Upload
thyandrecardoso
View
297
Download
2
Tags:
Embed Size (px)
Citation preview
Network Infrastructure for Academic IC CAD Environments
EUROCON 2011 - E-Learning II
Network Infrastructure for Academic ICCAD Environments
Pedro Coke, Cândido Duarte, André Cardoso, Vítor Grade Tavares, Pedro Guedes de Oliveira
April 29, 2011
Microelectronics Students’ GroupDEEC - Departamento de Engenharia Electrotécnica e de Computadores
FEUP - Faculdade de Engenharia, Universidade do PortoRua Dr. Roberto Frias, s/n, 4200-465 Porto, Portugal
Sala I325, Telephone: 225574199 - Ext 3230web: usgroup.eu e-mail: [email protected]
April 29, 2011 1/14
Network Infrastructure for Academic IC CAD Environments
Introduction
At the Microelectronics Students’ Group,students are able to take part in thedevelopment of IC projects
The group provides a well-suited working environment forIC CAD design
Over time, however, more complex projects demanded amore reliable and secure computer network infrastructure.
April 29, 2011 2/14
Network Infrastructure for Academic IC CAD Environments
Introduction
This need was approached through an extracurricularactivityThe project gathered students in Computer Sciences and Electronics andComputers Engineering, interested in developing knowledge on networksecurity, allowing them to:
· Pursue their own topics of interest· Autonomously explore solutions to fulfil requirements· Consolidate knowledge through hands-on experience
April 29, 2011 3/14
Network Infrastructure for Academic IC CAD Environments
ProjectKick-off
The students started by reviewing the current solution inorder to identify existing problems
· Maintaining software copies on many machines
· More users than machines available
· Sensitive information transmitted on public network
April 29, 2011 4/14
Network Infrastructure for Academic IC CAD Environments
ProjectRequirements
Following this analysis, the project requirements weredefined
· Centralized user authentication· Filesystem distribution throughout the network
· User storage· IC-CAD software
· Secure infrastructure on insecure network
April 29, 2011 5/14
Network Infrastructure for Academic IC CAD Environments
Core ServicesAuthentication
The Kerberos protocol allows secureauthentication over a non-secure network
It relies on symmetric key cryptography to provideauthentication for users and services.
· MIT Kerberos V· All core network services rely on Kerberos for authentication
April 29, 2011 6/14
Network Infrastructure for Academic IC CAD Environments
Core ServicesDirectory Service
LDAP is an application protocol forquerying and modifying directory serviceson the network
Used by host machines to query for users and groups.
· OpenLDAP server· Stores user and group information· Secured using Kerberos V
April 29, 2011 7/14
Network Infrastructure for Academic IC CAD Environments
Core ServicesStorage
AFS is a networked filesystem thatprovides a location-transparent file namespace
· OpenAFS server· Stores IC-CAD software and users’ homes· Uses Kerberos authentication· Access control lists (ACL) allow flexible permissions· Flexible volume management system with load-balancing
April 29, 2011 8/14
Network Infrastructure for Academic IC CAD Environments
Single Sign-On
SSO mechanisms allow users to seamlessly authenticateon all core services
Upon first authentication request, Kerberos issues aTicket-Granting-Ticket, which can be used for authentication to otherservices without re-entering credentials.
PAM and NSS are used to integrate Kerberos, LDAP and OpenAFS atlogin time.
April 29, 2011 9/14
Network Infrastructure for Academic IC CAD Environments
OS Deployment
Automated installation mechanisms allowfor non-interactive OS deployment.
The used operating system is CentOS, and Anaconda kickstart files allowfor fully automatic installation.
· Host boots from network· Configuration files are copied over the network via SSH· Custom profile system to differentiate between hosts· Local package mirror to speed up install· Host is fully usable at first boot
April 29, 2011 10/14
Network Infrastructure for Academic IC CAD Environments
Network Topology
All hosts are connected via a GigabitEthernet switch to avoid performancelosses
A single computer runs all network services, and isconnected via a 2Gb connection through NIC bondingto further reduce bottlenecks.
Redundancy through several servers was considered,but due the lab’s already limited resources only oneserver was deployed.
April 29, 2011 11/14
Network Infrastructure for Academic IC CAD Environments
Conclusion
The implemented infrastructure was deployed in theMicroelectronics Students’ Group laboratory network
Running in production environment for several months without significantissues, providing a well suited environment for IC design.
A simple security assessment was done using the Nessusvulnerability scanner, which revealed no faults.
April 29, 2011 12/14
Network Infrastructure for Academic IC CAD Environments
Conclusion
All the defined project requirements were fulfilled
The team was able to meet the goal of designing and implementing anetwork service infrastructure from scratch.
It allowed students to develop knowledge on areas not always thoroughlyexplored during courses, with complete autonomy.
April 29, 2011 13/14
Network Infrastructure for Academic IC CAD Environments
Thank you.
DEEC - Departamento de Engenharia Electrotécnica e de ComputadoresFEUP - Faculdade de Engenharia, Universidade do PortoRua Dr. Roberto Frias, s/n, 4200-465 Porto, PortugalSala I325, Telephone: 225574199 - Ext: 3230web: usgroup.eu e-mail: [email protected]
April 29, 2011 14/14