Channel Access Security 2006 O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 2 Channel Access Security  The IOC Application.

Slides:

Advertisements

Similar presentations

Make This work with EPICS! 2006

Advertisements

CLS Process Variable Database By: Diony Medrano. CLS PV Database - Topics Background Design Constraints Design and Implementation Benefits and Future.

1 1999/Ph 514: Working With an IOC EPICS Working with an IOC Marty Kraimer APS.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

EPICS Base R and beyond Andrew Johnson Computer Scientist, AES Controls Group.

EPICS Channel Access Overview 2006

1 Dynamic DNS. 2 Module - Dynamic DNS ♦ Overview The domain names and IP addresses of hosts and the devices may change for many reasons. This module focuses.

Channel Access Protocol Andrew Johnson Computer Scientist, AES Controls Group.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

WebGoat & WebScarab “What is computer security for $1000 Alex?”

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

14.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

Telnet/SSH Tim Jansen, Mike Stanislawski. TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the.

70-270, MCSE/MCSA Guide to Installing and Managing Microsoft Windows XP Professional and Windows Server 2003 Chapter Nine Managing File System Access.

Cambodia-India Entrepreneurship Development Centre - : :.... :-:-

The Soft-IOC Based Alarm Handler – an Operations View Pam Gurd October 31, 2007.

Web Proxy Server Anagh Pathak Jesus Cervantes Henry Tjhen Luis Luna.

Using the Windows Event Viewer and Task Scheduler Chapter 5.

Module 2: Planning to Install SQL Server. Overview Hardware Installation Considerations SQL Server 2000 Editions Software Installation Considerations.

John Degenhart Joseph Allen.  What is FTP?  Communication over Control connection  Communication over Data Connection  File Type  Data Structure.

A U.S. Department of Energy Office of Science Laboratory Operated by The University of Chicago Argonne National Laboratory Office of Science U.S. Department.

1 Enabling Secure Internet Access with ISA Server.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

Lucretia - Floodland Flight Simulator for ATF2 Glen White SLAC ATF2 Project Meeting Dec 2007.

Test Review. What is the main advantage to using shadow copies?

CS252: Systems Programming Ninghui Li Final Exam Review.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Troubleshooting Your Network Networking for Home and Small Businesses.

Configuring a network os

Channel Archiver Stats & Problems Kay Kasemir, Greg Lawson, Jeff Patton Presented by Xiaosong Geng (ORNL/SNS) March 2008.

Channel Archiver Introduction 2006

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced Chapter 5: Managing File Access.

Copyright 2000 eMation SECURITY - Controlling Data Access with

11 MANAGING AND DISTRIBUTING SOFTWARE BY USING GROUP POLICY Chapter 5.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 6: Name Resolution.

Chapter 13 Users, Groups Profiles and Policies. Learning Objectives Understand Windows XP Professional user accounts Understand the different types of.

DNS Zones. DNS records kept in zones DNS server is authoritative for a domain if it hosts the zone for that domain Sub-domains can be kept in same zone.

Jefferson Lab Remote Access Review: Free-Electron Laser Wesley Moore FEL Computer Scientist 01 December 2010.

Cisco ASA 5505 Joseph Cicero Northeast Wisconsin Technical College.

1 Application Security: Electronic Commerce and Chapter 9 Copyright 2003 Prentice-Hall.

Managed by UT-Battelle for the Department of Energy Kay Kasemir ORNL/SNS Feb Material copied from the IOC Application Developer's.

Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.

General Time Update David Thompson Epics Collaboration Meeting June 14, 2006.

SNS Alarm System Status Curtis Dunn Control System Suite/Eclipse Frameworks Workshop EPICS Collaboration Meeting June 12-16, 2006.

Page 1 NTFS and Share Permissions Lecture 6 Hassan Shuja 10/26/2004.

IIS and.Net security -Vasudha Bhat. What is IIS? Why do we need IIS? Internet Information Services (IIS) is a Web server, its primary job is to accept.

Linux Services Configuration

Configuring AAA requires four basic steps: 1.Enable AAA (new-model). 2.Configure security server network parameters. 3.Define one or more method lists.

Administering Microsoft Windows Server 2003 Chapter 2.

Channel Access Client Coding 2006

ROCS Web Based Reporting Tool Using SNS Relational Database By Katia Danilova, Ernest L. Williams Jr. Control Systems group, ASD, SNS.

Configuration Modes and TFTP Honolulu Community College Cisco Academy Training Center Semester 2 Version 2.1.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Three Managing Recipients.

Protocols Monil Adhikari. Agenda Introduction Port Numbers Non Secure Protocols FTP HTTP Telnet POP3, SMTP Secure Protocols HTTPS.

Applications Kay Kasemir ORNL/SNS Using Information and pictures from Matthias Clausen, Jan Hatje, and Helge Rickens (DESY) October 2007.

This was written with the assumption that workbooks would be added. Even if these are not introduced until later, the same basic ideas apply Hopefully.

Monitoring Dynamic IOC Installations Using the alive Record Dohn Arms Beamline Controls & Data Acquisition Group Advanced Photon Source.

Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.

Chapter 6.  Upon completion of this chapter, you should be able to:  Configure switches  Configure VLANs  Verify configuration settings  Troubleshoot.

Web and Proxy Server.

Unit 7 Learning Objectives

Introduction to Operating Systems

HARDENING CLIENT COMPUTERS

IS3440 Linux Security Unit 6 Using Layered Security for Access Control

Introduction to Operating Systems

Lab 7 - Topics Establishing SSH Connection Install SSH Configure SSH

Configuring Internet-related services

FTP AND COMMAND PROCESSING IN FTP

Cloud Migration Training

Presentation transcript:

Channel Access Security 2006

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 2 Channel Access Security  The IOC Application Developer's Guide has a full chapter about AS, about 20 pages for the R release.  The CA server decides what type of access is permitted. For the IOC, this is implemented as follows:  Each record is assigned to an Access Security Group by setting its ASG field  "DEFAULT", "VAC_ENGINEER", …  Each ASG is defined via Rules. Read and write permissions depend on the  Name of the user who runs the CA client  Name of the computer on which the CA client runs  Type of record field (two, fixed categories)  Optionally a CALC-record type computation

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 3 Pros and Cons  CA Security is very flexible  Prohibit "write" access to a list of PVs, unless accessed by  Specific user  At specific computer  Under specific circumstances (machine mode, …)  Limitations  Designed for high performance in "friendly" environment.  Won't affect access via IOC shell.  User and computer names are sent by client, without authentication, in clear text.  Meant to aid operations, avoid mistakes, not to prevent malicious attacks.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 4 Default Setup  Doing nothing is equivalent to this:  Create file "as.cfg": ASG(DEFAULT) { RULE(1, READ) RULE(1, WRITE) }  Add this line to your st.cmd: asSetFilename("path_to_the_file/as.cfg")  Result:  Every record uses the "DEFAULT" ASG.  … which allows full read/write.  The 'asprules' and 'asdbdump' commands now show something (on vxWorks, use 'asDump')  Caveat:  If the AS config file does not exist or contains an error, all access is prohibited!  Use 'ascheck' on the host before loading a file into the IOC.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 5 Read-Only Example  Group that allows read, but no write: ASG(READONLY) { RULE(1, READ) }  To have an effect, set the ASG field of at least one record to READONLY.  One can change ASG fields at runtime.  Via Channel Access, unless AS prohibits it…  'caput' will show that the old and new values stay the same  EDM will change cursor when over read-only field.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 6 Restricted Example  Limit write access to  members of a user access group UAG,  while on a computer in the host access group HAG: UAG(x_users) { ubuntu } HAG(x_hosts) { ubuntu } ASG(X_TEAM) { RULE(1, READ) RULE(1, WRITE) { UAG(x_users) HAG(x_hosts) } }  Caveats:  The CA client library sends the user and host names to the server. Especially the host name can be tricky:  It's not the client's IP address!  It's the result of the 'hostname' command,  … which might differ from the DNS name  The 'casr' command on the IOC can sometimes help to show who and from where is connecting via CA, and the 'asdbdump' command shows who they pretend to be.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 7 Mode-Based Example  Limit write access to times where some variable meets some criteria  ASG(MODE) { INPA(tx:setpoint) RULE(1, READ) RULE(1, WRITE) { CALC(A < 50) } }  This is based on the same code as the 'CALC' record  One can assign inputs 'A' to 'L'.  The computation should result in 0 or 1, the latter allowing access.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 8 RULE(, )  is 0 or 1.  The dbd file assigns each field to an access security level. Fields that are typically changed during operation are on level 0.  Example: For the AI record, VAL is level 0, the rest is level 1.  Rules for level 1 also grant access to level 0.  Example: Everybody can write 'VAL' (level 0), but restrict other fields: ASG(WRITE_SOME) { RULE(1, READ) RULE(0, WRITE) RULE(1, WRITE) { UAG(x_users) HAG(x_hosts) } }  is NONE, READ, or WRITE  Plus an optional TRAPWRITE, which will cause invocation of a 'trap write listener', i.e. custom C code that might be added to the IOC. This can be used to log write access by user and host, it doesn't otherwise affect access security.

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 9 And that's all I have to say about that!

O AK R IDGE N ATIONAL L ABORATORY U. S. D EPARTMENT OF E NERGY 10 Acknowledgements  Material and ideas have been copied from the IOC Application Developer's Guide  Marty Kraimer, Janet Anderson, Andrew Johnson (APS) and others