Re: [foxboro] 8.5+ and view only access?

  • From: "Easley, Jack" <Jack.Easley@xxxxxxxxxxxx>
  • To: "foxboro@xxxxxxxxxxxxx" <foxboro@xxxxxxxxxxxxx>
  • Date: Tue, 8 Mar 2011 13:58:41 -0600

I agree with Corey who sounds more knowledgeable in IT than I. Data diodes are 
best if you aren't required to pass anything back to the MESH. Sometimes it's 
not us users who make the security decision as sometimes government agencies 
are assuming that role for us.

Jack Easley
Sr. I&C Technician
Luminant Power, Martin Lake Plant
Phone 903.836.6290
jack.easley@xxxxxxxxxxxx

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On 
Behalf Of Corey R Clingo
Sent: Tuesday, March 08, 2011 1:48 PM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] 8.5+ and view only access?

I presume you are talking Layer 3 when you say "firewall".  There is some 
risk -- small, maybe -- but a risk nonetheless, in allowing packets from 
outside the firewalled network to hit your AW.  The firewall may pass 
them, as they may be valid IP/UDP/TCP and pass the ruleset, but there 
*could* be vulnerabilities in the protocol itself that *may* be exploited 
to trigger buffer overflows or whatnot on the AW host.

Now, newer Windowses have ASLR, DEP, etc. that may render any such 
vulnerabilities little more than an annoyance.  But if you change the 
protocol, or stop direct packet access using some sort of application 
proxy (in this case, the Isolation Station), you add one more layer of 
defense that the adversary must get through.  The Stuxnet thumbnail file 
icon parsing local root exploit (on the vaunted Windows 7 even) makes me 
think Microsoft hasn't quite gotten the picture yet (and all software has 
bugs anyway).


Is that extra defense worth it?  The user must decide.  Some people go so 
far as to use "data diodes" that cannot physically pass any network 
traffic into the control system at all.


Corey
 



From:
"Brown, Stanley" <stan.brown@xxxxxxxxxxxxxxxxx>
To:
"foxboro@xxxxxxxxxxxxx" <foxboro@xxxxxxxxxxxxx>
Date:
03/08/2011 01:25 PM
Subject:
Re: [foxboro] 8.5+ and view only access?
Sent by:
foxboro-bounce@xxxxxxxxxxxxx



We have a firewall, and only open up the RDP port from our internal 
network to one Foxboro machine. As a matter of fact the Foxboro (non mesh) 
network is an RFC non-routable network, so even if the firewall were to 
mess up somehow, it's not possible to send packets to the (non mesh) 
Foxboro network, with the firewall doing port/address forwarding.

I am curious as to what additional protection you feel the isolation 
station brings you over the firewall?


> -----Original Message-----
> From: Stan Brown [mailto:stanb@xxxxxxxxx] On Behalf Of Easley, Jack
> Sent: Tuesday, March 08, 2011 2:16 PM
> To: foxboro@xxxxxxxxxxxxx
> Subject: Re: [foxboro] 8.5+ and viewonly access?
>
> We use a lot of View-Only Remote Desktops at version 8.4.2. Although we
> are not at 8.5 secure, we are NERCular. The only way this is allowed is
> because we use Foxboro Isolation Stations and a firewall in between the
> INI Server on the MESH and the Isolation Station AW in the Firewall
> Access Zone.
>
> I don't think RDP from Intranet straight to a MESH AW should ever be
> allowed, even with a firewall in between. RDP is much too vulnerable.
>
> Jack Easley
> Sr. I&C Technician
> Luminant Power, Martin Lake Plant
> Phone 903.836.6290
> jack.easley@xxxxxxxxxxxx
>
> -----Original Message-----
> From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-
> bounce@xxxxxxxxxxxxx] On Behalf Of stan
> Sent: Monday, March 07, 2011 3:04 PM
> To: Foxboro List
> Subject: [foxboro] 8.5+ and viewonly access?
>
> We are installing our first 8.6 Windows node. It is configured with the
> security options and AD controllers on the mesh. We have historically
> provided manager (read only) access to our Foxboro nodes.
>
> I am thinking that RDP should be the way to do this on this node, but I
> am wondering if anyone else has walked this path before? If so, I would
> love to hear their experiences.
>
> --
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
>
>



 
 
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
 
foxboro mailing list:             //www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
 


Confidentiality Notice: This email message, including any attachments, 
contains or may contain confidential information intended only for the 
addressee. If you are not an intended recipient of this message, be advised 
that any reading, dissemination, forwarding, printing, copying or other use of 
this message or its attachments is strictly prohibited. If you have received 
this message in error, please notify the sender immediately by reply message 
and delete this email message and any attachments from your system. 
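The setup Stan describes (one RDP hole from the intranet to a single AW, port/address forwarding at the firewall, default deny for everything else, Foxboro network not routed from the corporate side) is easy to get wrong by adding "one more" rule later. The block below is an added example, not code from the list or from Invensys/Foxboro: a small first-match packet-filter model plus a policy check that states the invariants of that design and reports which ones a ruleset breaks. All addresses, the rule and packet types, and the helper names (`forward`, `evaluate`, `check_policy`) are assumptions made up for the example; the "weak" ruleset is a constructed mistake, not a real configuration from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed addresses for the example; none of these come from the list posts.
CORP_NET = ipaddress.ip_network("10.20.0.0/16")      # corporate intranet side of the firewall
FOX_NET = ipaddress.ip_network("192.168.100.0/24")   # non-mesh Foxboro net, RFC 1918, not routed on corp
AW_HOST = ipaddress.ip_address("192.168.100.10")     # the one AW that accepts view-only RDP
FW_OUTSIDE = ipaddress.ip_address("10.20.5.1")       # firewall address corporate RDP clients connect to
RDP_PORT = 3389


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def forward(pkt: Packet) -> Packet:
    """Port/address forwarding: TCP/3389 at the firewall's outside address is rewritten to the AW."""
    if pkt.dst == FW_OUTSIDE and pkt.proto == "tcp" and pkt.dport == RDP_PORT:
        return Packet(pkt.proto, pkt.src, AW_HOST, RDP_PORT)
    return pkt


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and pkt.src in rule.src and pkt.dst in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First-match filter with an implicit default deny, applied after forwarding."""
    pkt = forward(pkt)
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# The ruleset Stan describes: one RDP hole to one host, nothing else.
TIGHT_RULESET = [
    Rule("allow", "tcp", CORP_NET, ipaddress.ip_network(f"{AW_HOST}/32"), RDP_PORT),
]

# A constructed mistake: a "temporary" broad rule into the Foxboro network left in place.
WEAK_RULESET = [
    Rule("allow", "tcp", CORP_NET, ipaddress.ip_network(f"{AW_HOST}/32"), RDP_PORT),
    Rule("allow", "any", CORP_NET, FOX_NET, None),
]


def check_policy(rules: List[Rule]) -> List[str]:
    """Return the names of the invariants a ruleset violates (empty list = policy holds).

    The last three probes address Foxboro hosts directly; in the described setup such
    packets would not even route from the corporate side, so the filter is the backstop
    for the case where routing is somehow wrong.
    """
    corp_client = ipaddress.ip_address("10.20.7.42")     # assumed intranet RDP client
    outsider = ipaddress.ip_address("172.16.9.9")        # assumed host outside the corp net
    other_fox = ipaddress.ip_address("192.168.100.20")   # assumed second Foxboro host
    cases = [
        ("RDP from corp to the forwarded AW must be allowed",
         Packet("tcp", corp_client, FW_OUTSIDE, RDP_PORT), "allow"),
        ("no host outside corp may reach the AW",
         Packet("tcp", outsider, FW_OUTSIDE, RDP_PORT), "deny"),
        ("only RDP may reach the AW",
         Packet("tcp", corp_client, AW_HOST, 445), "deny"),
        ("UDP to the AW must be blocked",
         Packet("udp", corp_client, AW_HOST, RDP_PORT), "deny"),
        ("no other Foxboro host may be reached from corp",
         Packet("tcp", corp_client, other_fox, RDP_PORT), "deny"),
    ]
    return [name for name, pkt, want in cases if evaluate(rules, pkt) != want]


if __name__ == "__main__":
    for label, rules in (("tight", TIGHT_RULESET), ("weak", WEAK_RULESET)):
        print(label, "violations:", check_policy(rules) or "none")
```

The tight ruleset passes every probe; the weak one is flagged on three (non-RDP to the AW, UDP to the AW, and a second Foxboro host reachable). The check says nothing about what the AW does with a valid RDP session once it arrives, which is the residual risk Corey's isolation-station point is about: a filter limits who can talk to the host, not what the protocol handler on that host can be made to do.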
