The Isolation Station follows the recommendation that I made. Moreover, it can be implemented with or without a Mesh network. It works as follows:

Mesh -> AW (51 or 70) -> FW -> AW (51 or 70) -> [FW] -> PIN -> PCs

The mandatory FW is configured such that no ports are open on the "righthand side/outside" and only a small number of ports are open on the "lefthand side/inside". There is software (AOS and INI) loaded on the "inside" AW that "publishes/pushes" data from the "protected" system to the "outside" AW. The "outside" AW has software on it (AOS) that allows it to mirror the protected system's data with the same tag names. This allows applications to run on the "outside" AW as if they were on the "inside".

"Inside" to "outside" data transfer is the default. With appropriate configuration on the inside, protected two-way configuration is possible as well.

My sketch is intended to show that the "inside" AW connects to the firewall using its second Ethernet port.

Does this help?

Regards,

Alex Johnson
Invensys Systems, Inc.
10900 Equity Drive
Houston, TX 77041
713.329.8472 (voice)
713.329.1700 (fax)
713.329.1600 (switchboard)
alex.johnson@xxxxxxxxxxxxxxxx

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On Behalf Of Jack.Easley@xxxxxxx
Sent: Monday, September 11, 2006 8:30 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Mesh Network Security (Again)

Alex,

Foxboro currently markets a security solution for intranet access to the Mesh Network. It is called an Isolation Station. The hardware consists of an AW on the Mesh, an AW on the intranet, and a firewall in between. Of course these are both two-NIC AWs, with the MESH AW serving data to the intranet AW through the firewall. They can be Windows or Unix and are security hardened by Foxboro. Contact Foxboro Sales or Security Services for exact details.

Jack Easley

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx] On Behalf Of Johnson, Alex P (IPS)
Sent: Monday, September 11, 2006 7:44 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Mesh Network Security (Again)

Tom,

As with the Nodebus based control network, we do not support directly connecting non-IPS equipment to the Mesh network.

Instead, we recommend that you do as you have done in the past. That is, add another NIC to workstations and link those NICs to a plant network. That network would then be linked to your primary network using appropriate isolation techniques like firewalls.

Regards,

AJ

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx on behalf of tom.vandewater@xxxxxxxxxxxxxx
Sent: Mon 9/11/2006 8:35 AM
To: foxboro@xxxxxxxxxxxxx
Subject: [foxboro] Mesh Network Security (Again)

Hi List,

I am looking for specific information on an actual security implementation scheme that Invensys supports in a MESH architecture implementation. Is anyone from Invensys or one of their customers already using a Firewall to the Mesh network? If so, what physical device and method of connection to the MESH is being used? Does the Firewall Device have dual connections to the A & B root switches on the MESH? Can it be connected as a GB uplink for large volume throughput to the higher level network? An Invensys designed/approved firewall uplink to corporate networks would be extremely marketable to the users and would show customers that Invensys actually has a plan for security on their systems.

In the past, on Nodebus/Carrierband systems it seemed like most users were encouraged to pass data up to corporate process information systems via 2nd Ethernet ports on multiple Sun boxes and later MS boxes. This created the need to implement security on every port connected, and there was no easy way to decouple all of those ports in the event of a suspected security breach. When the MS boxes were introduced, security became much more difficult because Foxboro tied all critical system processes to a login such as Fox on the MS Windows system, making it extremely difficult to even change the password without breaking the system. This hardly inspired confidence in Invensys from the user community. The fact that there are so many potential security holes in the MS OS and default applications, and that MS security updates cannot automatically be applied as patches are released without breaking things on the Foxboro MS based system, is already a huge issue with skeptical users.

The concept of a single point of access from one network level to the level above is hardly a new one. It is called a "firewall", and you are probably reading this message because my company allowed me to send this email through ours and your company allowed you to receive it through yours.

With the MESH, Foxboro could provide a single firewall to the control system via a GB uplink connection to the root switches; users could utilize a single point of access to the control network that could be maintained much more easily and could be physically disconnected if a security breach was suspected.

Is there anyone out there with hands-on experience in implementing security measures on the MESH network, or is everyone propagating the previous problem by putting 3rd Ethernet ports on all of their MESH servers and jumping each of them to multiple ports on the corporate network? Again, thanks for any insight you may be able to provide. The extent of my networking security experience has only been garnered by managing my own home network with cable modem WAN connection, wireless router, and wireless access points, but even that has made me realize the need for a better solution for control systems.

Tom VandeWater
Control Systems Developer/Analyst
Dow Corning Corporation
Carrollton, KY USA

_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process Systems (formerly The Foxboro Company). Use the info you obtain here at your own risks. Read http://www.thecassandraproject.org/disclaimer.html

foxboro mailing list: //www.freelists.org/list/foxboro
to subscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe: mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
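The mandatory FW that Alex Johnson describes at the top of this thread (no ports open toward the "outside" AW, a small number of ports open from the "inside" AW, data pushed inside-to-outside) is, in firewall terms, a default-deny stateful forward policy with a single allowed initiator. The nftables ruleset below is an added example and is not Foxboro's or Invensys's configuration, nor code from anyone in the thread. The interface names, the two AW addresses and the TCP port list are assumptions supplied by the caller; the thread does not give the ports that AOS/INI actually use, so substitute the real ones from the vendor documentation. It also does not cover the optional second FW, the PIN or the PCs further to the right in the sketch.

```shell
#!/bin/sh
# Added example: nftables ruleset for the mandatory FW between the "inside"
# AW (second Ethernet port, on the Mesh side) and the "outside" AW.
# Not a vendor configuration. Interface names, addresses and ports are
# assumptions passed in by the caller.
#
# Policy implemented:
#   * the inside AW may open NEW TCP connections to the outside AW on a
#     short list of ports (the "push"); replies return statefully;
#   * the outside AW has no ports open toward the inside: every new
#     connection arriving on the outside interface is logged and dropped;
#   * the firewall itself accepts no new connections on either interface,
#     so it is administered from the console (an assumption of this example).

# isolation_ruleset <inside_if> <outside_if> <inside_aw_ip> <outside_aw_ip> "<port, port, ...>"
# Prints the ruleset on stdout; apply on the firewall with:  ... | nft -f -
isolation_ruleset() {
    in_if=$1 out_if=$2 in_aw=$3 out_aw=$4 ports=$5
    cat <<EOF
flush ruleset
table inet isolation {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # no management port: nothing new is accepted on either interface
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        # "inside" -> "outside" push: one source host, one peer, a few ports
        iifname "$in_if" oifname "$out_if" ip saddr $in_aw ip daddr $out_aw tcp dport { $ports } ct state new accept
        # "outside" -> "inside": no ports open; log the attempt so it is seen
        iifname "$out_if" oifname "$in_if" ct state new log prefix "isolation-drop: " drop
    }
}
EOF
}

# Sanity check before loading: count rules that would accept a connection
# entering on the outside interface other than stateful replies. Reads the
# ruleset on stdin, takes the outside interface name as $1. Must print 0.
outside_new_accepts() {
    grep "iifname \"$1\"" | grep -v established | grep -c accept || :
}

# Demo with assumed values (eth0 faces the Mesh-side AW, eth1 the outside AW).
isolation_ruleset eth0 eth1 10.1.1.10 10.2.2.10 "2000, 2001"
```

Two things a practitioner would check before trusting this: that `outside_new_accepts` really reports 0 for the outside interface after any later edit to the ruleset, and that the `isolation-drop:` log line never appears in normal operation, since any hit means something on the plant network tried to open a connection into the protected side.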