
Lanxin Ma, Institute of High Energy Physics (IHEP), Chinese Academy of Sciences, September 30, 2004

The Security Protection System at IHEP-Net. Lanxin Ma, Institute of High Energy Physics (IHEP), Chinese Academy of Sciences, September 30, 2004, CHEP 2004, Interlaken. Outline: The Introduction; Why we need to improve IHEP-Net security protection capability; The measures we used.





Presentation Transcript


  1. The Security Protection System at IHEP-Net
     Lanxin Ma, Institute of High Energy Physics (IHEP), Chinese Academy of Sciences
     September 30, 2004, CHEP 2004, Interlaken

  2. Outline
     • The Introduction
     • Why we need to improve IHEP-Net security protection capability
     • The measures we used
       • Firewall & VPN
       • Anti-Virus system
       • Anti-Spam system
       • The security control and management center
       • Emergency Response Team
     • Summary
     (Slide footer: Interlaken, Switzerland, CHEP2004, 30 September, Lanxin Ma)

  3. The Introduction
     • IHEP was the first in China to connect computers to the Internet, at the beginning of the 1990s
     • The outlet (Internet) bandwidth is 10M
     • The IHEP-Net backbone is Gigabit Ethernet
     • The intranet bandwidth to each host is 100M
     • The intranet has a star structure, with a main switch connected to each laboratory
     • Switch-based network
     • There are more than 2000 hosts and many servers based on PC/Linux, Win2000, etc.
     • IHEP-Net provides the computing environment for the BESII and BESIII experiments

  4. The Current Topology of IHEP-Net
     [Topology diagram; only its labels survive. Access switches: hammer3550-24 units on the 2nd floor of the Chemistry Building, the 2nd and 5th floors of the Main Building and the 2nd floor of the Physics Building; a Cisco Catalyst 3750 in Main Building 426 for the BES farm; hammer6808 units in the Main Building and Physics Building 2nd-floor computer labs; an SSR8600 at the Computing Center; SSR2000 units at the BES center control, the Second workshop, the Third hall and the Orb lab; an ELS100 at the First Hall; a Cisco3640; the Second, Fourth, Fifth, Sixth, Twelfth and Thirteenth Halls, the Library Building, the Report Building and the Online Building; the PC-FARM and BES-FARM; and the CSTNET uplink. Legend: blue line = 100TX / 1000LX, purple line = 100FX / 1000SX.]

  5. Why we need to improve IHEP-Net security
     • Before 2002:
       • The firewall system was too simple
       • It was easy for hackers to attack
       • There was no anti-virus system
       • There was no anti-spam system
     • The security problem is one of the important issues at IHEP-Net
     • At the end of 2001, the network security group was organized in the computing center of IHEP to enact the security policy and strategy against attacks and to improve IHEP-Net security

  6. The measures to improve IHEP-Net security
     • Re-constructed the IHEP-Net infrastructure:
       • IHEP-Net consists of 3 areas: one intranet, one DMZ and one special hosts area (SA)
     • Re-configured the firewall system:
       • Some servers and some special hosts moved to the DMZ and SA
       • New rules control the access among the Internet, the intranet, the DMZ and the special hosts area
     • IDS (an intrusion detection system)
       • Works with the firewall so that all packets from outside IHEP are checked and filtered
     • VPN at IHEP-Net
       • Access to hosts inside IHEP from outside must go via the FW or the VPN
     • Anti-spam system
     • Anti-virus system
     • The network security control and management center
     • The emergency response team

  7. The Security Protection System of IHEP-Net
     [Architecture diagram; only its labels survive. Components: the Internet; the SOC of IHEP-Net (security policy, administrator system, administration platform, security scanner system, monitor system, security incident response team); the DMZ with the anti-virus and anti-spam systems; special-use machines; the LAN; and the agents listed at the side of the figure: trap system, forensic agent, survive system, backup system, IDS agent.]

  8. The Secure IHEP-Net
     • Firewall system
     • VPN system
     • Access to hosts inside IHEP from outside IHEP must be via the FW or the VPN
     [Diagram: Internet – FW / VPN – DMZ, SA, Intranet]

  9. The Firewall System
     • Firewall system
       • Has been reconfigured
       • Prevents unauthorized access to our network from other networks
       • Controls the access among the Internet, the intranet, the DMZ and the special hosts area (SA)
       • Some servers and some special hosts moved to the DMZ and SA; access among the Internet, intranet, DMZ and SA is allowed according to the rules
     • The intranet consists of:
       • The isolated hosts, which are not allowed to access the Internet and can only access hosts inside IHEP
       • The hosts which access the Internet via NAT
     • A host outside IHEP cannot connect to the intranet directly
     [Diagram: Internet – DMZ, SA, Intranet]
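An added example, not from the talk: a small first-match policy evaluator that encodes the zone rules of slide 9 (Internet, intranet, DMZ, SA, isolated hosts, NAT). The address ranges, the isolated host list and the DMZ/SA-to-Internet rule are assumptions, not IHEP's real configuration.

```python
# Added example (not from the talk): zone policy evaluator modelled on the
# firewall rules of slide 9. Address ranges and host lists are assumptions.
import ipaddress
from dataclasses import dataclass

# Assumed address plan (constructed for the example, not IHEP's real one).
ZONES = {
    "DMZ": ipaddress.ip_network("203.0.113.0/24"),
    "SA": ipaddress.ip_network("198.51.100.0/24"),
    "INTRANET": ipaddress.ip_network("10.0.0.0/8"),
}
# Intranet hosts confined to IHEP: no Internet access, not even via NAT.
ISOLATED = {ipaddress.ip_address("10.1.1.5"), ipaddress.ip_address("10.1.1.6")}


def zone_of(ip: str) -> str:
    """Classify an address; anything outside the inside zones is the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


@dataclass
class Decision:
    action: str   # "ALLOW" or "DENY"
    nat: bool     # True when the flow leaves through the NAT address
    reason: str


def evaluate(src: str, dst: str) -> Decision:
    """First-match evaluation of the slide's rules; the order matters."""
    s, d = zone_of(src), zone_of(dst)
    if s == "INTERNET" and d == "INTRANET":
        return Decision("DENY", False, "outside host may not reach intranet directly (use VPN)")
    if d == "INTERNET" and ipaddress.ip_address(src) in ISOLATED:
        return Decision("DENY", False, "isolated host may only reach hosts inside IHEP")
    if s == "INTERNET" and d in ("DMZ", "SA"):
        return Decision("ALLOW", False, "published zone reachable from Internet")
    if s == "INTRANET" and d == "INTERNET":
        return Decision("ALLOW", True, "intranet host reaches Internet via NAT")
    if s in ("DMZ", "SA") and d == "INTERNET":
        return Decision("ALLOW", False, "assumed: DMZ/SA hosts use public addresses")
    if s != "INTERNET" and d != "INTERNET":
        return Decision("ALLOW", False, f"{s} -> {d} inside IHEP, allowed as rules")
    return Decision("DENY", False, "no matching rule (default deny)")
```

Note that the isolated-host check must come before the general intranet-to-Internet rule; swapping them would silently grant those hosts NAT access.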

  10. The VPN System
     • VPN system
       • Hosts outside IHEP access the IHEP intranet via the FW or the VPN
       • VPN server + PPTP as the tunneling protocol
       • Client OS: Win2000/XP/2003/Linux
     • Authentication
       • USBKEY authentication
       • A unique IP address is assigned to each client host
     • The VPN server also has a packet filtering function
       • The access level of each VPN account is controlled through packet filtering rules

  11. The Anti-Virus System
     • Anti-virus wall at the gateway level: provides real-time virus detection and cleanup for all SMTP, HTTP and FTP Internet traffic at the gateway
     • Desktop anti-virus system: offers centralized virus protection to all Windows OS hosts across the network; server/client structure

  12. The Topology of the Anti-Virus System at the Gateway
     • For SMTP:
       • All emails sent and received are filtered by this system
       • To support outbound mail processing, specify your local domains
       • Enable anti-relay
     • Using a web proxy to filter viruses in HTTP traffic
     • Using an FTP proxy to filter viruses in FTP traffic; this system can act as a file transfer proxy itself
     [Diagram: Internet – Router – FW – Anti-virus system at gateway for SMTP, HTTP, FTP – Mail servers, Web proxy server – Clients]

  13. The Topology of the Anti-Spam System at the Gateway
     • Access from IP addresses that attack IHEP-Net is refused at the firewall
     • All emails sent and received must be filtered by this system
     • The anti-spam gateway is the only host sending emails to the Internet and receiving emails from the Internet
     • A low filtering level is used normally, in order not to lose emails
     • Spam mails have decreased significantly
     [Diagram: Internet – Router – FW – Anti-spam system at gateway – Mail servers – Clients]
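An added example, not from the talk or the gateway product it used: the relay decision a single mail gateway makes when "anti-relay" is enabled with a list of local domains (slide 12), combined with the firewall-level refusal of attacking addresses (slide 13). The local domains, internal network and blocked address are constructed assumptions.

```python
# Added example (not from the talk): relay decision of a single mail gateway,
# following slides 12 and 13. Domains, networks and the blocked address are
# constructed assumptions.
import ipaddress

LOCAL_DOMAINS = {"ihep.example", "mail.ihep.example"}    # assumed local domains
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed intranet range
BLOCKED_IPS = {ipaddress.ip_address("192.0.2.77")}        # constructed: refused at FW


def _domain(addr: str) -> str:
    """Return the domain of a plain user@domain address, rejecting other forms."""
    local, sep, domain = addr.rpartition("@")
    # Exactly one '@' and no routing characters in the local part, so a
    # recipient cannot smuggle a second hop past the local-domain check.
    if not sep or not local or not domain or any(c in local for c in "@%!"):
        raise ValueError(f"malformed address: {addr!r}")
    return domain.lower()


def relay_decision(client_ip: str, mail_from: str, rcpt_to: str) -> tuple[bool, str]:
    """Decide one RCPT TO: accept inbound mail for local domains from anywhere,
    accept outbound mail only from internal clients, refuse everything else."""
    ip = ipaddress.ip_address(client_ip)
    if ip in BLOCKED_IPS:
        return False, "client address is refused at the firewall"
    try:
        rcpt_domain = _domain(rcpt_to)
        if mail_from:                 # an empty MAIL FROM is a bounce message
            _domain(mail_from)
    except ValueError as err:
        return False, str(err)
    if rcpt_domain in LOCAL_DOMAINS:
        return True, "inbound: recipient is in a local domain"
    if any(ip in net for net in INTERNAL_NETS):
        return True, "outbound: internal client sending to the Internet"
    return False, "relay denied: external client to external recipient"
```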

  14. Anti-Spam and Anti-Virus Work Together
     • The anti-spam system works well together with the anti-virus system, so that all emails sent and received are filtered by both. This keeps the amount of spam reaching users' mailboxes as low as possible and ensures that no virus mails reach users' mailboxes.

  15. The Security Control and Management Center
     • Some home-made software to:
       • Make statistics on and analyze the network flux (traffic)
       • Detect and monitor hosts that have exceptional flux
       • Detect and monitor hosts that scan other hosts, and respond
       • Disconnect a host from the network if it has a security problem that causes the network to stop working
       • Refuse connections to the mail server from hosts that spread virus mails
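An added example, not the SOC's own software: the three detection steps of slide 15 (per-host flux statistics, exceptional-flux hosts, scanning hosts) and the response mapping, run over constructed flow records. The record format, thresholds and the action mapping are assumptions.

```python
# Added example (not the SOC's own software): flux statistics, exceptional-flux
# detection and scanner detection as described on slide 15, run over
# constructed flow records. Thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (src, dst, dst_port, bytes); a real feed would come
# from switch or router flow exports.
FLOWS = [
    ("10.1.1.10", "203.0.113.5", 80, 120_000),
    ("10.1.1.10", "203.0.113.9", 443, 95_000),
    ("10.1.1.11", "203.0.113.5", 80, 60_000),
    ("10.1.1.12", "203.0.113.5", 80, 80_000),
    ("10.1.1.13", "203.0.113.5", 80, 70_000),
    ("10.1.1.20", "198.51.100.2", 25, 9_000_000),   # far above every other host
] + [("10.1.1.30", f"10.1.2.{i}", 445, 200) for i in range(1, 41)]  # 40 targets


def flux_per_host(flows):
    """Total bytes sent by each source host (the 'statistics' step)."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes in flows:
        totals[src] += nbytes
    return dict(totals)


def exceptional_flux(flows, zscore=2.0):
    """Hosts whose sent bytes exceed mean + zscore * population stddev."""
    totals = flux_per_host(flows)
    if len(totals) < 2:
        return set()
    vals = list(totals.values())
    mu, sigma = mean(vals), pstdev(vals)
    return {h for h, b in totals.items() if sigma and b > mu + zscore * sigma}


def scanners(flows, min_targets=20):
    """Hosts that contact at least min_targets distinct destination hosts."""
    targets = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        targets[src].add(dst)
    return {h for h, t in targets.items() if len(t) >= min_targets}


def response_actions(flows):
    """Map flagged hosts to the responses the slide lists (assumed mapping)."""
    actions = {h: "disconnect from the network" for h in scanners(flows)}
    for h in exceptional_flux(flows):
        actions.setdefault(h, "refuse connections to the mail server, investigate")
    return actions
```

With only a handful of hosts the z-score is dominated by the outlier itself (the largest attainable z with a population stddev is sqrt(n-1)), so on a real network the baseline should come from several days of traffic rather than the current window.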

  16. The Emergency Response Team
     • Security problem response team for on-site service
       • Respond to security problems (system/application)
       • Clean up viruses on infected hosts
       • Patch their systems
       • Scan hosts for system vulnerabilities (leaks), etc.
     • The technical support methods
       • Hotline
       • Helpdesk system for users to submit service requests via a web page
       • Mail system for users to get our help

  17. Summary
     • Now we successfully:
       • Prevent attacks from outside and inside
       • Prevent virus spread
       • Reduce spam dramatically
       • Respond to and deal with the security problems of local users
     • IHEP-Net is becoming more and more secure
     • In the future, we should also consider:
       • VPN connections among IHEP-Net
       • Letting users choose their own spam filtering level
       • Improving the capability of the firewall system and the SOC
