Observations From the Global AMDAR Programme Presentation to WMO TECO-2006 4-6 December 2006 by
WMO TECO-WIS - Korea 2006 INTERNET SERVICES, VPN and SECURITY
description
Transcript of WMO TECO-WIS - Korea 2006 INTERNET SERVICES, VPN and SECURITY
November 2006
TECO-WIS, Seoul 1
WMO TECO-WIS - Korea 2006
INTERNET SERVICES, VPN and SECURITY
Jean-François Gagnon
Director, Network and Voice OperationsInformation Technology Infrastructure Directorate
Chief Information Officer BranchEnvironment Canada .
Co-Chair, Expert Team on WIS-GTS Communication Techniques and StructuresInformation System and Services, CBS, WWW
November 2006
TECO-WIS, Seoul 2
Definition of the Internet
• Network of networks– millions of smaller domestic, academic, business, and
government networks– Uses TCP/IP protocol suite
• Carries various information and services, such as electronic mail, online chat, file transfer, documents of the World Wide Web.
• Internet and the World Wide Web are not synonymous:– the Internet is a collection of interconnected computer networks,
linked by telecommunication media– the Web is a collection of interconnected documents, linked by
hyperlinks and URLs.
November 2006
TECO-WIS, Seoul 3
Deployment of the Internet in the World
November 2006
TECO-WIS, Seoul 4
Internet Status as viewed by WMO ET-CTS
• Noted some progress in implementation of TCP/IP procedures around the various WMO administrative regions– recently for smaller sites
– major centers had already reported conversion at previous meetings
• Experience is good and reports on reliability are reassuring• Still not recommended as unique method of data acquisition for
mission critical activities– Internet does not provide guaranteed service levels
– No operator has complete Internet responsibility, since amalgamation of numerous telecommunication systems
• Security is an important concern, requires efforts and strong commitment by all
November 2006
TECO-WIS, Seoul 5
TCP/IP Protocol Suite – RFC112 and RFC 1123
APPLICATION
PRESENTATION
SESSION
TRANSPORT
NETWORK
DATA LINK
PHYSICAL
FTP, FTPS, TELNET, SMTP, SNMP, HTTP,
HTTPS
NFS(Network File
Service)XDR
(External Data Representation)
RPC(Remote
Procedure Call)
TCP, UDP
IPRouting Protocols
ICMP
ARP, RARP
Not Specified
INTERNET PROTOCOL SUITE
November 2006
TECO-WIS, Seoul 6
Use of TCP/IP on the GTS
• As recommended TCP/IP on the GTS for several years• Benefits equate direct savings in financial and human
resource costs to Members– reduced costs for communications equipment purchase and
maintenance– reduced software development work - use of industry standard
software systems
November 2006
TECO-WIS, Seoul 7
Common Protocols allow Coexistence
• Internet can be used as:– an underlying technology for some components of the GTS in special
conditions
– as a backup to the GTS
– as a complement to the GTS
Communication Component
Function
GTS Delivery of time critical communication for weather, water and climate operations
Internet Communication for less critical requirements and possibly for large volumes of data
November 2006
TECO-WIS, Seoul 8
Telecommunication Options
BROADCASTNETWORK
GTS
INTERNET
CENTER B
OTHER NON-GTS LINKS
CENTER A
INTERNET
November 2006
TECO-WIS, Seoul 9
Internet Access Types
• Dial-up– Based on public telephone system– Typically 64 Kbps or less– Usually billed on time– Short connections initiated by user’s (or centre’s) end
• Permanent– Broadband (cable, DSL) or dedicated link– Typically 1 Mbps or better– Higher cost– Faster– Connection always established– Good for data providers
November 2006
TECO-WIS, Seoul 10
Implementation for Client-only Usage
• Simple computer is sufficient to access Internet• Usually limited to small interactions initiated by user• Non-dedicated link (dial-up, DSL, cable) might be sufficient• Important to secure computer against unautorized incoming threats
– Usually the simplest rules – deny all incoming– PC based « personal use » firewall software, such as
• http://www.zonelabs.com/• http://www.personalfirewall.comodo.com/• http://www.sunbelt-software.com/kerio.cfm
– Small « personal use » firewall, such as• http://www.linksys.com• http://dlink.com
INTERNETROUTER /FIREWALL
November 2006
TECO-WIS, Seoul 11
Implementation for Servers
• Usually requires a dedicated link• May be implemented with servers
– within your organization• Completely under your responsibility
• Usually more flexible, more control
– Contracted to a hosting service provider• May be more attractive if little expertise in system and security
management
• May have less control and flexibility
• Requires very clear statement of work and deliverables, especially regarding Service Level Agreements (support issues)
November 2006
TECO-WIS, Seoul 12
Official IP Addresses
• It is essential to have a standard in the addressing scheme– Currently IPv4 most widely spread– IPv6 being deployed slowly. Not used in GTS yet.
• It is essential to have uniqueness in the allocation of addresses– Since the GTS (and of course Internet) is not built as a unique
network under the complete authority of a single organization, the allocation of addresses must therefore go through the official bodies
November 2006
TECO-WIS, Seoul 14
The Internet Security Threat
• Motivation– Obtain information or resources
• An attack can be motivated by the will to obtain information, for strategic, ideological, financial or intelligence reasons, or resources like storage, supercomputing or a link to an organization’s partner.
– Desire to cause harm• Another motivation can be to prevent an organization to fulfil its mission
properly, by blocking or modifying services or information, for revenge, terrorism, blackmail or malicious reasons.
– Playful or exploration• Another kind of motivation is curiosity, boredom, game or challenge. Many
famous governmental institutions have been hit by such motivated attacks, degrading their reputation.
– Accident• The last category is human or physical accident. It can take many forms and
touch any part of the information system (network, hardware and software), and can be prevented by an adequate disaster recovery procedures, such as implementing system redundancy and automatic failover procedures.
• Regardless of motivation, the threat is real
November 2006
TECO-WIS, Seoul 15
The Internet Security Threat – Common Threats
• Malicious codes: viruses, worms, Trojan horses • Denial of service• Malicious hacking• Spying• Compromising and abuse of system resources
November 2006
TECO-WIS, Seoul 16
Impacts of Security Breaches
• System and service impacts that disrupt or incapacitate actual systems or services– System slow down: the events cause the systems to slow down for no apparent reason.– System rendered unavailable: the events cause the systems to stop functioning altogether. – System or component of system destroyed: the events cause not only the systems and
services not to be available for a period of time, but cause the destruction of resources. – System apparently normal, but information stolen or compromised: the events that lead to
these impacts usually reside on the systems in a way not to be detected. Often, the reason is to steal or spy. The impacts can be severe, as stolen information can be of sensitive or commercial nature. Compromised information may have public safety implications or political, religious, sexual or racial contents. The organization’s reputation and future may be at stakes as well as safety of life.
– System used to compromise others: the events would compromise an organization’s systems in a way not to be detected, and may be left unused for a long time. However, these components can be used to compromise other systems. Although the impact on a given organization may seem negligible, harm to other organizations is possible. An organization could be falsely accused of being the source of trouble because of this technique.
• Administrative, legal and reputation impacts– All organizations have a “network” responsibility. They must mitigate the problems of
security and ensure they are not the cause of problems to others. Failure to do so may eventually lead to legal action. It is also obvious that bad information and poor service will certainly have administrative impacts as well as loss of reputation impacts.
November 2006
TECO-WIS, Seoul 17
Information Technology Security Best Practices
• Network architecture– Local Area Networks– Wide Area Networks– Wireless LAN– Firewall systems
• Remote access• Server access and security
– File system authorisation rules• Security policies
– The requirement for a security policy– Developing a policy
• Threat and Risk Assessments (TRA)• Policy control• Procedures
– System management– New system installation and change management– Installation of security patches– User account management– Backup / restore procedures and regular testing– Detection procedures– Response/recovery procedures
• Public server configuration
November 2006
TECO-WIS, Seoul 18
Most Basic Security Tool: Firewalls
• Types– Packet filters– Application Layer firewalls
• By default should block all unauthorized traffic– Protects systems against unwanted access
• Can be used in many places in the networks– Not just for security with the internet
November 2006
TECO-WIS, Seoul 19
Possible Placement of Firewalls
CENTER A
PUBLIC SUBNET
GTS
INTERNET
WORKSTATION 1
WORKSTATION 2
WAFS RECEIVER
DIGITAL VIDEO BROADCAST
RECEIVER
INTERNAL ROUTER / FIREWALL
MESSAGE SWITCHING SERVER
1
MESSAGE SWITCHING SERVER
2
ACCESS DEVICE ROUTER / FIREWALL
VPN INTERFACE
DMZ SUBNET
INTERNAL PROTECTED
SUBNET
OTHER SYSTEMS
ACCESS DEVICE ROUTER / FIREWALL
FIREWALL
LINK PROVIDED BY TELECOM SUPPLIER
LINK PROVIDED BY INTERNET SUPPLIER
WEB PORTAL / SERVER 1
WEB PORTAL / SERVER 2
FIREWALLS BLOCK ALL TRAFFIC IN
BOTH DIRECTIONS BY DEFAULT, ALLOWS
ONLY KNOWN TRAFFIC
November 2006
TECO-WIS, Seoul 20
VPN Concept
VPN CLIENT
VPN SERVER
INTERNET
November 2006
TECO-WIS, Seoul 21
Virtual Private Networks (VPN)
Create the equivalent of a dedicated private link using the Internet as a connection media
CENTER A
PUBLIC SUBNET
GTS
INTERNET
WORKSTATION 1
WORKSTATION 2
WAFS RECEIVER
DIGITAL VIDEO BROADCAST
RECEIVER
INTERNAL ROUTER / FIREWALL
MESSAGE SWITCHING SERVER
1
MESSAGE SWITCHING SERVER
2
ACCESS DEVICE ROUTER / FIREWALL
VPN INTERFACE
DMZ SUBNET
INTERNAL PROTECTED
SUBNET
OTHER SYSTEMS
ACCESS DEVICE ROUTER / FIREWALL
FIREWALL
LINK PROVIDED BY TELECOM SUPPLIER
LINK PROVIDED BY INTERNET SUPPLIER
WEB PORTAL / SERVER 1
WEB PORTAL / SERVER 2
TYPICAL VPN OVER INTERNET CONNECTIONAND
November 2006
TECO-WIS, Seoul 22
WIS VPN Pilot Project in Regions II and V (as of Sept 2006)
Hong Kong
India
Iran
Korea
Oman
Saudi Arabia
Vietnam
Australia
Brunei
Malaysia
New Zealand
China
Soon established VPN-link with Japan
Established VPN-linkwith Japan
Japan
Singapore
10Mbps (max)
2Mbps
4Mbps
512Kbps
2Mbps
1Mbps
100Mbps (max)
3Mbps
2Mbps
2Mbps
1MbpsInternet
100Mbps (max)
100Mbps (max)
256Mbps (min)- 440Mbps
(max)
November 2006
TECO-WIS, Seoul 23
Establishing a VPN Link
• VPN links have many parameters– Confirm the protocols to be used, such as IPsec, pre-shared
secrets – Define the pre-shared secret. This “password” must be defined
and be the same on both sides – Confirm the VPN platform to be used – Agree on IP addresses to exchange on the link – Modify filter rules on the firewall – Implement the define configuration – Test
November 2006
TECO-WIS, Seoul 24
File Transfers and FTP servers
• Uses File Transfer Protocol
• Can be used for dissemination or exchange of bulk meteorological data through Internet, GTS or other local/wide area networks
• Recommended for predefined users
• Efficient data exchange protocol
• Good for both push and pull configurations
• File Naming is important – see Man 386 Att II.15
November 2006
TECO-WIS, Seoul 25
FTP Server Implementation
November 2006
TECO-WIS, Seoul 26
Electronic Mail
• Uses the Simple Mail Transfer Protocol (SMTP)• Complementary method of data input into the GTS
– Should not be used to replace GTS data exchanges for mission critical components
– Usually can not guarantee real time data delivery– Requires sites to collect messages (some examples: Washington, New
Zealand, Tokyo, Beijing)– Requires a strong quality control at the collecting center as the collected
messages often contain several typing or format mistakes• Mostly a push mechanism• May be used for notification (for example that a file is available for
delivery while the file itself is placed on an FTP server)• Excellent general communication tool• Important entry point for virusses, worms and Trojan Horses• Must deal with SPAM problem
– Spamming is the abuse of electronic messaging systems to send unsolicited, undesired bulk messages
November 2006
TECO-WIS, Seoul 27
Email Implementation
CENTER A
PUBLIC SUBNET
GTS
INTERNET
WORKSTATION 1
WORKSTATION 2
WAFS RECEIVER
DIGITAL VIDEO BROADCAST
RECEIVER
INTERNAL ROUTER / FIREWALL
MESSAGE SWITCHING SERVER
1
MESSAGE SWITCHING SERVER
2
ACCESS DEVICE ROUTER / FIREWALL
VPN INTERFACE
DMZ SUBNET
INTERNAL PROTECTED
SUBNET
EMAILSERVER
ACCESS DEVICE ROUTER / FIREWALL
FIREWALL
LINK PROVIDED BY TELECOM SUPPLIER
LINK PROVIDED BY INTERNET SUPPLIER
WEB PORTAL / SERVER 1
WEB PORTAL / SERVER 2
TYPICAL EMAIL SERVER EXCHANGES
VIRUS & SPAM
FILTERS
TYPICAL EMAIL USER EXCHANGES
November 2006
TECO-WIS, Seoul 28
Web Servers
• Based primarily on Hyper Text Transfer Protocol (HTTP)• Used to make available various data and reports, available to users
who request the information by downloading the various « web pages » (pull mechanism)
• Offers an intuitive approach to presentation of data and links between data elements
• Allows complex scripts and data management tools to be added• Requires permanent connection to the Internet• Requires careful and significant planning and maintenance
– Weather data is updated very often
– Demand for weather data can be very high
– In large sites can become very complex
November 2006
TECO-WIS, Seoul 29
Web Server Implementation
CENTER A
PUBLIC SUBNET
GTS
INTERNET
WORKSTATION 1
WORKSTATION 2
WAFS RECEIVER
DIGITAL VIDEO BROADCAST
RECEIVER
INTERNAL ROUTER / FIREWALL
MESSAGE SWITCHING SERVER
1
MESSAGE SWITCHING SERVER
2
ACCESS DEVICE ROUTER / FIREWALL
VPN INTERFACE
DMZ SUBNET
INTERNAL PROTECTED
SUBNET
OTHER SYSTEMS
ACCESS DEVICE ROUTER / FIREWALL
FIREWALL
LINK PROVIDED BY TELECOM SUPPLIER
LINK PROVIDED BY INTERNET SUPPLIER
WEB PORTAL / SERVER 1
WEB PORTAL / SERVER 2
TYPICAL WEB SERVER ACCESS
November 2006
TECO-WIS, Seoul 31
Conclusion
• Internet is part of the « Network Structure » of the WIS• Should be used mostly for non real time, non mission
critical traffic• It complements the information exchange infrastructure
– As a separate network– As a backup network– As an underlying technology to simulate dedicated links for the
GTS where no other means are possible or economically sustainable
• Security is an essential concern and must be addressed
November 2006
TECO-WIS, Seoul 32
Important Documents
http://www.wmo.int/web/www/documents.html
• Manual 386, Attachment II.15 – Use of TCP/IP on the GTS (Revision 3, Sept 2006)
• Guide on Information Technology Security (Sept 2006)• Guide on Internet Practices (Sept 2006)• Guide on use of FTP and FTP servers at WWW centres
(Sept 2006)• Guidance on IPSec-based VPNs over the Internet (April
2004)
November 2006
TECO-WIS, Seoul 33
Questions?