Re: [foxboro] Aim* Security

netAIM*API uses ports that are configured in /opt/aim/bin/an_init.cfg file.

Here are the relevant lines:

[TCPIP]
*servr = 127.0.0.1    45678 /dev/tcp 1024
1AW51E = 151.128.8.68 45678 /dev/tcp 1024

The 45678 entry is the port number in use.


******* Something of an advertisement ***********

By the way, as was pointed out to me not so long ago, you can put a firewall
between the AW51 and the PC and close all the ports but the one and you can
still have problems.

   AW -> FW (open port 45678) -> PC

In particular, a Denial of Service attack: in the configuration shown above,
a virus would hit the open port on the firewall. Once it sees that that port
is open, it would repeatedly hit it. Hitting the port causes load on the
AW51 and can slow it down.

We are actually building a solution to this problem called the 'Isolation
Station' which is based on the 'Isolation Station software'. The ISS is
basically AOS and the INI51/70. This package allows the AW to push data to
the PC outside the firewall. 

The trick is that the FW is completely closed on the "out/PC" side and open
to one port only on the "in/AW" side - like this:

   AW -> (open port 45678) FW -> PC

If you want more information let me know.


Regards,
 
Alex Johnson
Invensys Process Systems
Invensys Systems, Inc.
10707 Haddington
Houston, TX 77043
713.722.2859 (voice)
713.722.2700 (switchboard)
713.932.0222 (fax)
ajohnson@xxxxxxxxxxx
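
A small check that follows from the reply above (an added example, not code from the list or from Invensys): parse the [TCPIP] section of an an_init.cfg-style file, list the port(s) that actually cross the firewall (loopback entries never do), and emit a default-deny rule set for the "AW -> FW (open port 45678) -> PC" layout. The field meaning (name = host port device bufsize), the sample file and the interface name are assumptions.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample modelled on the [TCPIP] lines quoted in the reply;
# field layout (name = host port device bufsize) is assumed, not documented.
SAMPLE_CFG = """\
[TCPIP]
*servr = 127.0.0.1    45678 /dev/tcp 1024
1AW51E = 151.128.8.68 45678 /dev/tcp 1024
[OTHER]
foo = bar
"""

class TcpEntry(NamedTuple):
    name: str
    host: str
    port: int
    device: str

def parse_tcpip_section(text: str) -> List[TcpEntry]:
    """Return the entries found under [TCPIP]; other sections are ignored."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1).upper()
            continue
        if section != "TCPIP":
            continue
        name, _, rest = line.partition("=")
        fields = rest.split()
        if len(fields) < 3:
            raise ValueError(f"malformed TCPIP line: {raw!r}")
        entries.append(TcpEntry(name.strip(), fields[0], int(fields[1]), fields[2]))
    return entries

def ports_to_allow(entries: List[TcpEntry]) -> Dict[int, List[str]]:
    """Ports the firewall must pass: loopback-bound entries stay on the AW."""
    allow: Dict[int, List[str]] = {}
    for e in entries:
        if not e.host.startswith("127."):
            allow.setdefault(e.port, []).append(e.name)
    return allow

def iptables_rules(allow: Dict[int, List[str]], aw_host: str, in_iface: str = "eth0") -> List[str]:
    """Default-deny FORWARD chain admitting only the configured port(s) toward the AW."""
    rules = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for port in sorted(allow):  # one ACCEPT per port that really crosses the FW
        rules.append(f"iptables -A FORWARD -i {in_iface} -p tcp -d {aw_host} --dport {port} -j ACCEPT")
    return rules
```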

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeremy Milum
Sent: Tuesday, April 19, 2005 2:39 PM
To: foxboro@xxxxxxxxxxxxx
Subject: [foxboro] Aim* Security

Currently we have two ethernet cards in our Aim* Win2K box: one on the
DCS 2nd ethernet network to collect data, and the other on the plant desktop
network to serve data. I don't like this since if the box is compromised it has
a direct connection to the Solaris boxes on the DCS side (which are also
very vulnerable).  I would like to put both ethernet cards on the plant side
and only open the ports (for one card) that Aim* needs in my firewall.
So one card would still serve the data, and one collect, but if the box is
compromised only one port will be open to the DCS side (or however many
Aim* needs).

Sooooooo, what ports are needed by Aim*, and does this sound like
an OK solution?

Jeremy

-- 
Patron saints in general are broadband connections to the Almighty
- Michelle Delio, Wired News
 
 
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html
 
foxboro mailing list:             http://www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave