1 / 21

Geoff Molloy

Learn about network topologies, IP addresses, data delivery, firewall and DNS issues, server positioning, VPN and security, internet issues, and internet backup options for efficient and secure data transfer.

janaperez
Download Presentation

Geoff Molloy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Geoff Molloy Communications and Computing Branch Bureau of Meteorology Australia

  2. Agenda • Network Topologies • IP addresses • Data Delivery • Firewall Issues • DNS Issues • Server Positioning • VPN and Security • Internet issues • Internet Backup

  3. Network Topology

  4. IP Addresses • For Internet use the IP addresses must be supplied by your ISP • IP addresses used for GTS links cannot be used for the Internet • If you have your own address allocation you must get your ISP to route your addresses • It is best to use the same IP addresses for your hosts on both your GTS and Internet links.

  5. Data Delivery • All ftp, and socket connections can work over the internet • Email and other transport protocols possible

  6. Firewall • There are many firewalls available. • The less you allow through the more secure you network. • Should identify source and destination IP address • Identify destination tcp port number

  7. Firewall Configuration interface Serial 1 ip address 134.178.30.241 255.255.255.240 ip access-group 100 in ! access-list 100 permit tcp host 161.142.139.230 host 134.178.6.5 eq 30072 access-list 100 permit tcp host 161.142.139.230 host 134.178.6.5 eq 30073 access-list 100 permit tcp host 161.142.139.230 host 134.178.6.5 eq 30074 ! access-list 100 permit tcp host 202.1.171.2 host 134.178.6.5 range ftp-data ftp access-list 100 permit tcp host 202.1.171.3 host 134.178.6.5 range ftp-data ftp

  8. DNS Issues • IP addresses only can be used for both socket and FTP connections • DNS entries are needed to make e-mail work • DNS MX records for you e-mail server are required. • DNS entries are needed for your Web Servers.

  9. Server Positioning • Public FTP and Web servers for the Internet should be positioned on a firewall segment. • FTP and socket servers used for GTS traffic over the internet need accesses through your firewall. • access-list 100 permit tcp host 202.245.36.1 host 134.178.6.5 range ftp-data ftp • access-list 100 permit tcp host 202.141.140.211 host 134.178.6.5 eq 30071

  10. VPN and IPSEC • WMO recommend IPSEC to secure ftp and socket connections between centres • Recommendation by Rémy Giraud • Transparent for end applications so no reconfiguration of servers necessary • VPN server must be in-line with the source and destination

  11. VPN Implementation • Tunnel mode • AH ( Authentication Header) should not be used • ESP (Encapsulating Security Payload) is used for both authentication and encryption • Authentication should be done with HMAC-MD5-96 • Encryption should be done with DES • Pre-Shared secrets

  12. Information required • Pre-shared key (password) • IP address of VPN router at the other end. • Agree on what traffic will be encrypted – the access lists at both ends must match. Typically this would be the IP addresses of the host computers or NAT addresses.

  13. Typical Configuration crypto isakmp policy 1 hash md5 authentication pre-share crypto isakmp key IPSECKEY address 193.253.191.14 ! crypto ipsec transform-set CMT esp-des esp-md5-hmac ! crypto map CMYMAP 1 ipsec-isakmp set peer 193.253.191.14 set security-association lifetime seconds 600 set transform-set CMT match address 100 ! access-list 100 permit ip 131.1.0.0 0.0.255.255 130.1.0.0 0.0.255.255 ! interface serial0 crypto map CMYMAP

  14. Integrated VPN server

  15. Separate VPN box

  16. Internet Issues • The Internet can be unreliable • Need to check all ISPs in the path to get overall reliability • Most Internet Links pay by volume, so internet transfer costs are open ended • Do not have to set up bi lateral agreement.

  17. Internet Backup • Both ends must have an internet link. • Message switch must be connectable to the Internet • Accesses through internet for message switch server. • Destination and source IP addresses must be routable through Internet

  18. Data exchange by e-mail • For several small NMCs, the Internet is the only affordable telecommunication means for transmitting meteorological information, despite possible shortcomings (availability, reliability, delays). Several GTS centres have developed and are operating procedures for collecting observational bulletins via e-mail on the Internet. … developed recommended practices covering the format of the message and arrangements limiting the security risks. • Some RTHs use E-mail, including request-reply mechanisms, for providing data and products to NMCs.

  19. Email structure • The GTS message must be sent in the body of the text. • Each e-mail may contain only one GTS message, starting with the abbreviated header line. • TTAAii CCCC YYGGgg [BBB] • message text • Each line of the GTS message should not exceed 69 characters. • Binary data may be transferred in e-mail attachments. The structure of an attachment shall be identical to that of a file transferred by ftp. The length of an attachment shall not exceed 2 MBytes or as specified in a bilateral agreement. The body of the e-mail shall remain empty if attachments are used. Only one attachment per e-mail is permitted. • Attachments shall be coded in Base64 (MIME standard) • The “subject line” depends on the content of the e-mail. For e-mails that contain a GTS message in their body, the “subject line” shall contain the abbreviated header line of the message. For e-mails that contain a binary data attachment, the “subject line” shall follow the WMO file naming conventions.

  20. Email Security • E-mail is inherently insecure. To minimise security issues the receiving centre should only process GTS related e-mails from a pre-defined list of e-mail addresses. Validate the e-mail header “From:” field. To avoid problems with e-mails containing manipulated “From”-fields, centres may bilaterally agree in security strings appearing as first body line (the one and only bodyline for e-mails with attachment). • It is recommended to use specific mail accounts for GTS data transfer with bilaterally agreed names and not to receive GTS data in personal mailboxes. • A problem with some Mail Exchangers is that by default they operate as an “open-relay”. An open-relay occurs, for example, if you are on site A.COM, and you accept mail from B.NET destined for C.ORG. This means that spammers can use your mail system to distribute their e-mails. Centres should ensure that they do not operate as an open-relay. For centres using “sendmail” as the Mail Exchanger it is recommended that they use version 8.9 or later which by default denies unauthorised relaying.

  21. END

More Related