Re: [foxboro] Foxwacth2?

  • From: "Simpelaar, Marco" <msimpela@xxxxxxxxxxx>
  • To: foxboro@xxxxxxxxxxxxx
  • Date: Wed, 26 Feb 2003 10:03:56 -0500

Stan,

The devices that you see in your hosts file are part of the Remote Plus
system. This is the new and improved version of the Foxwatch product.

A bit of history: For remote support Foxboro used to supply a modem
connected to a COMM10. Via this way Foxboro could get a terminal window
when dialing in from the Foxwatch center in Foxmass. The biggest
disadvantage was that no TCP/IP traffic was possible, so no remote
X-window, telnet or FTP was possible.

These days a router is supplied so that TCP/IP traffic is possible from and
to the Foxwatch center. This means that we (Foxboro) can use normal
telnet/ftp/x-window to do troubleshooting.

Why is a router needed? Well: every I/A system uses the 151.128.x.x address
range and only expects IP addresses in this range. So the router does the
necessary network address translation (NAT) and filtering to keep the good
packets in and the rest out. This enables Foxboro to do remote
troubleshooting from the Foxmass (or Baarn or Singapore) office.
The 151.128.8.123 IP address is the Remote Plus router. The other 3 IP
addresses are used only when Foxboro is logged into the site.


Security:
When connecting a DCS to the rest of the world it is important to understand
the implications of this.
Foxboro has a well documented security protocol on how to deal with remote
support. This includes:
* physical security
  Foxwatch room in Foxmass is behind locked doors, just unplug the phone
  line of your router when not in use, all 3 TAC centers (Foxmass, Baarn,
  Singapore) have identical setups with identical databases, basically a
  redundant setup.
* social security
  Only certified Foxboro engineers are allowed to dial in to customers, all
  actions are logged on file and/or video, Foxboro engineer can have voice
  contact with customer to update the customer on what he/she is doing.
* technical security
  Standard off-the-shelf communications equipment is used, all specs are
  available. That's much better than trying security through obscurity.
  Dialback is recommended. There is filtering in both the onsite router and
  the Foxboro router to keep bad packets out and the good packets in.


At the customer site there should be a policy on how to handle connections
from the outside world to the DCS. And with the outside world I mean
everything that is not DCS related: the IT network that is connected to the
2nd ethernet port of an AW. Any phone connections into the DCS, including
Remote Plus. Remote engineering stations via X-window sessions etc...


Contact a CSC center (www.foxboro.com - Technical Support link) if you have
any detailed questions about Remote Plus and its implementation onsite.


Marco Simpelaar - EMEATAC
Europe, Middle East & Africa Technical Assistance Centre
Invensys Systems Nederland N.V.
E-Mail    ips_emeatac@xxxxxxxxxxx
Internet  www.ips.csc.invensys.com
Tel      +31-35-5484125
Fax      +31-35-5484175




-----Original Message-----
From: stan [mailto:stanb@xxxxxxxx] 
Sent: Tuesday, 25 February 2003 19:17
To: Foxboro List
Subject: [foxboro] Foxwacth2?



Our local Foxboro service guy was in here today, and asked for a copy of
/etc/hosts off of one of the machines in my zone. I asked curiously what he
needed this for, and he mumbled something about a new FoxWatch
configuration.

Knowing this had been done already in another person's zone, I went and
looked around. I found the following in /etc/hosts:

#*****************************************************
# Start of IA Remote Plus Addresses
# created Fri Mar 30 14:38:41 GMT 2001
#*****************************************************
#
# The following host entries were created by the
# IA Remote Plus Software Install sub-system. Any
# additional entries should be placed AFTER the End
# delimiter.
#
151.128.8.123   fxwrtr
151.128.8.124   foxwatch2
151.128.8.125   foxwatch1
151.128.8.126   fxwsrvr
#
#*****************************************************
# End of IA Remote Plus Addresses
#*****************************************************

Being the curious sort, I tried telnetting to the first one of these:

AW0102# telnet 151.128.8.123  
Trying 151.128.8.123...
Connected to 151.128.8.123.
Escape character is '^]'.


login: 

Interesting, I asked the group leader in that zone if he knew what the
appropriate userid, and password to access this mysterious device was, he
said no.

I'm curious about how other people feel about a vendor putting equipment on
our (the customer's) networks that we are not provided access to?





-- 
"They that would give up essential liberty for temporary safety deserve
neither liberty nor safety."
                                                -- Benjamin Franklin
 
 
_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at your
own risks. Read http://www.thecassandraproject.org/disclaimer.html
 
foxboro mailing list:             //www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
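
Added example, not part of either message and not Foxboro tooling: a small POSIX shell/awk check that lists every host entry sitting inside an installer-delimited block of a hosts file (the "Start of ... Addresses" / "End of ... Addresses" markers shown in the original message), so a site can match each entry against its own inventory and remote-access policy. The function names and the sample file are constructed for illustration; the AW0102 address in the sample is made up.

```shell
#!/bin/sh
# Added example: inventory host entries that an installer placed between
# "# Start of <name> Addresses" and "# End of <name> Addresses" markers.

# vendor_host_blocks FILE
# Prints one line per entry: block-name <TAB> ip <TAB> hostname
vendor_host_blocks() {
    awk '
        /^#[ \t]*Start of .* Addresses/ {
            block = $0
            sub(/^#[ \t]*Start of /, "", block)   # strip the leading marker text
            sub(/ Addresses.*$/, "", block)       # keep only the block name
            next
        }
        /^#[ \t]*End of .* Addresses/ { block = ""; next }
        # Inside a block: report real entries, skip comment lines
        block != "" && $1 !~ /^#/ && NF >= 2 {
            printf "%s\t%s\t%s\n", block, $1, $2
        }
    ' "$1"
}

# write_sample FILE
# Constructed sample: the Remote Plus block quoted in the original message,
# preceded by two entries that are NOT inside any installer block.
write_sample() {
    cat > "$1" <<'EOF'
127.0.0.1       localhost
# constructed entry, address made up for this example
151.128.8.10    AW0102
#*****************************************************
# Start of IA Remote Plus Addresses
# created Fri Mar 30 14:38:41 GMT 2001
#*****************************************************
151.128.8.123   fxwrtr
151.128.8.124   foxwatch2
151.128.8.125   foxwatch1
151.128.8.126   fxwsrvr
#*****************************************************
# End of IA Remote Plus Addresses
#*****************************************************
EOF
}

sample=$(mktemp)
write_sample "$sample"
vendor_host_blocks "$sample"
rm -f "$sample"
```

On a real workstation, run `vendor_host_blocks /etc/hosts` and compare the output with the list of devices the site has documented and approved.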
 
 
 