© 2009 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. Jeffrey A. Shearer, PMP, Principal Security Consultant, Network and Security Services

Presentation transcript:

SESAM Meeting 6/ IT Security
Erik Gross Jensen, Solution Architect, software

What We Are Delivering Together
–Education Series
–Stratix 8000, and portfolio
–Reference Architectures for Manufacturing
–Common Technology View
–Network and Security Services

Network Management
IT and Production Control
–Automation and Control Applications
–CIP-Based Support in the Network
–Local Applications (Device Manager)
–IT Network Management (SNMP-Based)
–Command Line Interface

Reference Material
Copyright © 2010 Rockwell Automation, Inc. All rights reserved.

Reference Architectures for Manufacturing
Diagram labels: Gbps Link for Failover Detection; Firewall (Active); Firewall (Standby); Layer 3 Router; Layer 3 Switch Stack; Layer 2 Switch; Drive; Controller; HMI; Distributed I/O; Cell/Area #1 (Redundant Star Topology); Cell/Area #2 (Ring Topology); Cell/Area #3 (Bus/Star Topology); Cell/Area Zone, Levels 0–2; Manufacturing Zone, Level 3; Demilitarized Zone (DMZ); Enterprise Zone, Levels 4 and 5; Windows 2003 Servers; Remote desktop connection; VPN; FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security); Data Servers; Network Services (DNS, DHCP, syslog server; Network and security management)
Design guidance
–Methodology – built on Industry Standards
–Best practices and recommendations
–Documented configuration settings
–Tested with Industrial Applications
–Cisco “Validated” network design
“Future-ready” network foundation
–CIP Safety, CIP Sync, CIP Motion
–Voice, Video

High Level Architecture Review
Remote access involves cooperation between:
–Enterprise Zone: Information Technologies (IT) and infrastructure of the facility
–Automation Demilitarized Zone (Automation DMZ): knowledge of traffic that must move from the plant to enterprise systems
–Manufacturing Zone: Cell and Area devices; traffic flow and protocols

Enterprise Zone
–“Levels” 4 & 5 owned by Information Technologies (IT)
–Traditionally some VLANs in place
–Campus to Campus communications
–IT knowledgeable with routing and firewalls
You need to work with the IT personnel to get access to the DMZ
–Don’t bypass these fine folks!

Automation DMZ
–Shared ownership by IT and Manufacturing professionals
“Typically”
–IT owns firewalls
–IT configures the switches on behalf of Manufacturing professionals
–Manufacturing professionals own DMZ terminal servers, application servers, patch management servers
DMZ requires cooperation from both IT and Manufacturing

Why a Demilitarized Zone (DMZ)?
To preserve smooth plantwide operations and functioning of the Industrial Automation and Control System (IACS) application and IACS network, this zone requires clear isolation and protection from the Enterprise zone via security devices within the Demilitarized Zone (DMZ).
This insulation not only enhances security segmentation between the Enterprise and Manufacturing zones, but may also represent an organizational boundary where IT and manufacturing organizational responsibilities interface.
This approach permits the Manufacturing zone to function entirely on its own, irrespective of the connectivity status to the higher levels.

Controlling Access to the Manufacturing Zone
No Direct Traffic Flow from Enterprise to Manufacturing Zone

DMZ Topology
Firewall(s)
–Enterprise Interface
–DMZ Interface
–Manufacturing Interface
Firewalls are used to block or allow access to devices on these interfaces based on a set of rules.
There will be assets like switches and servers that are part of the DMZ.
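The three-interface firewall described above, as an added example that is not part of the original presentation and not Cisco or Rockwell Automation configuration: a small Python model of the Enterprise, DMZ and Manufacturing interfaces with a first-match rule table and an implicit final deny, plus an audit that flags any permit rule joining the Enterprise and Manufacturing interfaces directly, which is the "no direct traffic flow" requirement of the previous slide. The address prefixes, rule entries and the hosts and ports in them are constructed sample values.

```python
"""Zone-based firewall policy check for a three-interface DMZ firewall.

Added example (not from the presentation, not Cisco or Rockwell code).
Interfaces: Enterprise, DMZ, Manufacturing. Rules are evaluated first-match
with an implicit final deny. The audit enforces the slide's requirement that
no traffic flows directly between the Enterprise and Manufacturing interfaces.
All addresses, ports and rule entries below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

ENTERPRISE, DMZ, MANUFACTURING = "enterprise", "dmz", "manufacturing"

# Constructed sample addressing, one prefix per firewall interface.
ZONES = {
    ENTERPRISE: ip_network("10.1.0.0/16"),
    DMZ: ip_network("10.2.0.0/24"),
    MANUFACTURING: ip_network("10.3.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "permit" or "deny"


# Constructed sample rule base. Every permitted flow has the DMZ as one end:
# enterprise users reach the DMZ terminal server, plant data is pushed up to
# the DMZ servers, and a DMZ data server polls controllers over EtherNet/IP.
RULES: List[Rule] = [
    Rule(ENTERPRISE, DMZ, 3389, "permit"),      # remote desktop to DMZ terminal server
    Rule(MANUFACTURING, DMZ, 443, "permit"),    # plant data up to DMZ servers
    Rule(DMZ, MANUFACTURING, 44818, "permit"),  # DMZ data server to controllers (EtherNet/IP)
]
DEFAULT_ACTION = "deny"  # implicit final rule


def zone_of(addr: str) -> str:
    """Map an address to the interface it sits behind."""
    ip = ip_address(addr)
    for name, prefix in ZONES.items():
        if ip in prefix:
            return name
    raise ValueError(f"{addr} is not in any configured zone")


def evaluate(src: str, dst: str, port: int, rules: List[Rule] = RULES) -> str:
    """First-match evaluation of one flow; falls through to the default deny."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone) and rule.dst_port in (None, port):
            return rule.action
    return DEFAULT_ACTION


def direct_enterprise_manufacturing(rules: List[Rule]) -> List[Rule]:
    """Permit rules that join Enterprise and Manufacturing without passing through the DMZ."""
    return [r for r in rules
            if r.action == "permit" and {r.src_zone, r.dst_zone} == {ENTERPRISE, MANUFACTURING}]


def audit(rules: List[Rule] = RULES) -> bool:
    """True when the rule base honours 'no direct traffic flow from Enterprise to Manufacturing'."""
    return not direct_enterprise_manufacturing(rules)


if __name__ == "__main__":
    print(evaluate("10.1.5.5", "10.2.0.10", 3389))  # enterprise -> DMZ terminal server: permit
    print(evaluate("10.1.5.5", "10.3.1.1", 44818))  # enterprise -> controller directly: deny
    print("rule base passes audit:", audit())
```

The audit is a structural check of the rule base, so it catches a permit rule added in either direction between the two outer interfaces; it does not replace testing the deployed firewall, but it is the kind of check that can run against an exported rule set before a change is pushed.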

Manufacturing Zone
Division of plant into functional areas for secured access
–ISA-SP99 “Zones and Conduits” model
OEMs' participation
–IP addresses
–VLAN IDs
–Access layer to Distribution layer cooperation
System design requires full cooperation of all System Integrators, OEMs, IT and Engineering.

Manufacturing Zone
Defense in depth still applies to the manufacturing zone.
Defense in depth steps in the manufacturing zone are still applied to:
–Device Hardening
–Application
–Computers
–Networks
–Physical
Rockwell Automation products support the defense in depth strategy.

Defense in Depth Designs
(Confidential – For Internal Use Only)
Apply security products supporting a defense-in-depth (or layered) architecture:
1. Network & Security Design
2. Limit physical access to all equipment
3. Control access to automation networks
4. Control access to computers and keep them up to date
5. Control access to software applications that are used to configure devices
6. Control access to both the configuration and data in automation devices
Diagram labels: Perimeter Enforcement; Device Security; Security Services; layers Application, Computer, Device, Physical, Network; Design
This is not a “one size fits all” problem … you are in the best position to decide which risks are the most urgent and which tools to use to reduce that risk.

Configuration Access Control Using FactoryTalk Security
How does it work?
–Provides centralized authentication and access control by verifying the identity of each user (and computer) who attempts to access the automation system, and then either granting or denying each user's request to perform particular actions on features and resources within the system
Authentication – verifies a user’s identity and verifies that a request for service originates with that user.
Authorization – verifies a user’s request to access a software product, feature, or system resource against a set of defined access permissions.
–Authenticates and authorizes users against a set of defined permissions held in the FactoryTalk Directory
Diagram layers: Application, Computer, Device, Physical, Network

Application: Device Configuration
Use FactoryTalk Security to
–Control computer and user access to devices
–Control use of selected software applications that access devices
Diagram layers: Perimeter Enforcement, Application, Operating System, Device, Physical, Network

FactoryTalk Security (FTS-05)
Product Policies
–Define which functions, features or users of a software application can be used across your site or enterprise
System Policies
–Define the rules that govern how security is implemented (like password expirations) across your site or enterprise
Computers and Computer Groups
–Define which computers can be used to access your automation system
Networks and Devices
–Define which actions can be performed on a specific hardware resource
Users and User Groups (roles)
–Define which users or groups of users can get access to your automation system

Product Policies
–Restrict access to the features of individual FactoryTalk-enabled products
–Only users with the required level of access can use the product features that you have secured.
System Policies
–Define general security rules, such as how frequently passwords must be changed
Computers and Groups
–You can use these accounts to enforce line-of-sight security
–Combine individual computer accounts into groups to make it easier to manage security.
Networks and Devices
–Secure access to control hardware
–Securable actions can be defined for all similar devices, for groups of devices, or on a device-by-device basis
–Actions and devices can be put into groups for easier management (new in CPR9)
Users and User Groups
–FactoryTalk User: user accounts that are held in the FactoryTalk Directory
–Windows-Linked User: user accounts that already exist in a Windows domain or workgroup
–Combine user accounts into User Groups to set up role-based security access:
Windows-Linked User Group – references user groups that already exist in a Windows domain
FactoryTalk Group – combines individual users and other groups into a FactoryTalk Group, including Windows-linked groups
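The authentication-then-authorization decision from the "How does it work?" slide and the account types listed above (FactoryTalk users, Windows-linked groups nested in FactoryTalk groups, computer groups for line-of-sight security, device groups with securable actions), as an added Python model that is not Rockwell Automation code and not the FactoryTalk Security API. It keeps authentication (is this user who they claim to be?) separate from authorization (may this user, from this computer, perform this action on this device?) and grants permissions to (user group, computer group, device group, action) tuples, resolving group membership transitively so a Windows-linked group placed inside a FactoryTalk group inherits that group's permissions. All user, computer, device and group names and the sample permissions are constructed.

```python
"""Model of a FactoryTalk-Security-style access decision (added example, not Rockwell code).

Authentication verifies the identity behind a request; authorization checks the
request against permissions held in a directory. Permissions are role based:
(user group, computer group, device group, action). All sample data is constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Set, Tuple

Permission = Tuple[str, str, str, str]  # (user group, computer group, device group, action)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    # The sample directory stores salted hashes only, never cleartext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """Stand-in for a directory holding accounts, groups and permissions."""

    def __init__(self) -> None:
        self.credentials: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)
        self.group_members: Dict[str, Set[str]] = {}          # group -> users and nested groups
        self.computer_groups: Dict[str, Set[str]] = {}        # computer group -> computers
        self.device_groups: Dict[str, Set[str]] = {}          # device group -> devices
        self.permissions: Set[Permission] = set()

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.credentials[name] = (salt, _pbkdf2(password, salt))

    def add_to_group(self, group: str, member: str) -> None:
        self.group_members.setdefault(group, set()).add(member)

    def authenticate(self, name: str, password: str) -> bool:
        """Authentication: does the request really originate with this user?"""
        if name not in self.credentials:
            return False
        salt, digest = self.credentials[name]
        return hmac.compare_digest(digest, _pbkdf2(password, salt))

    def groups_of(self, user: str) -> Set[str]:
        """Transitive membership: a Windows-linked group nested in a FactoryTalk group counts."""
        found: Set[str] = set()
        changed = True
        while changed:
            changed = False
            for group, members in self.group_members.items():
                if group not in found and (user in members or members & found):
                    found.add(group)
                    changed = True
        return found

    def authorize(self, user: str, computer: str, device: str, action: str) -> bool:
        """Authorization: user role, originating computer and target device must all match a grant."""
        user_groups = self.groups_of(user)
        computer_groups = {g for g, m in self.computer_groups.items() if computer in m}
        device_groups = {g for g, m in self.device_groups.items() if device in m}
        return any((ug, cg, dg, action) in self.permissions
                   for ug in user_groups for cg in computer_groups for dg in device_groups)


def build_sample_directory() -> Directory:
    """Constructed sample data: names, groups and grants are illustrative only."""
    d = Directory()
    d.add_user("alice", "alice-pw")  # FactoryTalk user
    d.add_user("bob", "bob-pw")
    d.add_user("carol", "carol-pw")
    d.add_to_group("Engineers", "alice")
    d.add_to_group("Operators", "bob")
    d.add_to_group("DOMAIN\\Maintenance", "carol")       # Windows-linked group (constructed name)
    d.add_to_group("Maintainers", "DOMAIN\\Maintenance")  # FactoryTalk group containing it
    d.computer_groups["Control Room PCs"] = {"ctrl-room-pc1"}   # line-of-sight computers
    d.computer_groups["Engineering Laptops"] = {"eng-laptop"}
    d.device_groups["Line 1 Controllers"] = {"PLC-Line1"}
    d.permissions |= {
        ("Engineers", "Control Room PCs", "Line 1 Controllers", "download"),
        ("Engineers", "Control Room PCs", "Line 1 Controllers", "view"),
        ("Engineers", "Engineering Laptops", "Line 1 Controllers", "view"),
        ("Operators", "Control Room PCs", "Line 1 Controllers", "view"),
        ("Maintainers", "Control Room PCs", "Line 1 Controllers", "view"),
    }
    return d


def request(d: Directory, user: str, password: str, computer: str, device: str, action: str) -> str:
    """Full decision: authenticate first, then authorize; returns the reason on denial."""
    if not d.authenticate(user, password):
        return "denied: authentication failed"
    if not d.authorize(user, computer, device, action):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    directory = build_sample_directory()
    print(request(directory, "alice", "alice-pw", "ctrl-room-pc1", "PLC-Line1", "download"))
    print(request(directory, "alice", "alice-pw", "eng-laptop", "PLC-Line1", "download"))
```

The second call in the usage block is the line-of-sight case: the same engineer with a valid password is refused a controller download from a laptop because the grant is tied to the control-room computer group, not to the user alone.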

Manufacturing Security Design
Physical Security – limit physical access to authorized personnel: areas, control panels, devices, cabling, and control room; escort and track visitors
Network Security – infrastructure framework, e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
Computer Hardening – patch management, antivirus software, as well as removal of unused applications, protocols, and services
Application Security – authentication, authorization, and audit software
Device Hardening – change management and restrictive access

Tenets of a Good Security Design: The Physical – Switch Lock-in & Block-out
Panduit/RA Physical Layer Reference Architectures Design Guide – MN05
PSL-DCPL
PSL-DCJB

Additional Resources
Website:
Whitepapers
–Reference Architectures for Manufacturing
–Securing Manufacturing Computer and Controller Assets
–Production Software within Manufacturing Reference Architectures
Design and Implementation Guides
–ODVA – Network Infrastructure for EtherNet/IP: Introduction and Considerations
–ODVA – EtherNet/IP Media Planning and Installation Manual
–Rockwell Automation and Cisco Design and Implementation Guide – manufacturing reference architectures

Additional Resources – Webcasts
Rockwell Automation and Cisco webcasts:
–What Every IT Professional Should Know about Plant Floor Networking
–What Every Plant Floor Controls Engineer Should Know about Working with IT
Rockwell Automation Knowledge Network webcasts:
–Rockwell Automation and Cisco: Best Practices
–Reference Architectures: Fundamentals of Ethernet Network Design
–Securing Manufacturing and Enterprise Network Convergence
–Industrial Ethernet Resiliency

Available Resources
Whitepapers
–Stratix Switches within Integrated Architecture
–Achieving Secure Remote Access to Plant Floor Applications and Data
–Recommendations for Designing, Selecting, Configuring and Maintaining Wireless EtherNet/IP Networks
–Industrial Ethernet Resiliency – late summer
–IT Ready for OEMs – late summer
Design and Implementation Guides
–DIG 2.0 – Stratix 8000, resiliency, performance
–Panduit and Rockwell Automation Physical Layer Reference Architectures