
Construction and Management of a Secure Network in SPring-8

M. Ishii, T. Fukui, M. Kodera, T. Ohata, R. Tanaka, SPring-8, JAPAN. ICALEPCS 2005, Geneva, Switzerland, 11-Oct-2005.


Presentation Transcript


  1. Construction and Management of a Secure Network in SPring-8
     M. Ishii, T. Fukui, M. Kodera, T. Ohata, R. Tanaka, SPring-8, JAPAN
     ICALEPCS 2005, Geneva, Switzerland, 11-Oct-2005

  2. Contents
     • Introduction
     • Network system in SPring-8
     • Worm attacks
     • Toward a secure network
     • Installation of Security Gateway
     • Operation
     • Summary

  3. Introduction
     • In August 2003, the computer worm W32/Blaster spread explosively around the world.
     • Because of the worm infection, we couldn't provide a fast, stable and secure network environment to the experimental users.

  4. We had introduced
     • a firewall system against attacks from outside,
     • Virtual-LAN (VLAN) and IP filtering to establish the independence of the experiment environment.
     • A firewall, VLAN and IP filtering were not secure enough against worm attacks from inside.
     • We required a new technical solution…

  5. SPring-8
     • SPring-8 was opened for public use in 1997.
     • The total number of experimental users exceeded 9,000 in the year 2003.
     (Photo: Experimental Hall in the storage ring building)

  6. Beamline
     • SPring-8 has 48 beamlines for synchrotron radiation experiments.
     • Each beamline has an experimental station.
     (Diagram: Beamline-No.1, Beamline-No.2, …)

  7. Network system

  8. Experimental users require a fast, stable and secure network environment.
     • We had provided
     • Gigabit Ethernet backbone (for fast)
     • redundant system (for stable)
     • firewall, VLAN, IP filtering (for secure)

  9. Network system of SPring-8
     • Control-LAN is used to control accelerators, ID, BL.
     • Office-LAN is a network for the facility public.
     • BL-USER-LAN is a network for the experimental stations (Beamline-No.1 … Beamline-No.48).
     • A firewall passes through only packets from predefined IP addresses and opens a limited set of service ports (it rejects http, ftp, ping, ssh, …).
     • IP packets can't pass through directly from the Office-LAN because of NAT.
     • The network switch performs access control by IP filtering.
     • VLAN is used for a logically independent LAN per beamline.
     (Diagram: internet, firewall, Control-LAN, Office-LAN, firewall, BL-USER-LAN; 100 Mbps and 1 GbE links)

  10. Where worm attacks are blocked
     • A firewall blocks worm attacks from the internet.
     • A firewall blocks worm attacks from the BL-USER-LAN.
     • A network switch blocks worm attacks from the Office-LAN by NAT.
     • A network switch blocks worm attacks from a beamline to other beamlines by using VLAN and IP filtering.
     (Diagram: internet, firewall, Control-LAN, Office-LAN, firewall, BL-USER-LAN, Beamline-No.1 … Beamline-No.48)

  11. Worm attacks

  12. How the worm attack damaged the network
     1. A user connected a worm-infected laptop PC to the BL-USER-LAN (Beamline-No.1).
     2. The worm checked for active machines as targets for attack by sending ping.
     3. The network switch was overloaded by the significantly increased ping traffic.
     (Chart: the CPU utilization of the network switch reached 100%.)
     • It was caused by performing NAT on the CPU.
     • The worm traffic was about 200 kbps (a ping packet size was about 100 bytes).
     (Diagram: OA-LAN, firewall, internet)

  13. Toward a secure network

  14. Necessity of a technical solution
     • We have to protect the BL-USER-LAN from computer worms.
     • We installed a security gateway in the summer of 2004.

  15. Selection criteria: security type, Host or Network
     • Host type: the software guards each PC from worm attack. Host type needs many software licenses. We don't install software licenses on the PCs of the many users coming from various institutions.
     • Network type: the security equipment is installed into the backbone.
     • We selected Network type.

  16. Selection criteria: security system, IDS or IPS
     • IDS is an Intrusion Detection System.
     • IDS monitors a packet and checks whether the packet is a worm or not.
     • The worm packet passes through. If IDS detects a worm packet, it sends e-mail to a network administrator.
     (Diagram: Hub, IDS)

  17. Selection criteria: security system, IDS or IPS
     • IPS is an Intrusion Prevention System.
     • When IPS receives a packet, it checks whether the packet is a worm or not. IPS blocks the worm packet.
     • Our requirement: we want to block the spread of worms A.S.A.P. "The greatest happiness of the greatest number."
     • We selected IPS.

  18. Selection criteria: other items
     • Traffic throughput of IPS
     • We required more than 200 Mbps.
     • Before installation of the security gateway, total throughput was about 100 Mbps at a maximum.
     • Easy management and easy operation
     • The modification for system installation has to be minimal.

  19. Installation of Security Gateway
     • In the summer of 2004, we installed a Security Gateway, InterSpect, inside the BL-USER-LAN.
     (Diagram: Control-LAN, firewall, Office-LAN, firewall, BL-USER-LAN, Beamline-No.1 … Beamline-No.48)

  20. InterSpect
     • InterSpect is a product of
     • It is invisible to the IP network (transparent mode).
     • Traffic throughput is 500 Mbps.
     • We measured the actual throughput. InterSpect certainly guarantees a throughput up to 500 Mbps.
     • We will be able to integrate management of the firewall and the InterSpect in the future.

  21. Hardware and installation
     • The hardware is a Dell Inc computer (1U).
     • We purchased an InterSpect at $25,000.
     • Additionally, the maintenance contract is $8,000 per year.
     • It took about 4 hours to install an InterSpect:
     • unpacking
     • mounting InterSpect in a 19" rack
     • coffee break
     • setting the configuration of InterSpect
     • Running START!!

  22. Quarantine (isolate)
     • When a PC performs many port scans, InterSpect automatically quarantines the PC for 30 min.
     • For 30 min, InterSpect drops all packets from the worm-infected PC (TRASH BOX).
     • If the PC activity still exists at the end of the quarantine period, it is once more automatically quarantined.
     (Diagram: Beamline-No.1 … Beamline-No.48)

  23. Limits of the quarantine
     • InterSpect passes through all packets from a clean PC in the same beamline.
     • The worm-infected PC can still communicate with other PCs in the same beamline.
     • Users have to guard their PCs by themselves.
     (Diagram: Beamline-No.1 … Beamline-No.48)

  24. Operation of InterSpect

  25. Operation experience
     • Block (i.e. quarantine) the sweep port scanning (SPS) at the InterSpect!
     • A worm infection uses many SPS (ping) to seek target machines.
     • Merit: blocking SPS can prevent the preemptive attacks. A PC that performs SPS is automatically quarantined.
     • Demerit: once SPS is blocked, we have no way to identify the variety of worm. A quarantined host is classified just as "suspicious".
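The quarantine behaviour of slides 22 and 25 (a host that sweeps many destinations is dropped for 30 min, and re-quarantined if it is still active when the period ends) in code. This is an added example, not InterSpect's own logic; the sweep threshold, the window length and the traffic are constructed assumptions.

```python
from collections import defaultdict, deque

QUARANTINE_SECONDS = 30 * 60   # InterSpect quarantines a sweeping host for 30 min (slide 22)
SWEEP_THRESHOLD = 16           # constructed: distinct destinations in one window that count as SPS
WINDOW_SECONDS = 10            # constructed: length of the sliding window in seconds

class SweepQuarantine:
    """SPS detector with automatic quarantine and re-quarantine of still-active hosts."""
    def __init__(self):
        self.probes = defaultdict(deque)   # src -> (t, dst) probes inside the window
        self.until = {}                    # src -> time the current quarantine ends
        self.last_seen = {}                # src -> time of the last packet from src
        self.events = []                   # (t, src, "quarantine"|"requarantine"|"release")

    def _is_sweep(self, t, src, dst):
        q = self.probes[src]
        q.append((t, dst))
        while q and q[0][0] < t - WINDOW_SECONDS:   # forget probes older than the window
            q.popleft()
        return len({d for _, d in q}) >= SWEEP_THRESHOLD

    def handle(self, t, src, dst):
        """Return 'drop' if the packet goes to the trash box, 'pass' if it is forwarded."""
        prev = self.last_seen.get(src)
        self.last_seen[src] = t
        until = self.until.get(src)
        if until is not None:
            if t < until:
                return "drop"
            # Period over: a host still sending at its end is quarantined once more, else released.
            if prev is not None and prev >= until - WINDOW_SECONDS:
                self.until[src] = until + QUARANTINE_SECONDS
                self.events.append((t, src, "requarantine"))
                return "drop"
            del self.until[src]
            self.events.append((t, src, "release"))
        if self._is_sweep(t, src, dst):
            self.until[src] = t + QUARANTINE_SECONDS
            self.events.append((t, src, "quarantine"))
            return "drop"
        return "pass"

def scenario(host_keeps_sending):
    """Constructed traffic: 10.1.1.77 ping-sweeps 10.1.1.0/24 at 10 probes/s, then either goes
    quiet or keeps sending one packet per second until its quarantine ends."""
    gw = SweepQuarantine()
    verdicts = [gw.handle(i * 0.1, "10.1.1.77", f"10.1.1.{i}") for i in range(1, 20)]
    if host_keeps_sending:
        for t in range(2, 1802):
            gw.handle(t, "10.1.1.77", "10.1.1.200")
    verdicts.append(gw.handle(1802, "10.1.1.77", "10.1.1.200"))
    return verdicts, [e[2] for e in gw.events]
```

The detector only ever labels a host "suspicious", which is exactly the demerit slide 25 describes: nothing here identifies which worm is running.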

  26. Statistics
     (Chart: number of suspicious hosts; in the period when we didn't block SPS it was fewer than usual, zero.)
     • The "miss setting" was caused by the wrong detection of a pattern string.
     • A pattern string for detecting a worm is simple. The detection string of the Sasser worm is "\\sarpc$".
     • Normal connections such as Microsoft Active Directory use this string.
     • Don't make the pattern-string rules for worm detection too strict!!

  27. "Identified worm"
     • When I checked the "quarantine list" of InterSpect, I found a host scanning many ports. I rushed to the suspicious host and searched for the worm by using the virus scan software.
     • "Bingo!!" --> Trojan Horse.
     • The host turned from "suspicious" to "real".
     • Anti-virus software was installed on the PC infected with the Trojan Horse, but the definition file was old.
     • The license had already expired.

  28. For a year
     • The total number of quarantined suspicious hosts: 282
     • The total number of claims from quarantined users: 0
     • Quarantined PCs weren't used for their experiment??

  29. Summary

  30. We had introduced
     • a firewall system: against attacks from outside
     • VLAN and IP filtering: to establish the independence of each beamline. These technologies prevent the spread of worms between different beamlines.
     • We introduced a Security Gateway to protect the backbone of the BL-USER-LAN.
     • The total number of quarantined suspicious hosts was 282 for a year.
     • A management policy is required to operate the Security Gateway well.
     • The BL-USER-LAN has been working well for a year, being protected by a Security Gateway.

  31. Take care of your PC by yourself.

  32. Worm attacks damage the network switch
     • It is related to the NAT architecture of the network switch (CPU and ASIC).
     1. When the network switch receives a packet, it translates the IP address on the CPU.
     2. When the network switch receives packets of the same session (same source and destination), it handles the session by using the ASIC (Application Specific IC). --> The CPU is released from the packet processing load.
     • The worm infection sent ping packets to many different destination IP addresses while it swept one network segment. The CPU had to translate all of the received IP addresses. --> Finally it reached its performance limitations.
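A constructed model of the CPU/ASIC NAT path described on slides 12 and 32, added here as an example (not the switch vendor's code): the first packet of a session is translated on the CPU, later packets of the same session hit an LRU session table standing in for the ASIC. The table size and both traffic patterns are assumptions.

```python
from collections import OrderedDict

class NatSwitchModel:
    """Toy NAT switch: new sessions cost a CPU translation, known sessions go to the ASIC."""
    def __init__(self, table_size=1024):          # constructed session-table capacity
        self.table = OrderedDict()                # (src, dst) -> True, in LRU order
        self.table_size = table_size
        self.cpu_packets = 0
        self.asic_packets = 0

    def forward(self, src, dst):
        """Return which path handled the packet: 'cpu' or 'asic'."""
        key = (src, dst)
        if key in self.table:
            self.table.move_to_end(key)           # session already known: ASIC fast path
            self.asic_packets += 1
            return "asic"
        self.cpu_packets += 1                     # new session: address translation on the CPU
        if len(self.table) >= self.table_size:    # table full: evict the least recent session
            self.table.popitem(last=False)
        self.table[key] = True
        return "cpu"

    def cpu_share(self):
        """Fraction of all packets that had to be processed by the CPU."""
        total = self.cpu_packets + self.asic_packets
        return self.cpu_packets / total if total else 0.0

def normal_traffic():
    """Constructed: 50 beamline PCs each exchange 100 packets with each of 5 servers."""
    m = NatSwitchModel()
    for host in range(50):
        for _ in range(100):
            for server in range(5):
                m.forward(f"10.1.1.{host + 1}", f"10.1.0.{server + 1}")
    return m

def worm_sweep():
    """Constructed: one infected PC pings every host address in 10.1.0.0/24 .. 10.1.19.0/24."""
    m = NatSwitchModel()
    for third in range(20):
        for last in range(1, 255):
            m.forward("10.1.1.77", f"10.1.{third}.{last}")
    return m
```

Under the normal pattern only one packet in a hundred reaches the CPU, while every packet of the sweep does, which is the mechanism behind the 100% CPU utilization on slide 12.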
