Traveling Physicist Questionnaire - api-documents.web.cern.ch

Traveling Physicist Questionnaire
Bob Cowles – SLAC
[email protected]
13 March 2003
HTASC Traveling Physicist
1

SLAC Survey covers …
• SSRL
• BaBar
• NLC
• GLAST

Regularly host physicists from other institutes?
• SSRL
– Meetings 2-3/mo with 10 people
– Medium term 100-150 users/mo staying days to 3 weeks
• BaBar
– Meetings 3/yr with 180-210 people
– Long term 200-300 resident more than several days per week
• NLC
– Meetings 2/yr with 4+ people, 5 others/yr
– Long term 3-4 people
• GLAST
– Meetings 5/yr, 3-4 workshops
– Long term 4-6 people

Regular travel to other institutes to do research?
• SSRL
– 10-20 trips/month
• BaBar
– 5-10 people making infrequent trips
• NLC
– .5 FTE at KEK on rotation
• GLAST
– 12 trips/yr + 6 meetings with 20-30 people

Host IT resources for groups with large outside contributions? How is access controlled?
• SSRL
– no
• BaBar
– yes. SLAC assigned userid + password
• NLC
– no
• GLAST
– yes. SLAC assigned userid + password

Guests use SLAC or home resources for research?
• SSRL
– Combination
• BaBar
– Mostly SLAC, but varies
• NLC
– Combination; short term use home resources
• GLAST
– SLAC resources

Can SLAC users freely connect to resources from outside?
• No. While it should be possible to perform legitimate work, we reserve the right to offer only secure means to perform work
• Except for ssh & AFS home directories, well-known services are generally restricted
• Access to ftp, web, email through central servers
• Offsite access to Windows and NFS file servers is blocked or requires tunnel

Are guests allowed access to internal resources? How?
• Guests who are sponsored and register with user organization and sign AUP may have account & internal IP address
• Visitor network allows non-registered access to the Internet, but treated as general public
• All wireless access points are on visitor network.

How does SLAC authenticate users and guests?
• Generally, through SLAC assigned Unix (AFS) or Windows userid + password
• Some groups with special req’ts maintain their own userid database (SSRL, MCC)
• Grid usage of certificates but hope to avoid that (Virtual Smart Card server)

Any specialized tools for SLAC users to connect from the outside?
• ssh (teraterm, f-secure)
• Microsoft VPN
• Citrix ICA

Policies on availability of internal information to HEP / general public
• Some information on primary (Unix) web server and in AFS restricted by IP address
• Restricted IIS web servers require Windows userid / password (encrypted)
• BaBar has “lightly protected” (htaccess) web space
• SSRL users restricted from each other’s data

Policies or tools for access to resources from hotels or homes?
• Personal firewalls are recommended
• User is responsible for all use
• Firewalls sometimes prevent VPN or Citrix access – fallback is web-based email or ssh to a Unix server and run pine

Would coordinated common effort be a good idea? HEP Portal?
• Coordinated, common effort on firewall openings for VPN (MS, IPsec, etc.) or Citrix would be a good idea.
• Access to unix-style print servers from Windows machines is difficult
• Not clear if “portal” is a thing to be maintained or a standard that each HEP site implements?