected to each host is 100M
• The intranet has a star structure, with a main switch connected to each laboratory
• Switch-based network
• There are more than 2000 hosts, many servers based on PC/Linux, Win2000, etc.
• IHEP-Net provides the computing environment for the BESII and BESIII experiments
The Current Topology of IHEP-Net
[Figure: topology diagram. Edge switches (hammer3550-24) on the 2nd and 5th floors of the Main Building, the Chemistry Building and the Physics Building; a Cisco Catalyst 3750 for the BES farm (Main Building 426); Big hammer6808 core switches in the Main Building and Physics Building computer labs and in the Computing Center; SSR2000 switches for BES Center control, the Second workshop, the Third hall and the Orb lab; an SSR8600 in the Computing Center; an ELS100 in the First Hall; a Cisco3640 for the BES-FARM; further halls (Second, Fourth, Fifth, Sixth, Twelfth, Thirteenth), the Library, Report and Online Buildings and the PC-FARM; uplink to CSTNET. Legend: blue line 100TX / 1000LX, purple line 100FX / 1000SX.]
Why we need to improve IHEP-Net Security
 Before 2002,
• The firewall system was too simple
• It was easy for hackers to attack
• There was no anti-virus system
• There was no anti-spam system
 The security problem is one of the important issues at IHEP-Net
 At the end of 2001, the network security group was organized in the computing center of IHEP to enact the security policy and strategy against the attacks and to improve IHEP-Net security
The measures to improve IHEP-Net Security
• Re-constructed IHEP-Net infrastructure:
– IHEP-Net consists of 3 areas: one intranet, one DMZ and one special hosts area (SA)
• Re-configured firewall system:
– Some servers and some special hosts moved to the DMZ and the SA.
– New rules control the access among the Internet, the intranet, the DMZ and the special hosts area
• IDS (an intrusion detection system)
– Works with the firewall so that all packets from outside IHEP are checked and filtered
• VPN at IHEP-Net
– Access to the hosts inside IHEP from outside must be via FW or VPN
• Anti-Spam system
• Anti-Virus system
• The network security control and management center
• The emergency response team
The Security Protection System of IHEP-Net
[Figure: the SOC of IHEP-Net. The Internet reaches a DMZ (anti-virus and anti-spam system) and a special machine area in front of the LAN. The SOC comprises the Security Policy, an Administrator System, an Administration platform, a Security Scanner System, the Security Incident Response Team and a Monitor system with a forensic agent, an IDS agent, a survive system, a backup system and a trap system.]
The Secure IHEP-Net
 Firewall system
 VPN system
 Access to the hosts inside IHEP from outside IHEP must be via FW or VPN
[Figure: the Internet reaches the DMZ, the SA and the intranet only through the FW or the VPN gateway.]
The Firewall System
 Firewall system
• Has been reconfigured
• Prevents unauthorized access to our network from other networks
• Controls the access among the Internet, the intranet, the DMZ and the special hosts area
• Some servers and some special hosts moved to the DMZ and the SA. Access among the Internet, the intranet, the DMZ and the SA is allowed according to the rules
• The intranet consists of:
o The isolated hosts, which are not allowed to access the Internet and only access the hosts inside IHEP
o The hosts which access the Internet via NAT
o Hosts outside IHEP cannot connect to the intranet directly
[Figure: the four zones Internet, Intranet, DMZ and SA around the firewall.]
The VPN System
 VPN system
• The hosts outside IHEP access the IHEP intranet via FW or VPN
• VPN server + PPTP as the tunneling protocol
• Client OS: Win2000/XP/2003/Linux
• Authentication
• USBKEY authentication
• A unique IP address is assigned to each client host
• The VPN server also has a packet filtering function
• The access level of each VPN account is controlled through packet filtering rules
The Anti-Virus System
 Anti-Virus Wall at gateway level
– Provides real-time virus detection and cleanup for all SMTP, HTTP and FTP Internet traffic at the gateway.
 Desktop Anti-Virus system
– Offers centralized virus protection to all the Windows hosts across the network
– Server/Client structure
The topology of the Anti-Virus System at the Gateway
 For SMTP
– All emails sent and received are filtered by this system
– To support outbound mail processing, specify your local domains.
– Enable anti-relay
 Using a web proxy to filter viruses in HTTP traffic
 Using an FTP proxy to filter viruses in FTP traffic. This system can act as a file transfer proxy itself.
[Figure: Internet, router, FW, then the anti-virus system at the gateway for SMTP, HTTP and FTP, in front of the mail servers, the web proxy server and the clients.]
The topology of the Anti-Spam System at the Gateway
• Refusing access at the firewall from the IP addresses that attack IHEP-Net
• All emails sent and received must be filtered by this system
• The anti-spam gateway is the only host sending emails to the Internet and receiving emails from the Internet
• A low filtering level is used normally, in order not to lose emails
• Spam mails decreased significantly
[Figure: Internet, router, FW, then the anti-spam system at the gateway, in front of the mail servers and the clients.]
Anti-Spam and Anti-Virus Work Together
 The anti-spam system works well together with the anti-virus system, so that all emails sent and received are filtered by both the anti-spam system and the anti-virus system. This keeps the amount of spam reaching users' mailboxes as low as possible and ensures that no virus mails reach users' mailboxes.
The Security Control and Management Center
• Some home-made software to:
– Make statistics on and analyze the network flux
– Detect and monitor the hosts that have exceptional flux
– Detect and monitor the hosts that scan other hosts, and respond
– Disconnect a host from the network if it has a security problem and causes the network not to work
– Refuse connections to the mail server from the hosts that spread virus mails
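The monitoring functions this slide lists, as an added example that is not the IHEP centre's own software: it runs the flux statistics, the scan detection and the virus-mailer check over constructed flow records (hypothetical addresses, volumes and thresholds) and maps each flagged host to the response the slide describes.

```python
from collections import Counter, defaultdict

# Constructed flow records (src, dst, dst_port, bytes); addresses and volumes
# are hypothetical, standing in for the per-host traffic a switch would export.
MAIL_SERVER = "10.1.0.25"
FLOWS = [
    ("10.1.2.5", "10.1.9.9", 80, 120_000),       # ordinary web client
    ("10.1.2.5", MAIL_SERVER, 25, 4_000),        # one normal mail submission
    ("10.1.3.7", "202.0.2.1", 80, 900_000_000),  # exceptional flux
    ("10.1.4.8", "202.0.2.1", 80, 5_000),
]
FLOWS += [("10.1.4.8", f"10.1.5.{i}", 445, 300) for i in range(1, 41)]  # port sweep
FLOWS += [("10.1.6.2", MAIL_SERVER, 25, 2_000) for _ in range(150)]     # mass mailer

def flux_by_host(flows):
    """Network flux statistics: total bytes sent by each source host."""
    total = Counter()
    for src, _dst, _port, nbytes in flows:
        total[src] += nbytes
    return total

def exceptional_flux_hosts(flows, limit_bytes):
    """Hosts whose outbound volume exceeds the agreed limit."""
    return {h for h, b in flux_by_host(flows).items() if b > limit_bytes}

def scanning_hosts(flows, min_targets):
    """Hosts touching many distinct destinations on the same port (a scan)."""
    targets = defaultdict(set)
    for src, dst, port, _nbytes in flows:
        targets[(src, port)].add(dst)
    return {src for (src, _p), dsts in targets.items() if len(dsts) >= min_targets}

def mass_mailers(flows, mail_server, min_conns):
    """Hosts opening abnormally many SMTP connections to the mail server."""
    conns = Counter(src for src, dst, port, _ in flows
                    if dst == mail_server and port == 25)
    return {h for h, n in conns.items() if n >= min_conns}

def decide_actions(flows, mail_server, limit_bytes=500_000_000,
                   min_targets=20, min_conns=100):
    """Map each flagged host to the centre's response; the most severe wins."""
    actions = {}
    for h in scanning_hosts(flows, min_targets):
        actions[h] = "monitor-scan"            # watch and respond to the scanner
    for h in mass_mailers(flows, mail_server, min_conns):
        actions[h] = "refuse-mail-server"      # block its connections to the mail server
    for h in exceptional_flux_hosts(flows, limit_bytes):
        actions[h] = "disconnect"              # traffic that breaks the network: unplug
    return actions
```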
The Emergency Response Team
 Security problem response team for local service
– Responds to security problems (system/application)
• Cleans up viruses on infected hosts
• Patches their systems
• Scans hosts for system vulnerabilities, etc.
 The technical support methods
– Hotline
– Helpdesk system for users to submit service requests via a webpage
– Mail system for users to get our help
Summary
 Now, we successfully
– prevent attacks from outside and inside
– prevent virus spread
– reduce spam dramatically
– respond to and deal with the security problems of local users
 IHEP-Net is becoming more and more secure
 In the future, we should also consider:
– The VPN connection among IHEP-Net
– Letting users choose their own spam filtering level
– Improving the capability of the firewall system and the SOC