Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 SLAC National Accelerator Laboratory


1 Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 lahey@slac.stanford.edu SLAC National Accelerator Laboratory

Update on Security Issues

- LCLS Ebeam Security Update
- Covering work of Network, Systems, and EPICS teams, and contributions from SCCS teams
- Gunther will cover Photon
- Cyber Security Integrated with SLAC Security Plan
- Delivered Systems
- Network Architecture
- Computer Security
- What’s Next

2 Cyber Security Protection Program (CSPP)

- Integrated with SLAC Cyber Security Plan
- MCC enclave was extended for LCLS Ebeam Control System
- SCCS security team interfaces with DOE
- MCC is represented on security committee
- Interact with SCCS teams to build and maintain production control system
- DOE site visits and responded to ST&E review
- SCCS daily and quarterly security scans
- CSPP Annual Review of MCC enclave (early 2009)
- Implemented original design of LCLS networks
- Plan to upgrade enclave while supporting legacy control system for Minimum Maintenance State of Linac (CID-S19) & PEP

3 Delivered Systems

- Production systems to support ebeam injector through edump
- MPS/PPS/HVAC in photon section
- Network upgrade at MCC for gigabit traffic to support digitized video
- LINUX RHEL4 Servers and OPI
- Main Control Center (MCC) Control Room – new layout with 5 dual-head Linux OPI, multiple dual-head Sun Ray OPI, multiple overhead displays, and locations for laptop on public subnets or wireless
- Foyer: space for Sun Ray & laptop work areas
- Debugging in the field with sunray and wireless

5 Network Architecture (1)

- Production nodes reside on production networks isolated from SLAC Networks
- Accelerator subnets: Channel Access, Instruments, Utilities, Video, Sunray Terminal
- Private network for some subsystems: BPM, LLRF, Toroid, ADS
  - Unrouted traffic
  - Monitor traffic and manage switch via accelerator network
- LCLSDMZ is the edge of LCLS networks
  - Only access to LCLS from the rest of SLAC
- All nodes are SLAC-only
- Wireless is on a separate network; tunnel into SLAC

6 Network Architecture (2)

- Traffic routing: LCLS integration with previous MCC & SLAC networks
- Filtering Firewall to control traffic
- Read only access from DMZ nodes
- SCCS services provided from nodes on DMZ
- saIOC router is tightly controlled with ACLs for a 64-node IP range
- Use SCCS team for security and network management
- Security and networking advised on DMZ architecture
- Networking manages switches and brings them online
- Use central network monitoring package and alerts

7 LCLS Ebeam Computer Security (1)

- LCLS LINUX servers & workstations
  - 32-bit RHEL4 (64-bit DELL 1950/2950)
  - Standalone configuration, system disk mirroring, console service, UPS management, failover procedure, automated system resource monitoring, watchdog for production applications, etc. to ensure the systems are reliable and robust
- Yum patching
  - Synchronize MCC patch repository with SCCS repository
  - Monitor when patches are needed
  - Schedule downtime to patch on ROD days
  - Can fall back to old system
- Production applications use production NFS
- Authenticate with local accounts and use SSH v2 keys

8 LCLS Ebeam Computer Security (2)

- Operator Interfaces (OPI)
  - Standalone Linux workstations in control room: dual 24” monitor
  - Linux-based sunray
  - Sunray 2fs clients in control room for overhead displays and dual-monitor workstations
  - Sunray 2fs clients (cow) and laptops for debugging in the field
  - Provide readonly access from offices via PVGateway with CA Security
  - Login to production servers for read/write access
  - Wireless is outside SLAC; tunnel with ICA/Citrix/SSH/VPN/RDP
- EPICS IOCs
  - IOCs and RTEMS use MCC NFS
  - CA Security is applied in multiple systems
- VMS control system
  - Minimizing usage while we migrate last functions

9 Other Status

- Omnilocks on computer room
- Moved network core into locked computer room
- slcIOC bridge
  - Injector through BSY devices use this bridge
  - Injector and BC2/L3 commissioning
  - Upcoming run through BSY
  - Undulator beamline & edump are EPICS only
- MCC Oracle is patched by SCCS Oracle experts
- Electronic logbooks – operations and physics

10 What’s next

- Data Transfer between ebeam and photon sections
- Security
  - Review filtering firewall to give readonly access to control system
  - Review MCC Enclave’s CSPP and implement improvements
- Computing Infrastructure
  - Short term access to SCCS Oracle until we move to MCC Oracle
  - Review all SCCS dependencies and migrate where needed
  - Support S20-BSY Linac Upgrade with existing network/computing architecture
  - Migrating away from physics elog to DOE compliant elog

