LCLS Network Security. Terri Lahey, LCLS Facility Advisory Committee, 20 April 2006.

Outline
- Engineering Teams
- Apply experience and new architectures
- Integrated Security at SLAC
  - Servers & desktops
  - Network security
  - Other security practices
- Ethernet Architecture
- What's Next?

Engineering Teams
- SCCS (network and security): Gary Buhrmaster, Antonio Ceseracciu, Charles Granieri, Fred Hooker
- LCLS: Doug Murray
- CPE: Ken Brobeck, Jim Knopf, Terri Lahey, Jingchen Zhou

Apply Experience from PEP and Implement New Architectures
- Protect accelerator components and access to the control system
  - Control the number of connections
  - Control who connects
- Meet users' needs
  - Physicists, operators and engineers need access to the control system and components so they can do their job
- Security issues exist for the networks and for the hosts on the network

Integrated Security
- Work with the SCCS security team to help us run 24x7.
- SCCS security:
  - actively participates in & monitors the main security forums, including CIAC, SANS & FIRST, and inter-lab communication, & represents SLAC to DOE
  - has knowledge of new security flaws
  - tracks break-ins
  - scans our networks for security risks via daily and scheduled scans
  - advises us on security practices (problems found, reviews our plans and helps create new architectures)
- OA scans at SLAC
- Site Assistance Visits
- Participate in the Computing Security Committee

Hosts: System Administrators
- Take security seriously in the design, implementation and maintenance of hosts
- Work with users and the security teams at SCCS
- Use SCCS-supported versions of operating systems & applications where possible
- Patch operating systems and update
- Reduce maintenance load and improve security by using taylor where possible
- Automate maintenance of production hosts
- Centralized log server & security monitoring
- Use existing servers where possible (e.g. elog)

Networks
- SCCS Networking configures the network switches and routers & manages the physical layer.
- Controls Software coordinates control system and user needs, and works closely with SCCS.
- The production accelerator network is controlled and protected.
  - Greater attention to security by both SCCS and Controls
  - The accelerator can be run disconnected from the rest of SLAC, for use if there is a security problem at SLAC.
- Isolation of the wireless network:
  - Wireless and accelerator switches are never combined.
  - Wireless is visitornet, which resides outside the SLAC firewall. Users tunnel into SLAC the same way they tunnel in from the internet: ssh, Citrix, VPN.

Networks
- Cisco switches and routers
  - Patch network firmware and upgrade versions.
  - Plan for and upgrade hardware components to avoid end-of-life
- Implement redundancy in core switches and routers, for reliability.
  - Use hot spares for device switches, but increased use of VLANs will likely require some configuration.
- SLAC-wide network monitoring systems send alarms when:
  - components go offline (e.g. power outage or failure)
  - ports get disabled due to too many collisions

Other Practices
- Account management
  - Authenticate to control access to hosts
  - Authorize access to control system functions
  - Personal accounts, with limited locked-down group accounts in the control room
  - No clear-text passwords
  - X access control
- Network practices:
  - Ports disabled by default
  - IP addresses allocated and tracked centrally in CANDO; DNS generated from CANDO
  - IFZ and private networks. Both still require patching and good security.
  - DHCP is controlled & no leases on accelerator networks

SCCS Managed Services
- Central management of servers that require a high level of security improves security and reduces effort:
  - Oracle
  - Web servers

Network Architecture
- The production accelerator network is isolated:
  - Protect IOCs that often require insecure services like telnet/rsh or have less secure TCP/IP stacks
  - Control access to accelerator components so that systems do not get overloaded
- Use private addresses
- Multiple VLANs to separate traffic
- Ports disabled by default
- 1 gigabit to the end devices. Currently 1 gigabit uplinks to MCC
- The DMZ is the only access to the private network (login servers, web servers, PV gateways).
- MCC and the SLC-aware IOC use the PEP proxy server
  - have tested with PEP running 9 SAIOCs for the injector
  - more testing to confirm that PEP & LCLS will not impact each other
- Path to SCCS data silos & other required services
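The isolation rules on this slide (the DMZ as the only way into the private accelerator network, wireless never reaching it, IOCs exposing telnet/rsh and channel access only to gateway and login hosts) can be checked against a candidate filtering-router policy before it is deployed. The Python below is an added example, not part of the original presentation or of SLAC's configuration; the zone addresses, port sets, rule list and invariants are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan constructed for this example (not SLAC's real addressing).
ZONES = {
    "visitornet": ipaddress.ip_network("192.0.2.0/24"),  # wireless, outside the SLAC firewall
    "slac": ipaddress.ip_network("198.51.100.0/24"),     # general SLAC network
    "mcc-dmz": ipaddress.ip_network("10.10.0.0/24"),     # login servers, web servers, PV gateways
    "accel": ipaddress.ip_network("10.20.0.0/16"),       # private production accelerator network (IOCs)
}

@dataclass(frozen=True)
class Rule:
    action: str       # "permit" or "deny"
    src: str          # source zone name or "any"
    dst: str          # destination zone name or "any"
    ports: frozenset  # destination TCP ports; empty means any port

# Candidate filtering-router policy: first match wins, explicit deny-all last.
POLICY = [
    Rule("permit", "mcc-dmz", "accel", frozenset({23, 514, 5064, 5065})),  # gateways/login hosts to IOCs
    Rule("permit", "slac", "mcc-dmz", frozenset({22, 443})),               # ssh and web into the DMZ only
    Rule("deny", "any", "any", frozenset()),
]

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def evaluate(policy, src_ip, dst_ip, port):
    # Walk the rules in order and return the action of the first one that matches.
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in policy:
        if r.src in (src, "any") and r.dst in (dst, "any") and (not r.ports or port in r.ports):
            return r.action
    return "deny"  # implicit deny when nothing matched

# Invariants from the slides: DMZ is the only path in, wireless never reaches the accelerator,
# and IOCs never talk to the visitor network. (src, dst, port, expected action)
INVARIANTS = [
    ("192.0.2.10", "10.20.1.5", 23, "deny"),      # visitornet -> IOC telnet
    ("198.51.100.7", "10.20.1.5", 5064, "deny"),  # general SLAC -> IOC channel access, must go via a gateway
    ("198.51.100.7", "10.10.0.3", 22, "permit"),  # SLAC -> DMZ login server over ssh
    ("10.10.0.3", "10.20.1.5", 23, "permit"),     # DMZ login server -> IOC telnet
    ("10.20.1.5", "192.0.2.10", 80, "deny"),      # IOC -> visitornet
]

def audit(policy):
    """List every violated invariant as (src, dst, port, expected, actual)."""
    return [(s, d, p, e, evaluate(policy, s, d, p))
            for s, d, p, e in INVARIANTS if evaluate(policy, s, d, p) != e]
```

Prepending a convenience rule such as permitting channel access straight from the general SLAC network to the accelerator makes `audit` report the bypassed gateway, which is the kind of shortcut the "DMZ is the only access" rule is meant to forbid.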


What's Next
- Additional tests of the SLC-aware IOC, and improved monitoring of traffic to avoid interference between the PEP & LCLS programs
- Review and implement the VLANs needed
- Filtering router or firewall?
- Complete design and design review of production hosts and networks & documents
- Full schedule for hosts & network
- Integration of plans with other networks (timing, MPS, feedback, etc.)