Experimental Physics and Industrial Control System
Dear John,
At SLAC we have our production EPICS stuff on a separate network, with access
through "gateway" machines, which can see both the IOCs and talk to OPIs in the
control room.
From a security standpoint this works fine. We have no (few) user accounts on
the gateways and things are invoked via RSH scripts. In principle, no one is
interactively logged in to the gateways. (Of course we do for various reasons).
There are several negative points to consider:
1) You need mechanisms to allow operators, for example, to indirectly update
things or add things to production directories. I'm thinking of StripTool
configurations or updated displays and such.
2) You need different EPICS setups for DEV and PROD. In our case we source
different files depending on what we need to do.
3) Some users will adamantly refuse to see the need for this and scream
constantly about needing to do one extra step to move data somewhere where
they can run, say, MATLAB, to do some analysis. We even have disks cross mounted
so data transfer is very easy and they howl.
But we have had no (knock on wood) bad people breaking in.
We'll be holding the collaboration meeting here at SLAC in early summer (exact
dates soon), so come see and ask questions of the implementers.
/Ron Chestnut
- Navigate by Date:
- Prev:
Protecting EPICS IOCs on ethernet John A. Priller
- Next:
Re: Protecting EPICS IOCs on ethernet Andy Foster
- Navigate by Thread:
- Prev:
Re: Protecting EPICS IOCs on ethernet Alan K Biocca
- Next:
Re: Protecting EPICS IOCs on ethernet Bill McDowell