Clark Piercy, ORNL Task Lead for Networking and Telecomm
Network Enhancements for DID at ORNL
National Laboratories Information Technology Summit, June 2007
ORNL DID Project Level 1 Milestones
1.0 Network – Information and Activity Segregation
2.0 System - Establish configuration standards
3.0 Property - Establish asset management (Software and Hardware)
4.0 Access - Establish strong authentication
OAK RIDGE NATIONAL LABORATORY
U. S. DEPARTMENT OF ENERGY
1.0 Network – Information and Activity Segregation
Segregate systems with different levels of data sensitivity into protection zones with appropriate network controls between PZes
Create a method to quarantine/block systems not meeting security and configuration requirements
Put systems that can't meet security and configuration requirements behind a managed firewall
Protection Zones (PZes)
First we had to define what types of PZes were needed
Cyber Security staff used FIPS 199 (confidentiality, integrity, availability) and other guidance to come up with a first cut
Initially: Highly Sensitive PZ, Infrastructure PZ, Admin PZ, Controlled Research PZ, Open Public PZ, Open Research PZ
Eventually settled on: Moderate with Enhanced Controls (M/EC), Infrastructure, Admin/Controlled Research, Open Public, Open Research
Protection Zone Definitions
Moderate with Enhanced Controls (M/EC): systems which process moderate information that ORNL has determined requires additional (enhanced) controls to protect it, including UCNI and C/FGI-Mod
Controlled Research: systems used by researchers to create, store and process proprietary, export controlled, protected CRADA, applied technology or similar information
Infrastructure: systems which provide laboratory infrastructure and general system support to other systems at ORNL
Administrative: contains most of the general purpose desktop systems which create, access and process moderate information
NCCS: systems that comprise the National Center for Computational Sciences
Open/Public: web and ftp servers hosting public information that is accessible via anonymous access to any person or system on the Internet
Open Research: systems used to conduct open research that creates, stores and processes fundamental research information
Initial protection zones are defined; we are working to refine the rules and definitions.
Protection Zones: Where and How Many?
Which devices need to go in which protection zones?
How many devices in each protection zone type?
Where are they located?
What Are Rules for Protection Zones?
Rows are the zone traffic comes From; the columns under To are the destination zones. Users and Sys Mgd describe the source zone; C, I and A are its FIPS 199 levels, and Lvl is the fourth level column (unlabeled on the original slide).

From             | Users | Sys Mgd | C | I | A | Lvl |  RO | NCCS |  RC | M/EC |  OP |  OA | OI | RAS | V | C&A | I
-----------------|-------|---------|---|---|---|-----|-----|------|-----|------|-----|-----|----|-----|---|-----|---
R&D Open (RO)    |   Y   |    Y    | L | L | L |  L  |  *  |  t   |  x  |  x   |  n  |  x  | x  |  t  | x |  p  | n
NCCS             |   Y   |    Y    | M | L | L |  M  |  p  |  *   |  t  |  t   |  p  |  p  | p  |  x  |   |     |
Controlled (RC)  |   Y   |    Y    | M | L | L |  M  |  p  |  t   |  *  |  t   |  p  |  p  | p  |  x  | x |  p  | n
M/EC*            |   Y   |    Y    | M | L | L |  H  |  p  |  t   |  p  |  *   |  p  |  p  | p  |  x  | x |  x  | x
OPS Public (OP)  |   N   |    Y    | L | M | L |  M  |  a  |  a   |  a  |  x   |  *  |  a  | a  |  x  | x |  a  | a
Admin (OA)       |   Y   |    Y    | M | M | L |  M  |  p  |  t   |  p  |  t   |  p  |  *  | p  |  x  | x |  p  | n
Infra (OI)       |   N   |    Y    | M | M | M |  M  |  as |  as  |  as |  as  |  as |  as | *  |  x  | x |  a  | a
RAS              |   Y   |    Y    | ? | ? | ? |  ?  |  p  |  t   |  p  |  t   |  p  |  p  | p  |  *  | x |  p  | x
nonORNL Visitor  |   U   |    N    | N | N | N |  N  |  p  |  t   |  x  |  x   |  n  |  x  | x  |  t  | * |  p  | n
C&A Collab       |   Y   |    N    | ? | ? | ? |  ?  |  p  |  t   |  x  |  x   |  n  |  x  | x  |  t  | x |  *  | n
Internet         |   Y   |    N    | N | N | N |  N  |  p  |  t   |  x  |  x   |  n  |  x  | x  |  t  | x |  x  | *

(The last three NCCS cells are not legible in the source.)

Users:   Y = users allowed; U = users, but no servers; N = no users
Sys Mgd: Y = Core IT managed
Cells:   * = same zone
         p = password for protected info
         t = token required
         n = no password for public info
         a = ITSD as sys admin with token
         s = services provided by Infrastructure to others (as = admin + services)
         c = no password required, but controlled services
         x = not allowed
Many Questions…
… but initially few answers to base network design on.
To NAC or Not to NAC?
Well defined requirements (quarantine, PZes) as well as fuzzy requirements (how many systems in each PZ, and where are they?) led us to look toward Network Access Control (NAC) as a possible solution
ORNL network users are used to mobility on the wired network (known, registered devices); we wanted to preserve that mobility
NAC was a big buzz in the trade press last Spring, so we decided to survey the market and evaluate what was available
NAC Solution Search
Given the need to support multiple OSes (Windows, Mac, *nix), and that no COTS NAC solution had an agent for all of them, we looked for solutions that worked with and without agents
Did not like in-band solutions, as they represent additional bottlenecks and failure points
Needed a solution with an open database so we could interface it to our home grown network registration system
Narrowed down to 2 solutions to test: Cisco's NAC (Perfigo) and Lockdown Enforcer
Home Grown NAC Solution
It was decided that the Admin and Controlled Research systems required the same level of protection (CIA: Admin MML, Applied MLL, therefore M for the protection zone), thus they could be in the same protection zone
The vast majority of systems (90%+) would be in the Admin/Applied Research protection zone
Therefore we could maintain the current mobility for most systems, since they will mostly be in the admin/applied zone, by making our current network into the admin/applied zone
We then needed to add protection zones (read: VLANs) for M/EC, Infrastructure, Open Research, and Open Public
We hoped most Infrastructure, Open Research, and Open Public systems would be relocated into one of our datacenters, or their content consolidated onto servers in our datacenters. For systems that aren't, we'd create trunked VLANs up to the datacenter(s) for these protection zones.
Homegrown NAC (cont.)
Develop our own quasi-NAC that relies upon DHCP, secondary subnets for registration and quarantine/remediation, and control of layer 2 ports: either forcing a system to do a DHCP discovery by bouncing its port, or blocking the system by disabling its port
It relies on frequent polling (every 3-5 minutes) of router ARP caches and layer 2 switch bridge tables, so we know what port a device is connected to and what IP address it is using
A scan is performed of any system that has been off the network for 4 or more hours. If found wanting, the device is quarantined or blocked
Homegrown Quarantine/Remediation
Secondary subnets are being configured on each VLAN, one for Quarantine, one for Remediation (already have one for registration for unknown devices)
A device is put into quarantine by changing its record in our DHCP server so it is given a dummy DNS server and a very short lease on an IP address in the quarantine subnet, which is filtered so it can only reach the Quarantine splash page.
The client then opens a browser and is directed to the splash page, which indicates that the device has been quarantined, the reason why, and how to fix the problem to get out of quarantine.
The user clicks an acknowledgement button; at the next DHCP update the device is given a real DNS server and an IP address in a remediation range that is filtered to block highly desirable apps (email, SAP) to encourage quick remediation
Once the user has fixed the problem, they click a button indicating so and the device is moved to Parole (full network access, but on a list to be double checked by IT)
See the James Calloway and Paige Stafford presentations for more details on Quarantine and ORNL NacMGR
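The polling, quarantine and remediation flow from the last two slides, modelled in Python as an added example; this is not ORNL's NacMGR or any code from the presentation. The IOS-style ARP cache and bridge table dumps are constructed sample data, and the secondary subnet ranges, DNS addresses, lease lengths and state names are assumptions; the 3-5 minute poll cycle, the 4-hour rescan threshold and the registration/quarantine/remediation/parole progression come from the slides.

```python
# Added example modelling the DHCP- and port-based quasi-NAC described above; it is not ORNL's NacMGR.
# Subnets, DNS addresses, lease times and the IOS-style table layouts are assumptions; the dumps are constructed.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

ARP_CACHE = """\
Internet  10.10.1.20   5   0011.2233.4455  ARPA  Vlan10
Internet  10.10.1.21   12  0011.2233.4466  ARPA  Vlan10
"""
BRIDGE_TABLE = """\
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    0011.2233.4466    DYNAMIC     Gi1/0/6
  10    0011.2233.4477    DYNAMIC     Gi1/0/7
"""
MAC = r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+" + MAC + r"\s+ARPA\s+\S+", re.M)
BRIDGE_RE = re.compile(r"^\s*(\d+)\s+" + MAC + r"\s+\S+\s+(\S+)", re.M)

OFFLINE_SCAN_AFTER = timedelta(hours=4)   # slide: rescan anything that was off the network 4+ hours
SUBNET = {"full": "10.10.1.0/24", "parole": "10.10.1.0/24",                # primary subnet
          "registration": "10.10.101.0/24", "quarantine": "10.10.201.0/24",
          "remediation": "10.10.211.0/24"}                                 # secondary subnets (assumed)
REAL_DNS, SPLASH_DNS = "10.10.0.53", "10.10.201.1"   # assumed; SPLASH_DNS resolves every name to the splash host
SHORT_LEASE, NORMAL_LEASE = 60, 8 * 3600             # seconds; a short lease makes state changes bite fast

@dataclass
class Sighting:
    mac: str
    ip: Optional[str]   # None: the switch sees the MAC but the router has no ARP entry for it
    port: str

@dataclass
class Device:
    mac: str
    state: str          # registration | full | quarantine | remediation | parole | blocked
    last_seen: datetime
    reason: str = ""
    port: str = ""
    port_action: Optional[str] = None   # "bounce" forces a fresh DHCP discover; "disable" blocks

def parse_arp(text: str) -> Dict[str, str]:
    """MAC -> IP from a router ARP cache dump."""
    return {mac: ip for ip, mac in ARP_RE.findall(text)}

def parse_bridge(text: str) -> Dict[str, str]:
    """MAC -> switch port from a layer 2 bridge table dump."""
    return {mac: port for _vlan, mac, port in BRIDGE_RE.findall(text)}

def correlate(arp: Dict[str, str], bridge: Dict[str, str]) -> List[Sighting]:
    """Join both tables on MAC so every device is known by IP and switch port."""
    return [Sighting(m, arp.get(m), port) for m, port in sorted(bridge.items())]

class NacManager:
    def __init__(self) -> None:
        self.devices: Dict[str, Device] = {}

    def poll(self, sightings: List[Sighting], now: datetime) -> List[Tuple[str, str]]:
        """One 3-5 minute poll cycle; returns ('register' | 'scan', mac) work items."""
        work = []
        for s in sightings:
            d = self.devices.get(s.mac)
            if d is None:   # unknown MAC: park it in the registration subnet
                self.devices[s.mac] = Device(s.mac, "registration", now, "unregistered", s.port, "bounce")
                work.append(("register", s.mac))
                continue
            if now - d.last_seen >= OFFLINE_SCAN_AFTER:
                work.append(("scan", s.mac))
            d.last_seen, d.port = now, s.port
        return work

    def _move(self, mac: str, state: str, reason: str = "", action: str = "bounce") -> None:
        d = self.devices[mac]
        d.state, d.reason, d.port_action = state, reason, action

    def registered(self, mac: str) -> None:
        self._move(mac, "full")
    def quarantine(self, mac: str, why: str) -> None:
        self._move(mac, "quarantine", why)
    def block(self, mac: str, why: str) -> None:
        self._move(mac, "blocked", why, action="disable")

    def acknowledge(self, mac: str) -> None:
        """Splash-page acknowledgement clicked: quarantine -> remediation (real DNS, filtered range)."""
        if self.devices[mac].state == "quarantine":
            self._move(mac, "remediation", self.devices[mac].reason)

    def fixed(self, mac: str) -> None:
        """User reports the fix: remediation -> parole (full access, but on IT's recheck list)."""
        if self.devices[mac].state == "remediation":
            self._move(mac, "parole")

def dhcp_record(d: Device) -> dict:
    """The DHCP reservation to write for a device in its current state."""
    if d.state == "blocked":
        return {"offer": False}   # port is disabled; nothing to hand out
    restricted = d.state in ("registration", "quarantine", "remediation")
    return {"offer": True, "subnet": SUBNET[d.state],
            "dns": SPLASH_DNS if d.state == "quarantine" else REAL_DNS,
            "lease": SHORT_LEASE if restricted else NORMAL_LEASE}

def take_port_action(d: Device) -> Optional[str]:
    """Pop the pending layer-2 action so the switch is touched once per transition."""
    action, d.port_action = d.port_action, None
    return action
```

The DHCP record is the only lever on the address side, so a host that sets a static address in the primary subnet is untouched by a quarantine record; that is why the design keeps the switch port in hand as well (bounce to force rediscovery, disable to block), and why the poll joins the ARP cache to the bridge table rather than trusting DHCP leases alone to tell it what is on the wire.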
PZ Deployment design
Based on the assumption that the numbers of systems in M/EC, Open Research, Open Public, and Infrastructure will be relatively small and mostly located in the datacenters, we decided to deploy PZes by placing Cisco Firewall Services Modules (FWSMs) in the Datacenter 6500 and using VLANs and trunking as needed to extend PZes/VLANs
Rules applied on the FWSMs control traffic between PZs
Installed an ASA5520 between M/EC and the rest of the network due to the requirement to have a One Time Password (OTP) for login to M/EC systems from outside M/EC.
We now have a better idea of how many systems are in each PZ type (M/EC = 24 now, with potential for 500 with Protected PII; OP = 12 for now; OR = ~450; Infra = ~500; Admin/ContRes = ~10,000)
Type 4 System Segregation
Type 4 systems cannot meet cyber security baseline requirements: instruments that can't have autoupdates/reboots, non-standard OSes that can't be changed due to one-of-a-kind software, etc.
Will place type 4 systems behind firewalls managed by IT: many instances of one device behind one firewall, some instances of many associated devices behind one firewall
Looked at using Cisco's Private VLAN construct along with FWSMs in the Cisco 6500 backbone routers, but that would require Cisco switches at the edge everywhere a type 4 existed, and we didn't know how many type 4s there would be
Elected to go with small ASA5505s for most systems and a few ASA5520s for a few situations
Turns out to be about 200 type 4 systems thus far; working on determining which can be grouped behind one firewall and which have to be solo
VPN NAC
Currently evaluating the Cisco NAC again, for use with VPN
Testing it with IT folks at present
Has an agent for Windows (Vista, XP, 2000) and Mac
Windows agent working pretty well with a few glitches under Vista; Mac agent not working so well yet
Can use Nessus to scan other OSes (including Mac). For ORNL machines that we have admin rights on, we may be able to use those privileges to see further into the system, past any personal firewall.
ORNL DID Network Segregation Design
[Diagram: network segregation design. Components shown: Datacenter Catalyst 6500 (Supervisor 720) with Firewall Services Module (WS-SVC-FWM-1); two Backbone 6500 routers; Datacenter Switches; Building Switches; Cisco ASA 5510 as Type 4 Firewall; Cisco ASA 5520 as M/EC Firewall; Cisco Clean Access 3140 (Cisco CCA NAC Appliance); Cisco VPN 3060.]
ORNL DID Project Level 1 Milestones
1.0 Network – Information and Activity Segregation
2.0 System - Establish configuration standards
3.0 Property - Establish asset management (Software and Hardware)
4.0 Access - Establish strong authentication
4.0 Access - Establish strong authentication
All external access to sensitive info must use one time passwords (OTP)
Needed OTP for VPN, dial-up, remote SSH, and remote SSL
Had a SecurID solution already in house working with VPN on a small scale, so expanded it to all VPN users
Moved the dial-up server so it is outside the VPN; dial-up users now must open a VPN session to get inside
Added OTP to the SSH server
Installed a Whale reverse proxy; now working on reducing the authenticated http/https rules in the border firewall and forcing users to Whale or VPN
More In-Depth Presentations related to ORNL’s Defense in Depth Project
Managing Unix/Linux at ORNL – Brett Ellis
Defense in Depth Reporting at ORNL – Steve Parham
Managing Macs in an Enterprise – Brian Wallace
Quarantine: Controlling Network Access Using DHCP – James Calloway
Network Access Control at ORNL – Paige Stafford