
Jefferson Lab Remote Access


Presentation Transcript


  1. Jefferson Lab Remote Access Andy Kowalski December 1, 2010

  2. Internet Connectivity
  [Network diagram; labels recoverable from the slide: JLAB Site Switch, ESnet Router, ESnet core, MATP (McLean, VA), Level3 (Washington DC), NYC, Atlanta, Lovitt, Virginia Tech, Eastern LITE (E-LITE), Old Dominion University (ODU*), NASA, W&M*, VMASC, JTASC, Bute St CO, COX Communications (backup); * = SURA site. Link speeds shown: 10 Gbps / 10GE, OC192, 2.5 Gbps / OC48, 45 Mbps / DS3.]

  3. Local Area Network (LAN)
  • 10 enclaves
    • 7 NIST Low level
    • 3 NIST Moderate level
  • Use NIST 800-53 base controls
  • Enclave level determined by potential impact from a loss of confidentiality, integrity, and availability
    • Impact on JLab, not DOE
  • Firewalls between all enclaves
    • Some within enclaves
  [Enclave diagram; labels recoverable from the slide: Collaborative Services, Experimental Physics, Scientific Computing, Public Services, Accelerator, Guest, Desktops (Levels 1, 2, 3); Moderate-level enclaves: FEL, Sensitive Business Services, Core Services; 10 Gigabit Ethernet and 1 Gigabit Ethernet links.]

  4. Network Management & Monitoring
  • JNet registration required for network access
    • Manages both wired and wireless
    • JNet database manages/tracks:
      • User-to-MAC-address registration
      • Asset tracking (property, contact information)
      • History of machine locations and registrations
      • Auto VLAN assignment (users may move about; VLAN assignments change when they plug in)
  • Network Intrusion Detection System (NIDS)
    • Monitors network traffic looking for intrusions
    • Taps at VLAN ingress/egress points

  5. Moderate Enclave Protections
  • BSN
    • Firewall restricts remote access
    • RDP limited to a terminal server from select desktops
    • SSH from select IT areas for management
    • 2-factor authentication
  • Core & FEL
    • Firewall restricts remote access
    • SSH and RDP open to all systems
    • 2-factor authentication on Windows
    • 2-factor authentication on Linux (Core only)

  6. Additional Core Enclave Protections
  • Firewall restricts SSH and RDP by network of origin
  • Guest network support is isolated
    • Printing utilizes a dedicated print server
    • Printers are on their own VLAN and firewalled
    • Otherwise, access to JLab is as from the Internet
  • Web servers on separate VLAN and firewalled
  • Interactive general-purpose machines on separate VLAN and firewalled
  • IT administration, development and desktops
    • Each on separate VLANs and firewalled
  • 2-factor authentication for administration
  • Use least-privilege model for accounts

  7. 2-Factor Authentication Used Today
  • Used to access moderate enclaves and VPN
    • BSN, FEL
    • Core Services -> system and network administrators

  8. Remote Access Today
  • Internet to JLab is via centrally managed gateway servers

  9. Enclave Access Today
  • Enclave to enclave is direct or via gateway servers

  10. Known Issues
  • Stolen username/password pairs
  • SSH tunnels
    • If SSH is allowed, everything is open
    • Network traffic is encrypted (good and bad)
  • Portable devices
    • Laptops, smart phones, iPads, iPods, etc.
    • Provide less security than managed desktops
  • Unmanaged devices
    • Personal laptops, PDAs, etc.
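The "if SSH is allowed, everything is open" point on slide 10 is the port-forwarding problem: a gateway that grants a login shell also grants ssh -L/-R/-D and ssh -A unless sshd is told otherwise, so the enclave firewalls that only pass SSH are bypassed through the gateway. The audit below is an added example, not code from the deck or from JLab: it parses a gateway's sshd_config (global section plus Match blocks), fills in OpenSSH's documented defaults, and reports what a client arriving from a given address could tunnel. The weak and hardened configurations, the IT administration network 192.0.2.0/24, the terminal server 198.51.100.10:3389 and the client addresses are constructed from RFC 5737 documentation ranges; the Match block stands in for the slide 5 pattern of "SSH from select IT areas" and "RDP limited to a terminal server".

```python
import ipaddress
import re

# sshd_config(5) defaults for the directives that turn a login host into a pivot;
# whatever a gateway leaves unset is what it is really running with.
DEFAULTS = {
    "allowtcpforwarding": "yes",    # ssh -L / -R / -D
    "permitopen": "any",            # destinations reachable through -L / -D
    "gatewayports": "no",           # whether -R listeners bind beyond loopback
    "permittunnel": "no",           # ssh -w layer-2/3 tun devices
    "allowagentforwarding": "yes",  # ssh -A
}
_DIRECTIVE = re.compile(r"^(\w+)\s*=?\s*(.*?)\s*$")  # "Key value" or "Key=value"


def parse_sshd_config(text):
    """Return (global_settings, [(match_criteria, settings), ...]), keys lower-cased.
    Within one section the first value given for a directive wins, as in sshd."""
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _DIRECTIVE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":  # every following directive belongs to this block
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(key, value)
    return global_cfg, blocks


def _criteria_match(criteria, client_ip):
    """Decide a Match line from the client address alone: 'all' and 'Address' are
    evaluated; criteria such as User or Group are treated as not matching."""
    tokens = criteria.split()
    if tokens and tokens[0].lower() == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    for i in range(0, len(tokens) - 1, 2):
        if tokens[i].lower() != "address":
            return False
        nets = (ipaddress.ip_network(n, strict=False) for n in tokens[i + 1].split(","))
        if not any(addr in net for net in nets):
            return False
    return bool(tokens)


def effective_settings(text, client_ip):
    """Defaults, overridden by the global section, overridden by the first matching
    Match block that sets each directive (later matching blocks do not win)."""
    global_cfg, blocks = parse_sshd_config(text)
    overrides = {}
    for criteria, settings in blocks:
        if _criteria_match(criteria, client_ip):
            for key, value in settings.items():
                overrides.setdefault(key, value)
    return {**DEFAULTS, **global_cfg, **overrides}


def tunnel_findings(text, client_ip):
    """List the ways a shell user arriving from client_ip could pivot through the host."""
    eff = effective_settings(text, client_ip)
    fwd = eff["allowtcpforwarding"].lower()
    findings = []
    if fwd != "no" and eff["permitopen"].lower() == "any":
        findings.append("AllowTcpForwarding %s with PermitOpen any: ssh -L/-D reaches "
                        "every host:port the gateway can" % fwd)
    if fwd in ("yes", "all", "remote") and eff["gatewayports"].lower() != "no":
        findings.append("GatewayPorts: ssh -R can publish enclave services on the gateway")
    if eff["permittunnel"].lower() != "no":
        findings.append("PermitTunnel: ssh -w gives a tun device into the network")
    if eff["allowagentforwarding"].lower() == "yes":
        findings.append("AllowAgentForwarding: a compromised gateway can use clients' keys onward")
    return findings


# Constructed: a gateway where only the directives people remember were changed.
WEAK_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
"""

# Constructed: tunnelling off for everyone, except that an assumed IT administration
# network (192.0.2.0/24) may forward only to one assumed RDP terminal server.
HARDENED_CONFIG = """
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding no
PermitOpen none
GatewayPorts no
PermitTunnel no
AllowAgentForwarding no
X11Forwarding no
Match Address 192.0.2.0/24
    AllowTcpForwarding local
    PermitOpen 198.51.100.10:3389
"""
```

`tunnel_findings(WEAK_CONFIG, "203.0.113.7")` reports two findings (unrestricted TCP forwarding and agent forwarding), even though nothing in that file mentions forwarding: the defaults are the exposure. The hardened file returns no findings for an Internet client, and for a host in 192.0.2.0/24 it returns none either, because the Match block grants only a local forward to the single PermitOpen destination. Two caveats a practitioner should keep in mind: the parser evaluates only Address/all Match criteria, and forwarding directives do not stop a user from simply running ssh again from the gateway shell, so outbound firewalling from the gateway and the 2-factor requirement on slide 11 still carry part of the load.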

  11. Proposed Enhancements
  • VPN
    • Add more robust client-side scanning/admission control
  • Direct enclave access through gateway systems requiring 2-factor authentication
    • Accelerator
    • Halls
  • 2-factor authentication support for Linux and Mac
