Asguard Security System

University of Washington Department of Transportation
Business Systems Asguard Networks Security System
6/12/2014

Department of Transportation Services, University of Washington

Table of Contents

Overview
UTC Server
UWTS/Asguard Networks SimpleConnect™ System
Gatehouse 1
Gatehouse 2
Gatehouse 3
Triangle Garage (Gatehouse 4)
Gatehouse 5
Gatehouse 6
TrainMe (Gatehouse 9)
Logging on the SCMP
Navigating the SCMP
UTC Server Room Components
Appendix 1 - Firewall Access Rules
Appendix - ISA temperatures


Overview

The University of Washington Transportation Services' (UWTS) Gatehouses and Triangle Garage use Asguard Networks SimpleConnect™ to protect customer data. SimpleConnect™ is a centrally managed security system that creates a private network for the secure transmission of customer information. The system consists of the following devices:

- The SimpleConnect™ Management Platform (SCMP)
- Industrial Security Appliances (ISAs)

The SCMP resides on a server in the University Transportation Center where it controls and interacts with ISA devices deployed at point-of-sale locations within campus Gatehouses and the Triangle Parking Garage.

[Figures: Asguard SCMP; Asguard ISA 100; Asguard ISA 200]


Base Case Scenario

A SimpleConnect™ deployment requires a SimpleConnect™ Management Platform (SCMP) and two or more Industrial Security Appliances (ISAs). The SCMP web user interface is used to configure and manage the Private Networks that are created by the ISAs. SimpleConnect™ operates on the principle of "Network Whitelisting": only the communications explicitly specified are allowed, and everything else is dropped. Each ISA has a unique cryptographic identity, and the collection of ISA identities is what establishes a Private Network. Once the ISAs know which peer ISAs they are allowed to communicate with, they establish point-to-point VPN tunnels to one another. The Network Devices behind each ISA communicate with one another as if they were connected to the same local switch, yet their communications are secured over the untrusted Shared Network. Additionally, the ISAs enforce the user-defined communications security policies configured in the SCMP, which constrain Network Device connectivity to the minimum required. SimpleConnect™ strengthens the security posture of each Network Device by providing localized perimeter security.

UWTS Case

University of Washington Transportation Services oversees campus parking. The points in the UW parking system that involve credit card data transmission are the gatehouses and the Triangle Garage parking facility; these transmission points use the Asguard SimpleConnect™ deployment to secure that data. The following pages give details of UW's Asguard deployment.


UTC Server

UWTS/Asguard Networks SimpleConnect™ System


Gatehouse 1


Gatehouse 1 Closet Configuration

1. 100A3 Interconnection Unit (LIU)
2. Juniper Router
3. Telephony punch-down block
4. Switch for connecting multiple PCs to ISA
5. ISA power source (POE)
6. ISA 100e


Gatehouse 2


Gatehouse 2 Closet Configuration

1. Juniper Router
2. Switch for connecting multiple PCs to ISA
3. ISA 200e
4. ISA power source (POE)


Gatehouse 3


Gatehouse 3 Closet Configuration

1. Juniper Router
2. 100A3 Interconnection Unit (LIU)
3. Telephony punch-down block
4. ISA 200e
5. ISA power source (POE)


Triangle Garage (Gatehouse 4)


Gatehouse 4 Configuration (located below attendant counter)

1. ISA 200e
2. Switch for connecting multiple PCs to ISA
3. ISA power source (POE)


Gatehouse 5


Gatehouse 5 Closet Configuration

1. Telephony punch-down block
2. 100A3 Interconnection Unit (LIU)
3. Juniper Router
4. ISA power source
6. ISA 200e


Gatehouse 6


Gatehouse 6 Closet Configuration

1. Juniper Switch
2. 100A3 Interconnection Unit (LIU)
3. Telephony punch-down block
3A. Telephony punch-down block
4. ISA 200e
5. ISA power source (POE)


TrainMe (Gatehouse 9)


TrainMe (Gatehouse 9) Configuration


Logging on the SCMP

Business Systems manages the Asguard Networks system through the web user interface provided by the SimpleConnect™ Management Platform (SCMP). The SCMP is shipped with a static IP address configured on its Shared Network port. A user obtains administrative login credentials from Business Services, then, from a PC with a web browser, enters the SCMP's IP address and logs into the UWTS SimpleConnect network with those credentials.

Note: the following browsers work best with SimpleConnect: Firefox 19, Chrome 15, IE 9 or later.

1. Enter the username and password at the Sign in page.

2. From the Dashboard, use the tabs to perform the various actions.


Navigating the SCMP

Users navigate within the SCMP primarily through the Dashboard tabs. The SCMP interface allows the user to perform the following.

1. SCMP Private Network Creation
   - Create People (users)
   - Create Private Networks
   - Add People to Private Networks

2. ISA Initial Setup
   - Connect ISAs to local devices
   - Connect ISAs to the shared network
   - Supply power to ISAs

3. SCMP Private Network Configuration
   - Add auto-discovered ISAs to a Private Network
   - Assign devices to each ISA
   - Select communications policies for the devices and between ISAs

4. SCMP Additional Administrative Functions
   - Wireless settings
   - Firmware updates
   - Database backup and restore
   - Support bundle creation
   - Customer Certificates
   - Email Settings
   - Syslog Configuration
   - ISA Blink

5. ISA Additional Functions
   - Factory reset
   - Diagnostic mode
   - Support bundle creation
   - Manual SCMP Configuration
   - Replacing an ISA
   - Dealing with a lost or stolen ISA
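The whitelisting model from the Base Case Scenario section, together with steps 1, 3 and 5 of the list above (create a Private Network, add ISAs and assign devices, select policies, and deal with a lost or stolen ISA), as an added example in Python. This is not Asguard Networks code and does not use the SCMP itself; the ISA names, key bytes, device names and policies are constructed, and a hash of the key stands in for the ISA's cryptographic identity.

```python
"""Model of SimpleConnect-style "Network Whitelisting".

Added example for this guide, not Asguard Networks code. It models the
concepts the guide describes: each ISA has a cryptographic identity, the
set of identities forms a Private Network, peer ISAs get point-to-point
tunnels, and only flows named by an explicit policy are allowed. Every
ISA name, key value, device name and policy below is constructed.
"""
import hashlib
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class ISA:
    name: str
    public_key: bytes  # constructed stand-in for the ISA's key material

    @property
    def identity(self) -> str:
        """Fingerprint of the key: the ISA's unique identity in the network."""
        return hashlib.sha256(self.public_key).hexdigest()[:16]


@dataclass(frozen=True)
class Policy:
    src_device: str
    dst_device: str
    proto: str
    port: int


@dataclass
class PrivateNetwork:
    name: str
    members: dict = field(default_factory=dict)   # identity -> ISA
    devices: dict = field(default_factory=dict)   # device name -> ISA identity
    policies: list = field(default_factory=list)

    def add_isa(self, isa: ISA) -> None:
        self.members[isa.identity] = isa

    def assign_device(self, device: str, isa: ISA) -> None:
        if isa.identity not in self.members:
            raise ValueError(f"{isa.name} is not a member of {self.name}")
        self.devices[device] = isa.identity

    def tunnels(self) -> set:
        """Point-to-point tunnels: one per unordered pair of member identities."""
        return {frozenset(p) for p in combinations(sorted(self.members), 2)}

    def is_allowed(self, src_device: str, dst_device: str, proto: str, port: int) -> bool:
        """Default deny. A flow passes only if both devices sit behind member
        ISAs, the two ISAs share a tunnel (or are the same ISA), and a policy
        names exactly this source, destination, protocol and port."""
        src_isa = self.devices.get(src_device)
        dst_isa = self.devices.get(dst_device)
        if src_isa is None or dst_isa is None:
            return False
        if src_isa != dst_isa and frozenset((src_isa, dst_isa)) not in self.tunnels():
            return False
        return Policy(src_device, dst_device, proto, port) in self.policies

    def revoke(self, isa: ISA) -> None:
        """Lost or stolen ISA: dropping its identity removes its tunnels and
        strands the devices behind it, so nothing reaches them or leaves them."""
        self.members.pop(isa.identity, None)
        self.devices = {d: i for d, i in self.devices.items() if i != isa.identity}


def build_example() -> PrivateNetwork:
    """Constructed three-ISA network: two gatehouse POS sites and the UTC server room."""
    net = PrivateNetwork("UWTS-POS")
    gh1 = ISA("GH1-ISA", b"constructed-key-gh1")
    gh2 = ISA("GH2-ISA", b"constructed-key-gh2")
    utc = ISA("UTC-ISA", b"constructed-key-utc")
    for isa in (gh1, gh2, utc):
        net.add_isa(isa)
    net.assign_device("gh1-pos", gh1)
    net.assign_device("gh2-pos", gh2)
    net.assign_device("cc-server", utc)
    # Only the POS-to-server flows are whitelisted; nothing between gatehouses.
    net.policies.append(Policy("gh1-pos", "cc-server", "tcp", 1800))
    net.policies.append(Policy("gh2-pos", "cc-server", "tcp", 1800))
    return net


if __name__ == "__main__":
    net = build_example()
    print(len(net.tunnels()), "tunnels")                          # 3
    print(net.is_allowed("gh1-pos", "cc-server", "tcp", 1800))    # True
    print(net.is_allowed("gh1-pos", "gh2-pos", "tcp", 1800))      # False: no policy
    print(net.is_allowed("cc-server", "gh1-pos", "tcp", 1800))    # False: wrong direction
```

The point of the model is the default-deny path in is_allowed: a flow is rejected when either device is unknown, when the two ISAs have no tunnel, or when no policy names it. revoke shows why identity-based membership matters: dropping one identity removes that ISA's tunnels and its devices in a single step, which is what makes a lost or stolen unit harmless to the rest of the Private Network.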

Note: Detailed software documentation for using the SCMP is available from Business Systems, or you may contact Asguard Networks at Email: [email protected], Phone: (425) 213-4691.


UTC Server Room Components


Appendix 1 - Firewall Access Rules

Incoming Public Access Rules
- VPN connections come in through the public internet interface. An access list is assigned to the VPN user once the user authenticates to the firewall.
- No other rules are defined, so access from the public internet is allowed only when the communication is initiated from behind the firewall, with the exception of VPN connections.

VPN User Rules
- Port 5635 for the remote administration software allowed to Gatehouses, Triangle Cashiers, and internal servers
- Port 3389 (RDP) and Windows File Sharing allowed to the Bastion Host (10.25.84.150)
- ICMP (ping) allowed everywhere

Incoming UW Network Access Rules
- Gatehouses to Gatehouse/CC Server: TCP ports 1800-1801, UDP ports 1800-1801
- Triangle Cashiers to Triangle Server: TCP ports 1800-1801; Windows File/Print Sharing ports 137-139, 445
- Gatehouses to SQL Server: TCP port 1433; UDP port 1434
- Wheels 140.142.16.107 to Internal Servers
- Larry's PC: Windows File/Print Sharing ports 137-139, 445; port 5635 for remote administration
- McGann Report Printer: Windows File/Print Sharing ports 137-139, 445
- ICMP (ping) allowed everywhere
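The rule set above, transcribed into a small checker so that candidate flows can be tested against it. This is an added example, not the firewall's own configuration or export format: the zone names are labels chosen here; the appendix gives no protocol for the Windows file/print sharing ports and no ports for the Wheels entry, and does not state the destination for Larry's PC or the McGann Report Printer (all marked as assumptions in the code); and the "initiated from behind the firewall" behaviour for public-internet sources is modelled with an explicit established flag rather than real connection tracking.

```python
"""Checker for the Appendix 1 firewall access rules.

Added example, not the firewall's configuration. The rule table below is
transcribed from the appendix into data so sample flows can be evaluated
against it with the same default-deny semantics the appendix describes.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "*"
WINDOWS_SHARING = ((137, 139), (445, 445))   # file/print sharing ports from the appendix


@dataclass(frozen=True)
class Rule:
    src: str                          # zone label chosen for this example
    dst: str
    proto: str                        # "tcp", "udp", "icmp" or ANY
    ports: Optional[Tuple[int, int]]  # inclusive range; None = any port


def _sharing(src: str, dst: str):
    # Assumption: the appendix lists 137-139 and 445 without a protocol,
    # so both TCP and UDP are admitted here.
    return [Rule(src, dst, ANY, r) for r in WINDOWS_SHARING]


VPN_USER_RULES = [
    Rule("vpn-user", "gatehouses", "tcp", (5635, 5635)),        # remote administration
    Rule("vpn-user", "triangle-cashiers", "tcp", (5635, 5635)),
    Rule("vpn-user", "internal-servers", "tcp", (5635, 5635)),
    Rule("vpn-user", "bastion", "tcp", (3389, 3389)),           # RDP to 10.25.84.150
    *_sharing("vpn-user", "bastion"),
    Rule("vpn-user", ANY, "icmp", None),
]

UW_NETWORK_RULES = [
    Rule("gatehouses", "gatehouse-cc-server", "tcp", (1800, 1801)),
    Rule("gatehouses", "gatehouse-cc-server", "udp", (1800, 1801)),
    Rule("triangle-cashiers", "triangle-server", "tcp", (1800, 1801)),
    *_sharing("triangle-cashiers", "triangle-server"),
    Rule("gatehouses", "sql-server", "tcp", (1433, 1433)),
    Rule("gatehouses", "sql-server", "udp", (1434, 1434)),
    Rule("wheels", "internal-servers", ANY, None),    # assumption: appendix lists no ports
    *_sharing("larrys-pc", "internal-servers"),       # assumption: destination not stated
    Rule("larrys-pc", "internal-servers", "tcp", (5635, 5635)),
    *_sharing("mcgann-printer", "internal-servers"),  # assumption: destination not stated
    Rule(ANY, ANY, "icmp", None),
]

RULES = VPN_USER_RULES + UW_NETWORK_RULES


def _matches(rule: Rule, src: str, dst: str, proto: str, port: Optional[int]) -> bool:
    if rule.src not in (ANY, src) or rule.dst not in (ANY, dst):
        return False
    if rule.proto not in (ANY, proto):
        return False
    if proto == "icmp" or rule.ports is None:
        return True
    return port is not None and rule.ports[0] <= port <= rule.ports[1]


def is_allowed(src: str, dst: str, proto: str, port: Optional[int] = None,
               established_from_inside: bool = False) -> bool:
    """Default deny. Public-internet sources have no inbound rules at all:
    they pass only as the return half of a session initiated from inside.
    VPN users are a separate zone because they authenticate at the firewall first."""
    if src == "public-internet":
        return established_from_inside
    return any(_matches(r, src, dst, proto, port) for r in RULES)


def reachable_sharing_sources(dst: str):
    """Zones the rules permit to reach Windows file/print sharing ports on dst."""
    return sorted({r.src for r in RULES
                   if r.dst in (ANY, dst) and r.ports in WINDOWS_SHARING})


if __name__ == "__main__":
    print(is_allowed("gatehouses", "sql-server", "tcp", 1433))        # True
    print(is_allowed("gatehouses", "sql-server", "tcp", 1434))        # False: UDP only
    print(is_allowed("public-internet", "bastion", "tcp", 3389))      # False
    print(is_allowed("public-internet", "gatehouses", "tcp", 443,
                     established_from_inside=True))                   # True
    print(reachable_sharing_sources("bastion"))                       # ['vpn-user']
```

reachable_sharing_sources is the kind of query a reviewer runs against such a table: it lists, for a given destination, which zones the rules let reach the file/print sharing ports, which is easier to check from data than from the prose list.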


Appendix - ISA temperatures

To monitor ISA temperatures, you can get a current reading of the ISA CPU temperature via the SCMP, as long as the ISA is online.

In the SCMP, navigate to the ISA details and open the Diagnostics tab. Select "Request a diagnostic report". Once the ISA has uploaded the report, you can open it in WordPad; near the top is a section titled "CPU Temperature".

The ISAs also log temperature (along with some other vital stats) persistently every 5 minutes. This information is part of a Support Bundle that can be analyzed by Asguard. We will be analyzing the ISA-100e units from GH3 and GH5.

Finally, it sounds like things are going fine so far today, but if you need anything, anytime, please email [email protected] for the fastest response.
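Reading the temperatures programmatically, as an added example rather than Asguard tooling: the appendix says the diagnostic report is text with a "CPU Temperature" section and that the ISAs log temperature every 5 minutes into the support bundle, but the exact layout of that section and of the log lines below is constructed for this example, as is the 70 °C warning threshold.

```python
"""ISA CPU temperature from a diagnostic report and from the 5-minute log.

Added example, not Asguard Networks tooling. The layout of the "CPU
Temperature" section, the format of the persistent log lines and the
warning threshold are all constructed assumptions for this example.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

WARN_C = 70.0  # assumed threshold; not a vendor limit

# Constructed stand-in for the text of a downloaded diagnostic report.
SAMPLE_REPORT = """\
ISA Diagnostic Report
Unit: ISA-100e GH3
Uptime: 12 days

CPU Temperature
  current: 58.5 C

Interfaces
  eth0: up
"""

# Constructed stand-in for lines of the persistent 5-minute log in a support bundle.
SAMPLE_LOG = """\
2014-06-12 09:00:00 GH3 cpu_temp=58.5
2014-06-12 09:05:00 GH3 cpu_temp=61.0
2014-06-12 09:00:00 GH5 cpu_temp=69.5
2014-06-12 09:05:00 GH5 cpu_temp=72.0
2014-06-12 09:10:00 GH5 cpu_temp=n/a
"""


def report_cpu_temperature(report: str) -> Optional[float]:
    """Return the reading from the "CPU Temperature" section, or None when
    the section is absent (for example a report from an ISA that was offline)."""
    m = re.search(r"^CPU Temperature\s*\n\s*current:\s*([0-9]+(?:\.[0-9]+)?)\s*C",
                  report, re.MULTILINE)
    return float(m.group(1)) if m else None


LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<unit>\S+) cpu_temp=(?P<val>\S+)$")


def parse_log(text: str) -> Dict[str, List[Tuple[datetime, float]]]:
    """Group readings by unit; lines with unparseable values (e.g. 'n/a') are skipped."""
    series: Dict[str, List[Tuple[datetime, float]]] = {}
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        try:
            val = float(m.group("val"))
        except ValueError:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        series.setdefault(m.group("unit"), []).append((ts, val))
    return series


def hot_units(series: Dict[str, List[Tuple[datetime, float]]],
              threshold: float = WARN_C) -> Dict[str, float]:
    """Units whose peak reading reached the threshold, with that peak."""
    peaks = {unit: max(v for _, v in readings)
             for unit, readings in series.items() if readings}
    return {u: p for u, p in peaks.items() if p >= threshold}


if __name__ == "__main__":
    print(report_cpu_temperature(SAMPLE_REPORT))   # 58.5
    print(hot_units(parse_log(SAMPLE_LOG)))        # {'GH5': 72.0}
```

The report parser returns None rather than a number when the section is missing, so a caller cannot mistake an offline unit for a cool one; the log parser skips readings it cannot interpret instead of aborting, since a support bundle covering days of 5-minute samples will usually contain a few.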