R. Krempaska, October, 2013 Wir schaffen Wissen – heute für morgen Controls Security at PSI Current Status R. Krempaska, A. Bertrand, C. Higgs, R. Kapeller,

Controls Security at PSI – Current Status
R. Krempaska, A. Bertrand, C. Higgs, R. Kapeller, H. Lutz (GFA Controls IT), October 2013

Outline
- Overview of PSI Large Research Facilities
- Control System Network Security: Private Machine Networks; Network Architecture and Hardware; Local and Remote Access
- Control System Infrastructure
- Challenges

PSI and Large Research Facilities: PROSCAN, HIPA, SLS, SITF, SwissFEL

Proton accelerators: High Intensity Proton Accelerator (HIPA) and PROSCAN

Electron accelerators: Swiss Light Source (SLS) and SwissFEL Injector Test Facility (SITF)

SwissFEL Layout

SwissFEL Construction

SwissFEL construction site ("Baustelle")

Controls Responsibilities
Controls is responsible for the control system of:
- HIPA accelerator + ~10 beamlines
- PROSCAN accelerator + 4 beamlines
- SLS + ~20 beamlines
- SITF (SwissFEL Injector Test Facility) + TRFCB (C-Band RF Structure Test Facility)

Control System Network Security – Controls Network and Rules
- The control system for the accelerators is separated into private machine networks.
- The control system for the SLS beamlines is in separate sub-nets, behind a firewall. Users from one beamline cannot influence the control system of another beamline.
- Remote access from the PSI office network to the machine and beamline networks is possible through a dedicated ssh gateway.
- Login to the ssh gateway is restricted to a well-defined list of users and allowed only during facility shutdowns and machine shifts.
- "On-call" Controls members can get access on request from the control room.
- The shift leader operator in the control room can close the remote network access at any time.

Control System Network Security (cont.) – Network Architecture and Hardware
- The Controls network is based on the PSI standard network topology and hardware, with monitoring, documentation and overview.
- Active components are implemented by the Network group.
- Passive components (patch panels) are implemented under the supervision of the Network group and Controls.
- All devices are documented and kept up to date in the Controls Hardware Inventory database.
- Network infrastructure components are installed in locked racks.

Switches Documentation

Switches Monitoring – NeDi
NeDi (Network Discovery) is an open source tool for network management and monitoring used by the PSI Network group. It is integrated in the Hardware Inventory Database tool, so that Controls can get monitoring information about the switches in the Controls networks.

Local and Remote Access
Local access:
- Connected devices must be registered in the PSI central DNS.
- No direct wireless access to the private machine networks.
Remote access to a private machine network:
- Access only from the PSI net through the gateways.
- No direct access from one machine network to another.
- No access to users' home directories.

Channel Access Gateway
- The control system protocol (EPICS Channel Access) crosses the network via a Channel Access gateway.
- The gateway allows access control and filtering.
- It saves resources (network bandwidth, memory consumption) on the IOCs, because it reduces the number of direct client connections and shares data and connections between the clients.
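To make the "access control and filtering" point concrete, here is a small added example (not PSI's or the EPICS gateway's own code) that parses a pvlist in the style of the CA Gateway access file and evaluates which process variables a client host may reach. The PV and host names are constructed, and the evaluation model (a PV is reachable if it matches an ALLOW rule and no applicable DENY / DENY FROM rule) is a simplification assumed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed pvlist in the style of the EPICS CA Gateway access file.
# Assumption (simplified model): a PV is reachable if it matches at least
# one ALLOW rule and no applicable DENY rule; "DENY FROM" applies only to
# the listed client hosts. Names are constructed, not PSI's.
PVLIST = """
EVALUATION ORDER ALLOW, DENY
# beamline PVs are visible through the gateway ...
BL1-.*   ALLOW
BL2-.*   ALLOW
# ... but never from the other beamline's consoles
BL1-.*   DENY FROM bl2-console bl2-user-pc
BL2-.*   DENY FROM bl1-console bl1-user-pc
# accelerator PVs (MACH-*) match no ALLOW rule, so they stay hidden
"""

@dataclass(frozen=True)
class Rule:
    pattern: re.Pattern   # anchored regex on the PV name
    action: str           # "ALLOW" or "DENY"
    hosts: tuple          # DENY FROM hosts; empty tuple = every client

def parse_pvlist(text: str) -> list:
    """Parse ALLOW / DENY [FROM host ...] lines into Rule objects."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("EVALUATION ORDER"):
            continue
        parts = line.split()
        pattern = re.compile(parts[0] + r"\Z")   # match the whole PV name
        action = parts[1].upper()
        hosts = ()
        if action == "DENY" and len(parts) > 3 and parts[2].upper() == "FROM":
            hosts = tuple(parts[3:])
        rules.append(Rule(pattern, action, hosts))
    return rules

def is_allowed(rules: list, pv: str, client_host: str) -> bool:
    """Decide whether client_host may reach pv through the gateway."""
    allowed = False
    for rule in rules:
        if not rule.pattern.match(pv):
            continue
        if rule.action == "ALLOW":
            allowed = True
        elif not rule.hosts or client_host in rule.hosts:
            return False          # a matching DENY always wins
    return allowed

RULES = parse_pvlist(PVLIST)
```

Running `is_allowed(RULES, "BL1-MOTOR1", "bl2-console")` returns False while the same PV from `bl1-console` is allowed, which is the beamline separation the slide describes; accelerator PVs are hidden from both because nothing allows them.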

Control System Infrastructure
- Computers (operator consoles, camera servers, etc.) are purchased as PSI standard hardware and installed by the Controls IT group.
- Installation and configuration are done using a centralized installation and configuration mechanism.
- OS supported: Linux and Windows.
- Controls servers (NFS and VMware clusters, computing nodes, etc.) are located in server rooms accessible only to system administrators.
- All related information about computers is registered in the Controls Hardware Inventory DB.

Control System Infrastructure – Installation and Configuration
Linux PCs:
- The Scientific Linux (SL) distribution is used at PSI.
- The PSI Central Computing Division is in charge of the SL core and rpm packages.
- We use the Red Hat kickstart mechanism to deploy the base SL and puppet to configure the computers according to the Controls requirements.
Windows PCs:
- OS installation according to the PSI Central Computing Division standard mechanism.
- Extra software is installed by Controls IT.

Challenges
- Protecting physical network ports; identifying the authorized hardware connected to the private machine network
- Windows systems: restricted OS installation, updates, limitation of mounted disk drives, control system installation and distribution
- IOC configuration, installation and deployment
- Control system security versus necessary user flexibility (data transfer, users' software, etc.)
- New and non-standard hardware and software
- System stability versus maintenance, updates and user change requests
- Scientists…

Acknowledgments
- PSI Central Computing Security group
- PSI Central Computing Network group
References
- S. Lüders et al., "CNIC Security Policy for Controls", 2011
- content/uploads/2010/06/KS_Puppet_VM_ _printout.pdf

Control System Network Security – Private Machine Networks

Control System Configuration and Deployment
- EPICS is used to control the PSI accelerator facilities. It runs on IOCs (EPICS servers). We have several types of IOCs running under different OSs.
- Controls members configure and install: ~400 IOCs in SLS and the SLS beamlines; ~27 IOCs in PROSCAN; ~100 IOCs for the SwissFEL test facilities (SITF and TRFCB); ~50 IOCs in HIPA.
- The installation is done by a standard tool (swit).
- Information about the IOC installation and boot process is stored in the Oracle database.

Login Accounts
Two types of login accounts are provided for both Linux and Windows computers:
- Personal accounts: provide access to any system on the accelerator network (they do not attach network drives).
- Group accounts (operator accounts): only active on the core systems necessary for operations.
  - Linux: facility operator accounts used on Controls consoles, mainly located in the control room. They must not be used for software development or installation.
  - Windows: global measuring accounts used for long-term logins on service computers, oscilloscopes, etc.