Re: [foxboro] Mesh Network Security (Again)

  • From: <Jack.Easley@xxxxxxx>
  • To: <foxboro@xxxxxxxxxxxxx>
  • Date: Mon, 11 Sep 2006 08:29:48 -0500

Alex,

Foxboro currently markets a security solution for intranet access to the
Mesh Network. It is called an Isolation Station. The hardware consists
of an AW on the Mesh, an AW on the intranet, and a firewall in between.
Of course these are both two-NIC AWs, with the MESH AW serving data to the
intranet AW through the firewall. They can be Windows or Unix and are
security hardened by Foxboro. Contact Foxboro Sales or Security Services
for exact details.

Jack Easley

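To make the Isolation Station topology above concrete, here is an added example (not Foxboro/Invensys code and not posted by anyone in this thread) that models the firewall between the Mesh-side AW and the intranet-side AW as a default-deny, zone-based policy, including the "pull the plug" state Tom asks for further down. The address ranges, host addresses, zone names and the TCP/1433 service port are assumptions for illustration; the thread names no addresses or protocols.

```python
"""Default-deny policy model for an Isolation Station style firewall.

Added example, not Foxboro/Invensys code. The address ranges, hosts and
the service port below are ASSUMED for illustration; the mailing-list
thread names no addresses or protocols.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# ASSUMED zones. A host may belong to several (each isolation AW is also
# a member of the network it sits on).
ZONES = {
    "mesh":        ip_network("10.1.0.0/16"),   # the Mesh control network
    "mesh_aw":     ip_network("10.1.0.50/32"),  # Mesh-side isolation AW
    "intranet":    ip_network("10.2.0.0/16"),   # plant intranet
    "intranet_aw": ip_network("10.2.0.50/32"),  # intranet-side isolation AW
}


def zones_of(addr: str) -> FrozenSet[str]:
    """All zones that contain addr; empty set for anything unlisted."""
    ip = ip_address(addr)
    return frozenset(name for name, net in ZONES.items() if ip in net)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone in zones_of(flow.src)
                and self.dst_zone in zones_of(flow.dst)
                and self.proto == flow.proto
                and (self.dport is None or self.dport == flow.dport))


# The single permitted conversation: the Mesh-side AW pushes data to the
# intranet-side AW. TCP/1433 is ASSUMED as the data-serving port. Nothing
# else crosses in either direction; in particular the intranet side never
# initiates a connection toward anything on the Mesh.
POLICY: List[Rule] = [
    Rule("mesh_aw", "intranet_aw", "tcp", 1433, "allow"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY, link_up: bool = True) -> str:
    """First matching rule wins; no match means deny (default-deny).

    link_up=False models the uplink being physically disconnected after a
    suspected breach: one choke point means one cable to pull.
    """
    if not link_up:
        return "deny"
    for rule in policy:
        if rule.matches(flow):
            return rule.action
    return "deny"


# Constructed sample traffic, not captured from any real system.
SAMPLE_FLOWS = [
    Flow("10.1.0.50", "10.2.0.50", "tcp", 1433),    # AW -> AW data push
    Flow("10.2.0.50", "10.1.0.50", "tcp", 1433),    # reverse direction
    Flow("10.1.0.50", "10.2.0.50", "tcp", 445),     # wrong port (SMB)
    Flow("10.2.0.77", "10.1.3.9", "tcp", 22),       # intranet host -> Mesh node
    Flow("10.1.3.9", "10.2.0.77", "tcp", 1433),     # Mesh node bypassing the AW
    Flow("192.168.9.9", "10.2.0.50", "tcp", 1433),  # address in no zone
]


def audit(flows: List[Flow], link_up: bool = True) -> Dict[Flow, str]:
    """Decision for every flow; useful for checking a policy before deploying it."""
    return {f: evaluate(f, link_up=link_up) for f in flows}


if __name__ == "__main__":
    for f, decision in audit(SAMPLE_FLOWS).items():
        print(f"{decision:5} {f.proto}/{f.dport:<5} {f.src} -> {f.dst}")
```

Running the script lists one "allow" (the AW-to-AW push) and a "deny" for everything else, including the reverse direction and an ordinary Mesh node trying to reach the intranet directly. The point of the model is the contrast with per-server second NICs: with one choke point the whole exposure is this one rule list, and `link_up=False` is the only thing a responder has to change during an incident.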
-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
On Behalf Of Johnson, Alex P (IPS)
Sent: Monday, September 11, 2006 7:44 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Mesh Network Security (Again)

Tom,
As with the Nodebus based control network, we do not support directly
connecting non-IPS equipment to the Mesh network.

Instead, we recommend that you do as you have done in the past. That is,
add another NIC to workstations and link those NICs to a plant network.
That network would then be linked to your primary network using
appropriate isolation techniques like firewalls.

Regards,

AJ


-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx on behalf of
tom.vandewater@xxxxxxxxxxxxxx
Sent: Mon 9/11/2006 8:35 AM
To: foxboro@xxxxxxxxxxxxx
Subject: [foxboro] Mesh Network Security (Again)

Hi List,
   I am looking for specific information on an actual security
implementation scheme that Invensys supports in a MESH architecture
implementation.
       Is anyone from Invensys or one of their customers already using a
Firewall to the Mesh network?  If so, what physical device and method of
connection to the MESH is being used?  Does the Firewall Device have
dual connections to the A & B root switches on the MESH?  Can it be
connected as a GB uplink for large volume throughput to the higher level
network?  An Invensys designed/approved firewall uplink to corporate
networks would be extremely marketable to the users and would show
customers that Invensys actually has a plan for security on their
systems.
   In the past, on Nodebus/Carrierband systems it seemed like most users
were encouraged to pass data up to corporate process information systems
via 2nd Ethernet ports on multiple Sun boxes and later MS boxes.  This
created the need to implement security on every port connected and there
was no easy way to decouple all of those ports in the event of a
suspected security breach.  When the MS boxes were introduced, security
became much more difficult because Foxboro tied all critical system
processes to a login such as Fox on the MS Windows system, making it
extremely difficult to even change the password without breaking the
system. This hardly inspired confidence in Invensys from the user
community.  The fact that there are so many potential security holes in
the MS OS and default applications, and that MS security updates cannot
automatically be applied as patches are released without breaking things
on the Foxboro MS-based system, is already a huge issue with skeptical
users.
   The concept of a single point of access from one network level to the
level above is hardly a new one.  It is called a "firewall" and you are
probably reading this message because my company allowed me to send this
email through ours and your company allowed you to receive it through
yours.
   With the MESH, Foxboro could provide a single firewall to the control
system via a GB uplink connection to the root switches; users could
utilize a single point of access to the control network that could be
maintained much more easily and could be physically disconnected if a
security breach was suspected.
       Is there anyone out there with hands-on experience in
implementing security measures on the MESH network, or is everyone
propagating the previous problem by putting 3rd Ethernet ports on all of
their MESH servers and jumping each of them to multiple ports on the
corporate network?  Again, thanks for any insight you may be able to
provide.  The extent of my networking security experience has only been
garnered by managing my own home network with cable modem WAN
connection, wireless router, and wireless access points, but even that
has made me realize the need for a better solution for control systems.

Tom VandeWater
Control Systems Developer/Analyst
Dow Corning Corporation
Carrollton, KY  USA

_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html

foxboro mailing list:             //www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave