
Computing infrastructure for accelerator controls and security-related aspects

BE/CO Day – 22.June.2010. Computing infrastructure for accelerator controls and security-related aspects.


Presentation Transcript


  1. BE/CO Day – 22.June.2010
Computing infrastructure for accelerator controls and security-related aspects
The first part of this talk gives an overview of the computing infrastructure dedicated to the accelerator controls: consoles, file and application servers. It explains how this infrastructure is supervised and how high availability is achieved.
The second part explains the security-related aspects, such as the management of user passwords and groups, the separation of the general purpose and technical (accelerator) networks, and the role-based access control system protecting accelerator devices.

  2. Outline
• Operator Console in the CCC
• File and Application servers in the CCR
• User management
• General and Technical Network Security
• Role Based Access Control
BE/CO Day - Pierre Charrue


  4. The CCC and CCR (photo slide)

  5. Operator Consoles inside the CCC (photo labels: General Purpose, Fixed Display)

  6. A typical Operator Console
• Acoustic panel used as back door
• Screens with tunable distance and tilt
• PCs hidden but easily accessible
• Table height 72cm, American Oak look
• Task lighting

  7. CCR principles
• High Availability infrastructure
  • The servers (and the services offered) should never stop
  • The CCR has a double power distribution coming from 2 different sources, with 15’ (resp. 60’) UPS
• Each server has
  • Redundant power supply
  • Redundant system disks and user disks (RAID-1)
  • Hot swappable power supply, RAID disks and fan units
  • Automatic ECC RAM checks and isolation of faulty memory blocks
• The CCR is very closely monitored
  • Tº (temperature) by the Operators in the CCC
  • System monitoring with SMS and mails to the experts
• Extremely good results:
  • The CCR servers hardly ever stop, even when there is a general CERN power outage!

  8. Inside the CCR (photo slide)

  9. Inside the CCR (photo slide)


  11. User Management
• CERN has a global user management and creates an account for every person working at CERN.
• BE/CO manages the users that are allowed to access the Controls Infrastructure
  • NFS filespace, passwd and group system files
• Today this is based on a manual process
• We are in the process of implementing and deploying a more secure and automatic management of our potential users
  • Including SSH authorisations, limiting global accounts to specific areas, automatic removal of accounts that are no longer valid, …


  13. Trusted Application Gateways
Diagram labels: Office development PC; CERN Firewall; Connection to Internet; CERN Public Gateways (LXPLUS, CERNTS); INTERNET; Home or remote PC
3 typical Use Cases:
• Operator in the CCC
• Access from the office inside CERN
• Specialist access from home

  14. Network Security
• CERN security policy for Controls (CNIC initiative) defined and implemented the following:
  • 9 January 2006: closure of the GPN <-> TN connection
  • No communication allowed to cross the bridge except
    • from TRUSTED hosts on the GPN
    • to EXPOSED hosts on the TN
  • Connection to the TN requires formal authorization
  • MAC address authentication


  16. What is RBAC
• RBAC stands for Role Based Access Control
• RBAC is an infrastructure to prevent:
  • A well-meaning person from doing the wrong thing at the wrong time.
  • An ignorant person from doing anything, at any time.
• It is a suite of software components that provides
  • AUTHENTICATION (A1) on the client level
  • AUTHORIZATION (A2) on the server level
• Depending on WHICH action is made, on WHO is making the call, and from WHERE the call is issued, the access will be granted or denied
• This allows for filtering, for control and for traceability of the access to the equipment

  17. Basic Concepts
• Roles: users are assigned to roles
• Rules: access permissions
• A1 = Authentication: verifies who you are with the NICE user name and password
• A2 = Authorization: roles have permission to make specified accesses

  18. RBAC Overview
A1:
• User requests to be authenticated.
• RBAC authenticates user via NICE user name and password
• RBA returns token to Application
A2:
• Application sends token to CMW when connecting.
• CMW server (on front-end) verifies token signature once, and uses the credentials for every subsequent request
• CMW checks access map for role, location, application, mode
RBAC Token:
• Application name
• User name
• IP address/location
• Time of authentication
• Time of expiry
• Roles[ ]
• Digital signature (RBA private key)
Diagram components: Application, RBAC, CMW client, CMW server, Access MAP, FESA

  19. RBAC deployed on LHC in 2008
LHC applications now have this little green/orange button to log in to RBAC

  20. Summary
• The BE/CO/IN section is responsible for many different areas within the Controls infrastructure
• In a controls infrastructure…
  • High availability file and application servers
  • Network Controls security
  • User management
  • Role Based access control
• … are essential
• Do not hesitate to contact us for further discussions
