Presentation is loading. Please wait.

Presentation is loading. Please wait.

Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 SLAC National Accelerator Laboratory 1 Update on Security Issues LCLS.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 SLAC National Accelerator Laboratory 1 Update on Security Issues LCLS."— Presentation transcript:

1 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory 1 Update on Security Issues LCLS Ebeam Security Update Covering work of Network, Systems, and EPICS teams, and contributions from SCCS teams Gunther will cover Photon Cyber Security Integrated with SLAC Security Plan Delivered Systems Network Architecture Computer Security What’s Next

2 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory 2 Cyber Security Protection Program (CSPP) Integrated with SLAC Cyber Security Plan MCC enclave was extended for LCLS Ebeam Control System SCCS security team interfaces with DOE MCC is represented on security committee Interact with SCCS teams to build and maintain production control system DOE site visits and responded to ST&E review SCCS daily and quarterly security scans CSPP Annual Review of MCC enclave (early 2009) Implemented original design of LCLS networks Plan to upgrade enclave while supporting legacy control system for Minimum Maintenance State of Linac (CID-S19) & PEP

3 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory 3 Delivered Systems Production systems to support ebeam injector through edump MPS/PPS/HVAC in photon section Network upgrade at MCC for gigabit traffic to support digitized video LINUX RHEL4 Servers and OPI Main Control Center (MCC) Control Room – new layout with 5 dual-head Linux OPI, multiple dual-head Sun Ray OPI, multiple overhead displays, and locations for laptop on public subnets or wireless. Foyer: space for Sun Ray & laptop work areas Debugging in the field with sunray and wireless

4 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory 4

5 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory 5 Network Architecture (1) Production nodes reside on production networks isolated from SLAC Networks Accelerator subnets: Channel Access, Instruments, Utilities, Video, Sunray Terminal Private network for some subsystems: BPM, LLRF, Torroid, ADS Unrouted traffic Monitor traffic and manage switch via accelerator network LCLSDMZ is the edge of LCLS networks only access to LCLS from the rest of SLAC All nodes are SLAC-only Wireless is on a separate network; tunnel into SLAC

6 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory 6 Network Architecture (2) Traffic routing: LCLS integration with previous MCC & SLAC networks Filtering Firewall to control traffic Read only access from DMZ nodes SCCS services provided from nodes on DMZ saIOC router is tightly controlled with acls for a 64- node IP range Use SCCS team for security and network management Security and networking advised on DMZ architecture Networking manages switches and brings them online Use central network monitoring package and alerts

7 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory 7 LCLS Ebeam Computer Security (1) LCLS LINUX servers & workstations 32-bit RHEL4 (64-bit DELL 1950/2950) standalone configuration, system disk mirroring, console service, UPS management, failover procedure, automated system resource monitoring, watchdog for production applications, etc to ensure the systems are reliable and robust Yum patching Synchronize MCC patch repository with SCCS repository Monitor when patches are needed Schedule downtime to patch on ROD days Can fallback to old system production applications uses production NFS Authenticate with local accounts and use SSH v2 keys

8 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory 8 LCLS Ebeam Computer Security (2) Operator Interfaces (OPI) Standalone linux workstations in control room: dual 24” monitor Linux-based sunray Sunray 2fs clients in control room for Overhead displays and dual- monitor workstations Sunray 2fs clients (cow) and laptops for debugging in the field Provide readonly access from offices via PVGateway with CA Security Login to production servers for read/write access Wireless is outside SLAC; tunnel with ICA/Citrix/SSH/VPN/RDP EPICS IOCs IOCs and RTEMS use MCC NFS CA Security is applied in multiple systems VMS control system Minimizing usage while we migrate last functions

9 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory 9 Other Status Omnilocks on computer room Moved network core into locked computer room slcIOC bridge Injector through BSY devices use this bridge Injector and BC2/L3 commissioning Upcoming run through BSY Undulator beamline & edump are EPICS only MCC Oracle is patched by SCCS Oracle experts Electronic logbooks – operations and physics

10 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory 10 What’s next Data Transfer between ebeam and photon sections Security Review filtering firewall to give readonly access to control system Review MCC Enclave’s CSPP and implement improvements Computing Infrastructure Short term access to SCCS Oracle until we move to MCC Oracle Review all SCCS dependencies and migrate where needed Support S20-BSY Linac Upgrade with existing network/computing architecture Migrating away from physics elog to DOE compliant elog

Download ppt "Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 SLAC National Accelerator Laboratory 1 Update on Security Issues LCLS."

Similar presentations

The Access Grid Ivan R. Judson 5/25/2004.

The Access Grid Ivan R. Judson 5/25/2004.
Chapter 3: Planning a Network Upgrade

Chapter 3: Planning a Network Upgrade
Deploying GMP Applications Scott Fry, Director of Professional Services.

Deploying GMP Applications Scott Fry, Director of Professional Services.
High Availability Group 08: Võ Đức Vĩnh50703006 Nguyễn Quang Vũ50703033.

High Availability Group 08: Võ Đức Vĩnh Nguyễn Quang Vũ
Accelerator control at iThemba LABS. Some background No formal reliability procedures Cost considerations SSC operational 24/7 Shutdown total of 2 months/year.

Accelerator control at iThemba LABS. Some background No formal reliability procedures Cost considerations SSC operational 24/7 Shutdown total of 2 months/year.
1 © Copyright 2010 EMC Corporation. All rights reserved. EMC RecoverPoint/Cluster Enabler for Microsoft Failover Cluster.

1 © Copyright 2010 EMC Corporation. All rights reserved. EMC RecoverPoint/Cluster Enabler for Microsoft Failover Cluster.
Ernest Williams FAC November 2008 Control Systems Software Section 1 Controls System Installation Status Ernest Williams for Controls Department.

Ernest Williams FAC November 2008 Control Systems Software Section 1 Controls System Installation Status Ernest Williams for Controls Department.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Ernest L. Williams Jr. Controls Commissioning October 2007 Controls Commissioning Facility Advisory Committee.

Ernest L. Williams Jr. Controls Commissioning October 2007 Controls Commissioning Facility Advisory Committee.
Wi-Fi Structures.

Wi-Fi Structures.
Terri Lahey LCLS Facility Advisory Committee 20 April 2006 LCLS Network Security Terri Lahey.

Terri Lahey LCLS Facility Advisory Committee 20 April 2006 LCLS Network Security Terri Lahey.
Stephanie Allison Integration with the SLC Control Oct 27, 2005 1 Introduction Demo SLC-Aware IOC Plans for Next 12 Months.

Stephanie Allison Integration with the SLC Control Oct 27, Introduction Demo SLC-Aware IOC Plans for Next 12 Months.
Hamid Shoaee LCLS FAC Controls June 17, 2008 1 LCLS Control System Personnel Linac & BC2 Controls progress LTU, Dump Controls.

Hamid Shoaee LCLS FAC Controls June 17, LCLS Control System Personnel Linac & BC2 Controls progress LTU, Dump Controls.
Dayle Kotturi SLC April 29, 2004 Outline Motivation Key Components Status Update SLC / EPICS Timing Software Tasks Hardware.

Dayle Kotturi SLC April 29, 2004 Outline Motivation Key Components Status Update SLC / EPICS Timing Software Tasks Hardware.
Hamid Shoaee LCLS FAC Review – October 2007 1 Control System Overview Hamid Shoaee Controls System Manager Injector control system commissioning & Support.

Hamid Shoaee LCLS FAC Review – October Control System Overview Hamid Shoaee Controls System Manager Injector control system commissioning & Support.
1© Copyright 2011 EMC Corporation. All rights reserved. EMC RECOVERPOINT/ CLUSTER ENABLER FOR MICROSOFT FAILOVER CLUSTER.

1© Copyright 2011 EMC Corporation. All rights reserved. EMC RECOVERPOINT/ CLUSTER ENABLER FOR MICROSOFT FAILOVER CLUSTER.
A Guide to major network components

A Guide to major network components
Hamid Shoaee Accelerator Readiness Dec. 2, ‘08 SLAC National Accelerator Laboratory Controls Department LCLS Maintenance.

Hamid Shoaee Accelerator Readiness Dec. 2, ‘08 SLAC National Accelerator Laboratory Controls Department LCLS Maintenance.
Passage Three Introduction to Microsoft SQL Server 2000.

Passage Three Introduction to Microsoft SQL Server 2000.
Terri Lahey EPICS Collaboration Meeting June 2006 15 June 2006 LCLS Network & Support Planning Terri Lahey.

Terri Lahey EPICS Collaboration Meeting June June 2006 LCLS Network & Support Planning Terri Lahey.

Similar presentations

Ads by Google