WMO TECO-WIS - Korea 2006 INTERNET SERVICES, VPN and SECURITY


Page 1: WMO TECO-WIS - Korea 2006 INTERNET SERVICES, VPN and SECURITY

November 2006

TECO-WIS, Seoul 1

WMO TECO-WIS - Korea 2006

INTERNET SERVICES, VPN and SECURITY

Jean-François Gagnon
Director, Network and Voice Operations
Information Technology Infrastructure Directorate
Chief Information Officer Branch
Environment Canada

Co-Chair, Expert Team on WIS-GTS Communication Techniques and Structures
Information System and Services, CBS, WWW

Page 2: Definition of the Internet

• Network of networks
  – millions of smaller domestic, academic, business and government networks
  – uses the TCP/IP protocol suite
• Carries various information and services, such as electronic mail, online chat, file transfer and the documents of the World Wide Web
• The Internet and the World Wide Web are not synonymous:
  – the Internet is a collection of interconnected computer networks, linked by telecommunication media
  – the Web is a collection of interconnected documents, linked by hyperlinks and URLs

Page 3: Deployment of the Internet in the World

Page 4: Internet Status as viewed by WMO ET-CTS

• Noted some progress in the implementation of TCP/IP procedures across the various WMO Regions
  – recently for smaller sites
  – major centres had already reported conversion at previous meetings
• Experience is good and reports on reliability are reassuring
• Still not recommended as the sole method of data acquisition for mission-critical activities
  – the Internet does not provide guaranteed service levels
  – no single operator is responsible for the Internet as a whole, since it is an amalgamation of numerous telecommunication systems
• Security is an important concern and requires effort and strong commitment by all

Page 5: TCP/IP Protocol Suite – RFC 1122 and RFC 1123

OSI layer      Internet protocol suite
APPLICATION    FTP, FTPS, TELNET, SMTP, SNMP, HTTP, HTTPS
PRESENTATION   NFS (Network File System), XDR (External Data Representation)
SESSION        RPC (Remote Procedure Call)
TRANSPORT      TCP, UDP
NETWORK        IP, routing protocols, ICMP, ARP, RARP
DATA LINK      Not specified
PHYSICAL       Not specified

Page 6: Use of TCP/IP on the GTS

• TCP/IP has been recommended on the GTS for several years
• The benefits translate into direct savings in financial and human resource costs for Members
  – reduced costs for purchase and maintenance of communications equipment
  – reduced software development work, through the use of industry-standard software systems

Page 7: Common Protocols allow Coexistence

• The Internet can be used:
  – as an underlying technology for some components of the GTS, in special conditions
  – as a backup to the GTS
  – as a complement to the GTS

Communication component   Function
GTS                       Delivery of time-critical communication for weather, water and climate operations
Internet                  Communication for less critical requirements, and possibly for large volumes of data

Page 8: Telecommunication Options

[Diagram: Centre A and Centre B connected through the GTS, a broadcast network, the Internet and other non-GTS links]

Page 9: Internet Access Types

• Dial-up
  – based on the public telephone system
  – typically 64 Kbps or less
  – usually billed on connection time
  – short connections initiated from the user's (or centre's) end
• Permanent
  – broadband (cable, DSL) or dedicated link
  – typically 1 Mbps or better
  – higher cost
  – faster
  – connection always established
  – good for data providers

Page 10: Implementation for Client-only Usage

• A simple computer is sufficient to access the Internet
• Usually limited to small interactions initiated by the user
• A non-dedicated link (dial-up, DSL, cable) might be sufficient
• Important to secure the computer against unauthorized incoming connections
  – usually the simplest rule: deny all incoming
  – PC-based « personal use » firewall software, such as
    • http://www.zonelabs.com/
    • http://www.personalfirewall.comodo.com/
    • http://www.sunbelt-software.com/kerio.cfm
  – small « personal use » firewall appliances, such as
    • http://www.linksys.com
    • http://dlink.com

[Diagram: PC connected to the Internet through a router / firewall]

Page 11: Implementation for Servers

• Usually requires a dedicated link
• May be implemented with servers
  – within your organization
    • completely under your responsibility
    • usually more flexible, more control
  – contracted to a hosting service provider
    • may be more attractive if there is little expertise in system and security management
    • may give less control and flexibility
    • requires a very clear statement of work and deliverables, especially regarding Service Level Agreements (support issues)

Page 12: Official IP Addresses

• It is essential to have a standard addressing scheme
  – currently IPv4 is the most widely deployed
  – IPv6 is being deployed slowly; not used on the GTS yet
• It is essential to have uniqueness in the allocation of addresses
  – since the GTS (and of course the Internet) is not built as a single network under the complete authority of one organization, the allocation of addresses must go through the official bodies (IANA and the Regional Internet Registries)

Page 13: The Internet Security Threat

• Motivation
  – Obtain information or resources
    • An attack can be motivated by the will to obtain information, for strategic, ideological, financial or intelligence reasons, or resources such as storage, supercomputing or a link to an organization's partner.
  – Desire to cause harm
    • Another motivation can be to prevent an organization from fulfilling its mission properly, by blocking or modifying services or information, for revenge, terrorism, blackmail or malicious reasons.
  – Playful or exploration
    • Another kind of motivation is curiosity, boredom, play or challenge. Many famous governmental institutions have been hit by attacks with such motivations, degrading their reputation.
  – Accident
    • The last category is human or physical accident. It can take many forms and touch any part of the information system (network, hardware and software); its effects can be mitigated by adequate disaster recovery procedures, such as system redundancy and automatic failover.
• Regardless of motivation, the threat is real

Page 14: The Internet Security Threat – Common Threats

• Malicious code: viruses, worms, Trojan horses
• Denial of service
• Malicious hacking
• Spying
• Compromise and abuse of system resources

Page 15: Impacts of Security Breaches

• System and service impacts that disrupt or incapacitate actual systems or services
  – System slow-down: the events cause the systems to slow down for no apparent reason.
  – System rendered unavailable: the events cause the systems to stop functioning altogether.
  – System or component of system destroyed: the events not only make the systems and services unavailable for a period of time, but destroy resources.
  – System apparently normal, but information stolen or compromised: the events that lead to these impacts usually reside on the systems in a way designed not to be detected. Often the purpose is to steal or spy. The impacts can be severe, as stolen information can be of a sensitive or commercial nature. Compromised information may have public safety implications or political, religious, sexual or racial content. The organization's reputation and future may be at stake, as well as safety of life.
  – System used to compromise others: the events compromise an organization's systems in a way designed not to be detected, and the foothold may be left unused for a long time. These components can then be used to compromise other systems. Although the impact on the organization itself may seem negligible, harm to other organizations is possible, and the organization could be falsely accused of being the source of the trouble.
• Administrative, legal and reputation impacts
  – All organizations have a "network" responsibility. They must mitigate security problems and ensure they are not the cause of problems to others. Failure to do so may eventually lead to legal action. It is also obvious that bad information and poor service will have administrative impacts as well as loss of reputation.

Page 16: Information Technology Security Best Practices

• Network architecture
  – Local Area Networks
  – Wide Area Networks
  – Wireless LAN
  – Firewall systems
• Remote access
• Server access and security
  – File system authorisation rules
• Security policies
  – The requirement for a security policy
  – Developing a policy
• Threat and Risk Assessments (TRA)
• Policy control
• Procedures
  – System management
  – New system installation and change management
  – Installation of security patches
  – User account management
  – Backup / restore procedures and regular testing
  – Detection procedures
  – Response / recovery procedures
• Public server configuration

Page 17: Most Basic Security Tool: Firewalls

• Types
  – Packet filters
  – Application-layer firewalls
• Should block all traffic by default and allow only what is explicitly authorized
  – protects systems against unwanted access
• Can be used in many places in the network
  – not just at the boundary with the Internet

Page 18: Possible Placement of Firewalls

[Diagram of Centre A: a link provided by the telecom supplier (GTS side) and a link provided by the Internet supplier, each terminating on an access device (router / firewall), one of them carrying a VPN interface; a public subnet; a DMZ subnet with web portal / server 1 and 2; an internal router / firewall and a firewall in front of the internal protected subnet, which holds workstation 1 and 2, a WAFS receiver, a digital video broadcast receiver, message switching server 1 and 2 and other systems. Caption: firewalls block all traffic in both directions by default and allow only known traffic.]
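As an added example (not code from the presentation or from WMO), here is what the caption's rule looks like on the Internet-side access device router / firewall of the diagram, written as an nftables ruleset produced by a POSIX shell script so that the addresses can be reviewed in one place. The interface name, subnets, server addresses, partner addresses and FTP passive port range are hypothetical placeholders taken from the documentation address blocks.

```sh
#!/bin/sh
# Added example, not from the presentation or any WMO product: a default-deny
# nftables ruleset for the Internet-facing access device (router / firewall).
# Every address, interface and port range below is a hypothetical placeholder.

WAN_IF="${WAN_IF:-eth0}"                                  # link from the Internet supplier
INTERNAL_NET="${INTERNAL_NET:-10.10.0.0/16}"              # internal protected subnet
WEB_PORTALS="${WEB_PORTALS:-192.0.2.10, 192.0.2.11}"      # web portal / server 1 and 2 (DMZ)
FTP_SERVER="${FTP_SERVER:-192.0.2.20}"                    # FTP server in the DMZ
FTP_PARTNERS="${FTP_PARTNERS:-203.0.113.5, 198.51.100.7}" # the predefined partner centres
FTP_PASV="${FTP_PASV:-50000-50100}"                       # passive data range of that server

# Print the complete ruleset; nothing is loaded.
gen_ruleset() {
cat <<EOF
flush ruleset
table inet gts_access {
    chain input {
        # traffic addressed to the firewall itself: drop unless listed
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # manage the firewall only from the internal protected subnet
        ip saddr $INTERNAL_NET tcp dport 22 accept
        # the ICMP needed for path MTU discovery and reachability, rate limited
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
    }
    chain forward {
        # traffic passing between Internet, DMZ and inside: drop unless listed
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Internet -> DMZ: only the web portals, only HTTP and HTTPS
        iifname "$WAN_IF" ip daddr { $WEB_PORTALS } tcp dport { 80, 443 } accept
        # Internet -> DMZ: FTP control and passive data, only from predefined partners
        iifname "$WAN_IF" ip saddr { $FTP_PARTNERS } ip daddr $FTP_SERVER tcp dport 21 accept
        iifname "$WAN_IF" ip saddr { $FTP_PARTNERS } ip daddr $FTP_SERVER tcp dport $FTP_PASV accept
        # inside -> DMZ or Internet: outbound FTP, HTTP and HTTPS only
        ip saddr $INTERNAL_NET tcp dport { 21, 80, 443 } accept
        ip saddr $INTERNAL_NET ip daddr $FTP_SERVER tcp dport $FTP_PASV accept
        # no rule lets the DMZ or the Internet open a connection towards the
        # internal subnet, so a compromised web portal cannot reach the
        # message switching servers; such packets hit the policy above
    }
    chain output {
        # traffic originated by the firewall itself: drop unless listed
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # name resolution and patch downloads from the firewall
        udp dport 53 accept
        tcp dport { 53, 80, 443 } accept
    }
}
EOF
}

# Parse the generated ruleset without loading it (needs the nft binary).
fw_check() {
    gen_ruleset | nft -c -f -
}
```

Run `fw_check` first, then `gen_ruleset | nft -f -` to load. Passive FTP from inside to arbitrary Internet servers is deliberately not covered: that needs either the FTP connection-tracking helper or a much wider rule, and the choice should be made consciously rather than by leaving a gap.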

Page 19: VPN Concept

[Diagram: a VPN client connected to a VPN server across the Internet]

Page 20: Virtual Private Networks (VPN)

Create the equivalent of a dedicated private link using the Internet as the connection medium

[Same Centre A diagram as page 18, with the caption: typical VPN over Internet connection]

Page 21: WIS VPN Pilot Project in Regions II and V (as of Sept 2006)

[Map: VPN links with Japan for Hong Kong, India, Iran, Korea, Oman, Saudi Arabia, Vietnam, Australia, Brunei, Malaysia, New Zealand, China and Singapore, each marked either as an established VPN link with Japan or as a VPN link with Japan soon to be established. Link capacities shown on the map (not attributable to individual centres here): 512 Kbps, 1 Mbps, 2 Mbps, 3 Mbps, 4 Mbps, 10 Mbps (max), 100 Mbps (max), and 256 Mbps (min) to 440 Mbps (max) for the Internet connection]

Page 22: Establishing a VPN Link

• VPN links have many parameters
  – Confirm the protocols to be used, such as IPsec with pre-shared secrets
  – Define the pre-shared secret. This "password" must be defined and be the same on both sides
  – Confirm the VPN platform to be used
  – Agree on the IP addresses to be exchanged over the link
  – Modify the filter rules on the firewall
  – Implement the defined configuration
  – Test
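The steps above, as an added example that is not from the presentation, WMO or the strongSwan project: a POSIX shell script that generates a strongSwan (swanctl) site-to-site IPsec configuration authenticated with a pre-shared secret, the secret itself, a fingerprint both centres can compare to confirm they hold the same value, and the nftables rules the link needs. Endpoints and subnets are hypothetical; IKEv2 and strongSwan are assumptions of this example, not the platform the pilot used.

```sh
#!/bin/sh
# Added example, not from the presentation, WMO or the strongSwan project.
# Hypothetical endpoints and subnets; IKEv2 with strongSwan (swanctl) assumed.

# Step 2, the pre-shared secret: generate it once from real entropy rather
# than choosing a word; the same value is then configured on both ends.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Both centres confirm they hold the same secret by comparing this
# fingerprint over the phone, without ever transmitting the secret itself.
psk_fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | cut -c1-16
    else
        printf '%s' "$1" | shasum -a 256 | cut -c1-16
    fi
}

# Steps 1, 3 and 4: protocol (IPsec, IKEv2, PSK), platform (strongSwan) and
# the addresses exchanged on the link: the public endpoints and the private
# subnets allowed through the tunnel (the traffic selectors).
# usage: gen_swanctl_conf LOCAL_PUBLIC REMOTE_PUBLIC LOCAL_SUBNET REMOTE_SUBNET PSK
gen_swanctl_conf() {
cat <<EOF
connections {
    gts-peer {
        version = 2
        local_addrs = $1
        remote_addrs = $2
        proposals = aes256-sha256-ecp256
        dpd_delay = 30s
        local {
            auth = psk
            id = $1
        }
        remote {
            auth = psk
            id = $2
        }
        children {
            gts {
                local_ts = $3
                remote_ts = $4
                esp_proposals = aes256gcm16-ecp256
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-gts-peer {
        id-1 = $1
        id-2 = $2
        secret = "$5"
    }
}
EOF
}

# Step 5, the firewall filter rules: only the peer may send IKE (UDP 500, and
# 4500 for NAT traversal) and ESP to this endpoint, and once decrypted only
# the agreed services between the agreed subnets are forwarded. "meta ipsec
# exists" (nftables 0.9.1 or later) rejects a plaintext packet that merely
# spoofs the remote subnet as its source. Add these lines to the input and
# forward chains of the existing default-drop ruleset.
# usage: gen_vpn_fw_rules REMOTE_PUBLIC LOCAL_SUBNET REMOTE_SUBNET
gen_vpn_fw_rules() {
cat <<EOF
ip saddr $1 udp dport { 500, 4500 } accept
ip saddr $1 ip protocol esp accept
ip saddr $3 ip daddr $2 meta ipsec exists tcp dport { 21, 80, 443 } accept
ip saddr $2 ip daddr $3 tcp dport { 21, 80, 443 } accept
EOF
}

# Everything for one hypothetical link, printed rather than installed.
demo() {
    psk=$(gen_psk)
    echo "# PSK fingerprint to confirm with the peer: $(psk_fingerprint "$psk")"
    gen_swanctl_conf 198.51.100.10 203.0.113.20 10.10.0.0/24 10.20.0.0/24 "$psk"
    gen_vpn_fw_rules 203.0.113.20 10.10.0.0/24 10.20.0.0/24
}

case "${1-}" in demo) demo ;; esac
```

`sh vpn-link.sh demo` prints one complete link. Write the connections and secrets part to a file under /etc/swanctl/conf.d/ with mode 0600, since it contains the secret, then `swanctl --load-all` on both sides and `swanctl --initiate --child gts` on one of them; `swanctl --list-sas` showing an installed child SA, followed by traffic between the two subnets, is the test step.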

Page 23: File Transfers and FTP servers

• Uses the File Transfer Protocol
• Can be used for dissemination or exchange of bulk meteorological data through the Internet, the GTS or other local / wide area networks
• Recommended for predefined users (plain FTP sends credentials and data in clear; when the path crosses the Internet, use FTPS or run FTP only inside a VPN)
• Efficient data exchange protocol
• Good for both push and pull configurations
• File naming is important – see Manual 386, Attachment II.15
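The naming rule the last bullet points to, as an added example that is not part of the presentation or of any WMO software: a POSIX shell validator that an FTP server's upload hook (or a polling script on the receiving side) can run before accepting a file. It encodes the general convention of Manual 386, Attachment II.15 as I read it (pflag A, W or Z, oflag C, a four-letter CCCC originator, a 14-digit timestamp), so check the current revision before relying on the exact field rules; the sample names in the comments are constructed.

```sh
#!/bin/sh
# Added example, not from the presentation or any WMO software. Validates a
# WMO GTS file name against the general convention of Manual 386 Att. II-15
# (as understood here; confirm against the current revision):
#   pflag_productidentifier_oflag_originator_yyyyMMddhhmmss[_freeformat].type[.compression]
# Constructed sample names:
#   A_SMCN01BABJ120000_C_BABJ_20061112000000.txt
#   W_fr-meteofrance-toulouse,GRIB,ARPEGE-75N10W-20N60E_C_LFPW_20061112000000.bin

# Return 0 if NAME is well formed and safe to store, 1 otherwise.
wmo_filename_ok() {
    name=$1
    # Before parsing, refuse anything usable for path traversal or shell
    # tricks: an empty name, slashes, "..", a leading dot, and any character
    # outside the small set the convention needs.
    case $name in
        ''|*/*|*..*|.*|*[!A-Za-z0-9_.,-]*) return 1 ;;
    esac
    # pflag, product identifier, oflag C, CCCC, a real-looking timestamp
    # (month 01-12, day 01-31, hour 00-23, minute and second 00-59),
    # optional free text, a type, and an optional compression suffix.
    printf '%s\n' "$name" | grep -Eq \
        '^[AWZ]_[A-Za-z0-9,-]+_C_[A-Z]{4}_[0-9]{4}(0[1-9]|1[0-2])(0[1-9]|[12][0-9]|3[01])([01][0-9]|2[0-3])[0-5][0-9][0-5][0-9](_[A-Za-z0-9,-]+)?\.[A-Za-z0-9]+(\.(Z|gz|bz2|zip|tar))?$'
}

# For a valid name, print "pflag productidentifier originator timestamp" on
# one line; the caller can route on the originator or reject stale files.
wmo_filename_fields() {
    wmo_filename_ok "$1" || return 1
    base=${1%%.*}                        # drop .type[.compression]
    oldifs=$IFS; IFS=_; set -- $base; IFS=$oldifs
    printf '%s %s %s %s\n' "$1" "$2" "$4" "$5"
}
```

A name that fails the check should be rejected or quarantined, not renamed: a sender that cannot produce the agreed name is either misconfigured or not the partner you think it is.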

Page 24: FTP Server Implementation

Page 25: Electronic Mail

• Uses the Simple Mail Transfer Protocol (SMTP)
• Complementary method of data input into the GTS
  – should not be used to replace GTS data exchanges for mission-critical components
  – usually cannot guarantee real-time data delivery
  – requires sites to collect messages (some examples: Washington, New Zealand, Tokyo, Beijing)
  – requires strong quality control at the collecting centre, as the collected messages often contain typing or format mistakes
• Mostly a push mechanism
• May be used for notification (for example that a file is available for delivery, while the file itself is placed on an FTP server)
• Excellent general communication tool
• Important entry point for viruses, worms and Trojan horses
• Must deal with the spam problem
  – spamming is the abuse of electronic messaging systems to send unsolicited, undesired bulk messages

Page 26: Email Implementation

[Same Centre A diagram as page 18, with an email server and virus & spam filters added; arrows show typical email server exchanges and typical email user exchanges]

Page 27: Web Servers

• Based primarily on the Hypertext Transfer Protocol (HTTP)
• Used to make various data and reports available to users, who request the information by downloading « web pages » (pull mechanism)
• Offers an intuitive approach to the presentation of data and links between data elements
• Allows complex scripts and data management tools to be added
• Requires a permanent connection to the Internet
• Requires careful and significant planning and maintenance
  – weather data is updated very often
  – demand for weather data can be very high
  – large sites can become very complex

Page 28: Web Server Implementation

[Same Centre A diagram as page 18, with arrows showing typical web server access from the Internet to the web portal / servers in the DMZ]

Page 29: Conclusion

• The Internet is part of the « Network Structure » of the WIS
• Should be used mostly for non-real-time, non-mission-critical traffic
• It complements the information exchange infrastructure
  – as a separate network
  – as a backup network
  – as an underlying technology to simulate dedicated links for the GTS where no other means are possible or economically sustainable
• Security is an essential concern and must be addressed

Page 30: Important Documents

http://www.wmo.int/web/www/documents.html

• Manual 386, Attachment II.15 – Use of TCP/IP on the GTS (Revision 3, Sept 2006)
• Guide on Information Technology Security (Sept 2006)
• Guide on Internet Practices (Sept 2006)
• Guide on use of FTP and FTP servers at WWW centres (Sept 2006)
• Guidance on IPSec-based VPNs over the Internet (April 2004)

Page 31: Questions?