Dr. Haris Stellakis discusses the security of the SYZEFXIS national network for public administration in Greece. He outlines the history and role of the SYZEFXIS network in connecting over 4,000 public agencies since 2006. Stellakis then describes the multi-stage security architecture of SYZEFXIS, including perimeter security, centrally managed security devices, and policies regarding internal and external traffic. Finally, he previews plans to enhance security for the new SYZEFXIS II network through state-of-the-art VPN technologies, independent security auditing, and close collaboration between stakeholders.
1. The Security of National Network of Public Administration «SYZEFXIS»
Dr. Haris Stellakis
Program Portfolio Manager, Chief Security Officer of “SYZEFXIS” Network
Information Society SA
March 4, 2015
2. A Life-long Partner
[Timeline figure, 2000 – 2020]
3rd Community Support Framework
4th Community Support Framework
5th Community Support Framework
Establishment of Information Society SA
900M€ 1,300M€
Acquisition of DIGITAL AID SA
Acquisition of Observatory of Digital Greece SA
Dr. Haris Stellakis – 03/2015
3. The Role of Information Society SA
Public Administration, Citizens, Businesses
Implements, Facilitates, State Aids, Observes
Informatics
• ~ 180 M€
Public Reform
• ~ 70 M€
Telecommunications
• Syzefxis
• MAN
• Rural Broadband
4. Telecom Projects
SYZEFXIS II (600 M€)
RURAL (160 M€)
Supplemental Actions for SYZEFXIS II (10 M€)
SYZEFXIS I (45 M€)
MAN (5 M€)
Planning Tender Auctions Implementation Operations
Effort by Vendors
Effort by I.S. SA
5. SYZEFXIS: The State’s Telecom backbone
Interoperability and Apps G2B / G2C
Ministries – General Secretaries
Municipalities
Citizen Service Centers
Financial Agencies
Health Agencies
Citizen Protection Agencies (Police, etc)
Armed Forces
EU Agencies
Justice Courts
Independent Agencies
6. SYZEFXIS: 2006-2013
Agency Type    Access Speed    Agencies
ADSL           24/1 Mbps       1428
3G             2/1 Mbps        50
SMALL          2/2 Mbps        2488
MEDIUM         4-8/4-8 Mbps    434
LARGE          34/34 Mbps      85
TOTAL                          4485
Free broadband access (2 – 34 Mbps)
Free on-net telephony services, as well as off-net at competitive prices
Free web hosting or routing to external ISPs
Same for email services
Connection to EU Network “S-Testa”
Free teleconferencing services to specific deployments
7. SYZEFXIS I: 2013-14
Metropolitan Area Fiber Optic Networks
[Network diagram. Node labels: PoP OTE; MAN Switch; SYZEFXIS I Router; PBX; SHDSL access modem; MAN Access Node; MAN Main Node (KK); MAN node nearest to OTE. Link labels: FE, GE, GE or FE, PRA, X.21, 2Mbps.]
8. SYZEFXIS II: 2015-2018
[Bar chart. Years: 2005, 2006, 2008, 2009, 2010, 2014. Values: 1.800, 3.000, 3.250, 4.450, 6.000, 34.000.]
SIZE        SPEED (Mbps)
1 ADSL      24/1
2 SMALL     10/10
3 MEDIUM    100/100
4 LARGE     1000/1000
Secure broadband connection to 34.000 public points and provision of telecom / multimedia services
50% reduction to annual OPEX
Wireless access services for 55.000 Government Agents through the subsidization of smartphones
Secure services to Public Sector
9. SYZEFXIS II: 5 Subprojects
SIX / DC
Wireless Islet
Islets 1-9
Telecom Islets 1-8
Security / Telephony / Teleconferencing / Cabling
ISP / SLA
10. Security in SYZEFXIS I (1/4)
Multi-stage Security Architecture:
Provision of different VPNs per Agency and/or App
Perimeter Security against the Internet
• Private IP addressing
• Connection through proxy
Centrally managed Security devices
• Firewalls & Intrusion Detection Systems
• Antivirus & antispam mechanisms
• Multiple profile Web content filtering services
Perimeter Security per Islet
• Intra-VPN communication for specific apps / services, through the use of access lists
• Control of Intra-VPN traffic
11. Security in SYZEFXIS I (2/4)
Security Policy:
Within SYZEFXIS
• Intra-VPN traffic
• Inter-VPN traffic
Outside of SYZEFXIS
• Internet
• Educational Network “EDET”
• EU Network s-Testa
Lifting of perimeter security is subject to approval by Information Society SA
Software control mechanisms
User’s information
Perimeter Security lifting:
• Ticket submission
• Evaluation by IS SA
• Reporting to Vendor
• Ticket implementation (upon approval)
• Reporting to Applicant Agency
12. Security in SYZEFXIS I (3/4)
The role of Information Society SA:
To monitor the project vendors
To support the public Agencies
To implement and improve the security policy
To leverage the collected knowledge towards the design of next-generation SYZEFXIS
[Chart: Agency Requests]
[Bar chart: Agency Categories. Regions - Municipalities; Hospitals; Hellenic Police - Fire Service - Coast Guard; Financial Services; Ministries - General Secretariats; Social Solidarity Services - Insurance Funds; Urban Planning Offices; Special Managing Authorities of EU Programmes; Museums; Other public services.]
[Pie chart: Request Categories. Shares shown: 39%, 26%, 20%, 6%, 3%, 3%, 2%, 1%. Legend: Opening additional on-net ports; Assignment of a real IP address; Opening additional off-net ports; Access to a site; CPE settings; Proxy bypass; Communication with other networks; DNS update.]
13. Security in SYZEFXIS I (4/4)
State Elections through SYZEFXIS:
Leveraging of telephone infrastructure
Municipalities, Prefectures, Ministry of Interiors
Leveraging of internet infrastructure
Creation of a VPN between MoI, SingularLogic and Zappeio Megaro for the communication of results
Full functionality was tested in a wide-scale drill (5/2014)
2014 and 2015 Elections were completed successfully
14. Security in SYZEFXIS II (1/5)
A combination of Actions
Security / Telephony / Teleconferencing / Cabling
Independent Security Auditor (1,3 M€)
Infrastructure
Services
15. Security in SYZEFXIS II (2/5)
Security Infrastructure and Services:
Procurement of suitable security equipment
Development of a security management information system
Operation services based on SLAs (Routing, QoS)
Security Services
• IP Firewall, IPS, VPN, Email & Web Antivirus-Antispam, Web Content Filtering
User training
16. Security in SYZEFXIS II (3/5)
State-of-the-art Architecture:
Leveraging IPsec VPN technologies
Ability to support multiple vendors in contract framework
Ability to support gradual deployment
Ability to upgrade security level for some sensitive Agencies, through the use of special-purpose encrypting devices
[Architecture diagram. Labels: Κ.Υ.Α. (Vendor 1); Κ.Υ.Α. (Vendor 2); Κ.Υ.Α. (Vendor N); Κ.Σ.Α.; Peripheral Security Devices (Vendor 1); Peripheral Security Devices (Vendor 2); Peripheral Security Devices (Vendor N); Creation of VPNs; Agencies outside SYZEFXIS II.]
17. Security in SYZEFXIS II (4/5)
Independent Security Auditor:
Development of an ISO 27001 based ISMS
Network security auditing
Development of a specialized Information System for Security Control and Management
Consulting services / security “think tank”
18. Security in SYZEFXIS II (5/5)
At the operational level:
Creation of an independent Department for Telecommunication projects
• Discrete group for SYZEFXIS
Creation of a task force among all stakeholders
• Information Society SA
• Project vendors
• Public Agencies
• Ministry of Public Reform
• Other Agencies (e.g., Greek FCC, etc.)
[Stakeholder diagram. Labels: Information Society SA; ΥΕΔΑ; Public Agencies; Project Vendors; Security Auditor; Other Agencies.]
19. Epilogue
Information Society, in collaboration with:
The Ministry of Public Reform,
The EU Managing Authorities, and
The project vendors
Facilitate:
The terms and specs,
The framework and procedures,
The tools and mechanisms, and
The resources
That assure the security of the SYZEFXIS network and therefore the flawless operation of the Greek Public Sector.