
Information Society S.A. Greek Ministry of the Interior


Christos A. Moschonas, SYZEFXIS Network Technical Manager

AIFS / 6-5-2008

Project = Multiservice network

Greek Public Sector National Telecommunication Network, providing Greek Agencies with services:

• Voice
• Data
• Video
• Value Added Services

How many actors?

By the end of the year more than

One of the biggest National Networks in Europe

How many … families?

• Ministry of the Interior: Ministries – Municipalities – Regions – Prefectures – Civil Service Centers – Courts
• Ministry of Health: Hospitals – Health Service Centers
• Ministry of Defense: Pentagon & Conscription Offices
• Ministry of Finance: Taxation offices – Customs & Port Authorities

Network Map

SYZEFXIS = Broadband

SYZEFXIS nodes have symmetrical access speeds from 2 up to 34 Mbps.

Easy upgrade to 155 & 622 Mbps

Guaranteed Quality of Service (QoS) for voice and video services.

SYZEFXIS = Broadband (II)

• 700 Mbps aggregate secure Internet feed
• 2.5 - 10 Gbps core links

Public Sector Telephony

VoIP everywhere

IP telephony mainly in

• Zero cost for intra-telephony between actors, all over the network
• Reduced cost for outgoing telephony (mobile, national)

Video service

• Teleconference
• Multiconference

Secure Internet Access

s-TESTA Access

Secure intra-connections between public sector critical applications:

• Secure access to databases and applications
• Exchange of data between agencies
• E-government capabilities (E-gov - G2G, G2C, G2B)

Time schedule (years)

Implementation: 1 (2005)
Operation: 3 (2006 - 2008)

Security Levels

A. Separate IP-MPLS VPNs for each family or service. Each VPN is distinct from the others (a hospital cannot even ping a ministry).
B. Perimetric Security inside each VPN. By default an actor in a VPN cannot be accessed by another actor in the same VPN, but access may be opened on request (port & IP addressing control – access lists).
C. Internet Security. Use of firewall – proxy – antivirus – antispamming – content filtering – IDS techniques.
D. Tunneling - Crypto capabilities. IPSec between access routers, per request.

4 Virtual Private Networks

VPN-1 to VPN-4: Public Health, Administration, Finance, Conscription

4 Virtual Private Networks (II)

• Open communication between each actor and the remaining actors in the same VPN (open but … with perimetric security)
• Controlled – constrained communication between actors of different VPNs (just for exchange of data between critical systems in different VPNs)
• Controlled Internet access using 4 different content filtering scenarios
• Controlled – constrained communication between SYZEFXIS actors and SYZEFXIS peerings (s-TESTA, GRnet)

4 Virtual Private Networks (III)

[Diagram: ISP VPN with a voice connection and a data connection through a PIX firewall; PE-ISP router; distribution network (Δίκτυο Διανομής) with PE routers at Thessaloniki (Θεσσ/κη) and Sindos (Σίνδος); CE routers in VPN A and VPN B]

Intra-VPN Perimetric Security

Everything between each pair of actors in the same VPN is closed, unless opening has been requested.

• We avoid virus explosion
• We avoid misuse issues between actors and DoS attacks
• Each actor has independence

Internet feed Security Infrastructure!

“Internet” … Is it secure for SYZEFXIS?

Only certain ports can be opened towards the inner part of the network, and always per request:

• 80 Web
• 443 SSL
• 25 SMTP
• 110 POP

Internet Security
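As an added example (not part of the original presentation and not SYZEFXIS code), the following Python model encodes the policy stated on the Security Levels, 4 Virtual Private Networks and Internet Security slides so that it can be exercised against sample traffic: traffic between different VPNs is denied unless an explicit inter-VPN exception for critical-system exchange has been approved; traffic between two actors in the same VPN is closed by default and opened only per request; and the Internet feed can reach the inner network only on 80, 443, 25 and 110, and only where an opening was requested for that host. The VPN address ranges, the sample openings and the sample flows are constructed for illustration; the presentation gives none of them.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

# Ports that may ever be opened from the Internet towards the inner network
# (the list on the slide: 80 Web, 443 SSL, 25 SMTP, 110 POP).
INTERNET_ALLOWED_PORTS = {80: "web", 443: "ssl", 25: "smtp", 110: "pop"}

# Constructed address plan (an assumption for this example, not from the presentation):
# each family gets a private range of its own, standing in for a separate IP-MPLS VPN.
VPNS = {
    "public-health": ip_network("10.1.0.0/16"),
    "administration": ip_network("10.2.0.0/16"),
    "finance": ip_network("10.3.0.0/16"),
    "conscription": ip_network("10.4.0.0/16"),
}


@dataclass(frozen=True)
class Flow:
    """A connection attempt; src may be the literal "internet" for the Internet feed."""
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for protocols without ports (icmp)


@dataclass(frozen=True)
class Opening:
    """An approved per-request exception: src (host, CIDR or "internet") to dst on proto/dport."""
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def vpn_of(addr: str) -> Optional[str]:
    """Name of the VPN whose range contains addr, or None (the Internet is in no VPN)."""
    if addr == "internet":
        return None
    ip = ip_address(addr)
    for name, net in VPNS.items():
        if ip in net:
            return name
    return None


def _matches(pattern: str, addr: str) -> bool:
    """True if addr is covered by pattern ("internet", a single host, or a CIDR network)."""
    if pattern == addr:
        return True
    if pattern == "internet" or addr == "internet":
        return False
    try:
        return ip_address(addr) in ip_network(pattern, strict=False)
    except ValueError:
        return False


def _covers(opening: Opening, flow: Flow) -> bool:
    return (opening.proto == flow.proto and opening.dport == flow.dport
            and _matches(opening.src, flow.src) and _matches(opening.dst, flow.dst))


def evaluate(flow: Flow, openings: Iterable[Opening]) -> tuple:
    """Return (verdict, reason) for a flow under the default-closed policy of the slides."""
    dst_vpn = vpn_of(flow.dst)
    if dst_vpn is None:
        return ("deny", "destination is not inside any VPN")
    from_internet = flow.src == "internet"
    src_vpn = None if from_internet else vpn_of(flow.src)
    if not from_internet and src_vpn is None:
        return ("deny", "source is not inside any VPN")
    # Level C: the Internet feed can only ever be opened on the listed TCP ports.
    if from_internet and (flow.proto != "tcp" or flow.dport not in INTERNET_ALLOWED_PORTS):
        return ("deny", "port cannot be opened towards the inner network")
    # Levels A and B: everything is closed unless an approved opening matches exactly.
    opened = any(_covers(o, flow) for o in openings)
    if from_internet:
        if opened:
            return ("permit", "requested Internet opening (%s)" % INTERNET_ALLOWED_PORTS[flow.dport])
        return ("deny", "Internet port not requested for this host")
    if src_vpn != dst_vpn:
        if opened:
            return ("permit", "approved inter-VPN exchange between critical systems")
        return ("deny", "VPNs are isolated from each other")
    if opened:
        return ("permit", "approved intra-VPN opening")
    return ("deny", "intra-VPN perimeter: closed until requested")


# Constructed openings (assumed requests for this example, not real SYZEFXIS data).
SAMPLE_OPENINGS = [
    Opening("10.2.0.0/16", "10.2.1.10", "tcp", 443),   # a portal opened to its own VPN
    Opening("10.2.1.50", "10.3.0.40", "tcp", 5432),    # one administration system to one finance DB
    Opening("internet", "10.2.1.10", "tcp", 443),      # the same portal published to the Internet
]

if __name__ == "__main__":
    samples = [
        Flow("10.1.0.5", "10.2.1.10", "icmp"),          # hospital pinging a ministry host
        Flow("10.2.3.4", "10.2.1.10", "tcp", 443),      # same VPN, requested port
        Flow("10.2.3.4", "10.2.1.10", "tcp", 22),       # same VPN, never requested
        Flow("10.2.1.50", "10.3.0.40", "tcp", 5432),    # approved cross-VPN exchange
        Flow("internet", "10.2.1.10", "tcp", 443),      # published portal
        Flow("internet", "10.2.1.10", "tcp", 22),       # not an openable port at all
        Flow("internet", "10.2.3.4", "tcp", 80),        # openable port, but never requested
    ]
    for f in samples:
        verdict, reason = evaluate(f, SAMPLE_OPENINGS)
        print("%-12s -> %-12s %-5s %-5s %-6s %s" % (f.src, f.dst, f.proto, f.dport, verdict, reason))
```

The openings list plays the role of the per-request register behind the access lists on the slide: the evaluation order (inter-VPN isolation, then intra-VPN default-closed, then the Internet port whitelist) means a flow is permitted only when it is both on an openable port and explicitly requested, which is the property the "closed unless asked to open" rule relies on to contain virus spread and actor-to-actor misuse.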

[Diagram: Internet feed through a Cisco 7204VXR router and a PIX-525 firewall, with Catalyst 2950-12 and 2950-24 switches serving the DMZs and the islet network (Δίκτυο Νησίδας)]

Internet Security (II)

• Private IP addresses in every part of the Network
• You want WEB … you need Proxy
• Reverse proxy use for public sector portals
• Antivirus - both for browsing and mail access
• Content Filtering – 4 thematic profiles
• Intrusion detection systems
• Antispamming techniques for e-mail

Reverse Proxy

e-mail Security

Mail relay

SYZEFXIS remote access security

[Diagram: a notebook with GPRS, via the mobile operator, builds an IPSec tunnel across the Internet to the VPN concentrator behind the firewall]

Public Key Infrastructure (PKI)

for Greek Public Sector –

50,000 digital certificates in smart cards
2,500 SSL certificates for public sector portals

SYZEFXIS and s-TESTA Network

• Double IPSEC tunnel with s-TESTA Headquarters & data center.
• Increased security for accessing critical Community applications, regarding taxes, drugs, crime, transport, social security, antifraud, etc.

SYZEFXIS and s-TESTA Network (II)

SYZEFXIS was selected as one of the first three pilot national networks in Europe for s-TESTA migration (with Finland & Spain).

Project implementer: Information Society S.A.

Project Owner: Greek Ministry of the Interior

www.syzefxis.gov.gr

Thank you!!!