Information Society S.A. Greek Ministry of the Interior
Christos A. Moschonas, SYZEFXIS Network Technical Manager
AIFS / Athens, 6-5-2008

Project = Multiservice network
Greek Public Sector National Telecommunication Network, providing Greek Agencies with services:
• Voice
• Data
• Video
• Value Added Services

How many actors?
By the end of the year more than
One of the biggest National Networks in Europe

How many … families?
• Ministry of the Interior: Ministries – Municipalities – Regions – Prefectures – Civil Service Centers – Courts
• Ministry of Health: Hospitals – Health Service Centers
• Ministry of Defense: Pentagon & Conscription Offices
• Ministry of Finance: Taxation offices – Customs & Port Authorities

Network Map

SYZEFXIS = Broadband
• SYZEFXIS nodes have symmetrical access speeds from 2 up to 34 Mbps
• Easy upgrade to 155 & 622 Mbps
• Guaranteed Quality of Service (QoS) for voice and video services

SYZEFXIS = Broadband (II)
• 700 Mbps aggregate secure Internet feed
• 2.5 - 10 Gbps core links

Public Sector Telephony
• VoIP everywhere
• IP telephony mainly in Attica
• Zero cost for intra-telephony all over Greece between actors
• Reduced cost for outgoing telephony (mobile, national)

Video service
• Teleconference
• Multiconference

Secure Internet Access
s-TESTA Access
Secure intra-connections between public sector critical applications
• Secure access to data bases and applications
• Exchange of data between agencies
• E-government capabilities (E-gov - G2G, G2C, G2B)

Time schedule (years)
[Timeline figure: implementation: 1 (2005); operation: 3 (2006 - 2008)]

Security Levels
A. Separate IP-MPLS VPNs for each family or service
   Each VPN is distinct from the others (a hospital cannot even ping a ministry)
B. Perimetric security inside each VPN
   By default an actor in a VPN cannot be accessed by another actor in the same VPN, but access may be opened (port & IP addressing control – access lists)
C. Internet security
   Use of firewall – proxy – antivirus – antispamming – content filtering – IDS techniques
D. Tunneling - Crypto capabilities
   IPSec between access routers, per request

4 Virtual Private Networks
[Figure: the four VPNs, VPN-1 to VPN-4, for the Public Administration, Health, Finance and Conscription families]

4 Virtual Private Networks (II)
• Open communication between each actor and the remaining actors in the same VPN (open but … with perimetric security)
• Controlled – constrained communication between actors of different VPNs (just for exchange of data between critical systems in different VPNs)
• Controlled Internet access using 4 different content filtering scenarios
• Controlled – constrained communication between SYZEFXIS actors and SYZEFXIS peerings (s-TESTA, GRnet)

4 Virtual Private Networks (III)
[Network diagram: ISP PE router and PIX firewall with separate voice and data connections; distribution network (Δίκτυο Διανομής) with PE routers at Thessaloniki (Θεσσ/κη) and Sindos (Σίνδος); CE routers belonging to VPN A and VPN B]

Intra-VPN Perimetric Security
Everything between each pair of actors in the same VPN is closed, unless it has been asked to open
• We avoid virus explosion
• We avoid misuse issues between actors and DoS attacks
• Each actor has independence

Internet feed Security Infrastructure!
“Internet” … Is it Secure for SYZEFXIS?
Only certain ports can be opened towards the inner part of the network and always per request:
• 80 Web
• 443 SSL
• 25 SMTP
• 110 POP

Internet Security
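Security levels A to C (distinct VPNs, actors inside a VPN closed to each other unless an opening has been requested, and a short list of ports that can be opened from the Internet, again only per request) can be expressed as one ordered policy check. The following Python model is an added example and is not code from the SYZEFXIS project; the actor names, the 10.0.0.0/8 address blocks, the requested openings and the "icmp" / "tcp/<port>" service notation are constructed for the illustration.

```python
"""
Added example (not part of the original SYZEFXIS presentation): a small
policy model of the security levels described in the deck. Actor names,
address blocks and requested openings are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNET = "Internet"                    # pseudo-actor for outside sources
INNER_SPACE = ip_network("10.0.0.0/8")   # constructed: the network's private space

# C. Internet security: the only services that may ever be opened from the
# Internet towards the inner part of the network (and then only per request).
INTERNET_OPENABLE = {"tcp/80": "Web", "tcp/443": "SSL",
                     "tcp/25": "SMTP", "tcp/110": "POP"}


@dataclass(frozen=True)
class Actor:
    name: str
    vpn: str      # family VPN the actor belongs to (A. separate VPNs)
    prefix: str   # private address block (constructed sample)


@dataclass(frozen=True)
class Opening:
    """A per-request exception: src actor (or Internet) -> dst actor, service."""
    src: str
    dst: str
    service: str  # "icmp" or "tcp/<port>" (constructed notation)


class Policy:
    def __init__(self, actors, openings):
        self.actors = {a.name: a for a in actors}
        self.openings = frozenset(openings)

    def actor_for(self, ip):
        """Map an address to its actor; None if no actor owns it."""
        addr = ip_address(ip)
        for actor in self.actors.values():
            if addr in ip_network(actor.prefix):
                return actor
        return None

    def decide(self, src_ip, dst_ip, service):
        """Return (verdict, reason) for a flow, applying levels A-C in order."""
        src, dst = self.actor_for(src_ip), self.actor_for(dst_ip)
        if dst is None:
            return "deny", "destination is not a SYZEFXIS actor"
        if src is None:
            if ip_address(src_ip) in INNER_SPACE:
                return "deny", "unknown inner address"
            # C. Internet -> inner network: listed services only, and only per request
            if service not in INTERNET_OPENABLE:
                return "deny", f"{service} is never opened from the Internet"
            if Opening(INTERNET, dst.name, service) not in self.openings:
                return "deny", f"{service} to {dst.name} was not requested"
            return "allow", f"Internet -> {dst.name} {INTERNET_OPENABLE[service]} (per request)"
        if src.vpn != dst.vpn:
            # A. VPNs are distinct; only controlled exchanges between critical systems
            if Opening(src.name, dst.name, service) in self.openings:
                return "allow", "controlled inter-VPN exchange"
            return "deny", f"{src.vpn} VPN cannot reach {dst.vpn} VPN"
        # B. perimetric security inside the VPN: closed unless asked to open
        if Opening(src.name, dst.name, service) in self.openings:
            return "allow", "intra-VPN opening requested"
        return "deny", f"{src.name} -> {dst.name} is closed by default"


def build_demo_policy():
    """Constructed sample: three families, four actors, three requested openings."""
    actors = [
        Actor("ministry-interior", "Public Administration", "10.10.1.0/24"),
        Actor("court-athens", "Public Administration", "10.10.2.0/24"),
        Actor("hospital-thess", "Health", "10.20.1.0/24"),
        Actor("tax-office", "Finance", "10.30.1.0/24"),
    ]
    openings = [
        Opening(INTERNET, "ministry-interior", "tcp/80"),         # public web site
        Opening("court-athens", "ministry-interior", "tcp/443"),  # intra-VPN request
        Opening("tax-office", "ministry-interior", "tcp/443"),    # critical inter-VPN exchange
    ]
    return Policy(actors, openings)


if __name__ == "__main__":
    policy = build_demo_policy()
    flows = [
        ("10.20.1.5", "10.10.1.5", "icmp"),      # hospital pings ministry
        ("10.10.2.7", "10.10.1.5", "tcp/443"),   # court -> ministry, requested
        ("10.10.2.7", "10.10.1.5", "tcp/22"),    # court -> ministry, not requested
        ("203.0.113.9", "10.10.1.5", "tcp/80"),  # Internet -> ministry web
        ("203.0.113.9", "10.10.1.5", "tcp/22"),  # Internet -> ssh, never opened
        ("10.30.1.4", "10.10.1.5", "tcp/443"),   # finance -> ministry, controlled
    ]
    for src, dst, svc in flows:
        verdict, reason = policy.decide(src, dst, svc)
        print(f"{src:>12} -> {dst:<10} {svc:<8} {verdict:5} {reason}")
```

The order of the checks matters: the Internet rule is evaluated before the VPN rules so that no address outside the private space can ever reach an inner actor on a service that is not both in the short list and explicitly requested, and the VPN rules fall through to deny, so a new actor is unreachable until someone asks for an opening.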
[Internet feed diagram: Internet – Cisco 7204VXR router – Catalyst 2950-12 – PIX-525 firewall with Catalyst 2950-24 switches serving the DMZs – Catalyst 2950-12 – island network (Δίκτυο Νησίδας)]

Internet Security (II)
• Private IP addresses in every part of the Network
• You want WEB … you need Proxy
• Reverse proxy use for public sector portals
• Antivirus - both for browsing and mail access
• Content Filtering – 4 thematic profiles
• Intrusion detection systems
• Antispamming techniques for e-mail

Reverse Proxy

e-mail Security
Mail relay

SYZEFXIS remote access security
[Remote access diagram: Internet – Firewall – VPN Concentrator; IPSec tunnel from a notebook with GPRS through the mobile operator's network]

Public Key Infrastructure (PKI) for Greek Public Sector
• 50.000 digital Certificates in smart cards
• 2500 SSL certificates for public sector portals

SYZEFXIS and s-TESTA Network
• Double IPSEC tunnel with s-TESTA Headquarters & data center.
• Increased Security for accessing critical Community Applications, regarding taxes, drugs, crime, transport, social security, antifraud, etc.

SYZEFXIS and s-TESTA Network (II)
SYZEFXIS was selected as one of the first three pilot national networks in Europe for s-TESTA migration (with Finland & Spain)
Project implementer: Information Society S.A.
Project Owner: Greek Ministry of the Interior
www.syzefxis.gov.gr
Thank you!!!