University of Washington Department of Transportation
Business Systems Asguard Networks Security System
6/12/2014
Table of Contents
Overview ..... 2
UTC Server ..... 4
UWTS/Asguard Networks SimpleConnect™ System ..... 5
Gatehouse 1 ..... 6
Gatehouse 2 ..... 8
Gatehouse 3 ..... 10
Triangle Garage (Gatehouse 4) ..... 12
Gatehouse 5 ..... 14
Gatehouse 6 ..... 16
TrainMe (Gatehouse 9) ..... 18
Logging on the SCMP ..... 20
Navigating the SCMP ..... 21
UTC Server Room Components ..... 22
Appendix 1 - Firewall Access Rules ..... 23
Appendix - ISA Temperatures ..... 24
Overview

The University of Washington Transportation Services’ (UWTS) Gatehouses and Triangle Garage use Asguard Networks SimpleConnect™ to protect customer data. SimpleConnect™ is a centrally managed security system that creates a private network for the secure transmission of customer information. The system consists of the following devices:

- The SimpleConnect™ Management Platform (SCMP)
- Industrial Security Appliances (ISAs)
The SCMP resides on a server in the University Transportation Center where it controls and interacts with ISA devices deployed at point-of-sale locations within campus Gatehouses and the Triangle Parking Garage.
Pictured: Asguard SCMP, Asguard ISA 100, Asguard ISA 200
Base Case Scenario
A SimpleConnect™ deployment requires a SimpleConnect™ Management Platform (SCMP) and two or more Industrial Security Appliances (ISAs). The SCMP web user interface is used to configure and manage the Private Networks that are created by the ISAs. SimpleConnect™ operates on the principle of “Network Whitelisting”, which means only the communications specified are allowed. Each ISA has a unique cryptographic identity and the collection of ISA identities is what establishes a Private Network. Once ISAs know which peer ISAs they are allowed to communicate with, the ISAs establish point-to-point VPN tunnels to one another. The Network Devices behind each ISA communicate with one another as if they are connected to each other on a local switch, yet their communications are secured over the untrusted Shared Network. Additionally, the ISAs enforce the user-defined communications security policies as defined in SCMP, to further constrain Network Device connectivity to an absolute minimum. SimpleConnect™ strengthens the security posture of each Network Device by providing localized perimeter security.
UWTS Case
University of Washington Transportation Services oversees campus parking. The points in the UW parking system that involve credit card data transmission are the gatehouses and the Triangle Garage parking facility; these transmission points use the Asguard SimpleConnect™ deployment to ensure data security. The following pages provide details of the UW’s Asguard deployment.
UTC Server
UWTS/Asguard Networks SimpleConnect™ System
Gatehouse 1
Gatehouse 1 (continued)
Gatehouse 1 Closet Configuration
1. 100A3 Interconnection Unit (LIU)
2. Juniper Router
3. Telephony punch-down block
4. Switch for connecting multiple PCs to ISA
5. ISA power source (PoE)
6. ISA 100e
Gatehouse 2
Gatehouse 2 (continued)
Gatehouse 2 Closet Configuration
1. Juniper Router
2. Switch for connecting multiple PCs to ISA
3. ISA 200e
4. ISA power source (PoE)
Gatehouse 3
Gatehouse 3 (continued)
Gatehouse 3 Closet Configuration
1. Juniper Router
2. 100A3 Interconnection Unit (LIU)
3. Telephony punch-down block
4. ISA 200e
5. ISA power source (PoE)
Triangle Garage (Gatehouse 4)
Triangle Garage (Gatehouse 4) (continued)
Gatehouse 4 Configuration (located below attendant counter)
1. ISA 200e
2. Switch for connecting multiple PCs to ISA
3. ISA power source (PoE)
Gatehouse 5
Gatehouse 5 (continued)
Gatehouse 5 Closet Configuration
1. Telephony punch-down block
2. 100A3 Interconnection Unit (LIU)
3. Juniper Router
4. ISA power source
6. ISA 200e
Gatehouse 6
Gatehouse 6 (continued)
Gatehouse 6 Closet Configuration
1. Juniper Switch
2. 100A3 Interconnection Unit (LIU)
3. Telephony punch-down block
3A. Telephony punch-down block
4. ISA 200e
5. ISA power source (PoE)
TrainMe (Gatehouse 9)
TrainMe (Gatehouse 9) (continued)
TrainMe (Gatehouse 9) Configuration
Logging on the SCMP
Business Systems manages the Asguard Networks system through a user interface provided by the SimpleConnect™ Management Platform (SCMP). The SCMP is shipped with a static IP address configured on its Shared Network port. To open the SCMP web application, a user first receives administrative login credentials (username and password) from Business Services. From a PC with a web browser, the user enters the SCMP's IP address in the browser and logs into the UWTS SimpleConnect network with those credentials.

Note: The following browsers work best with SimpleConnect: Firefox 19, Chrome 15, IE 9 or later.
1. Enter Username and Password at the Sign in page.
2. From the Dashboard use the tabs to perform various actions.
Navigating the SCMP
Users navigate within the SCMP primarily by accessing the Dashboard tabs. The SCMP interface allows the user to perform the following.

1. SCMP Private Network Creation
   - Create People (users)
   - Create Private Networks
   - Add People to Private Networks

2. ISA Initial Setup
   - Connect ISAs to local devices
   - Connect ISAs to shared network
   - Supply power to ISAs

3. SCMP Private Network Configuration
   - Add auto-discovered ISAs to a Private Network
   - Assign devices to each ISA
   - Select communications policies for the devices and between ISAs

4. SCMP Additional Administrative Functions
   - Wireless settings
   - Firmware updates
   - Database backup and restore
   - Support bundle creation
   - Customer Certificates
   - Email Settings
   - Syslog Configuration
   - ISA Blink

5. ISA Additional Functions
   - Factory reset
   - Diagnostic mode
   - Support bundle creation
   - Manual SCMP Configuration
   - Replacing an ISA
   - Dealing with a lost or stolen ISA

Note: Detailed software documentation for using the SCMP is available from Business Systems, or you may contact Asguard Networks at Email: [email protected], Phone: (425) 213-4691.
UTC Server Room Components
Appendix 1 - Firewall Access Rules

Incoming Public Access Rules
- VPN connections come through the public internet interface. An access list is assigned to the VPN user once the user authenticates to the firewall.
- No rules are defined, so access from the public internet is only allowed when the communication is initiated from behind the firewall, with the exception of VPN connections.

VPN User Rules
- Port 5635 for remote administration software allowed to Gatehouses, Triangle Cashiers, and internal servers
- Port 3389 (RDP) and Windows File Sharing allowed to the Bastion Host (10.25.84.150)
- ICMP (ping) allowed everywhere

Incoming UW Network Access Rules
- Gatehouses to Gatehouse/CC Server
  - TCP ports 1800-1801, UDP ports 1800-1801
- Triangle Cashiers to Triangle Server
  - TCP ports 1800-1801
  - Windows File/Print Sharing ports 137-139, 445
- Gatehouses to SQL Server
  - TCP port 1433
  - UDP port 1434
- Wheels 140.142.16.107 to Internal Servers
- Larry’s PC
  - Windows File/Print Sharing ports 137-139, 445
  - Port 5635 for remote administration
- McGann Report Printer
  - Windows File/Print Sharing ports 137-139, 445
- ICMP (ping) allowed everywhere
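The access rules in Appendix 1 and the "Network Whitelisting" principle described in the Base Case Scenario come down to the same check: a flow is permitted only if an explicitly written rule covers it, and everything else is dropped. The following is an added example, not code from Asguard Networks or UWTS, that encodes the Appendix 1 rules as data and evaluates constructed flows against them with that default-deny semantics. The zone names, the Flow and Rule layouts and the sample flows are assumptions made for the example; entries the appendix lists without both endpoints and ports (Wheels, Larry's PC, the McGann printer) are left out rather than guessed.

```python
"""Default-deny evaluator for the Appendix 1 firewall access rules.

Added example, not Asguard Networks or UWTS code. Zone names and the
Flow/Rule layout are constructed; the rules are transcribed from Appendix 1
(entries without both endpoints and ports stated are left out).
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

ANY = frozenset({"*"})  # wildcard zone
VPN = frozenset({"vpn_user"})
# Constructed zone names for hosts on the UW side of the firewall.
UW = frozenset({"gatehouse", "triangle_cashier", "gatehouse_cc_server",
                "triangle_server", "sql_server", "internal_server", "bastion"})
TCP, UDP, ICMP = frozenset({"tcp"}), frozenset({"udp"}), frozenset({"icmp"})


def ports(*items) -> FrozenSet[int]:
    """Build a port set from single ports and inclusive (low, high) ranges."""
    out = set()
    for item in items:
        if isinstance(item, tuple):
            out.update(range(item[0], item[1] + 1))
        else:
            out.add(item)
    return frozenset(out)


FILE_PRINT_SHARING = ports((137, 139), 445)


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: int = 0                   # destination port; 0 for icmp
    vpn_authenticated: bool = False  # has the source authenticated to the VPN?


@dataclass(frozen=True)
class Rule:
    src: FrozenSet[str]
    dst: FrozenSet[str]
    protos: FrozenSet[str]
    dports: Optional[FrozenSet[int]]  # None = any port (icmp has none)
    note: str

    def matches(self, f: Flow) -> bool:
        return ((self.src == ANY or f.src_zone in self.src)
                and (self.dst == ANY or f.dst_zone in self.dst)
                and f.proto in self.protos
                and (self.dports is None or f.dport in self.dports))


def rule(src, dst, protos, dports, note) -> Rule:
    return Rule(frozenset(src), frozenset(dst), protos, dports, note)


RULES = [
    # VPN User Rules
    rule(VPN, {"gatehouse", "triangle_cashier", "internal_server"}, TCP,
         ports(5635), "VPN: remote administration software (5635)"),
    rule(VPN, {"bastion"}, TCP, ports(3389), "VPN: RDP to Bastion Host 10.25.84.150"),
    rule(VPN, {"bastion"}, TCP | UDP, FILE_PRINT_SHARING,
         "VPN: Windows File Sharing to Bastion Host 10.25.84.150"),
    # Incoming UW Network Access Rules
    rule({"gatehouse"}, {"gatehouse_cc_server"}, TCP | UDP, ports((1800, 1801)),
         "Gatehouses to Gatehouse/CC Server"),
    rule({"triangle_cashier"}, {"triangle_server"}, TCP, ports((1800, 1801)),
         "Triangle Cashiers to Triangle Server (1800-1801)"),
    rule({"triangle_cashier"}, {"triangle_server"}, TCP | UDP, FILE_PRINT_SHARING,
         "Triangle Cashiers to Triangle Server (file/print sharing)"),
    rule({"gatehouse"}, {"sql_server"}, TCP, ports(1433), "Gatehouses to SQL Server"),
    rule({"gatehouse"}, {"sql_server"}, UDP, ports(1434), "Gatehouses to SQL Server"),
    rule(VPN | UW, ANY, ICMP, None, "ICMP (ping) allowed everywhere"),
]


def evaluate(f: Flow) -> Tuple[str, str]:
    """Return ("allow", note) or ("deny", reason); anything unmatched is denied."""
    # A VPN source only becomes a "VPN user" after authenticating to the
    # firewall; until then it is the public internet, which has no rules.
    if f.src_zone == "vpn_user" and not f.vpn_authenticated:
        return "deny", "unauthenticated public source: no inbound rules"
    for r in RULES:
        if r.matches(f):
            return "allow", r.note
    return "deny", "no matching rule (default deny)"


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    for s in [Flow("gatehouse", "sql_server", "tcp", 1433),
              Flow("gatehouse", "sql_server", "tcp", 1434),
              Flow("vpn_user", "bastion", "tcp", 3389, vpn_authenticated=True),
              Flow("vpn_user", "gatehouse", "tcp", 3389, vpn_authenticated=True),
              Flow("public", "gatehouse", "tcp", 5635)]:
        decision, why = evaluate(s)
        print(f"{decision:5} {s.src_zone}->{s.dst_zone} {s.proto}/{s.dport}: {why}")
```

A table like this is useful when auditing a rule change: run the flows a gatehouse actually needs through evaluate() and confirm nothing outside them is allowed, for instance that RDP from a VPN user to a gatehouse is denied while the same port to the bastion host is allowed.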
Appendix - ISA Temperatures
If you want to monitor the ISA temperatures, you can get a current reading of the ISA CPU temperature via the SCMP, as long as the ISA is on-line.
In the SCMP, navigate to the ISA details, and go to the Diagnostics tab. Select "Request a diagnostic report". Once the report is uploaded by the ISA, you can open it in Wordpad and near the top is a section titled "CPU Temperature".
The ISAs also log temperature (along with some other vital stats) persistently every 5 minutes. This information is part of a Support Bundle that can be analyzed by Asguard. We will be analyzing the ISA-100e units from GH3 and GH5.
Finally, it sounds like things are going fine so far today, but if you need anything, anytime, please email [email protected] for the fastest response.