Network and Computer Security in the Fermilab Accelerator Control System Timothy E. Zingelman Control System Cyber-Security Workshop (CS)2/HEP Knoxville,

Slides:



Advertisements
Similar presentations
Guide to Network Defense and Countermeasures Second Edition
Advertisements

Mike Bayne 15 September 2011
What to expect.  Linux  Windows Server (2008 or 2012)
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Network Security Overview Tales from the trenches.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Terri Lahey LCLS Facility Advisory Committee 20 April 2006 LCLS Network Security Terri Lahey.
Jefferson Lab Remote Access Andy Kowalski December 1, 2010.
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.
Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.
Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
1 Enabling Secure Internet Access with ISA Server.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
Terri Lahey EPICS Collaboration Meeting June June 2006 LCLS Network & Support Planning Terri Lahey.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec
Cisco PIX 515E Firewall. Overview What a PIX Firewall can do Adaptive Security Algorithm Address Translation Cut-Through Proxy Access Control Network.
Course 201 – Administration, Content Inspection and SSL VPN
1 Managed Security. 2 Managed Security provides a comprehensive suite of security services to manage and protect your network assets –Managed Firewall.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
1 Objectives Windows Firewalls with Advanced Security Bit-Lock Update and maintain your clients using Windows Server Update Service Microsoft Baseline.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
Why do we need Firewalls? Internet connectivity is a must for most people and organizations  especially for me But a convenient Internet connectivity.
1 Infrastructure Hardening. 2 Objectives Why hardening infrastructure is important? Hardening Operating Systems, Network and Applications.
Chapter 20: Getting from the Office to the Road: VPNs BAI617.
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Module 14: Configuring Server Security Compliance
Windows 7 Firewall.
IT Security for the LHCb experiment 3rd Control System Cyber-Security Workshop (CS)2/HEP ICALEPCS – Grenoble Enrico Bonaccorsi, (CERN)
NESDIS/ORA March 2004 IT Security Incident Recovery Plan and Status April 12, 2004 Joe Brust, ORA Technical Support Team Lead.
Security at NCAR David Mitchell February 20th, 2007.
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
The ProactiveWatch Monitoring Service. Are These Problems For You? Your business gets disrupted when your IT environment has issues Your employee and.
1 Objectives Windows Firewalls with Advanced Security Bit-Lock Update and maintain your clients using Windows Server Update Service Microsoft Baseline.
Terri Lahey Control System Cyber-Security Workshop October 14, SLAC Controls Security Overview Introduction SLAC has multiple.
Module 5: Designing Security for Internal Networks.
Intro to Firewalls. A firewall is hardware, software, or a combination of both that is used to prevent unauthorized programs or Internet users from accessing.
Lesson 11: Configuring and Maintaining Network Security
CCNA4 v3 Module 6 v3 CCNA 4 Module 6 JEOPARDY K. Martin.
Discovery 2 Internetworking Module 8 JEOPARDY K. Martin.
Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.
CERN - European Organization for Nuclear Research Beyond ACB – VPN’s FOCUS June 13 th, 2002 Frédéric Hemmer & Denise Heagerty- IT Division.
Security fundamentals Topic 10 Securing the network perimeter.
ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.
Module 10: Windows Firewall and Caching Fundamentals.
R. Krempaska, October, 2013 Wir schaffen Wissen – heute für morgen Controls Security at PSI Current Status R. Krempaska, A. Bertrand, C. Higgs, R. Kapeller,
JLAB Password Security Ian Bird Jefferson Lab HEPiX-SLAC 6 Oct 1999.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Fermilab supports several authentication mechanisms for user and computer authentication. This talk will cover our authentication systems, design considerations,
Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.
WARCS (Wide Area Remote Control for SPring-8)‏ A. Yamashita and Y.Furukawa SPring-8, Japan Control System Cyber-Security Workshop (CS)2/HEP Oct
SECURE LAB: CREATING A CISCO 3550 VLSM NETWORK
Security fundamentals
Palo Alto Networks Certified Network Security Engineer
Working at a Small-to-Medium Business or ISP – Chapter 8
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Welcome! Thank you for joining us. We’ll get started in a few minutes.
Introduction to Networking
To Join the Teleconference
Welcome To : Group 1 VC Presentation
Firewalls Purpose of a Firewall Characteristic of a firewall
– Chapter 3 – Device Security (B)
CEBAF Control System Access
Firewalls Chapter 8.
Designing IIS Security (IIS – Internet Information Service)
Presentation transcript:

Network and Computer Security in the Fermilab Accelerator Control System Timothy E. Zingelman Control System Cyber-Security Workshop (CS)2/HEP Knoxville, TN October 2007

2 Agenda I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

3 I.Overview  Controls the hardware of the accelerator  A large experimental physics apparatus which is being constantly adjusted and improved  Intrinsically engineered to keep software errors from causing equipment damage  No environmental or life safety systems

4 I.Overview  An inventory of all systems (over 3,500 in the control system alone) on the network is maintained, including: OS and hardware, location, sysadmin, primary user  Automated notification reports any changes to registered IP and MAC addresses on the network

5 I.Overview  Accelerator configuration is stored 4 times a day, and on demand. This allows return of the accelerator to a known state: » After testing new machine configurations » After replacing or adding new equipment » After scheduled downtime and power outages  Tape backups are done daily and tapes are moved to another area on a regular schedule

6

7 I.Network Layout Overview  Control system nodes are isolated behind the redundant firewalls  Firewalls pass selected traffic only (default deny) inbound and outbound  VPN and Bastion hosts in DMZ allow authenticated traffic through the firewall  Emergency disconnect at division routers

8 I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

9 II.Balancing Risks vs. Usability  Reducing disruption to operations by cyber threats is important, however, reducing disruption to operations by cyber protections is also very important!  More accelerator downtime due to effects of cyber protection than from cyber attacks

10 II.Cyber Risks  No ‘secret’ information  Equipment designed to be safe at any control setting  Lab is a ‘high profile’, ‘government’ target  So, risks are disruption of operations and embarrassment, not leaks of sensitive data nor fear of equipment damage

11 II.Usability  Accelerator systems are constantly being improved, adjusted and maintained by a large group of Physicists, Engineers, Computer Professionals and others  Accelerator systems are often monitored and problems diagnosed by experts from locations other than the Main Control Room

12 I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

13 III.Network Layer Protection  Accelerator Division border disconnect » Emergency disconnect from the world  Border router Access Control Lists » Protect entire Division and PIX firewalls  Redundant Cisco PIX firewalls (outbound) » Traffic allowed to many on-site resources » No access, No windows remote desktop

14 III.Network Layer Protection  Redundant Cisco PIX Firewalls ( inbound ) » Full default deny Offsite access to 5 specific nodes/services Onsite access to kerberized services (MIT and W2K) and a few tightly maintained application services Accelerator Division hardwired desktop systems access to several more specific protocols  Controls Router Access Control Lists » Isolate controls Vlans from each other

15 I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

16 IV.OS/Application Layer Protection  Linux systems use Site autoYUM service for OS and Applications and Site MIT Kerberos  Windows systems use Division patching services and Site W2K Domain, plus Control System Anti-Virus service  FreeBSD and Solaris systems use ‘portaudit’ and vendor notification – these systems have ‘professional’ administrators

17 I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

18 V.Access Options  VPN » Software client, controls ‘key’ & login required » Authenticated & time limited network access » Remote system becomes a ‘Controls’ node » Full inbound and outbound firewall restrictions apply (no ‘split tunnel’) all traffic is ‘inside’ » Still requires further login to get command line access or to start a control system console

19 V.Access Options  Bastion Hosts » Two redundant nodes with minimal services » MIT Kerberized login (or Cryptocard token) » Time limited logins » SSH port forwarding allowed for X11 and other protocols » NFS mounts of inside disk to allow kerberized FTP access (FTP is otherwise blocked at FW)

20 V.Access Options  Windows Remote Desktop » Terminal server on Division network for and offsite web access from inside systems » Terminal server on Controls network for access to web and other services inside (scopes, etc) from Onsite network systems » TS nodes disallow file xfer and drag-n-drop » All other inbound/outbound WRD is blocked

21 I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

22 VI.Future Directions  Site LDAP service to centralize authentication for non-kerberized services  SSL and KX509 Client Certificates for some web pages (logbooks, etc.)  Better integration of Apple OS X systems » Include in MIT Kerberos » Include in anti-virus and auto patching

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.