Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computing infrastructure for accelerator controls and security-related aspects BE/CO Day – 22.June.2010 The first part of this talk gives an overview of.

Published byNigel McGee Modified over 6 years ago

Similar presentations

Presentation on theme: "Computing infrastructure for accelerator controls and security-related aspects BE/CO Day – 22.June.2010 The first part of this talk gives an overview of."— Presentation transcript:

1 Computing infrastructure for accelerator controls and security-related aspects
BE/CO Day – 22.June.2010 The first part of this talk gives an overview of the computing infrastructure dedicated to the accelerator controls: consoles, files and application servers, and explains how it is supervised and how high availability is achieved.
The second part explains the security-related aspects, such as the management of user passwords and groups, the separation of general purpose and technical (accelerator) networks, and the role-based access control system protecting accelerator devices.

2 Outline Operator Console in the CCC
File and Application servers in the CCR Users management General and Technical Network Security Role Based Access Control 22 June 2010 BE/CO Day - Pierre Charrue

3 Outline Operator Console in the CCC
File and Application servers in the CCR Users management General and Technical Network Security Role Based Access Control 22 June 2010 BE/CO Day - Pierre Charrue

4 The CCC and CCR 22 June 2010 BE/CO Day - Pierre Charrue

5 Inside CCC General Purpose Fixed Display Operator Consoles
22 June 2010 BE/CO Day - Pierre Charrue

6 A typical Operator Console
Acoustic panel used as back door Screens with tunable distance and tilt PCs hidden but easily accessible Task lighting Table height 72cm, American Oak look 22 June 2010 BE/CO Day - Pierre Charrue

7 CCR principles High Availability infrastructure
The servers (and the services offered) should never stop The CCR has a double power distribution coming from 2 different sources, with 15’ (resp. 60’) UPS Each server has Redundant power supply Redundant system disks and user disks (RAID-1) Hot swappable power supply, RAID disks and fans units Automatic ECC RAM checks and isolation of faulty memory blocks The CCR is very closely monitored Tº by the Operators in the CCC System monitoring with SMS and mails to the experts Extremely good results : The CCR servers hardly stop when there is a general CERN power outage! 22 June 2010 BE/CO Day - Pierre Charrue

8 Inside the CCR 22 June 2010 BE/CO Day - Pierre Charrue

9 Inside the CCR 22 June 2010 BE/CO Day - Pierre Charrue

10 Outline Operator Console in the CCC
File and Application servers in the CCR Users management General and Technical Network Security Role Based Access Control 22 June 2010 BE/CO Day - Pierre Charrue

11 User Management CERN has a global user management and creates an account for every people working at CERN. BE/CO manages the users that are allowed to access the Controls Infrastructure NFS filespace, passwd and groups system files Today this is based on a manual process We are in the process of implementing and deploying a more secure and automatic management of our potential users Including SSH authorisations, limiting global accounts to specific areas, automatic removal of accounts not valid anymore, … 22 June 2010 BE/CO Day - Pierre Charrue

12 Outline Operator Console in the CCC
File and Application servers in the CCR Users management General and Technical Network Security Role Based Access Control 22 June 2010 BE/CO Day - Pierre Charrue

13 Access from the office inside CERN Specialist access from home
Office development PC Trusted Application Gateways Home or remote PC CERN Firewall Connection to Internet INTERNET CERN Public Gateways (LXPLUS, CERNTS) 3 typical Use Cases Operator in the CCC Access from the office inside CERN Specialist access from home 22 June 2010 BE/CO Day - Pierre Charrue

14 Network Security CERN security policy for Controls (CNIC initiative) defined and implemented the following : 9 January 2006 : closure of the GPN <-> TN connection No communication allowed to cross the bridge except from TRUSTED hosts on the GPN to EXPOSED hosts on the TN Connection to the TN requires formal authorization MAC address authentication 22 June 2010 BE/CO Day - Pierre Charrue

15 Outline Operator Console in the CCC
File and Application servers in the CCR Users management General and Technical Network Security Role Based Access Control 22 June 2010 BE/CO Day - Pierre Charrue

16 What is RBAC RBAC stands for Role Based Access Control
RBAC is an infrastructure to prevent: A well meaning person from doing the wrong thing at the wrong time. An ignorant person from doing anything, at anytime. It is a suite of software components that provides AUTHENTICATION (A1) on the client level AUTHORIZATION (A2) on the server level Depending on WHICH action is made, on WHO is making the call, and from WHERE the call is issued, the access will be granted or denied This allows for filtering, for control and for traceability of the access to the equipment 22 June 2010 BE/CO Day - Pierre Charrue

17 Basic Concepts Roles: user are assigned to roles
Rules: access permission A1 = Authentication : Verifies who you are with the NICE user name and password A2 = Authorization: Roles have permission to make specified access 22 June 2010 BE/CO Day - Pierre Charrue

18 RBAC Overview A1: A2: User requests to be authenticated.
RBAC authenticates user via NICE user name and password RBA returns token to Application A2: Application sends token to CMW when connecting. CMW server (on front-end) verifies token signature once, and uses the credentials for every subsequent request CMW checks access map for role, location, application, mode Application RBAC RBAC Token: Application name User name IP address/location Time of authentication Time of expiry Roles[ ] Digital signature (RBA private key) CMW client CMW server Access MAP FESA 22 June 2010 BE/CO Day - Pierre Charrue

19 RBAC deployed on LHC in 2008 LHC Applications have now this little green/orange button to login to RBAC 22 June 2010 BE/CO Day - Pierre Charrue

20 Summary The BE/CO/IN section is responsible for many different areas within the Controls infrastructure In a controls infrastructure…. High availability file and application servers Network Controls security User management Role Based access control …. are essential Do not hesitate to contact us for further discussions 22 June 2010 BE/CO Day - Pierre Charrue

Download ppt "Computing infrastructure for accelerator controls and security-related aspects BE/CO Day – 22.June.2010 The first part of this talk gives an overview of."

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.

Certification Authority. Overview  Identifying CA Hierarchy Design Requirements  Common CA Hierarchy Designs  Documenting Legal Requirements  Analyzing.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Getting Connected to NGS while on the Road… Donna V. Shaw, NGS Convocation.

Getting Connected to NGS while on the Road… Donna V. Shaw, NGS Convocation.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 IT Essentials PC Hardware and Software 4.1 Instructional Resource Chapter.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 IT Essentials PC Hardware and Software 4.1 Instructional Resource Chapter.
Windows Server MIS 424 Professor Sandvig. Overview Role of servers Performance Requirements Server Hardware Software Windows Server IIS.

Windows Server MIS 424 Professor Sandvig. Overview Role of servers Performance Requirements Server Hardware Software Windows Server IIS.
Pierre Charrue – BE/CO.  Preamble  The LHC Controls Infrastructure  External Dependencies  Redundancies  Control Room Power Loss  Conclusion 6 March.

Pierre Charrue – BE/CO.  Preamble  The LHC Controls Infrastructure  External Dependencies  Redundancies  Control Room Power Loss  Conclusion 6 March.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.

Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
W. Sliwinski – eLTC – 7March08 1 LSA & Safety – Integration of RBAC and MCS in the LHC control system.

W. Sliwinski – eLTC – 7March08 1 LSA & Safety – Integration of RBAC and MCS in the LHC control system.
1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.

1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.
Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.

Welcome Windows Server 2008 安全功能 -NAP. Network Access Protection in Windows Server 2008.
Session 1 Introduction  What is RADE  Technology  Palette  Tools  Template  Combined Example  How to get RADE  Questions? RADE Applications EN-ICE-MTA.

Session 1 Introduction  What is RADE  Technology  Palette  Tools  Template  Combined Example  How to get RADE  Questions? RADE Applications EN-ICE-MTA.
Wojciech Sliwinski BE/CO for the RBAC team 25/04/2013.

Wojciech Sliwinski BE/CO for the RBAC team 25/04/2013.
Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.

Computer Security Risks for Control Systems at CERN Denise Heagerty, CERN Computer Security Officer, 12 Feb 2003.
DIAMON Project Project Definition and Specifications Based on input from the AB/CO Section leaders.

DIAMON Project Project Definition and Specifications Based on input from the AB/CO Section leaders.
V. Kain – eLTC – 7March08 1 V.Kain, S. Gysin, G. Kruk, M. Lamont, J. Netzel, A. Rey, W. Sliwinski, M. Sobczak, J. Wenninger LSA & Safety - RBAC, MCS Roled.

V. Kain – eLTC – 7March08 1 V.Kain, S. Gysin, G. Kruk, M. Lamont, J. Netzel, A. Rey, W. Sliwinski, M. Sobczak, J. Wenninger LSA & Safety - RBAC, MCS Roled.

Similar presentations

Ads by Google