I presume you are talking Layer 3 when you say "firewall". There is some risk -- small, maybe -- but a risk nonetheless, in allowing packets from outside the firewalled network to hit your AW. The firewall may pass them, as they may be valid IP/UDP/TCP and pass the ruleset, but there *could* be vulnerabilities in the protocol itself that *may* be exploited to trigger buffer overflows or whatnot on the AW host. Now, newer Windowses have ASLR, DEP, etc. that may render any such vulnerabilities little more than an annoyance. But if you change the protocol, or stop direct packet access using some sort of application proxy (in this case, the Isolation Station), you add one more layer of defense that the adversary must get through. The Stuxnet thumbnail file icon parsing local root exploit (on the vaunted Windows 7 even) makes me think Microsoft hasn't quite gotten the picture yet (and all software has bugs anyway). Is that extra defense worth it? The user must decide. Some people go so far as to use "data diodes" that cannot physically pass any network traffic into the control system at all.

Corey

From: "Brown, Stanley" <stan.brown@xxxxxxxxxxxxxxxxx>
To: "foxboro@xxxxxxxxxxxxx" <foxboro@xxxxxxxxxxxxx>
Date: 03/08/2011 01:25 PM
Subject: Re: [foxboro] 8.5+ and view only access?
Sent by: foxboro-bounce@xxxxxxxxxxxxx

We have a firewall, and only open up the RDP port from our internal network to one Foxboro machine. As a matter of fact the Foxboro (non mesh) network is an RFC non-routable network, so even if the firewall were to mess up somehow, it's not possible to send packets to the (non mesh) Foxboro network, with the firewall doing port/address forwarding.

I am curious as to what additional protection you feel the isolation station brings you over the firewall?
> -----Original Message-----
> From: Stan Brown [mailto:stanb@xxxxxxxxx] On Behalf Of Easley, Jack
> Sent: Tuesday, March 08, 2011 2:16 PM
> To: foxboro@xxxxxxxxxxxxx
> Subject: Re: [foxboro] 8.5+ and viewonly access?
>
> We use a lot of View-Only Remote Desktops at version 8.4.2. Although we
> are not at 8.5 secure, we are NERCular. The only way this is allowed is
> because we use Foxboro Isolation Stations and a firewall in between the
> INI Server on the MESH and the Isolation Station AW in the Firewall
> Access Zone.
>
> I don't think RDP from Intranet straight to a MESH AW should ever be
> allowed, even with a firewall in between. RDP is much too vulnerable.
>
> Jack Easley
> Sr. I&C Technician
> Luminant Power, Martin Lake Plant
> Phone 903.836.6290
> jack.easley@xxxxxxxxxxxx
>
> -----Original Message-----
> From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On Behalf Of stan
> Sent: Monday, March 07, 2011 3:04 PM
> To: Foxboro List
> Subject: [foxboro] 8.5+ and viewonly access?
>
> We are installing our first 8.6 Windows node. It is configured with the
> security options and AD controllers on the mesh. We have historically
> provided manager (read only) access to our Foxboro nodes.
>
> I am thinking that RDP should be the way to do this on this node, but I
> am wondering if anyone else has walked this path before? If so, I would
> love to hear their experiences.
>
> --
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
>

_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process Systems (formerly The Foxboro Company). Use the info you obtain here at your own risk.
Read http://www.thecassandraproject.org/disclaimer.html
foxboro mailing list: //www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
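Corey's point about the Isolation Station, as an added illustration that is not from the thread or from Foxboro: a packet-filtering firewall forwards bytes it cannot interpret, whereas an application-layer relay parses each request, enforces a "view only" policy on it, and re-serializes its own answer, so malformed or unexpected input never reaches the inner host. The request format (`READ point` / `WRITE point value`), the point names, the values and the `relay` function below are all constructed for this example and are not any real control-system protocol.

```python
"""Added example: a minimal view-only application relay.

The relay stands between an outer (enterprise) side and an inner
(control) side.  It never forwards raw bytes; it validates length and
encoding, parses a strict request grammar, allows only READ of
whitelisted points, and re-serializes the response itself.  The request
format, point names and values are constructed for the example and are
not Foxboro's protocol or any vendor's API.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for data held on the inner (control-system) host.
INNER_POINTS = {"FIC101.PV": 42.5, "TIC202.PV": 180.0, "FIC101.SP": 40.0}

# View-only policy: only these points may be read; nothing may be written.
VIEWABLE = {"FIC101.PV", "TIC202.PV"}

MAX_REQUEST_BYTES = 64
# Strict grammar: "READ POINT.FIELD" or "WRITE POINT.FIELD value"; nothing else.
REQUEST_RE = re.compile(r"^(READ|WRITE) ([A-Z0-9]+\.[A-Z]+)(?: (-?[0-9.]+))?$")

ERR = b"ERR\n"  # one fixed error reply; no echo of the offending input


@dataclass
class Decision:
    allowed: bool    # whether anything was passed to the inner side
    reason: str      # short audit label for the relay's log
    response: bytes  # bytes sent back to the outer side


def relay(raw: bytes) -> Decision:
    """Validate one outer-side request and answer it without relaying bytes inward."""
    # 1. Length check before any parsing: oversized input is dropped unparsed.
    if len(raw) > MAX_REQUEST_BYTES:
        return Decision(False, "oversized", ERR)
    # 2. Strict decode: anything that is not plain ASCII is rejected.
    try:
        text = raw.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return Decision(False, "non-ascii", ERR)
    # 3. Grammar check: the regex is anchored, so trailing junk fails here.
    m = REQUEST_RE.match(text)
    if not m:
        return Decision(False, "malformed", ERR)
    op, point, value = m.groups()
    # 4. Policy: view-only means a WRITE (or a READ carrying a value) is never honoured.
    if op != "READ" or value is not None:
        return Decision(False, "write-denied", ERR)
    if point not in VIEWABLE:
        return Decision(False, "point-not-viewable", ERR)
    # 5. Re-serialize the answer from the relay's own copy of the data.
    val = INNER_POINTS[point]
    return Decision(True, "ok", f"OK {point} {val:.1f}\n".encode("ascii"))


def audit(requests: list[bytes]) -> list[str]:
    """Return one audit-log line per request, the record a defender would keep."""
    return [f"{d.reason:<18} allowed={d.allowed}" for d in map(relay, requests)]


if __name__ == "__main__":
    # Constructed sample traffic: one legitimate read, then several things a
    # Layer 3 firewall permitting TCP to this port would have passed through.
    sample = [
        b"READ FIC101.PV\n",
        b"WRITE FIC101.SP 41\n",
        b"READ FIC101.SP\n",
        b"READ FIC101.PV; extra\n",
        b"READ \xff\xfe\n",
        b"A" * 200,
    ]
    for line in audit(sample):
        print(line)
```

Only the first request is answered (`OK FIC101.PV 42.5`); every other one is stopped at the relay with a fixed `ERR` reply and a log label, which is the "one more layer" the thread describes. A firewall rule permitting the port would have delivered all six to the inner host.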