Technical Track (www.odva.org): Securing EtherNet/IP Networks. Presented by Paul Didier (Cisco) and Eddie Lee (Moxa).
Slide 1: Securing EtherNet/IP Networks (Technical Track). Presented by Paul Didier (Cisco) and Eddie Lee (Moxa).

Technical Track, 2011 ODVA Industry Conference & 14th Annual Meeting, page 2. © 2011 ODVA, Inc. All rights reserved.

Slide 2: Agenda - Securing EtherNet/IP Networks
- Introduction
- Best Practices
  - Isolated Control Network with Single Controller
  - Isolated Network with Multiple Controllers
  - Enterprise Connected and Integrated Control Systems
- Other Considerations
- Emerging Industrial Security Technologies
- ISA 99

Slide 3: Introduction
- High-level paper for customers and implementers to identify security concepts per type of control network
- Start with risk identification and analysis
- Identify risk reduction and mitigation techniques
- There will be costs and trade-offs
- Differences between IT and Industrial Automation and Control
- Working with IT

Slide 4: Who Needs to Talk to Whom? (diagram slide)

Slide 5: Control Network Types

Isolated Single Controller:
- Single controller
- 10s of devices
- Potentially multiple switches
- Limited non-CIP traffic
- Sharing data via sneaker net or transferable device

Isolated Multiple Controller:
- Multiple controllers
- Up to 100s of devices
- 10s of switches, maybe a router
- A few networks
- Potentially multiple switches
- Controllers sharing data
- Some non-CIP traffic (e.g. HTTP, file sharing, etc.)

Enterprise Connected:
- Many controllers
- Up to 1000s of devices
- Lots of switches, routers and other network infrastructure
- Many networks
- Sharing data, applications and services between Enterprise and Plant networks
- Could have lots of non-CIP traffic (e.g. voice, video, etc.)

Slide 6: Best Practices – Isolated Single Controller
- Managed switches: diagnostics, port security
- Device maintenance
- End-device security: OS patches, anti-virus
- Network and application monitoring and management

Slide 7: Isolated Multiple Controller

Previous considerations and...
- VLANs: basic segmentation, performance
- Quality of Service: protect key traffic from performance problems or some denial of service
- IGMP (multicast management)
- Network resiliency: Spanning Tree or Device Level Ring (DLR)

Slide 8: Quality of Service Operations
- Classification and marking
- Queuing and (selective) dropping
- Post-queuing operations
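The three QoS stages on slides 7 and 8 are easiest to see as a pipeline. The following is an added example written for this page (it is not ODVA, Cisco or Moxa code): packets are classified by protocol and port and re-marked with a DSCP value, queued per class with tail drop, and then served in strict priority order. The EtherNet/IP port numbers are real (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O); the DSCP values, queue depths, byte budget and the traffic mix are assumptions constructed for the demonstration. It shows the point of slide 7: a best-effort flood fills only its own queue, so cyclic I/O keeps flowing.

```python
"""Simplified QoS pipeline: classification and marking, per-class queuing
with selective (tail) dropping, and post-queuing strict-priority scheduling.
Constructed example; EtherNet/IP ports are real, DSCP values and queue
depths are assumed for illustration."""
from collections import deque
from dataclasses import dataclass

# EtherNet/IP well-known ports (real values).
CIP_IO_UDP_PORT = 2222          # implicit (cyclic I/O) messaging
CIP_EXPLICIT_TCP_PORT = 44818   # explicit messaging

# DSCP markings per class (assumed values for this example).
DSCP_CIP_IO = 47
DSCP_CIP_EXPLICIT = 27
DSCP_BEST_EFFORT = 0


@dataclass
class Packet:
    proto: str
    dport: int
    size: int          # bytes
    dscp: int = 0
    queue: str = "best_effort"


def classify_and_mark(pkt):
    """Stage 1: classify by protocol/port and (re)mark DSCP. The switch acts as
    a trust boundary, so any DSCP the sender set is overwritten."""
    if pkt.proto == "udp" and pkt.dport == CIP_IO_UDP_PORT:
        pkt.dscp, pkt.queue = DSCP_CIP_IO, "cip_io"
    elif pkt.proto == "tcp" and pkt.dport == CIP_EXPLICIT_TCP_PORT:
        pkt.dscp, pkt.queue = DSCP_CIP_EXPLICIT, "cip_explicit"
    else:
        pkt.dscp, pkt.queue = DSCP_BEST_EFFORT, "best_effort"
    return pkt


class EgressPort:
    # Queue depth in packets per class (assumed). Dict order = priority order.
    DEPTHS = {"cip_io": 8, "cip_explicit": 8, "best_effort": 4}

    def __init__(self):
        self.queues = {name: deque() for name in self.DEPTHS}
        self.dropped = {name: 0 for name in self.DEPTHS}

    def enqueue(self, pkt):
        """Stage 2: tail-drop per queue, so a flood in one class cannot
        consume buffer space reserved for the others."""
        q = self.queues[pkt.queue]
        if len(q) >= self.DEPTHS[pkt.queue]:
            self.dropped[pkt.queue] += 1
            return False
        q.append(pkt)
        return True

    def schedule(self, byte_budget):
        """Stage 3 (post-queuing): strict priority. Serve the highest class
        first until the byte budget for this scheduling interval runs out."""
        sent = []
        for q in self.queues.values():
            while q and q[0].size <= byte_budget:
                pkt = q.popleft()
                byte_budget -= pkt.size
                sent.append(pkt)
        return sent


def build_traffic():
    """Constructed arrival burst for one scheduling interval (not captured data)."""
    pkts = [Packet("udp", CIP_IO_UDP_PORT, 100) for _ in range(6)]
    pkts += [Packet("tcp", CIP_EXPLICIT_TCP_PORT, 200) for _ in range(2)]
    # Bulk file-sharing burst. One packet arrives pre-marked with the CIP I/O
    # DSCP to show that marking is re-applied at the trust boundary.
    pkts += [Packet("tcp", 445, 1400, dscp=DSCP_CIP_IO)]
    pkts += [Packet("tcp", 445, 1400) for _ in range(19)]
    return pkts


def simulate(byte_budget=3000):
    """Run one interval and report packets sent and dropped per class."""
    port = EgressPort()
    for pkt in build_traffic():
        port.enqueue(classify_and_mark(pkt))
    sent_per_class = {name: 0 for name in EgressPort.DEPTHS}
    for pkt in port.schedule(byte_budget):
        sent_per_class[pkt.queue] += 1
    return {"sent": sent_per_class, "dropped": port.dropped}


if __name__ == "__main__":
    print(simulate())
```

With a 3000-byte budget all six I/O packets and both explicit messages are forwarded, one best-effort packet goes out, and the remaining 16 of the 20-packet burst are dropped at enqueue time rather than crowding out control traffic.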

Slide 9: Connected and Integrated Control

Previous considerations and...
- Firewall and DMZ: control traffic flows; protect the Plant from Enterprise threats
- Intrusion Detection: monitor and stop known and unknown attacks
- Remote Access: VPN to the Firewall/DMZ; Terminal Services into a controlled, locked-down server

Slide 10: Firewalls
- A firewall is a security device configured to permit, deny or proxy data connections according to the organization's security policy.
- Firewalls can be either hardware or software based.
- A firewall's basic task is to control traffic between computer networks with different zones of trust.
- Today's firewalls combine multilayer stateful packet inspection and multiprotocol application inspection.
- Virtual Private Network (VPN), Anti-x, Authentication and Intrusion Prevention Services (IPS) have been integrated.
- Despite these complexities, the primary role of the firewall is to enforce security policy.
(Diagram labels: Enterprise, Plant)

Slide 11: De-Militarized Zone
- A demilitarized zone is a physical or logical sub-network that contains and exposes an entity's external data and services to a larger untrusted network.
- Typically requires a firewall.
- A DMZ may contain terminal server, replicated historian, AV, patch, DNS, AD/LDAP or mail servers.
- Buffers a zone from the threats, traffic, scans and other network-borne activities in other networks.
(Diagram labels: Enterprise, DMZ, Plant)
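Slides 10 and 11 describe the firewall as a policy enforcement point between zones of trust, with the DMZ as the only place Enterprise and Plant traffic meet. The following is an added example written for this page, not a vendor firewall configuration: a small zone-based, stateful policy model with an explicit allow list, default deny, and a session table so that only reply traffic of an admitted connection gets back through. Which services live in the DMZ is taken from slide 11; the port numbers (3389 for Terminal Services, 1433 for the historian replica, 443 for AV/patch pulls) and the exact rule set are assumptions for the demonstration. TCP 44818 is the real EtherNet/IP explicit messaging port.

```python
"""Zone-based stateful policy model for an Enterprise | DMZ | Plant design.
Constructed illustration, not vendor firewall code or configuration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    sport: int
    dport: int

    def reverse(self):
        """The packet that would have initiated this one as reply traffic."""
        return Packet(self.dst_zone, self.src_zone, self.proto, self.dport, self.sport)


# Explicit allow rules: (source zone, destination zone, protocol, destination port).
# Service placement follows slide 11; the port numbers are assumed for the example.
ALLOW_RULES = {
    ("enterprise", "dmz", "tcp", 3389),   # Terminal Services into a locked-down DMZ server
    ("enterprise", "dmz", "tcp", 443),    # read access to the replicated historian (assumed web front end)
    ("plant", "dmz", "tcp", 443),         # plant hosts pull AV/patch updates (assumed)
    ("plant", "dmz", "tcp", 1433),        # plant historian pushes to the DMZ replica (assumed SQL port)
    ("dmz", "plant", "tcp", 44818),       # terminal server to controllers, EtherNet/IP explicit messaging
}
# Note there is no ("enterprise", "plant", ...) rule: direct traversal is denied by default,
# so Enterprise users must go through the DMZ terminal server.


class ZoneFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = set()   # established flows (the stateful table)
        self.log = []           # (verdict, packet) audit trail

    def decide(self, pkt):
        """Return "ALLOW" or "DENY" for one packet and record the verdict."""
        if pkt.src_zone == pkt.dst_zone:
            verdict = "ALLOW"   # intra-zone traffic never reaches the firewall
        elif (pkt.src_zone, pkt.dst_zone, pkt.proto, pkt.dport) in self.rules:
            self.sessions.add(pkt)   # remember the initiator so replies can return
            verdict = "ALLOW"
        elif pkt.reverse() in self.sessions:
            verdict = "ALLOW"   # reply traffic of an established session
        else:
            verdict = "DENY"    # default deny, including Enterprise -> Plant
        self.log.append((verdict, pkt))
        return verdict


def demo():
    """Walk a few constructed flows through the policy and return the verdicts."""
    fw = ZoneFirewall(ALLOW_RULES)
    results = {}
    # 1. Enterprise engineer opens Terminal Services to the DMZ server.
    results["ent_to_dmz_rdp"] = fw.decide(Packet("enterprise", "dmz", "tcp", 50000, 3389))
    # 2. Reply traffic of that session is admitted by the state table, not by a rule.
    results["dmz_reply"] = fw.decide(Packet("dmz", "enterprise", "tcp", 3389, 50000))
    # 3. An unsolicited connection from the DMZ back into Enterprise: no rule, no session.
    results["dmz_unsolicited"] = fw.decide(Packet("dmz", "enterprise", "tcp", 40000, 445))
    # 4. Direct Enterprise -> Plant EtherNet/IP: denied, must traverse the DMZ instead.
    results["ent_to_plant_cip"] = fw.decide(Packet("enterprise", "plant", "tcp", 50001, 44818))
    # 5. The DMZ terminal server reaching a controller is explicitly allowed.
    results["dmz_to_plant_cip"] = fw.decide(Packet("dmz", "plant", "tcp", 40001, 44818))
    results["denied_count"] = sum(1 for v, _ in fw.log if v == "DENY")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20s} {verdict}")
```

The session table is what makes the policy workable in practice: without it, every reply path would need its own allow rule, and the DMZ would end up with the very Enterprise-to-Plant holes the design is meant to remove.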

Slide 12: Virtual Private Network (VPN) Overview
- Mechanism for secure communication over IP (Internet):
  - Authenticity (unforged / trusted party)
  - Integrity (unaltered / not tampered with)
  - Confidentiality (unread)
- Remote Access (RA) VPN components:
  - Client (mobile or fixed)
  - Termination device (high number of endpoints)
(Diagram labels: VPN Security Appliance, VPN Client or Browser, VPN tunnel)

Slide 13: VPN - What Are We Talking About?

Secure VPN includes a number of technologies:
- Tunneling: IPsec, L2TP/IPsec, TLS (HTTPS/SSL), DTLS, SSL
- Encryption: DES, 3DES, AES, RC4
- Authentication*: RSA digital certificates, pre-shared key
- Integrity: HMAC-MD5, HMAC-SHA-1

* IKE 1st phase, not user authentication.
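Slides 12 and 13 separate the VPN's goals (authenticity, integrity, confidentiality) from the mechanisms that deliver them. The following is an added example written for this page, not code from the presentation or from any VPN product, showing the integrity and authenticity part in isolation: a keyed HMAC over a sequence number and payload, checked with a constant-time comparison, as a secure VPN does per packet. It uses Python's standard library; the pre-shared key, payloads and the simple monotonic sequence check are constructed for the demonstration (IPsec uses a negotiated per-session key and a replay window, which is not modelled here). HMAC-SHA-256 is used by default; the slide's HMAC-SHA-1 works identically by passing `hashlib.sha1`, though current deployments generally prefer the SHA-2 family. The last check makes the slide's third point concrete: an HMAC alone provides no confidentiality.

```python
"""Per-packet integrity and authenticity with a keyed HMAC, the role played by
HMAC-MD5 / HMAC-SHA-1 on slide 13. Constructed example using the standard
library; key and payloads are made up."""
import hashlib
import hmac

# Constructed pre-shared key for the demo. In a real VPN the per-session key is
# derived during IKE; it is never a fixed literal in code.
PSK = b"constructed-pre-shared-key-for-demo"
SEQ_LEN = 4


def protect(key, seq, payload, digestmod=hashlib.sha256):
    """Build seq || payload || tag. The tag covers the sequence number as well as
    the payload, so a reordered or replayed packet cannot reuse an old tag on a
    different position in the stream."""
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, digestmod).digest()
    return header + payload + tag


def verify(key, wire, digestmod=hashlib.sha256):
    """Return (True, seq, payload) when the tag is valid, else (False, None, None)."""
    tag_len = digestmod().digest_size
    if len(wire) < SEQ_LEN + tag_len:
        return (False, None, None)
    header, payload, tag = wire[:SEQ_LEN], wire[SEQ_LEN:-tag_len], wire[-tag_len:]
    expected = hmac.new(key, header + payload, digestmod).digest()
    # compare_digest runs in constant time, so timing does not leak how many
    # bytes of the forged tag happened to match.
    if not hmac.compare_digest(expected, tag):
        return (False, None, None)
    return (True, int.from_bytes(header, "big"), payload)


class Receiver:
    """Verifies tags and rejects packets whose sequence number does not advance
    (a simplified stand-in for a real anti-replay window)."""

    def __init__(self, key):
        self.key = key
        self.highest_seq = 0

    def accept(self, wire):
        ok, seq, payload = verify(self.key, wire)
        if not ok or seq <= self.highest_seq:
            return None
        self.highest_seq = seq
        return payload


def demo():
    """Exercise genuine, tampered, wrong-key and replayed packets."""
    msg = b"CIP explicit message, constructed payload"
    wire = protect(PSK, 1, msg)
    rx = Receiver(PSK)
    results = {}
    results["genuine_accepted"] = rx.accept(wire) == msg
    # Flip one bit inside the payload: the tag no longer matches.
    tampered = bytearray(wire)
    tampered[SEQ_LEN + 2] ^= 0x01
    results["tampered_rejected"] = rx.accept(bytes(tampered)) is None
    # A sender without the shared key cannot produce a valid tag (authenticity).
    forged = protect(b"some-other-key", 2, msg)
    results["wrong_key_rejected"] = rx.accept(forged) is None
    # Replaying the genuine packet fails the sequence check.
    results["replay_rejected"] = rx.accept(wire) is None
    # The HMAC protects integrity only: the payload is readable on the wire.
    results["payload_readable_on_wire"] = msg in wire
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26s} {value}")
```

This is why slide 13 lists encryption (DES, 3DES, AES, RC4) as a separate column from integrity: the confidentiality goal on slide 12 needs a cipher on top of the MAC, and the tunnel then carries both.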

Slide 14: Wireless
- CIP and EtherNet/IP, being based on open standards, are readily transportable over standard wireless technologies.
- Common wireless security practices include:
  - IEEE 802.1X network access control and authentication with shared keys
  - Encryption: WPA2 is best practice
  - Disable SSID broadcasting for the control WLAN
  - Rogue access point and end-point detection

Slide 15: How 802.1X Works
- IEEE 802.1X (Port-based Network Access Control) restricts port access to authorized users only.
- Authentication is done using the local user database or an external RADIUS (Remote Authentication Dial In User Service) server.
(Diagram: Wireless Client, Authenticator (e.g. Access Point), Authentication Server (e.g. RADIUS))

Slide 16: Security - Authentication: MAC Address Filtering
(Diagram: Access Point with a table of AP client MAC addresses and access rights (Deny / Allow); Fast Ethernet uplink; moving process; field engineers)

Slide 17: Other Security Considerations

Other considerations include:
- Security-enhanced operating systems
- Virtual Private Network (VPN): tunneled encryption for traffic external to the Plant network
- Enhanced authentication via biometrics
- Network Access Control and Protection to verify every device on the network

Slide 18: Network Access Control
- NAC is a solution that uses a set of protocols to define and implement a policy that describes how to secure access to the network by devices.
- Network Access Control controls access to a network with policies, including pre-admission endpoint security policy checks and post-admission controls over where users and devices can go on a network and what they can do.
- Network Access Protection (NAP) is Microsoft's implementation of NAC.
(Diagram: AUTHENTICATE users and devices to the network; Posture and Remediate the device for policy compliance; Audit and Report who is on my network; Differentiated Access: role-based access control)
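Slides 15 and 18 describe two layers that sit on the same switch port or access point: 802.1X admission (supplicant, authenticator, authentication server) and the NAC steps layered on top of it (posture check, remediation, role-based access, audit). The following is an added example written for this page, not Cisco, Moxa or Microsoft NAP code, that models the sequence end to end in one place. The challenge-response HMAC stands in for a real EAP method, RADIUS is represented by a Python object rather than its wire protocol, and the identities, secrets, posture attributes, VLAN numbers and minimum patch level are all constructed for the demonstration.

```python
"""Simplified model of 802.1X port admission followed by NAC posture checking
and role-based VLAN assignment. Constructed example; the challenge-response
stands in for an EAP method and RADIUS is not modelled on the wire."""
import hashlib
import hmac
import os

# Authentication server's credential store (constructed). A real deployment
# would back this with a directory and, preferably, certificates.
USER_SECRETS = {
    "field-engineer-01": b"demo-secret-1",
    "plc-vendor-laptop": b"demo-secret-2",
}
USER_ROLES = {"field-engineer-01": "engineer", "plc-vendor-laptop": "vendor"}
ROLE_VLAN = {"engineer": 20, "vendor": 30}   # assumed VLAN numbers per role
REMEDIATION_VLAN = 99                        # assumed quarantine VLAN
MIN_PATCH_LEVEL = 5                          # assumed policy baseline


class AuthServer:
    """Plays the role of the RADIUS server on slide 15."""

    def challenge(self):
        return os.urandom(16)

    def verify(self, identity, nonce, response):
        secret = USER_SECRETS.get(identity)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Supplicant:
    """The wireless client: holds a credential and reports its own posture."""

    def __init__(self, identity, secret, posture):
        self.identity = identity
        self.secret = secret
        self.posture = posture   # e.g. {"av_running": True, "patch_level": 6}

    def respond(self, nonce):
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


def posture_compliant(posture):
    """Pre-admission endpoint policy check (slide 18)."""
    return (posture.get("av_running") is True
            and posture.get("patch_level", 0) >= MIN_PATCH_LEVEL)


class Authenticator:
    """The access point or switch port: keeps the port closed until the
    server says yes, then places the device by posture and role."""

    def __init__(self, server):
        self.server = server
        self.audit = []   # (identity, outcome, vlan): the "who is on my network" record

    def admit(self, supplicant):
        nonce = self.server.challenge()
        response = supplicant.respond(nonce)
        if not self.server.verify(supplicant.identity, nonce, response):
            self.audit.append((supplicant.identity, "auth-failed", None))
            return {"port": "closed", "vlan": None}
        if not posture_compliant(supplicant.posture):
            # Admitted, but only to the remediation network until it is fixed.
            self.audit.append((supplicant.identity, "quarantined", REMEDIATION_VLAN))
            return {"port": "open", "vlan": REMEDIATION_VLAN}
        vlan = ROLE_VLAN[USER_ROLES[supplicant.identity]]
        self.audit.append((supplicant.identity, "admitted", vlan))
        return {"port": "open", "vlan": vlan}


def demo():
    """Run three constructed devices through the same port."""
    ap = Authenticator(AuthServer())
    results = {}
    engineer = Supplicant("field-engineer-01", b"demo-secret-1",
                          {"av_running": True, "patch_level": 6})
    results["engineer"] = ap.admit(engineer)
    vendor = Supplicant("plc-vendor-laptop", b"demo-secret-2",
                        {"av_running": True, "patch_level": 2})
    results["vendor_unpatched"] = ap.admit(vendor)
    # Correct identity, wrong credential: the port never opens.
    impostor = Supplicant("field-engineer-01", b"guess",
                          {"av_running": True, "patch_level": 9})
    results["wrong_secret"] = ap.admit(impostor)
    results["audit"] = ap.audit
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The contrast with slide 16 is that a MAC address table answers only "is this identifier on the list", whereas here the port opens only after the device proves it holds the credential and passes the posture check, and the audit list records the outcome of every attempt.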

Slide 19: ISA 99 (diagram slide)

Slide 20: ISA 99 Working Groups (diagram slide)

Slide 21: ISA 99 SALs (diagram slide)