Page 1

The Security Protection System at IHEP-Net

Lanxin Ma
Institute of High Energy Physics (IHEP), Chinese Academy of Sciences

September 30, 2004
CHEP 2004, Interlaken

Page 2

Outline

• The Introduction
• Why we need to improve IHEP-Net security protection capability
• The measures we used
– Firewall & VPN
– Anti-Virus system
– Anti-Spam system
– The security control and management center
– Emergency Response Team
• Summary

Interlaken, Switzerland, CHEP2004, 30 September, Lanxin Ma, 2

Page 3

The Introduction

• IHEP was the first to connect computers to the Internet in China, at the beginning of the 1990s
• The outlet bandwidth is 10M
• The IHEP-Net backbone is Gigabit Ethernet
• The intranet bandwidth to each host is 100M
• The intranet has a star structure, with a main switch connected to each laboratory
• Switch-based network
• There are more than 2000 hosts and many servers based on PC/Linux, Win2000, etc.
• IHEP-Net provides the computing environment for the BESII and BESIII experiments

Page 4

The Current Topology of IHEP-Net

[Network diagram. Labels: CSTNET; Computing Center SSR8600; Cisco3640 (computing center); Big hammer 6808 (Main Building 2nd floor computer lab, Physics Building 2nd floor computer lab); hammer 3550-24 access switches (Main Building 2nd and 5th floors, Physics Building 2nd floor, Chemistry Building 2nd floor); Cisco Catalyst 3750 (Main Building 426, BES farm); SSR2000 (Third Hall, Orb lab, BES center control, Second workshop); ELS100 (First Hall); PC-FARM and BES-FARM; Second, Fourth, Fifth, Sixth, Twelfth and Thirteenth Halls; Library Building, Report Building, Online Building. Link legend: blue line 100TX, purple line 100FX, 1000LX, 1000SX.]

Page 5

Why we need to improve IHEP-Net security

Before 2002:
• The firewall system was too simple
• It was easy for hackers to attack
• There was no anti-virus system
• There was no anti-spam system

Security is one of the important issues at IHEP-Net.

At the end of 2001, a network security group was organized in the IHEP computing center to enact the security policy and strategy against attacks and to improve IHEP-Net security.

Page 6

The measures to improve IHEP-Net Security

• Re-constructed the IHEP-Net infrastructure:
– IHEP-Net consists of 3 areas: one intranet, one DMZ and one special hosts area (SA)
• Re-configured the firewall system:
– Some servers and some special hosts moved to the DMZ and SA
– New rules control the access among the Internet, the intranet, the DMZ and the special hosts area
• IDS (an intrusion detection system)
– Works with the firewall so that all packets from outside IHEP are checked and filtered
• VPN at IHEP-Net
– Access to hosts inside IHEP from outside must be via the FW or VPN
• Anti-Spam system
• Anti-Virus system
• The network security control and management center
• The emergency response team

Page 7

The Security Protection System of IHEP-Net

[Diagram: The SOC of IHEP-Net. Components: Internet; Security Scanner System; Administration platform; Anti-virus, Anti-spam system; DMZ; Special using machine; LAN; Security Policy; Administrator System; Security Incident Response Team; Monitor system with Forensic agent, Trap system, Survive system, IDS agent and Backup system.]

Page 8

The Secure IHEP-Net

Access to hosts inside IHEP from outside IHEP must be via the FW or VPN.

[Diagram: Internet, Firewall system (FW), VPN system, Intranet, DMZ, SA.]

Page 9

The Firewall System

• Has been reconfigured
• Prevents unauthorized access to our network from other networks
• Controls the access among the Internet, the intranet, the DMZ and the special hosts area
• Some servers and some special hosts moved to the DMZ and SA. Access among the Internet, intranet, DMZ and SA is allowed according to the rules
• The intranet consists of:
o The isolated hosts, which are not allowed to access the Internet and only access hosts inside IHEP
o The hosts which access the Internet via NAT
• Hosts outside of IHEP cannot connect to the intranet directly

[Diagram: Internet, Intranet, DMZ, SA.]

Page 10

The VPN System

• Hosts outside of IHEP access the IHEP intranet via the FW or VPN
• VPN server with PPTP as the tunneling protocol
• Client OS: Win2000/XP/2003/Linux
• Authentication: USBKEY authentication
• A single IP address is assigned to each client host
• The VPN server also has a packet filtering function
• The access level of each VPN account is controlled through packet filtering rules
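The access policy of the firewall and VPN slides (zone rules at the firewall, per-account packet filtering at the VPN server keyed by the single address each account owns), as an added example that is not IHEP's configuration; the address ranges, port lists and the VPN account are constructed assumptions:

```python
"""Default-deny, zone-based access check modelled on the firewall and VPN slides.
Added example: address ranges, ports and the VPN account are constructed, not IHEP's."""
import ipaddress
# Constructed address plan: one prefix per zone (RFC 1918 / documentation ranges).
ZONES = {
    "intranet_isolated": ipaddress.ip_network("10.10.0.0/16"),    # no Internet access
    "intranet_nat":      ipaddress.ip_network("10.20.0.0/16"),    # reaches the Internet via NAT
    "dmz":               ipaddress.ip_network("192.0.2.0/24"),
    "sa":                ipaddress.ip_network("198.51.100.0/24"), # special hosts area
    "vpn":               ipaddress.ip_network("10.99.0.0/24"),    # pool handed to VPN clients
}
INSIDE = {"intranet_isolated", "intranet_nat", "dmz", "sa"}

# Per-source-zone allow table: destination zone -> allowed ports (None = any port).
# Anything not listed is dropped, so hosts outside IHEP never reach the intranet directly.
ALLOW = {
    "intranet_nat":      {z: None for z in INSIDE | {"internet"}},
    "intranet_isolated": {z: None for z in INSIDE},   # hosts inside IHEP only
    "internet":          {"dmz": {25, 80, 443}},      # constructed: published DMZ services
    "dmz":               {"intranet_nat": {25}},      # constructed: mail gateway relays inward
    "sa":                {z: None for z in INSIDE},   # constructed
}
# VPN: one fixed client address per account, each with its own packet-filter rules.
VPN_ACCOUNTS = {"10.99.0.5": {"intranet_nat": {22}}}  # constructed account: SSH only

def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the IHEP prefixes is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def is_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """Decide one flow as the firewall (or, for VPN clients, the VPN server) would."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    # VPN traffic is filtered per account, keyed by the single address the account owns.
    rules = VPN_ACCOUNTS.get(src_ip, {}) if src == "vpn" else ALLOW.get(src, {})
    if dst not in rules:
        return False
    ports = rules[dst]
    return ports is None or dport in ports

if __name__ == "__main__":
    for flow in [("10.20.1.1", "203.0.113.9", 443), ("10.10.1.1", "203.0.113.9", 443),
                 ("203.0.113.7", "10.20.1.1", 22), ("10.99.0.5", "10.20.1.1", 3389)]:
        print(flow, "ALLOW" if is_allowed(*flow) else "DROP")
```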


Page 11

The Anti-Virus System

• Anti-Virus Wall at the gateway level: provides real-time virus detection and cleanup for all SMTP, HTTP and FTP Internet traffic at the gateway
• Desktop anti-virus system: offers centralized virus protection to all Windows OS hosts across the network, with a server/client structure

Page 12

The topology of the Anti-Virus System at the Gateway

• For SMTP
– All emails sent and received are filtered by this system
– To support outbound mail processing, specify your local domains
– Enable anti-relay
• Using a web proxy to filter viruses in HTTP traffic
• Using an FTP proxy to filter viruses in FTP traffic. This system can act as a file transfer proxy itself

[Diagram: Internet, FW, Router, Anti-Virus system at gateway for SMTP, HTTP, FTP, Web proxy server, Mail Servers, Clients.]

Page 13

• Refusing access at the firewall from IP addresses that attack IHEP-Net
• All emails sent and received must be filtered by this system
• The anti-spam gateway is the only host sending emails to the Internet and receiving emails from the Internet
• A low filtering level is used normally in order not to lose emails
• Spam mails have decreased significantly

The topology of the Anti-Spam System at the Gateway

[Diagram: Internet, FW, Router, Anti-Spam system at gateway, Mail Servers, Clients.]

Page 14

Anti-Spam and Anti-Virus Work Together

The anti-spam system works together with the anti-virus system so that all emails sent and received are filtered by both. This keeps the amount of spam reaching users' mailboxes as low as possible and ensures that no virus mails reach users' mailboxes.

Page 15

The Security Control and Management Center

• Some home-made software to:
• Make statistics on and analyze the network flux
• Detect and monitor hosts that have exceptional flux
• Detect and monitor hosts that scan other hosts, and respond
• Disconnect a host from the network if it has a security problem that stops the network from working
• Connection to the mail server is refused for hosts that spread virus mails
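The three detections listed above (exceptional flux, hosts scanning other hosts, hosts spreading virus mails) run over constructed flow records, as an added example rather than IHEP's home-made software; the flow records, thresholds and the two response actions are assumptions:

```python
"""Flow-record analysis in the spirit of the control center's home-made software.
Added example: flow records, thresholds and actions are constructed, not IHEP's tools."""
from collections import defaultdict
# Constructed flow records: (source IP, destination IP, destination port, bytes).
FLOWS = [
    ("10.20.1.5", "192.0.2.10", 80, 900_000_000),  # one host moving far more data than its peers
    ("10.20.1.5", "192.0.2.11", 80, 700_000_000),
    ("10.20.1.8", "192.0.2.10", 80, 120_000),      # ordinary user traffic
    ("10.20.1.8", "10.20.3.4", 22, 40_000),
]
FLOWS += [("10.20.2.9", f"10.20.4.{i}", 445, 300) for i in range(1, 41)]      # sweeps 40 hosts on one port
FLOWS += [("10.20.2.12", f"203.0.113.{i}", 25, 5_000) for i in range(1, 31)]  # SMTP to 30 destinations

def bytes_per_host(flows):
    """Total bytes sent by each source: the 'network flux' statistic."""
    total = defaultdict(int)
    for src, _, _, nbytes in flows:
        total[src] += nbytes
    return dict(total)

def exceptional_flux(flows, limit_bytes):
    """Hosts whose total traffic exceeds the limit."""
    return {h for h, b in bytes_per_host(flows).items() if b > limit_bytes}

def scanners(flows, min_targets):
    """Hosts that touched at least min_targets distinct destinations on one port: a scan signature."""
    targets = defaultdict(set)
    for src, dst, port, _ in flows:
        targets[(src, port)].add(dst)
    return {src for (src, port), dsts in targets.items() if len(dsts) >= min_targets}

def mass_mailers(flows, min_targets):
    """Hosts opening SMTP sessions to many destinations, the pattern of a mail-borne virus."""
    targets = defaultdict(set)
    for src, dst, port, _ in flows:
        if port == 25:
            targets[src].add(dst)
    return {src for src, dsts in targets.items() if len(dsts) >= min_targets}

def recommend_actions(flows, limit_bytes=1_000_000_000, min_targets=20):
    """Map each flagged host to the response the slides describe."""
    actions = {h: "refuse connection to mail server" for h in mass_mailers(flows, min_targets)}
    for h in exceptional_flux(flows, limit_bytes) | scanners(flows, min_targets):
        actions.setdefault(h, "disconnect from network")  # mail rule wins for mass mailers
    return actions

if __name__ == "__main__":
    for host, action in sorted(recommend_actions(FLOWS).items()):
        print(f"{host:12} -> {action}")
```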


Page 16

The Emergency Response Team

• Security problem response team for local service
– Respond to security problems (system/application)
• Clean up viruses on infected hosts
• Patch their systems
• Scan hosts for system vulnerabilities, etc.
• Technical support methods
– Hotline
– Helpdesk system for users to submit service requests via a web page
– Mail system for users to get our help

Page 17

Summary

Now, we successfully:
– prevent attacks from outside and inside
– prevent virus spread
– reduce spam dramatically
– respond to and deal with the security problems of local users

IHEP-Net is becoming more and more secure. In the future, we should also consider:
– The VPN connection among IHEP-Net
– Letting users choose their own spam filtering level
– Improving the capability of the firewall system and the SOC