The current security policy of JINR ________________________.

Transcript:


The current JINR local network structure

GRID Cluster Network Structure. The cluster is organized on L2 technology with one broadcast domain. The cluster is connected to the JINR backbone by two redundant links.

Site network security. The central firewall is built on two mutually redundant Cisco 6500 firewall modules and Cisco ACLs. The JINR firewall controls access to each of the permitted services inside JINR. ACLs on the laboratory switches secure the JINR local network. Access to the network equipment is controlled by a TACACS server and Cisco ACLs (Login, DialUp, VPN). Kerberos V provides login to the central information and computing complex. Access to users' home directories is controlled by AFS tokens.

Accounts policy and system security. All user passwords are stored in Kerberos V. Home directories are located on AFS. Only secure protocols are allowed (SSL, SSH or Kerberos). Each laboratory may have its own Kerberos server.

Kerberos V with LDAP backend. AFS uses Kerberos V. The Kerberos database is stored in LDAP. LDAP is used to store user information.

JINR Network DataBase (IPDB)

Monitoring (NMIS). Each cluster element uses the central logging server. Monitoring for alarms and troubles is provided by NMIS.

AUDIT. Network and system audit is based on analyzing logs from the central routers, firewalls and local switches. The IDS (intrusion detection system) is built on the freeware flow-tools (Cisco NetFlow). Development work on our own PDS, based on the ROOT package, is in progress.
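A flow-based audit check of the kind a NetFlow/flow-tools IDS performs, as an added example that is not part of the original presentation or of JINR's own tooling. The flow records are constructed in a flow-print-like whitespace layout, and the thresholds (five probed ports, five swept hosts, 200-octet "tiny flow" limit) are assumptions chosen for illustration, not JINR settings.

```python
from collections import defaultdict

# Constructed sample flow records (invented for this example, not captured traffic).
# Fields: srcIP dstIP proto srcPort dstPort octets packets
SAMPLE_FLOWS = """\
10.10.1.5    10.10.2.20  6  45021  22   4800  12
10.10.1.5    10.10.2.20  6  45022  23   120   2
10.10.1.5    10.10.2.20  6  45023  25   120   2
10.10.1.5    10.10.2.20  6  45024  80   120   2
10.10.1.5    10.10.2.20  6  45025  110  120   2
10.10.1.5    10.10.2.20  6  45026  143  120   2
10.10.3.7    10.10.2.20  6  51000  443  98000 140
10.10.3.7    10.10.2.21  6  51001  443  76000 110
10.10.4.9    10.10.2.20  6  60001  22   60    1
10.10.4.9    10.10.2.21  6  60002  22   60    1
10.10.4.9    10.10.2.22  6  60003  22   60    1
10.10.4.9    10.10.2.23  6  60004  22   60    1
10.10.4.9    10.10.2.24  6  60005  22   60    1
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping blank and '#' lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, octets, packets = line.split()
        flows.append({
            "src": src, "dst": dst, "proto": int(proto),
            "sport": int(sport), "dport": int(dport),
            "octets": int(octets), "packets": int(packets),
        })
    return flows


def find_port_scans(flows, min_ports=5, max_octets=200):
    """Vertical scan: one source touching many distinct ports on one destination
    using only tiny flows (large flows are real sessions, not probes)."""
    ports = defaultdict(set)
    for f in flows:
        if f["octets"] <= max_octets:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}


def find_host_sweeps(flows, min_hosts=5, max_octets=200):
    """Horizontal sweep: one source probing the same port on many destinations."""
    hosts = defaultdict(set)
    for f in flows:
        if f["octets"] <= max_octets:
            hosts[(f["src"], f["dport"])].add(f["dst"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_hosts}


def top_talkers(flows, n=3):
    """Sources ranked by total octets sent; useful context for the alerts above."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, dst), plist in find_port_scans(flows).items():
        print(f"port scan: {src} -> {dst} ports {plist}")
    for (src, port), hlist in find_host_sweeps(flows).items():
        print(f"host sweep: {src} port {port} -> {hlist}")
    print("top talkers:", top_talkers(flows))
```

In practice the same two counters run over a flow-tools capture directory per time window, and the thresholds are tuned against the site's own baseline so that legitimate services (monitoring pollers, backup hosts) are allow-listed rather than reported every interval.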

Problems. Problems with hardware filtering of the high-speed incoming data flow (more than 1 Gb). Lack of a common account-dependent information system that provides the security options for each node and the possibility of tuning these options per node. Lack of hardware data-flow encryption devices for secure data transfer.

Near Future Plans. Partial replacement of Linux iptables by Cisco ACLs to increase data transmission speed. Installation of LDAP authentication instead of /etc/passwd. Further modification of the IDS and PDS systems.