Presentation is loading. Please wait.

Presentation is loading. Please wait.

Accelerator Control-System Network Diamond Light Source Mike Leech, Controls Group Computer Systems Manager.

Published byChristopher Harvey Modified over 9 years ago

Similar presentations

Presentation on theme: "Accelerator Control-System Network Diamond Light Source Mike Leech, Controls Group Computer Systems Manager."— Presentation transcript:

1 Accelerator Control-System Network Security @ Diamond Light Source Mike Leech, Controls Group Computer Systems Manager

2 “Dream Accelerator Controls Network?” ++Isolated +No routing, Layer 2 only – Easy configuration and hardware replacement +Simple “Star” network – no daisy-chaining + Cheap -No diverse routes for fibres -No automatic hardware failover

3 Primary Network: All EPICS control traffic Only primary network needed to run machine. All services contained within – DNS, NFS, NTP, IOC boot (FTP), Parameter archiving etc.

4 Devices on the Primary Network: 16 Linux Servers11 Linux CA Gateways45 Linux Workstations 298 VxWorks IOCs222 Linux BPMs4 Windows PCs 40 Linux/Windows Laptops6 Other!!! (Atomic Clock, GPIB adapter, etc) 0 PLCs!!! (All PLCs hang off private networks on IOC second interface)

5 Secondary Network: All non EPICS traffic and traffic not essential to machine operation Video cameras, scopes, terminal servers, IP phones, pump carts, residual gas analysers, printers etc. Nearly identical to primary network except, routed to allow access to dual homed servers and workstations.

6 Powerful security tools “out-of-the-box”: Iptables stateful firewall, tcpwrappers (hosts.allow), SSH encrypted login shell (copying, tunnelling and more). Open Source: Security flaws discovered and patched quickly. Secure services: VSFTP, Apache, SELinux Jail. Total control over system configuration – rebuild your own kernel. Security through obscurity: Less of a target for viruses and worms. No “Power Users” unless you configure elevated rights

7 Dual Homed Servers: SSH Bastion: Allows remote access during shutdown and emergency remote access during operation to fix faults EPICS Channel Access archiver: Allows office access to archived data. Bootserver: Allows office read-only access to software (3.14). Relational Database: Allows access to ELog, cable schedules etc

8 Diamond Control Room

9 Physical Access: Network access points are restricted to the following locations: Control and instrumentation areas (CIAs). Linac, booster and storage ring tunnels. Computer room. Control room. Comms rooms. NO labs or offices. NO wireless. All these areas are under access control.

10 Bridging (Stealth) firewall: Close down both interfaces: > ifdown eth0; ifdown eth1 > ifconfig eth0 0.0.0.0 > ifconfig eth1 0.0.0.0 Create a bridge: > brctl addbr br0 Add both interfaces: > brctl addif br0 eth0 > brctl addif br0 eth1 Turn on IP forwarding: > echo 1 > /proc/sys/net/ipv4/ip_forward Configure management interface: > ifconfig br0 172.23.0.1 netmask 255.255.255.0 up

11 Iptables firewall: > iptables -F > iptables –P FORWARD DROP > iptables –P INPUT DROP; IPTABLES –P OUTPUT DROP > iptables –A INPUT –i lo ACCEPT; iptables –A OUTPUT –o lo ACCEPT Restrict by interface: > iptables –A FORWARD –i eth1 –o eth0 –p tcp --dport 22 –j ACCEPT Restrict by IP address range: > iptables -A FORWARD --destination 172.23.0.0/16 -p udp --dport 53 -j ACCEPT Stateful: > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT eth1 eth0

12 Epics Channel Access Gateways: Enable machine parameters to be read from isolated primary network One for office networks and one for each beamline network Application layer gateways. No direct routing of IP packets Unidirectional read-only gateway for office Bidirectional read-only gateway per beamline – no default route CA monitor allows moving of ID gaps through read only gateway

13 Diamonds Public and Private Networks: Diamonds control, office, science and beamline networks are all NAT’d private networks Some proxyed protocols eg. Real player, http, https A limited number of other protocols allowed out eg. ssh Diamond controls public network has a public address range and is directly routed to diamond private networks, but behind site firewall SSH bastion and reverse web proxy on public network No DMZ - yet!.

14 Apache Reverse Web Proxy: Enables one web server to provide content from another transparently. Gives encrypted and authenticated access to certain internal web pages. Such as, Elog, archiver, Machine status. http://internal.com -> https://external.com/internal

15 LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule headers_module modules/mod_headers.so LoadFile /usr/lib/libxml2.so LoadModule proxy_html_module modules/mod_proxy_html.so DocumentRoot /var/www/html/external ServerName external.com ProxyPass /internal/ http://www.internal.com/ ProxyPassReverse / SetOutputFilter proxy-html ProxyHTMLURLMap / /internal/ ProxyHTMLURLMap /internal /internal RequestHeader unset Accept-Encoding SSLProxyEngine on AuthType Basic AuthName “External Area" require valid-user Allow from all SSLEngine on SSLCertificateFile /etc/httpd/conf/ssl.crt/external.crt SSLCertificateKeyFile /etc/httpd/conf/ssl.key/external.key

16 Acknowledgements I would like to thank the following for their help: Tim HaytonOriginal Network Design and Tender Mark HeronOriginal Network Design / Contract Manager Pete LeicesterChannel Access Gateways Peter Denison, James RowlandLINUX / EPICS Gurus Frederik Ferner, Tina FriedrichMore LINUX Gurus Paul Amos, Simon LayOriginal Cable Installation Chris Colbourne, Nico RotoloCabling Maintenance The LINUX and EPICS communities

17 Network security may seem like an impossible struggle! But don’t give up hope ;-)

Download ppt "Accelerator Control-System Network Diamond Light Source Mike Leech, Controls Group Computer Systems Manager."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.

Ipchains and Iptables Linux operating system natively supports packet-filtering rules: Kernel versions 2.2 and earlier support the ipchains command. Kernel.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Module 5: Configuring Access to Internal Resources.

Module 5: Configuring Access to Internal Resources.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Web Server Administration Chapter 10 Securing the Web Environment.

Web Server Administration Chapter 10 Securing the Web Environment.
Firewall Configuration Strategies

Firewall Configuration Strategies
Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.

Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.
Guide to Network Defense and Countermeasures Third Edition

Guide to Network Defense and Countermeasures Third Edition
Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.

Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Wi-Fi Structures.

Wi-Fi Structures.
Beth Johnson April 27, 1998. What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.

Beth Johnson April 27, What is a Firewall Firewall mechanisms are used to control internet access An organization places a firewall at each external.
Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 SLAC National Accelerator Laboratory 1 Update on Security Issues LCLS.

Terri Lahey LCLS FAC: Update on Security Issues 12 Nov 2008 SLAC National Accelerator Laboratory 1 Update on Security Issues LCLS.
Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.

Poor Man’s Firewall A firewall that can be setup and implemented with a minimum amount of time and money.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
M2M Gateway Features Jari Lahti, CTO www.violasystems.com.

M2M Gateway Features Jari Lahti, CTO
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
R. Lange, M. Giacchini: Monitoring a Control System Using Nagios Monitoring a Control System Using Nagios Ralph Lange, BESSY – Mauro Giacchini, LNL.

R. Lange, M. Giacchini: Monitoring a Control System Using Nagios Monitoring a Control System Using Nagios Ralph Lange, BESSY – Mauro Giacchini, LNL.

Similar presentations

Ads by Google