Computing infrastructure for accelerator controls and security-related aspects

Computing infrastructure for accelerator controls and security-related aspects

BE/CO Day – 22.June.2010

The first part of this talk gives an overview of the computing infrastructure dedicated to the accelerator controls: consoles, files and application servers, and explains how it is supervised and how high availability is achieved.The second part explains the security-related aspects, such as the management of user passwords and groups, the separation of general purpose and technical (accelerator) networks, and the role-based access control system protecting accelerator devices.

BE/CO Day - Pierre Charrue 2

Outline

Operator Console in the CCC File and Application servers in the CCR

Users management

General and Technical Network Security

Role Based Access Control

22 June 2010


Outline


Users management



22 June 2010


The CCC and CCR

22 June 2010

22 June 2010 BE/CO Day - Pierre Charrue 5

Inside CCC

General Purpose Fixed Display

Operator Consoles

22 June 2010 BE/CO Day - Pierre Charrue 6

A typical Operator ConsoleScreens with tunable distance and tilt

Acoustic panel used as back door

Task lightingTable height 72cm, American Oak look

PCs hidden buteasily accessible


CCR principles

High Availability infrastructure The servers (and the services offered) should never stop

The CCR has a double power distribution coming from 2 different sources, with 15’ (resp. 60’) UPS

Each server has Redundant power supply Redundant system disks and user disks (RAID-1) Hot swappable power supply, RAID disks and fans units Automatic ECC RAM checks and isolation of faulty memory blocks

The CCR is very closely monitored Tº by the Operators in the CCC System monitoring with SMS and mails to the experts

Extremely good results : The CCR servers hardly stop when there is a general CERN power outage!

22 June 2010


Inside the CCR

22 June 2010


Outline


Users management



22 June 2010


User Management

CERN has a global user management and creates an account for every people working at CERN.

BE/CO manages the users that are allowed to access the Controls Infrastructure NFS filespace, passwd and groups system files Today this is based on a manual process

We are in the process of implementing and deploying a more secure and automatic management of our potential users Including SSH authorisations, limiting global accounts to specific

areas, automatic removal of accounts not valid anymore, …

22 June 2010


Outline


Users management



22 June 2010

Operator in the CCC

Specialist access from home

Access from the office inside CERN

Office development PC

Trusted Application Gateways

Home or remote PC

CERN FirewallConnection to

Internet

INTERNET

CERN Public Gateways(LXPLUS, CERNTS)

3 typical Use Cases

22 June 2010

BE/CO Day - Pierre Charrue 1422 June 2010

GeneralPurposeNetwork

TechnicalNetwork

TrustedHosts List

ExposedHosts List

Network Security

CERN security policy for Controls (CNIC initiative) defined and implemented the following :

9 January 2006 : closure of the GPN <-> TN connection No communication allowed to cross the bridge

except▪ from TRUSTED hosts on the GPN▪ to EXPOSED hosts on the TN

Connection to the TN requires formal authorization

MAC address authentication


Outline


Users management



22 June 2010

BE/CO Day - Pierre Charrue22 June 2010 16

What is RBAC

RBAC stands for Role Based Access Control RBAC is an infrastructure to prevent:

A well meaning person from doing the wrong thing at the wrong time.

An ignorant person from doing anything, at anytime. It is a suite of software components that provides

AUTHENTICATION (A1) on the client level AUTHORIZATION (A2) on the server level

Depending on WHICH action is made, on WHO is making the call, and from WHERE the call is issued, the access will be granted or denied

This allows for filtering, for control and for traceability of the access to the equipment


Basic Concepts

Roles: user are assigned to roles Rules: access permission A1 = Authentication : Verifies who you are

with the NICE user name and password A2 = Authorization: Roles have permission to

make specified access

22 June 2010


RBAC Overview

A1: User requests to be authenticated. RBAC authenticates user via NICE

user name and password RBA returns token to Application

A2: Application sends token to CMW

when connecting. CMW server (on front-end) verifies

token signature once, and uses the credentials for every subsequent request

CMW checks access map for role, location, application, mode

22 June 2010

Application RBAC

RBAC Token:

•Application name

•User name

•IP address/location

•Time of authentication

•Time of expiry

•Roles[ ]

•Digital signature (RBA private key)

CMW client

FESA

CMW server

Access MAP


RBAC deployed on LHC in 2008

LHC Applications have now this little green/orange button to login to RBAC

22 June 2010


Summary

The BE/CO/IN section is responsible for many different areas within the Controls infrastructure

In a controls infrastructure….▪ High availability file and application servers▪ Network Controls security▪ User management▪ Role Based access control

…. are essential Do not hesitate to contact us for further

discussions22 June 2010

Computing infrastructure for accelerator controls and security-related aspects

Documents

Transcript of Computing infrastructure for accelerator controls and security-related aspects