Channel Access Security. Kay Kasemir, ORNL/SNS, Feb. 2013. Managed by UT-Battelle for the Department of Energy. Material copied from the IOC Application Developer's Guide.

Slide 1: Channel Access Security
Kay Kasemir, ORNL/SNS, Feb. 2013
Material copied from the IOC Application Developer's Guide: Marty Kraimer, Janet Anderson, Andrew Johnson (APS) and others.

Slide 2: "Security"?
Not like this:
  - Fend off malicious hackers, evildoers, long-haired troublemakers?
More like this:
  - Prevent casual users from making mistakes!
  - Help operators follow procedures!

Slide 3: Idea
Control reading and/or writing via Channel Access
  - Almost never used to limit reading
Criteria:
  Who?
    - Control system engineer may always access everything
    - Beam line staff may always access most things
    - Beam line users cannot write certain things
  From where?
    - Full access from beam line control room
    - No write access from anywhere else
  When?
    - Read-only while experiment is running, while automation is enabled, ...
    - Writable when experiment idle, manual control enabled, ...

Slide 4: Limitations
  - ... via Channel Access:
    - Nothing is encrypted
    - IOC console (dbpf, ...) not affected
  - Who? $USER, as reported by the client
  - From where? Host name, as reported by the client; easy to fake

Slide 5: Records
  - Assigned to an Access Security Group: field(ASG, "LIMITED")
    - Default is "DEFAULT"
  - Fields have an Access Security Level
    - Most are in ASL1
    - Some are ASL0
    - Nobody can remember. See *.dbd

Slide 6: Configuration
Doing nothing is equivalent to this:
  - Create file "simple.acf":

        ASG(DEFAULT) {
            RULE(1, READ)
            RULE(1, WRITE)
        }

  - Add this line to your st.cmd:

        asSetFilename("path_to_the_file/simple.acf")

Result: By default, records use the "DEFAULT" ASG, which allows full read/write. The 'asprules' and 'asdbdump' commands now show something.
Caveat:
  - If the AS config file does not exist or contains an error, all access is prohibited!
  - Use 'ascheck' on the host before loading a file into the IOC.

Slide 7: Read-Only Example
Group that allows read, but no write:

        ASG(READONLY) {
            RULE(1, READ)
            # Nothing in here about WRITE...
        }

To have an effect, set the ASG field of at least one record to READONLY.
  - You can change ASG fields at runtime.
  - ... via Channel Access, unless AS prohibits it...
  - 'caput' will show that the old and new values stay the same.
  - CSS BOY will change the cursor when over a read-only field.

Slide 8: List Specific Users and Hosts
Limit write access to
  - members of a user access group UAG,
  - while on a computer in the host access group HAG:

        UAG(x_users) { ubuntu }
        HAG(x_hosts) { ubuntu }
        ASG(X_TEAM) {
            RULE(1, READ)
            RULE(1, WRITE) {
                UAG(x_users)
                HAG(x_hosts)
            }
        }

Caveats:
  - The CA client library sends the user and host names to the server. Especially the host name can be tricky:
    - It's not the client's IP address!
    - It's the result of the 'hostname' command,
    - ... which might differ from the DNS name.
  - The 'casr' command on the IOC can sometimes help to show who is connecting via CA and from where, and the 'asdbdump' command shows who they pretend to be.

Slide 9: Mode-Based
Limit write access to times where some variable meets some criteria:

        ASG(MODE) {
            INPA(tx:setpoint)
            RULE(1, READ)
            RULE(1, WRITE) {
                CALC("A < 50")
            }
        }

This is based on the same code as the 'CALC' record:
  - One can assign inputs 'A' to 'L'.
  - The computation should result in 0 or 1, the latter allowing access.

Slide 10: RULE(<level>, <permission>)
<level> is 0 or 1.
  - The dbd file assigns each field to an access security level. Fields that are typically changed during operation are on level 0. Example: For the AI record, VAL is level 0, the rest is level 1.
  - Rules for level 1 also grant access to level 0.
  - Example: Everybody can write 'VAL' (level 0), but restrict other fields:

        ASG(WRITE_SOME) {
            RULE(1, READ)
            RULE(0, WRITE)
            RULE(1, WRITE) {
                UAG(x_users)
                HAG(x_hosts)
            }
        }

<permission> is NONE, READ, or WRITE.
  - Plus an optional TRAPWRITE, which causes invocation of a 'trap write listener', i.e. custom C code that might be added to the IOC. This can be used to log write access by user and host; it doesn't otherwise affect access security.
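To make the rule semantics of slides 6 to 10 concrete, here is an added example that is not part of the original slides or of EPICS: a small Python model that parses the ACF subset used above (UAG, HAG, ASG with INPx, RULE(level, permission[, TRAPWRITE]) and UAG/HAG/CALC constraints) and answers whether a given user on a given host may READ or WRITE a field at a given access security level. The sample config is constructed by merging the slides' groups; the user and host names, the 'tx:setpoint' value, and the "unknown ASG means deny" rule are assumptions of this model, not statements about asLib in EPICS Base.

```python
"""Toy evaluator for the EPICS Access Security (ACF) subset on these slides.
Added example, not EPICS code (asLib in EPICS Base is the real thing); it
models UAG/HAG membership, RULE levels and CALC-gated write access."""
import ast
import operator
import re

class AcfError(Exception):
    """Malformed config: per the slides, the IOC then denies ALL access."""

_PERMS = {"NONE": 0, "READ": 1, "WRITE": 2}
_OPS = {ast.Lt: operator.lt, ast.Gt: operator.gt, ast.LtE: operator.le,
        ast.GtE: operator.ge, ast.Eq: operator.eq, ast.NotEq: operator.ne,
        ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}
# Top-level blocks; the lookahead stops the lazy body from ending at a RULE's '}'.
_BLOCK = re.compile(r"(UAG|HAG|ASG)\((\w+)\)\s*\{(.*?)\}(?=\s*(?:UAG|HAG|ASG)\(|\s*$)", re.S)
_RULE = re.compile(r"RULE\(([01]),\s*(\w+)(?:,\s*TRAPWRITE)?\)\s*(\{[^}]*\})?")
_INP = re.compile(r"INP([A-L])\(([^)]*)\)")
_CONSTRAINT = re.compile(r'(UAG|HAG|CALC)\(\s*"?([^")]*?)"?\s*\)')

# Constructed sample: the groups from the slides merged into one file.
SAMPLE_ACF = """
UAG(x_users) { ubuntu }
HAG(x_hosts) { ubuntu }
ASG(DEFAULT)  { RULE(1, READ) RULE(1, WRITE) }
ASG(READONLY) { RULE(1, READ) }   # nothing in here about WRITE
ASG(X_TEAM)   { RULE(1, READ) RULE(1, WRITE) { UAG(x_users) HAG(x_hosts) } }
ASG(WRITE_SOME) {
    RULE(1, READ) RULE(0, WRITE)
    RULE(1, WRITE) { UAG(x_users) HAG(x_hosts) }
}
ASG(MODE) { INPA(tx:setpoint) RULE(1, READ) RULE(1, WRITE, TRAPWRITE) { CALC("A < 50") } }
"""

def parse_acf(text):
    """Parse ACF text; raise AcfError on anything the grammar does not cover."""
    text = re.sub(r"#.*", "", text)                   # '#' starts a comment
    cfg, end = {"uag": {}, "hag": {}, "asg": {}}, 0
    for m in _BLOCK.finditer(text):
        if text[end:m.start()].strip():
            raise AcfError(f"unparsed text {text[end:m.start()].strip()!r}")
        end, (kind, name, body) = m.end(), m.groups()
        if kind != "ASG":                             # UAG / HAG: a member list
            cfg[kind.lower()][name] = {x.strip() for x in body.split(",") if x.strip()}
            continue
        asg, rest = {"inputs": dict(_INP.findall(body)), "rules": []}, _INP.sub("", body)
        for level, perm, block in _RULE.findall(rest):
            if perm not in _PERMS:
                raise AcfError(f"bad permission {perm!r} in ASG {name}")
            rule = {"level": int(level), "perm": _PERMS[perm], "uag": [], "hag": [], "calc": None}
            for key, val in _CONSTRAINT.findall(block):
                if key == "CALC":
                    rule["calc"] = val
                else:
                    rule[key.lower()] += [v.strip() for v in val.split(",")]
            asg["rules"].append(rule)
        if _RULE.sub("", rest).strip():               # leftovers = syntax error
            raise AcfError(f"unparsed text in ASG {name}")
        cfg["asg"][name] = asg
    if text[end:].strip():
        raise AcfError(f"unparsed text {text[end:].strip()!r}")
    return cfg

def eval_calc(expr, inputs):
    """Evaluate a CALC-style expression (comparisons, + - *, && ||) over inputs A..L."""
    def ev(n):
        if isinstance(n, ast.Constant):
            return n.value
        if isinstance(n, ast.Name):
            return inputs[n.id]                       # KeyError if input not supplied
        if isinstance(n, ast.BinOp):
            return _OPS[type(n.op)](ev(n.left), ev(n.right))
        if isinstance(n, ast.Compare) and len(n.ops) == 1:
            return int(_OPS[type(n.ops[0])](ev(n.left), ev(n.comparators[0])))
        if isinstance(n, ast.BoolOp):
            vals = [ev(v) for v in n.values]
            return int(all(vals) if isinstance(n.op, ast.And) else any(vals))
        raise AcfError(f"unsupported CALC expression {expr!r}")
    try:   # only the node types above are accepted, so no arbitrary code runs
        return ev(ast.parse(expr.replace("&&", " and ").replace("||", " or "), mode="eval").body)
    except (SyntaxError, KeyError) as exc:
        raise AcfError(f"bad CALC {expr!r}: {exc}") from exc

def check_access(cfg, asg_name, user, host, field_level, want, inputs=None):
    """True if user@host may READ or WRITE (want) a field of access security level 0 or 1.
    As on the slides: a level-1 rule also covers level-0 fields, WRITE implies READ,
    UAG and HAG constraints must both match, and CALC must come out as 1.
    cfg=None stands for a missing or broken config file: nothing is allowed."""
    if cfg is None or asg_name not in cfg["asg"]:     # unknown ASG: deny (simplification)
        return False
    for rule in cfg["asg"][asg_name]["rules"]:
        if rule["level"] < field_level or rule["perm"] < _PERMS[want]:
            continue
        if rule["uag"] and not any(user in cfg["uag"].get(g, ()) for g in rule["uag"]):
            continue
        if rule["hag"] and not any(host in cfg["hag"].get(g, ()) for g in rule["hag"]):
            continue
        if rule["calc"] is not None and eval_calc(rule["calc"], inputs or {}) != 1:
            continue
        return True
    return False
```

Usage: `cfg = parse_acf(SAMPLE_ACF)` and then, for instance, `check_access(cfg, "WRITE_SOME", "guest", "laptop", 1, "WRITE")` returns False while the same call with `field_level=0` returns True, which is the slide 10 point that level-0 fields such as VAL stay writable for everybody. Passing `cfg=None`, or feeding a file with a syntax error (which raises AcfError), models the slide 6 caveat that a missing or broken file prohibits all access, and the CALC inputs are handed in directly instead of being fetched from the INPx PVs as the IOC would.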

Slide 11: Example from CG-1D
  - Access rules: tions/scanApp/Db/scan.acf
  - Record adjustments: tions/motorApp/Db/motorutil.db

Slide 12: Better "Security"
  - Place IOCs in a private network
    - No 'telnet' to their console
    - No Channel Access from malicious clients
    - Outside access (ssh, NXClient, ...) controlled the usual way
  - Add a Channel Access Gateway to other networks
    - The gateway also has access security
    - Make it read-only

Slide 13: And that's all I have to say about that!