Presentation is loading. Please wait.

Presentation is loading. Please wait.

WARCS (Wide Area Remote Control for SPring-8)‏ A. Yamashita and Y.Furukawa SPring-8, Japan Control System Cyber-Security Workshop (CS)2/HEP Oct.14 2007.

Published byDenis Bishop Modified over 8 years ago

Similar presentations

Presentation on theme: "WARCS (Wide Area Remote Control for SPring-8)‏ A. Yamashita and Y.Furukawa SPring-8, Japan Control System Cyber-Security Workshop (CS)2/HEP Oct.14 2007."— Presentation transcript:

1 WARCS (Wide Area Remote Control for SPring-8)‏ A. Yamashita and Y.Furukawa SPring-8, Japan Control System Cyber-Security Workshop (CS)2/HEP Oct.14 2007 Knoxville,TN USA

2 Contents What is WARCS? Requirements SPring-8 operation policy Implementation Operation Conclusion

3 What is WARCS? Access tool for SPring-8 control system from the Internet. It is used at the trouble time CALL the expert(s) by phone The expert can access SPring-8 control network from internet using WARCS. Mobile client, not fixed PC. Originally developed at SPring-8 NO ssh (Secure Shell), NO VPN (virtual private network)‏ Combination of open sources.

4 Expert (out of site) ‏ Shift leader Scinario Trouble! Phone call Give permission Close WARCS View status by web Decide to access Open WARCS Trouble shooting

5 SPring-8 operation policy Every activity on the accelerators must be under control of the shift leader.

6 Requirements 1 Connect under permission of the shift leader. No free access from the outside. Shift leader monitors connection status. Shift leader can disconnect at any time. Two type of clients telnet for terminal access. Remote screen (VNC)‏ Multi-platform Client: Windows, Mac, Linux Server: HP-UX, Linux

7 Requirements 2 Easy operation. Installation. Install client software to individual note PC. Operation. Just type password. Secure Encrypted communication. One time password. Multi-user Multiple-connection at one time.

8 Server Server/Client Software Tools Zebedee Encryption Authentication VNC Screen sharing. Python glueing Apache Communication SQLite Data store iptable Embedded firewall for Linux

9 Zebedee IP tunneling tool Zlib compression Blowfish encryption Diffie-Hellman key agreement ( authentication )‏ Open arbitrary ip-port Client ip-port For multiple connection Host ip-port Specify target application

10 Zebedee Multiple zebedee process can run simultaneously One zebedee server for one user connection. Individual control to zebedee process.

11 Why not ssh nor VPN SSH/VPN Tools for free access Difficult to be controlled from outside. Security problem If a note PC with private key is stolen? Account base Administration effort – new or obsolete account Common account is risky. VPN (SSL-VPN)‏ Appliance Hard to customize

12 VNC (Virtual Network Computer)‏ Screen sharing program With multiple users (not only 1-1, 1 to many)‏ Free Multi platform Not only Win, Mac, UNIX but also PDA Open standard Many implementation Ultr@VNC for Win Shrink large screen to fit small screen 20” screen into 11” note PC's screen Image compression level can be selected. Select by connection condition.

13 Other tools Apache (http server)‏ Know user’s address by REMOTE_ADDR environment variable. Users behind NAT don’t know their global ip- addresses. SQLite File and library based database. No client-server No configuration Share information between processes.

14 Other tools Iptables Linux firewall in its kernel. Tunnel can be added/removed without restarting

15 Network scheme Control LAN DMZ Relay server Internet FIREWALL

16 How WARCS works?

17 Internet tunnel Vnc reflector Open firewall for zebedee protocol Connection established. Control At the beginning DMZInternet HTTP Relay Server SQLite HTTP

18 Internet tunnel Zebedee Vnc reflector Open firewall for zebedee protocol Connection established. Control Issue one time password and record DMZInternet HTTP Relay Server 80 SQLite HTTP One time password

19 LOGIN NAME LOGIN HOST NAME Select application type VNC/telnet

20

21 ONE TIME PASSWORD

22

23 Internet tunnel Zebedee Vnc reflector Open firewall for zebedee protocol Connection established. Control Launch another HTTP and open tunnel in iptables firewall for http DMZInternet HTTP Relay Server HTTP SQLite HTTP

24 Internet tunnel Zebedee Vnc reflector Open firewall for zebedee protocol Connection established. Control Client launches client tool and enter one time password DMZInternet HTTP Relay Server HTTP SQLite HTTP Client tool

25 Internet tunnel Zebedee Vnc reflector Open firewall for zebedee protocol Connection established. Control Exchange ip-address and port no, application type DMZInternet HTTP Relay Server HTTP SQLite HTTP Port no Application type Ip-address Client tool

26 Internet tunnel Zebedee Vnc reflector Open firewall for zebedee protocol Connection established. Control Open tunnel and launch zebedee. DMZInternet HTTP Relay Server HTTP SQLite zebedee HTTP Application +Zebedee

27 Internet tunnel Zebedee Vnc reflector Open firewall for zebedee protocol Connection established. Control Establish connection with authentication DMZInternet HTTP Relay Server HTTP SQLite zebedee HTTP Key exchange zebedee

28 Internet Vnc reflector Open firewall for zebedee protocol Connection established. Control VNC (Virtual network computer) is also available. DMZInternet HTTP Relay Server HTTP SQLite zebedee HTTP VNC zebedee

29

30 Internet tunnel Zebedee Vnc reflector Open firewall for zebedee protocol Connection established. Control Shift leader monitors and controls status by Web DMZInternet HTTP Relay Server HTTP SQLite zebedee HTTP

31

32 Internet Vnc reflector Open firewall for zebedee protocol Connection established. Control Shift leader ends WARCS (kill zebedee)‏ DMZInternet HTTP Relay Server HTTP SQLite zebedee HTTP

33 Kill connection

34

35 DMZ (DeMilitalized Zone)‏ Control LAN Internet Http server SQLite tunnel Http server Zebedee Vnc reflector Launch Check one time password Open firewall for zebedee protocol Connection established. DMZ (DeMilitalized Zone)‏Control LAN Internet Http server SQLite tunnel Http server Zebedee Vnc reflector Launch Check one time password Open firewall for zebedee protocol Connection established. DMZ (DeMilitalized Zone)‏Control LAN Internet Http server SQLite tunnel Http server Zebedee Vnc reflector Launch Check one time password Open firewall for zebedee protocol Connection established. DMZ (DeMilitalized Zone)‏Control LAN Internet Http server SQLite tunnel Http server Zebedee Vnc reflector Launch Check one time password Open firewall for zebedee protocol Connection established. Control Shift leader ends WARCS kills http DMZInternet HTTP Relay Server HTTP SQLite HTTP

36 Internet tunnel Zebedee Vnc reflector Open firewall for zebedee protocol Connection established. Control Shift leader ends WARCS DMZInternet HTTP Relay Server SQLite HTTP

37 Internet tunnel Vnc reflector Open firewall for zebedee protocol Connection established. Control Shift leader ends WARCS (closes tunnel)‏ DMZInternet HTTP Relay Server SQLite HTTP

38 Internet tunnel Zebedee Vnc reflector Open firewall for zebedee protocol Connection established. Control Shift leader ends WARCS DMZInternet HTTP Relay Server SQLite HTTP

39

40 Operation Since 2004, WARCS has been used. Experts go abroad must have WARCS installed notebook PC and cellular phone. They must be trained before they go. Windows, Mac or Linux. Another server for training is available. In the worst case, client software can be installed easily. Access an instruction web page.

41 Problem VNC became hard to use. Large screen monitors (24”x2) are going to be installed for the control room. Does not fit notebook PC's screen. VNC can export partial screen?

42 Conclusion WARCS provides Secure, controlled and stable connection to SPring-8 control LAN since 2004. It fits to SPring-8 operation policy Easy operation Shift leader WEB -based Clients Just enter one-time password. No special hardware is required Open-source base No commercial licence

Download ppt "WARCS (Wide Area Remote Control for SPring-8)‏ A. Yamashita and Y.Furukawa SPring-8, Japan Control System Cyber-Security Workshop (CS)2/HEP Oct.14 2007."

Similar presentations

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.

Caltech Proprietary Videoconferencing Security in VRVS 3.0 and Future Videoconferencing Security in VRVS 3.0 and Future Kun Wei California Institute of.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
1 Configuring Virtual Private Networks for Remote Clients and Networks.

1 Configuring Virtual Private Networks for Remote Clients and Networks.
OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or 415.514-3333 UCSF Campus VPN.

OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or UCSF Campus VPN.
Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Demo of Some Security Tools Jeffy Mwakalinga.
Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.

Hardware Firewalls: Advanced Feature © N. Ganesan, Ph.D.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Group Presentation Design and Implementation of a company- wide networking & communication technologies strategy 9 th December 2003 Prepared By: …………

Group Presentation Design and Implementation of a company- wide networking & communication technologies strategy 9 th December 2003 Prepared By: …………
INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.

INTRANET SECURITY Catherine Alexis CMPT 585 Computer and Data Security Dr Stefan Robila.
SESSION 9 THE INTERNET AND THE NEW INFORMATION NEW INFORMATIONTECHNOLOGYINFRASTRUCTURE.

SESSION 9 THE INTERNET AND THE NEW INFORMATION NEW INFORMATIONTECHNOLOGYINFRASTRUCTURE.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.

Firewall and Proxy Server Director: Dr. Mort Anvari Name: Anan Chen Date: Summer 2000.
Remote Networking Architectures

Remote Networking Architectures
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.

Network Address Translation, Remote Access and Virtual Private Networks BSAD 146 Dave Novak Sources: Network+ Guide to Networks, Dean 2013.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »

Similar presentations

Ads by Google