Re: [foxboro] Mesh Network Security (Again)

  • From: "Johnson, Alex P (IPS)" <alex.johnson@xxxxxxxxxxxxxxxx>
  • To: <foxboro@xxxxxxxxxxxxx>
  • Date: Mon, 11 Sep 2006 10:26:59 -0400

I understand your comments, but the recommendation on the use of the
Mesh network is as I have stated.

Regards,
Alex Johnson
Invensys Systems, Inc.
10900 Equity Drive
Houston, TX 77041
713.329.8472 (voice)
713.329.1700 (fax)
713.329.1600 (switchboard)
alex.johnson@xxxxxxxxxxxxxxxx

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
On Behalf Of tom.vandewater@xxxxxxxxxxxxxx
Sent: Monday, September 11, 2006 8:39 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Mesh Network Security (Again)

Alex,
        In the past you had a network backbone that couldn't support the
amount of data that users needed to pass to upper level systems.  With a
5MB/Sec tokenbus, and 10MB/Sec Ethernet segments with a single collision
domain you didn't really have any other avenue than multiple 2nd
Ethernet solutions to move the data up.
        Maintaining a host of 2nd Ethernet ports, and now 3rd Ethernet
ports to connect to upper level networks is a method of the distant
past.  With a Multi-Path, Ethernet, Self-Healing, High-Speed, (MESH),
Network you have provided a switched Ethernet solution that can replace
all of that in a much more user friendly environment and provide a
single point of access for use by all of your customers in building
their InFusion ECS Enterprise Control System.

Foxboro advertising follows:

"The InFusion ECS is the world's first Enterprise Control
System-allowing the use of ALL of today's leading process automation and
information systems together, regardless of supplier or generation, as
one unified business environment. The InFusion ECS fosters a
collaborative environment by making the plant visible to the enterprise
and the enterprise visible to the plant, dramatically increasing plant
and business operational agility. And, by facilitating the
transformation of data to information to knowledge to wisdom to action,
the InFusion ECS accelerates decision-making while enhancing the ability
to detect and effectively respond to unanticipated problems."

        If the company really wants to provide an environment such as
the one described above, you need to provide a standardized access point
to your system that also employs a single consistent API interface or
SQL database for all upstream applications to tap into.  The current
tangled web of interfaces, applications, and on platform solutions that
were required in the past are no longer keeping pace with other
application interface solutions that make it easier to access control
system information.  I still consider the global object manager designed
by Foxboro in the mid 80's as a viable on-platform mechanism to pass
data between MESH stations.  It was the Object Oriented design that
allowed it to withstand the test of time.  The interfaces that emerged
over the years to pass data up the ladder were not as fortunate.  Now is
the time for Foxboro/Invensys to take the next step in that arena.

Tom VandeWater
Control Systems Developer/Analyst
Dow Corning Corporation
Carrollton, KY  USA


-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
On Behalf Of Johnson, Alex P (IPS)
Sent: Monday, September 11, 2006 8:44 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Mesh Network Security (Again)

Tom,
As with the Nodebus based control network, we do not support directly
connecting non-IPS equipment to the Mesh network.

Instead, we recommend that you do as you have done in the past. That is,
add another NIC to workstations and link those NICs to a plant network.
That network would then be linked to your primary network using
appropriate isolation techniques like firewalls.

Regards,

AJ


-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx on behalf of
tom.vandewater@xxxxxxxxxxxxxx
Sent: Mon 9/11/2006 8:35 AM
To: foxboro@xxxxxxxxxxxxx
Subject: [foxboro] Mesh Network Security (Again)

Hi List,
   I am looking for specific information on an actual security
implementation scheme that Invensys supports in a MESH architecture
implementation.
       Is anyone from Invensys or one of their customers already using a
Firewall to the Mesh network?  If so, what physical device and method of
connection to the MESH is being used?  Does the Firewall Device have
dual connections to the A & B root switches on the MESH?  Can it be
connected as a GB uplink for large volume throughput to the higher level
network?  An Invensys designed/approved firewall uplink to corporate
networks would be extremely marketable to the users and would show
customers that Invensys actually has a plan for security on their
systems.
   In the past, on Nodebus/Carrierband systems it seemed like most users
were encouraged to pass data up to corporate process information systems
via 2nd Ethernet ports on multiple Sun boxes and later MS boxes.  This
created the need to implement security on every port connected and there
was no easy way to decouple all of those ports in the event of a
suspected security breach.  When the MS boxes were introduced security
became much more difficult because Foxboro tied all critical system
processes to a login such as Fox on the MS Windows system making it
extremely difficult to even change the password without breaking the
system. This hardly inspired confidence in Invensys from the user
community.  The fact that there are so many potential security holes in
the MS OS and default applications, and that MS security updates cannot
automatically be applied as patches are released without breaking things
on the Foxboro MS based system is already a huge issue with skeptical
users.
   The concept of a single point of access from one network level to the
level above is hardly a new one.  It is called a "firewall" and you are
probably reading this message because my company allowed me to send this
email through ours and your company allowed you to receive it through
yours.
   With the MESH, Foxboro could provide a single firewall to the control
system via a GB uplink connection to the root switches, users could
utilize a single point of access to the control network that could be
maintained much more easily and could be physically disconnected if a
security breach was suspected.
       Is there anyone out there with hands-on experience in
implementing security measures on the MESH network or is everyone
propagating the previous problem by putting 3rd Ethernet ports on all of
their MESH servers and jumping each of them to multiple ports on the
corporate network?  Again, thanks for any insight you may be able to
provide.  The extent of my networking security experience has only been
garnered by managing my own home network with cable modem WAN
connection, wireless router, and wireless access points but even that
has made me realize the need for a better solution for control systems.

Tom VandeWater
Control Systems Developer/Analyst
Dow Corning Corporation
Carrollton, KY  USA

_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html

foxboro mailing list:             //www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave

