Rwanda GovNet

Xuan Pan, Nkusi Issa, Claude Hakizimana, Joakim Slettengren, Innocent Nkurunziza

Team 2 - csd2006- [email protected]

Post on 29-Dec-2015

TRANSCRIPT

Page 1: Rwanda GovNet

Xuan Pan, Nkusi Issa, Claude Hakizimana, Joakim Slettengren, Innocent Nkurunziza

Team 2 - csd2006- [email protected]

Page 2: Agenda

• Project background
• Goals
• Implementation phase
• Video
• Conclusions
• Future recommendations
• Questions

Page 3: Agenda

Project background, Goals, Implementation phase, Video, Conclusions, Future recommendations, Questions

Page 4: Project background

• A new fiber optic network was installed for government departments in Kigali, Rwanda
• Faced network instability due to viruses, DoS etc.
• Difficult to detect or prevent the user causing problems
• Difficult to monitor who was using the network resources
• Lack of network policies

Page 5: GovNet pilot project requirements

• Pilot project for selected nodes of the network
• Establish basic network security
• Bandwidth monitoring, network management
• Create network policies
• Easy to use and cheap, open source

Page 6: Principal

• First principal, RITA, Rwanda Information and Technology Authority
• The GovNet team got a new principal in March, Ministry of Infrastructure
• Changes of the goals
• Focus mainly on Ministry of Infrastructure and its PSOs (RITA)

Page 7: Agenda

Project background, Goals, Implementation phase, Video, Conclusions, Future recommendations, Questions

Page 8: Goals 1/2

• Replace Linux routers with network equipment
• Increase connectivity between government departments
• Develop an AUP
• Present a network security solution
• Present a network management solution

Page 9: Goals 2/2

• Demonstrate VoIP in at least two sites
• Conduct a training session to ensure the sustainability of the solutions

Page 10: Agenda

Project background, Goals, Implementation phase, Video, Conclusions, Future recommendations, Questions

Page 11: Equipment procurement

• Uncertain funding delayed the equipment procurement
• Quotations were collected
• New funding agency, new procurement rules
• New tender opening date, June 1st 2006

Page 12: Temporary solution

• Desktop computers
• Borrowed network equipment from other not yet implemented ICT projects

Page 13: GovNet topology

• Separate VLAN in the fiber backbone
• Using one centralized gateway
• Removed NATs at the nodes

[Topology diagram: Terracom, Internet, GovNet Gateway, RITA, MININFRA, New institution. Legend: Fibre cable, VSAT Link]

Page 14: Security Solution for GovNet

1. Cost-efficient

2. Centralized

3. Scalable

and decentralized

Page 15: Methodology

• Risk analysis
• Acceptable User Policy
• System Weakness analysis-Nessus
• Intrusion Detection System
• 802.1x+Radius EAP-TLS

[Diagram: Threat, Attack, Vulnerability, Impact, Deterrent Control, Detective Control, Preventative Control, Corrective Control. Relation labels: Create, Exploited, Result in, Reduce, Decrease, Discover, Protect, Trigger, ???]

Page 16: AUP and Update service

• Microsoft Windows Server Update Services (WSUS)
• Acceptable User Policy
• Best Practices

Page 17: Nessus

• Each ministry has one scanner
• To use free plug-ins
• To use selected plug-ins when scanning

Page 18: Authentication Challenge one

decentralization

[Diagram: Ministry A 10.10.10.1, Ministry B 10.10.10.2, ISP, Terracom, Certification Authority and Authentication Server. Labels: Client side certificate, Certificate of CA, Server side certificate]

Page 19: Authentication Challenge two

Alcatel Switch issue

[Diagram: Procurement Contract, Supplier, Configuration Guide, Trial version, Update. Timeline labels: Pre-study Phase, Implementation Phase, Currently, Future]

Page 20: Intrusion Detection System

[Diagram: Ministry A 10.0.5.2 (Sensor, SQL), Ministry B 10.0.5.2 (Sensor, SQL), …, ISP (Sensor, SQL), Snort Center, ACID]

Page 21: Intrusion Protection System -- Modules

1. Configuration File

2. Debug mode or Daemon

3. Ignore list

4. System information detection module

5. Database communication module

6. Action module

7. Log module

Page 22: Intrusion Protection System -- Function Diagram

Page 23: Training session

Basics of network security such as security planning, policies and mechanisms

1. Network monitoring with Nagios
2. Network vulnerability scan with Nessus

1. AAA
2. Intrusion detection system with Snort
3. Intrusion protection program

Network management and bandwidth monitoring with NTOP

Page 24: Network management 1/3

• Installed and configured Nagios host and service monitor
• Sends e-mail notifications
• Will be extended with SMS notifications

Page 25: Network management 2/3

• Installed MRTG
• Monitors the external bandwidth
• Monitors throughput at each node
• Will monitor the equipment of the ISP

Page 26: Network management 3/3

• Installed NTOP
• Monitors user bandwidth usage
• Can find viral activity
• Can find file sharing users

Page 27: VoIP demonstration

• Installed the SIP server SER
• Used software clients
• Tested between users at Mininfra and RITA
• Can be extended with hardware phones

Page 28: Agenda

Project background, Goals, Implementation phase, Video, Conclusions, Future recommendations, Questions

Page 29: Agenda

Project background, Goals, Implementation phase, Video, Conclusions, Future recommendations, Questions

Page 30: Conclusions

• Despite the delayed equipment, the GovNet team were able to partly fulfill all goals
• The equipment will most probably arrive in Rwanda in mid-June
• The three Rwandan team members will then install the solutions and return the borrowed equipment

Page 31: Agenda

Project background, Goals, Implementation phase, Video, Conclusions, Future recommendations, Questions

Page 32: Future Recommendations

• Ways of optimizing ICT investments, better planning
• Better documentation
• Centralized web caching
• More spare equipment
• GovNet intranet

Page 33: Agenda

Project background, Goals, Implementation phase, Video, Conclusions, Future recommendations, Questions?

Page 34: Thanks for listening

Rwanda GovNet [email protected]