Network Infrastructure for Academic IC CAD Environments

EUROCON 2011 - E-Learning II

Pedro Coke, Cândido Duarte, André Cardoso, Vítor Grade Tavares, Pedro Guedes de Oliveira

April 29, 2011

Microelectronics Students’ Group
DEEC - Departamento de Engenharia Electrotécnica e de Computadores
FEUP - Faculdade de Engenharia, Universidade do Porto
Rua Dr. Roberto Frias, s/n, 4200-465 Porto, Portugal
Sala I325, Telephone: 225574199 - Ext 3230
web: usgroup.eu e-mail: [email protected]


Introduction

At the Microelectronics Students’ Group, students are able to take part in the development of IC projects.

The group provides a well-suited working environment for IC CAD design.

Over time, however, more complex projects demanded a more reliable and secure computer network infrastructure.


Introduction

This need was approached through an extracurricular activity.

The project gathered students in Computer Sciences and Electronics and Computers Engineering, interested in developing knowledge on network security, allowing them to:

· Pursue their own topics of interest
· Autonomously explore solutions to fulfil requirements
· Consolidate knowledge through hands-on experience


Project - Kick-off

The students started by reviewing the current solution in order to identify existing problems:

· Maintaining software copies on many machines
· More users than machines available
· Sensitive information transmitted on public network


Project - Requirements

Following this analysis, the project requirements were defined:

· Centralized user authentication
· Filesystem distribution throughout the network
    · User storage
    · IC-CAD software
· Secure infrastructure on insecure network


Core Services - Authentication

The Kerberos protocol allows secure authentication over a non-secure network.

It relies on symmetric key cryptography to provide authentication for users and services.

· MIT Kerberos V
· All core network services rely on Kerberos for authentication


Core Services - Directory Service

LDAP is an application protocol for querying and modifying directory services on the network.

Used by host machines to query for users and groups.

· OpenLDAP server
· Stores user and group information
· Secured using Kerberos V


Core Services - Storage

AFS is a networked filesystem that provides a location-transparent file namespace.

· OpenAFS server
· Stores IC-CAD software and users’ homes
· Uses Kerberos authentication
· Access control lists (ACL) allow flexible permissions
· Flexible volume management system with load-balancing


Single Sign-On

SSO mechanisms allow users to seamlessly authenticate on all core services.

Upon first authentication request, Kerberos issues a Ticket-Granting-Ticket, which can be used for authentication to other services without re-entering credentials.

PAM and NSS are used to integrate Kerberos, LDAP and OpenAFS at login time.
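
Added example (not from the original slides): a simplified Python model of the ticket flow described on the Authentication and Single Sign-On slides, where one password login yields a Ticket-Granting-Ticket that is then exchanged for LDAP and AFS tickets. The sealing routine is a toy stand-in for Kerberos encryption, timestamps and ticket lifetimes are omitted, and all function, user and service names are assumptions made for illustration.

```python
import hashlib, hmac, json, os

def kdf(password):
    # Stand-in for Kerberos string-to-key: long-term key derived from a password.
    return hashlib.sha256(password.encode()).digest()

def _xor(key, nonce, data):
    # Toy SHA-256 counter keystream (illustration only, not a real cipher).
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

class KDC:
    def __init__(self, users, services):
        self.tgs_key = os.urandom(32)                       # known only to the KDC
        self.users = {u: kdf(p) for u, p in users.items()}  # symmetric user keys
        self.services = services                            # service name -> shared key

    def as_exchange(self, user):
        # Initial login: the session key comes back sealed under the user's key.
        sk = os.urandom(32).hex()
        return seal(self.users[user], {"sk": sk}), seal(self.tgs_key, {"user": user, "sk": sk})

    def tgs_exchange(self, tgt, authenticator, service):
        # Later requests: the TGT plus proof of the session key replace the password.
        t = unseal(self.tgs_key, tgt)
        if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        return seal(self.services[service], {"user": t["user"]})

def login(kdc, user, password):
    reply, tgt = kdc.as_exchange(user)
    return bytes.fromhex(unseal(kdf(password), reply)["sk"]), tgt  # raises on wrong password

def get_ticket(kdc, user, sk, tgt, service):
    return kdc.tgs_exchange(tgt, seal(sk, {"user": user}), service)

def service_accepts(service_key, ticket):
    # A service trusts the ticket because only the KDC shares its key.
    return unseal(service_key, ticket)["user"]
```

The password is used once, in login(); every later get_ticket() call presents only the TGT and a session-key authenticator, and a ticket sealed for one service fails verification at any other.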


OS Deployment

Automated installation mechanisms allow for non-interactive OS deployment.

The operating system used is CentOS, and Anaconda kickstart files allow for fully automatic installation.

· Host boots from network
· Configuration files are copied over the network via SSH
· Custom profile system to differentiate between hosts
· Local package mirror to speed up install
· Host is fully usable at first boot


Network Topology

All hosts are connected via a Gigabit Ethernet switch to avoid performance losses.

A single computer runs all network services, and is connected via a 2Gb connection through NIC bonding to further reduce bottlenecks.

Redundancy through several servers was considered, but due to the lab’s already limited resources only one server was deployed.


Conclusion

The implemented infrastructure was deployed in the Microelectronics Students’ Group laboratory network.

It has been running in a production environment for several months without significant issues, providing a well-suited environment for IC design.

A simple security assessment was done using the Nessus vulnerability scanner, which revealed no faults.


Conclusion

All the defined project requirements were fulfilled.

The team was able to meet the goal of designing and implementing a network service infrastructure from scratch.

It allowed students to develop knowledge on areas not always thoroughly explored during courses, with complete autonomy.


Thank you.
