Alex,

Foxboro currently markets a security solution for intranet access to the Mesh Network. It is called an Isolation Station. The hardware consists of an AW on the Mesh, an AW on the intranet, and a firewall in between. Of course these are both two-NIC AWs, with the MESH AW serving data to the intranet AW through the firewall. They can be Windows or Unix and are security hardened by Foxboro. Contact Foxboro Sales or Security Services for exact details.

Jack Easley

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On Behalf Of Johnson, Alex P (IPS)
Sent: Monday, September 11, 2006 7:44 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Mesh Network Security (Again)

Tom,
As with the Nodebus based control network, we do not support directly connecting non-IPS equipment to the Mesh network.

Instead, we recommend that you do as you have done in the past. That is, add another NIC to workstations and link those NICs to a plant network. That network would then be linked to your primary network using appropriate isolation techniques like firewalls.

Regards,

AJ

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx on behalf of tom.vandewater@xxxxxxxxxxxxxx
Sent: Mon 9/11/2006 8:35 AM
To: foxboro@xxxxxxxxxxxxx
Subject: [foxboro] Mesh Network Security (Again)

Hi List,
I am looking for specific information on an actual security implementation scheme that Invensys supports in a MESH architecture implementation.
Is anyone from Invensys or one of their customers already using a Firewall to the Mesh network? If so, what physical device and method of connection to the MESH is being used? Does the Firewall Device have dual connections to the A & B root switches on the MESH? Can it be connected as a GB uplink for large volume throughput to the higher level network? An Invensys designed/approved firewall uplink to corporate networks would be extremely marketable to the users and would show customers that Invensys actually has a plan for security on their systems.
In the past, on Nodebus/Carrierband systems it seemed like most users were encouraged to pass data up to corporate process information systems via 2nd Ethernet ports on multiple Sun boxes and later MS boxes. This created the need to implement security on every port connected, and there was no easy way to decouple all of those ports in the event of a suspected security breach. When the MS boxes were introduced, security became much more difficult because Foxboro tied all critical system processes to a login such as Fox on the MS Windows system, making it extremely difficult to even change the password without breaking the system. This hardly inspired confidence in Invensys from the user community. The fact that there are so many potential security holes in the MS OS and default applications, and that MS security updates cannot automatically be applied as patches are released without breaking things on the Foxboro MS based system, is already a huge issue with skeptical users.
The concept of a single point of access from one network level to the level above is hardly a new one. It is called a "firewall", and you are probably reading this message because my company allowed me to send this email through ours and your company allowed you to receive it through yours.

With the MESH, Foxboro could provide a single firewall to the control system via a GB uplink connection to the root switches; users could then utilize a single point of access to the control network that could be maintained much more easily and could be physically disconnected if a security breach was suspected.
Is there anyone out there with hands-on experience in implementing security measures on the MESH network, or is everyone propagating the previous problem by putting 3rd Ethernet ports on all of their MESH servers and jumping each of them to multiple ports on the corporate network? Again, thanks for any insight you may be able to provide. The extent of my networking security experience has only been garnered by managing my own home network with a cable modem WAN connection, wireless router, and wireless access points, but even that has made me realize the need for a better solution for control systems.

Tom VandeWater
Control Systems Developer/Analyst
Dow Corning Corporation
Carrollton, KY USA

_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process Systems (formerly The Foxboro Company). Use the info you obtain here at your own risks.
Read http://www.thecassandraproject.org/disclaimer.html

foxboro mailing list: //www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave