LCLS Network & Support Planning. Terri Lahey




Outline
- Goal: build production hosts, workstations, & networks
- Engineering Teams
- Apply experience and new architectures
- Integrated Security at SLAC
- Servers & desktops
- Network Plans
- Ethernet Architecture
- What's Next?

Engineering Teams
- Scientific Computing & Computing Services (SCCS) network and security: Gary Buhrmaster et al., Antonio Ceseracciu, Charles Granieri, Fred Hooker
- LCLS: Mark Crane, Mike DiSalvo, Doug Murray
- Controls & Power Engineering (CPE): Ken Brobeck, Jim Knopf, Jingchen Zhou

Apply Experience from PEP and Implement New Architectures
- Protect accelerator components and access to the control system
  - Control the number of connections
  - Control who connects
- Meet users' needs: physicists, operators, and engineers need access to the control system and components so they can do their job
- Implement security for the networks and the hosts on the network

Commission LCLS Injector from MCC control room
- Physicists, Engineers & Operators will use: EPICS, Matlab, existing HLAs (SLC)

Use SCCS services where possible
- Security: work with SCCS security team to help us run 24x7
  - SCCS security coordinates SLAC-wide security: identify model and DOE/Office of Science requirements
  - Interfaces with DOE/Office of Science
  - Scan networks in a scheduled manner (production very controlled)
  - Participate in Computing Security Committee
- Network Design and Physical Layer
  - SLAC standards to achieve more reliable networks
  - Central management with strong liaison to Controls
  - Current equipment/design knowledge
- SCCS manages Oracle, web servers. Servers reside at MCC
- Use AFS for CVS repository, development, & main web server (mirror to MCC)
- Use SCCS central tools when possible: console log management, authentication

Production Servers & Workstations
- Manage production servers to run standalone
- Use SCCS-supported versions of operating systems, packages & applications where possible
- Patch operating systems and update to new versions
- Automate maintenance of production hosts
- Reduce maintenance load and improve security by using taylor where possible
- Centralized log server & security monitoring
- Use existing accelerator production servers where possible (e.g. NFS, elog, ARTEMIS bug tracking, ORACLE, DNS, IP Services)

Networks
- SCCS Networking configures the network switches and routers & manages the physical layer. Controls Software coordinates control system and user needs, and works closely with SCCS.
- Production accelerator network is controlled and protected
  - Greater attention to security by both SCCS and Controls
  - Run accelerator disconnected from the rest of SLAC; for use if there is a security problem at SLAC
- Isolation of wireless network: wireless and accelerator switches are never combined. Wireless is visitornet, which resides outside the SLAC firewall. Users tunnel into SLAC the same way they tunnel from the internet: ssh, citrix, vpn

Networks (cont'd)
- CISCO switches and routers
  - Patch network firmware and upgrade versions
  - Plan for and upgrade hardware components to avoid end-of-life
- Implement redundancy in core switches and routers, for reliability
- Use hot spares for device switches, but increased use of VLANs will likely require some configuration
- SLAC-wide network monitoring systems send alarms when:
  - components go offline (e.g. power outage or failure)
  - ports get disabled due to too many collisions
- Enhance network monitoring

Technology Choices
- Cisco switches - gigabit:
  - Device switches: 3750 (single and stacks)
  - Core: pair of 6509 (720 Gbps bidirectional backplane) supporting uplinks and servers
  - MCC control room workstations, printers: 4506
  - Wireless: 3750 (10/100) public switch
- Linux & RTEMS
- RHEL3 or RHEL4
- DELL
- SUN Ray thin clients & some Linux workstations
- DIGI terminal servers

Network Architecture
- Production accelerator network is isolated:
  - Protect IOCs that often require insecure services like telnet/rsh or have less secure TCP/IP stacks
  - Control access to accelerator components so that systems do not get overloaded
- Use private addresses
- Multiple VLANs to separate traffic
- Ports disabled by default
- 1 gigabit to the end devices. Currently 1 gigabit uplinks to MCC
- DMZ is the only access to the private network (login servers, web servers, PV gateways)
- MCC and SLC-aware IOC use PEP proxy server: have tested with PEP running 9 SLC-aware IOCs for injector; more testing to confirm that PEP & LCLS will not impact each other
- Path to SCCS data silos & other required services
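Two of the rules above (wireless and accelerator switches are never combined; ports are disabled by default) can be checked mechanically against switch configurations. The following audit script is an added example, not part of the original slides or SLAC's tooling; the switch names, VLAN ids and IOS-style config excerpts are constructed for illustration.

```python
import re
# Constructed sample running-config excerpts: hypothetical switch names and VLAN ids, not SLAC's.
SAMPLE_CONFIGS = {
    "s20-dev-sw1": """
interface GigabitEthernet1/0/1
 description injector IOC
 switchport access vlan 110
interface GigabitEthernet1/0/2
 switchport access vlan 110
 shutdown
interface GigabitEthernet1/0/3
 switchport access vlan 110
""",
    "mcc-wireless-sw1": """
interface GigabitEthernet1/0/1
 description visitornet access point
 switchport access vlan 900
interface GigabitEthernet1/0/2
 switchport access vlan 110
""",
}
ACCELERATOR_VLANS = {110}  # assumed production accelerator VLAN id
WIRELESS_VLANS = {900}     # assumed visitornet VLAN id
def parse_interfaces(config):
    # Map interface name -> {vlan, shutdown, described} from an IOS-style excerpt
    ifaces, cur = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:  # new interface block; its sub-commands follow, indented
            cur = ifaces[m.group(1)] = {"vlan": None, "shutdown": False, "described": False}
        elif cur is not None and (line := raw.strip()):
            if line == "shutdown":
                cur["shutdown"] = True
            elif line.startswith("description "):
                cur["described"] = True  # a known device is attached here
            elif line.startswith("switchport access vlan "):
                cur["vlan"] = int(line.split()[-1])
    return ifaces
def audit(configs):
    """Return (switch, interface, problem) tuples; an empty list means compliant."""
    findings = []
    for switch, text in configs.items():
        ifaces = parse_interfaces(text)
        vlans = {i["vlan"] for i in ifaces.values() if i["vlan"] is not None}
        if vlans & ACCELERATOR_VLANS and vlans & WIRELESS_VLANS:
            findings.append((switch, "*", "wireless and accelerator VLANs share a switch"))
        for name, i in ifaces.items():
            if not i["described"] and not i["shutdown"]:  # unused port left enabled
                findings.append((switch, name, "port with no assigned device is not shut down"))
    return findings
```

A port with a description is treated as having an assigned device; in a real deployment the inventory, not the description field, should be the source of truth for which ports are in use.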

Current Work
- Building production infrastructure for injector commissioning, Jan 2007
- Installing network infrastructure in S20 & MCC
- Additional tests of SLC-aware IOC and improving monitoring of traffic to avoid interference between PEP & LCLS programs
- Review and implement network VLANs
- Testing RHEL4 and working on production hosts
- Ordered SUN Ray & will test during this PEP run
- Integration with all LCLS subsystems

Conclusion
- Would like to hear your experiences: RHEL4, EPICS traffic, any isolated networks, archive data storage/management
- What worked well & what did not?

Thank you