Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network and Computer Security in the Fermilab Accelerator Control System Timothy E. Zingelman Control System Cyber-Security Workshop (CS)2/HEP Knoxville,

Published byDenis Mills Modified over 8 years ago

Similar presentations

Presentation on theme: "Network and Computer Security in the Fermilab Accelerator Control System Timothy E. Zingelman Control System Cyber-Security Workshop (CS)2/HEP Knoxville,"— Presentation transcript:

1 Network and Computer Security in the Fermilab Accelerator Control System Timothy E. Zingelman Control System Cyber-Security Workshop (CS)2/HEP Knoxville, TN October 2007

2 2 Agenda I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

3 3 I.Overview  Controls the hardware of the accelerator  A large experimental physics apparatus which is being constantly adjusted and improved  Intrinsically engineered to keep software errors from causing equipment damage  No environmental or life safety systems

4 4 I.Overview  An inventory of all systems (over 3,500 in the control system alone) on the network is maintained, including: OS and hardware, location, sysadmin, primary user  Automated notification reports any changes to registered IP and MAC addresses on the network

5 5 I.Overview  Accelerator configuration is stored 4 times a day, and on demand. This allows return of the accelerator to a known state: » After testing new machine configurations » After replacing or adding new equipment » After scheduled downtime and power outages  Tape backups are done daily and tapes are moved to another area on a regular schedule

6 6

7 7 I.Network Layout Overview  Control system nodes are isolated behind the redundant firewalls  Firewalls pass selected traffic only (default deny) inbound and outbound  VPN and Bastion hosts in DMZ allow authenticated traffic through the firewall  Emergency disconnect at division routers

8 8 I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

9 9 II.Balancing Risks vs. Usability  Reducing disruption to operations by cyber threats is important, however, reducing disruption to operations by cyber protections is also very important!  More accelerator downtime due to effects of cyber protection than from cyber attacks

10 10 II.Cyber Risks  No ‘secret’ information  Equipment designed to be safe at any control setting  Lab is a ‘high profile’, ‘government’ target  So, risks are disruption of operations and embarrassment, not leaks of sensitive data nor fear of equipment damage

11 11 II.Usability  Accelerator systems are constantly being improved, adjusted and maintained by a large group of Physicists, Engineers, Computer Professionals and others  Accelerator systems are often monitored and problems diagnosed by experts from locations other than the Main Control Room

12 12 I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

13 13 III.Network Layer Protection  Accelerator Division border disconnect » Emergency disconnect from the world  Border router Access Control Lists » Protect entire Division and PIX firewalls  Redundant Cisco PIX firewalls (outbound) » Traffic allowed to many on-site resources » No email access, No windows remote desktop

14 14 III.Network Layer Protection  Redundant Cisco PIX Firewalls ( inbound ) » Full default deny Offsite access to 5 specific nodes/services Onsite access to kerberized services (MIT and W2K) and a few tightly maintained application services Accelerator Division hardwired desktop systems access to several more specific protocols  Controls Router Access Control Lists » Isolate controls Vlans from each other

15 15 I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

16 16 IV.OS/Application Layer Protection  Linux systems use Site autoYUM service for OS and Applications and Site MIT Kerberos  Windows systems use Division patching services and Site W2K Domain, plus Control System Anti-Virus service  FreeBSD and Solaris systems use ‘portaudit’ and vendor email notification – these systems have ‘professional’ administrators

17 17 I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

18 18 V.Access Options  VPN » Software client, controls ‘key’ & login required » Authenticated & time limited network access » Remote system becomes a ‘Controls’ node » Full inbound and outbound firewall restrictions apply (no ‘split tunnel’) all traffic is ‘inside’ » Still requires further login to get command line access or to start a control system console

19 19 V.Access Options  Bastion Hosts » Two redundant nodes with minimal services » MIT Kerberized login (or Cryptocard token) » Time limited logins » SSH port forwarding allowed for X11 and other protocols » NFS mounts of inside disk to allow kerberized FTP access (FTP is otherwise blocked at FW)

20 20 V.Access Options  Windows Remote Desktop » Terminal server on Division network for email and offsite web access from inside systems » Terminal server on Controls network for access to web and other services inside (scopes, etc) from Onsite network systems » TS nodes disallow file xfer and drag-n-drop » All other inbound/outbound WRD is blocked

21 21 I.Overview and Network Layout II.Balancing Risks vs. Usability III.Network Layer Protection IV.OS/Application Layer Protection V.Access Options VI.Future Directions

22 22 VI.Future Directions  Site LDAP service to centralize authentication for non-kerberized services  SSL and KX509 Client Certificates for some web pages (logbooks, etc.)  Better integration of Apple OS X systems » Include in MIT Kerberos » Include in anti-virus and auto patching

23

Download ppt "Network and Computer Security in the Fermilab Accelerator Control System Timothy E. Zingelman Control System Cyber-Security Workshop (CS)2/HEP Knoxville,"

Similar presentations

Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Mike Bayne 15 September 2011

Mike Bayne 15 September 2011
What to expect.  Linux  Windows Server (2008 or 2012)

What to expect.  Linux  Windows Server (2008 or 2012)
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Network Security Overview Tales from the trenches.

Network Security Overview Tales from the trenches.
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.
Terri Lahey LCLS Facility Advisory Committee 20 April 2006 LCLS Network Security Terri Lahey.

Terri Lahey LCLS Facility Advisory Committee 20 April 2006 LCLS Network Security Terri Lahey.
Jefferson Lab Remote Access Andy Kowalski December 1, 2010.

Jefferson Lab Remote Access Andy Kowalski December 1, 2010.
Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.

TCP/IP - Security Perspective Upper Layers CS-431 Dick Steflik.
Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.

Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.
Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.

Barracuda Networks Confidential1 Barracuda Backup Service Integrated Local & Offsite Data Backup.
Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.

Network Security1 – Chapter 3 – Device Security (B) Security of major devices: How to protect the device against attacks aimed at compromising the device.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
Terri Lahey EPICS Collaboration Meeting June 2006 15 June 2006 LCLS Network & Support Planning Terri Lahey.

Terri Lahey EPICS Collaboration Meeting June June 2006 LCLS Network & Support Planning Terri Lahey.
Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Chapter 6 Configuring, Monitoring & Troubleshooting IPsec

Similar presentations

Ads by Google