310 likes | 470 Views
WMO TECO-WIS - Korea 2006 INTERNET SERVICES, VPN and SECURITY. Jean-François Gagnon Director, Network and Voice Operations Information Technology Infrastructure Directorate Chief Information Officer Branch Environment Canada .
E N D
WMO TECO-WIS - Korea 2006INTERNET SERVICES, VPN and SECURITY Jean-François Gagnon Director, Network and Voice Operations Information Technology Infrastructure Directorate Chief Information Officer Branch Environment Canada . Co-Chair, Expert Team on WIS-GTS Communication Techniques and Structures Information System and Services, CBS, WWW TECO-WIS, Seoul
Definition of the Internet • Network of networks • millions of smaller domestic, academic, business, and government networks • Uses TCP/IP protocol suite • Carries various information and services, such as electronic mail, online chat, file transfer, documents of the World Wide Web. • Internet and the World Wide Web are not synonymous: • the Internet is a collection of interconnected computer networks, linked by telecommunication media • the Web is a collection of interconnected documents, linked by hyperlinks and URLs. TECO-WIS, Seoul
Deployment of the Internet in the World TECO-WIS, Seoul
Internet Status as viewed by WMO ET-CTS • Noted some progress in implementation of TCP/IP procedures around the various WMO administrative regions • recently for smaller sites • major centers had already reported conversion at previous meetings • Experience is good and reports on reliability are reassuring • Still not recommended as unique method of data acquisition for mission critical activities • Internet does not provide guaranteed service levels • No operator has complete Internet responsibility, since amalgamation of numerous telecommunication systems • Security is an important concern, requires efforts and strong commitment by all TECO-WIS, Seoul
TCP/IP Protocol Suite – RFC112 and RFC 1123 TECO-WIS, Seoul
Use of TCP/IP on the GTS • As recommended TCP/IP on the GTS for several years • Benefits equate direct savings in financial and human resource costs to Members • reduced costs for communications equipment purchase and maintenance • reduced software development work - use of industry standard software systems TECO-WIS, Seoul
Common Protocols allow Coexistence • Internet can be used as: • an underlying technology for some components of the GTS in special conditions • as a backup to the GTS • as a complement to the GTS TECO-WIS, Seoul
Telecommunication Options TECO-WIS, Seoul
Internet Access Types • Dial-up • Based on public telephone system • Typically 64 Kbps or less • Usually billed on time • Short connections initiated by user’s (or centre’s) end • Permanent • Broadband (cable, DSL) or dedicated link • Typically 1 Mbps or better • Higher cost • Faster • Connection always established • Good for data providers TECO-WIS, Seoul
Implementation for Client-only Usage • Simple computer is sufficient to access Internet • Usually limited to small interactions initiated by user • Non-dedicated link (dial-up, DSL, cable) might be sufficient • Important to secure computer against unautorized incoming threats • Usually the simplest rules – deny all incoming • PC based « personal use » firewall software, such as • http://www.zonelabs.com/ • http://www.personalfirewall.comodo.com/ • http://www.sunbelt-software.com/kerio.cfm • Small « personal use » firewall, such as • http://www.linksys.com • http://dlink.com TECO-WIS, Seoul
Implementation for Servers • Usually requires a dedicated link • May be implemented with servers • within your organization • Completely under your responsibility • Usually more flexible, more control • Contracted to a hosting service provider • May be more attractive if little expertise in system and security management • May have less control and flexibility • Requires very clear statement of work and deliverables, especially regarding Service Level Agreements (support issues) TECO-WIS, Seoul
Official IP Addresses • It is essential to have a standard in the addressing scheme • Currently IPv4 most widely spread • IPv6 being deployed slowly. Not used in GTS yet. • It is essential to have uniqueness in the allocation of addresses • Since the GTS (and of course Internet) is not built as a unique network under the complete authority of a single organization, the allocation of addresses must therefore go through the official bodies TECO-WIS, Seoul
The Internet Security Threat • Motivation • Obtain information or resources • An attack can be motivated by the will to obtain information, for strategic, ideological, financial or intelligence reasons, or resources like storage, supercomputing or a link to an organization’s partner. • Desire to cause harm • Another motivation can be to prevent an organization to fulfil its mission properly, by blocking or modifying services or information, for revenge, terrorism, blackmail or malicious reasons. • Playful or exploration • Another kind of motivation is curiosity, boredom, game or challenge. Many famous governmental institutions have been hit by such motivated attacks, degrading their reputation. • Accident • The last category is human or physical accident. It can take many forms and touch any part of the information system (network, hardware and software), and can be prevented by an adequate disaster recovery procedures, such as implementing system redundancy and automatic failover procedures. • Regardless of motivation, the threat is real TECO-WIS, Seoul
The Internet Security Threat – Common Threats • Malicious codes: viruses, worms, Trojan horses • Denial of service • Malicious hacking • Spying • Compromising and abuse of system resources TECO-WIS, Seoul
Impacts of Security Breaches • System and service impacts that disrupt or incapacitate actual systems or services • System slow down: the events cause the systems to slow down for no apparent reason. • System rendered unavailable: the events cause the systems to stop functioning altogether. • System or component of system destroyed: the events cause not only the systems and services not to be available for a period of time, but cause the destruction of resources. • System apparently normal, but information stolen or compromised: the events that lead to these impacts usually reside on the systems in a way not to be detected. Often, the reason is to steal or spy. The impacts can be severe, as stolen information can be of sensitive or commercial nature. Compromised information may have public safety implications or political, religious, sexual or racial contents. The organization’s reputation and future may be at stakes as well as safety of life. • System used to compromise others: the events would compromise an organization’s systems in a way not to be detected, and may be left unused for a long time. However, these components can be used to compromise other systems. Although the impact on a given organization may seem negligible, harm to other organizations is possible. An organization could be falsely accused of being the source of trouble because of this technique. • Administrative, legal and reputation impacts • All organizations have a “network” responsibility. They must mitigate the problems of security and ensure they are not the cause of problems to others. Failure to do so may eventually lead to legal action. It is also obvious that bad information and poor service will certainly have administrative impacts as well as loss of reputation impacts. TECO-WIS, Seoul
Information Technology Security Best Practices • Network architecture • Local Area Networks • Wide Area Networks • Wireless LAN • Firewall systems • Remote access • Server access and security • File system authorisation rules • Security policies • The requirement for a security policy • Developing a policy • Threat and Risk Assessments (TRA) • Policy control • Procedures • System management • New system installation and change management • Installation of security patches • User account management • Backup / restore procedures and regular testing • Detection procedures • Response/recovery procedures • Public server configuration TECO-WIS, Seoul
Most Basic Security Tool: Firewalls • Types • Packet filters • Application Layer firewalls • By default should block all unauthorized traffic • Protects systems against unwanted access • Can be used in many places in the networks • Not just for security with the internet TECO-WIS, Seoul
Possible Placement of Firewalls TECO-WIS, Seoul
VPN Concept TECO-WIS, Seoul
Virtual Private Networks (VPN) Create the equivalent of a dedicated private link using the Internet as a connection media TECO-WIS, Seoul
100Mbps (max) China 100Mbps (max) Japan 10Mbps (max) Hong Kong 2Mbps India 100Mbps (max) Australia 4Mbps Iran Internet 256Mbps (min)-440Mbps (max) 1Mbps Brunei Korea 3Mbps Malaysia 512Kbps Oman 2Mbps 2Mbps New Zealand Saudi Arabia 1Mbps 2Mbps Vietnam Singapore Established VPN-link with Japan Soon established VPN-link with Japan WIS VPN Pilot Project in Regions II and V (as of Sept 2006) TECO-WIS, Seoul
Establishing a VPN Link • VPN links have many parameters • Confirm the protocols to be used, such as IPsec, pre-shared secrets • Define the pre-shared secret. This “password” must be defined and be the same on both sides • Confirm the VPN platform to be used • Agree on IP addresses to exchange on the link • Modify filter rules on the firewall • Implement the define configuration • Test TECO-WIS, Seoul
File Transfers and FTP servers • Uses File Transfer Protocol • Can be used for dissemination or exchange of bulk meteorological data through Internet, GTS or other local/wide area networks • Recommended for predefined users • Efficient data exchange protocol • Good for both push and pull configurations • File Naming is important – see Man 386 Att II.15 TECO-WIS, Seoul
FTP Server Implementation TECO-WIS, Seoul
Electronic Mail • Uses the Simple Mail Transfer Protocol (SMTP) • Complementary method of data input into the GTS • Should not be used to replace GTS data exchanges for mission critical components • Usually can not guarantee real time data delivery • Requires sites to collect messages (some examples: Washington, New Zealand, Tokyo, Beijing) • Requires a strong quality control at the collecting center as the collected messages often contain several typing or format mistakes • Mostly a push mechanism • May be used for notification (for example that a file is available for delivery while the file itself is placed on an FTP server) • Excellent general communication tool • Important entry point for virusses, worms and Trojan Horses • Must deal with SPAM problem • Spamming is the abuse of electronic messaging systems to send unsolicited, undesired bulk messages TECO-WIS, Seoul
Email Implementation TECO-WIS, Seoul
Web Servers • Based primarily on Hyper Text Transfer Protocol (HTTP) • Used to make available various data and reports, available to users who request the information by downloading the various « web pages » (pull mechanism) • Offers an intuitive approach to presentation of data and links between data elements • Allows complex scripts and data management tools to be added • Requires permanent connection to the Internet • Requires careful and significant planning and maintenance • Weather data is updated very often • Demand for weather data can be very high • In large sites can become very complex TECO-WIS, Seoul
Web Server Implementation TECO-WIS, Seoul
Conclusion • Internet is part of the « Network Structure » of the WIS • Should be used mostly for non real time, non mission critical traffic • It complements the information exchange infrastructure • As a separate network • As a backup network • As an underlying technology to simulate dedicated links for the GTS where no other means are possible or economically sustainable • Security is an essential concern and must be addressed TECO-WIS, Seoul
Important Documents http://www.wmo.int/web/www/documents.html • Manual 386, Attachment II.15 – Use of TCP/IP on the GTS (Revision 3, Sept 2006) • Guide on Information Technology Security (Sept 2006) • Guide on Internet Practices (Sept 2006) • Guide on use of FTP and FTP servers at WWW centres (Sept 2006) • Guidance on IPSec-based VPNs over the Internet (April 2004) TECO-WIS, Seoul
Questions? TECO-WIS, Seoul