I understand your comments, but the recommendation on the use of the Mesh network is as I have stated.

Regards,

Alex Johnson
Invensys Systems, Inc.
10900 Equity Drive
Houston, TX 77041
713.329.8472 (voice)
713.329.1700 (fax)
713.329.1600 (switchboard)
alex.johnson@xxxxxxxxxxxxxxxx

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On Behalf Of tom.vandewater@xxxxxxxxxxxxxx
Sent: Monday, September 11, 2006 8:39 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Mesh Network Security (Again)

Alex,

In the past you had a network backbone that couldn't support the amount of data that users needed to pass to upper level systems. With a 5MB/Sec tokenbus, and 10MB/Sec Ethernet segments with a single collision domain you didn't really have any other avenue than multiple 2nd Ethernet solutions to move the data up.

Maintaining a host of 2nd Ethernet ports, and now 3rd Ethernet ports to connect to upper level networks is a method of the distant past. With a Multi-Path, Ethernet, Self-Healing, High-Speed, (MESH), Network you have provided a switched Ethernet solution that can replace all of that in a much more user friendly environment and provide a single point of access for use by all of your customers in building their InFusion ECS Enterprise Control System.

Foxboro advertising follows:

"The InFusion ECS is the world's first Enterprise Control System-allowing the use of ALL of today's leading process automation and information systems together, regardless of supplier or generation, as one unified business environment. The InFusion ECS fosters a collaborative environment by making the plant visible to the enterprise and the enterprise visible to the plant, dramatically increasing plant and business operational agility.
And, by facilitating the transformation of data to information to knowledge to wisdom to action, the InFusion ECS accelerates decision-making while enhancing the ability to detect and effectively respond to unanticipated problems."

If the company really wants to provide an environment such as the one described above, you need to provide a standardized access point to your system that also employs a single consistent API interface or SQL database for all upstream applications to tap into. The current tangled web of interfaces, applications, and on platform solutions that were required in the past are no longer keeping pace with other application interface solutions that make it easier to access control system information.

I still consider the global object manager designed by Foxboro in the mid 80's as a viable on-platform mechanism to pass data between MESH stations. It was the Object Oriented design that allowed it to withstand the test of time. The interfaces that emerged over the years to pass data up the ladder were not as fortunate. Now is the time for Foxboro/Invensys to take the next step in that arena.

Tom VandeWater
Control Systems Developer/Analyst
Dow Corning Corporation
Carrollton, KY USA

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On Behalf Of Johnson, Alex P (IPS)
Sent: Monday, September 11, 2006 8:44 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Mesh Network Security (Again)

Tom,

As with the Nodebus based control network, we do not support directly connecting non-IPS equipment to the Mesh network.

Instead, we recommend that you do as you have done in the past. That is, add another NIC to workstations and link those NICs to a plant network. That network would then be linked to your primary network using appropriate isolation techniques like firewalls.
Regards,

AJ

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx on behalf of tom.vandewater@xxxxxxxxxxxxxx
Sent: Mon 9/11/2006 8:35 AM
To: foxboro@xxxxxxxxxxxxx
Subject: [foxboro] Mesh Network Security (Again)

Hi List,

I am looking for specific information on an actual security implementation scheme that Invensys supports in a MESH architecture implementation. Is anyone from Invensys or one of their customers already using a Firewall to the Mesh network? If so, what physical device and method of connection to the MESH is being used? Does the Firewall Device have dual connections to the A & B root switches on the MESH? Can it be connected as a GB uplink for large volume throughput to the higher level network? An Invensys designed/approved firewall uplink to corporate networks would be extremely marketable to the users and would show customers that Invensys actually has a plan for security on their systems.

In the past, on Nodebus/Carrierband systems it seemed like most users were encouraged to pass data up to corporate process information systems via 2nd Ethernet ports on multiple Sun boxes and later MS boxes. This created the need to implement security on every port connected and there was no easy way to decouple all of those ports in the event of a suspected security breach. When the MS boxes were introduced security became much more difficult because Foxboro tied all critical system processes to a login such as Fox on the MS Windows system making it extremely difficult to even change the password without breaking the system. This hardly inspired confidence in Invensys from the user community. The fact that there are so many potential security holes in the MS OS and default applications, and that MS security updates cannot automatically be applied as patches are released without breaking things on the Foxboro MS based system is already a huge issue with skeptical users.
The concept of a single point of access from one network level to the level above is hardly a new one. It is called a "firewall" and you are probably reading this message because my company allowed me to send this email through ours and your company allowed you to receive it through yours.

With the MESH, Foxboro could provide a single firewall to the control system via a GB uplink connection to the root switches, users could utilize a single point of access to the control network that could be maintained much more easily and could be physically disconnected if a security breach was suspected.

Is there anyone out there with hands-on experience in implementing security measures on the MESH network or is everyone propagating the previous problem by putting 3rd Ethernet ports on all of their MESH servers and jumping each of them to multiple ports on the corporate network?

Again, thanks for any insight you may be able to provide. The extent of my networking security experience has only been garnered by managing my own home network with cable modem WAN connection, wireless router, and wireless access points but even that has made me realize the need for a better solution for control systems.

Tom VandeWater
Control Systems Developer/Analyst
Dow Corning Corporation
Carrollton, KY USA

_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process Systems (formerly The Foxboro Company). Use the info you obtain here at your own risks.
Read http://www.thecassandraproject.org/disclaimer.html

foxboro mailing list: //www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave