Re: [foxboro] Mesh Network Security (Again)

  • From: "Johnson, Alex P \(IPS\)" <alex.johnson@xxxxxxxxxxxxxxxx>
  • To: <foxboro@xxxxxxxxxxxxx>
  • Date: Mon, 11 Sep 2006 10:25:41 -0400

The Isolation Station follows the recommendation that I made. Moreover,
it can be implemented with or without a Mesh network. It works as
follows:

   Mesh -> AW (51 or 70) -> FW -> AW (51 or 70) -> [FW] -> PIN -> PCs

The mandatory FW is configured such that no ports are open on the
"righthand side/outside" and only a small number of ports are open on
the "lefthand side/inside".

There is software (AOS and INI) loaded on the "inside" AW that
"publishes/pushes" data from the "protected" system to the "outside" AW.

The "outside" AW has software on it (AOS) that allows it to mirror the
protected system's data in the same tag names. This allows applications
to run on the "outside" AW as if they were on the "inside".

"Inside" to "outside" data transfer is the default. With appropriate
configuration on the inside, protected two-way configuration is possible
as well.


My sketch is intended to show that the "inside" AW connects to the
firewall using its second Ethernet port.


Does this help?


Regards,
Alex Johnson
Invensys Systems, Inc.
10900 Equity Drive
Houston, TX 77041
713.329.8472 (voice)
713.329.1700 (fax)
713.329.1600 (switchboard)
alex.johnson@xxxxxxxxxxxxxxxx
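One way to audit a firewall rule list against the policy described above (nothing initiated from the "outside" AW towards the protected side, only a short allowlist open on the "inside"). This is an added example, not code from the thread or from Invensys; the zone names, rule format and port numbers are assumptions.

```python
from dataclasses import dataclass

# Added example (not from the thread): audit a firewall ruleset against the
# Isolation Station policy. Zone names, the Rule format and all port numbers
# are constructed for illustration; they are not AOS/INI port assignments.
INSIDE, OUTSIDE = "inside", "outside"   # the two AWs on either side of the FW

@dataclass(frozen=True)
class Rule:
    src: str      # zone the connection is initiated from
    dst: str      # zone it terminates in
    port: int     # destination TCP/UDP port
    action: str   # "allow" or "deny"

def audit_isolation_policy(rules, inside_allowlist, max_inside_ports=3):
    """Return a list of findings; an empty list means the ruleset matches the
    stated policy. Default-deny is assumed for anything not explicitly allowed."""
    findings = []
    inside_open = set()
    for r in rules:
        if r.action != "allow":
            continue
        # Policy 1: nothing may be initiated from the outside AW towards the
        # protected side ("no ports are open on the outside").
        if r.src == OUTSIDE and r.dst == INSIDE:
            findings.append(f"outside->inside port {r.port} is open")
        # Policy 2: inside->outside is the publishing direction; only the few
        # known publisher ports may be open there, and nothing else.
        elif r.src == INSIDE and r.dst == OUTSIDE:
            inside_open.add(r.port)
            if r.port not in inside_allowlist:
                findings.append(f"inside->outside port {r.port} is not on the allowlist")
    if len(inside_open) > max_inside_ports:
        findings.append(f"{len(inside_open)} inside ports open, policy allows at most {max_inside_ports}")
    return findings

# Constructed sample rulesets (placeholder ports, not real AOS/INI ports).
PUBLISHER_PORTS = {5000, 5001}
COMPLIANT = [Rule(INSIDE, OUTSIDE, 5000, "allow"),
             Rule(INSIDE, OUTSIDE, 5001, "allow"),
             Rule(OUTSIDE, INSIDE, 3389, "deny")]
LEAKY = COMPLIANT + [Rule(OUTSIDE, INSIDE, 22, "allow"),    # an inbound allow the policy forbids
                     Rule(INSIDE, OUTSIDE, 445, "allow")]   # an inside port not on the allowlist

if __name__ == "__main__":
    for name, rs in (("compliant", COMPLIANT), ("leaky", LEAKY)):
        print(name, audit_isolation_policy(rs, PUBLISHER_PORTS) or "OK")
```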
-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
On Behalf Of Jack.Easley@xxxxxxx
Sent: Monday, September 11, 2006 8:30 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Mesh Network Security (Again)

Alex,

Foxboro currently markets a security solution for intranet access to the
Mesh Network. It is called an Isolation Station. The hardware consists
of an AW on the Mesh, an AW on the intranet, and a firewall in between.
Of course these are both two NIC AWs, with the MESH AW serving data to
intranet AW through the firewall. They can be Windows or Unix and are
security hardened by Foxboro. Contact Foxboro Sales or Security Services
for exact details.

Jack Easley

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx [mailto:foxboro-bounce@xxxxxxxxxxxxx]
On Behalf Of Johnson, Alex P (IPS)
Sent: Monday, September 11, 2006 7:44 AM
To: foxboro@xxxxxxxxxxxxx
Subject: Re: [foxboro] Mesh Network Security (Again)

Tom,
As with the Nodebus based control network, we do not support directly
connecting non-IPS equipment to the Mesh network.

Instead, we recommend that you do as you have done in the past. That is,
add another NIC to workstations and link those NICs to a plant network.
That network would then be linked to your primary network using
appropriate isolation techniques like firewalls.

Regards,

AJ

-----Original Message-----
From: foxboro-bounce@xxxxxxxxxxxxx on behalf of
tom.vandewater@xxxxxxxxxxxxxx
Sent: Mon 9/11/2006 8:35 AM
To: foxboro@xxxxxxxxxxxxx
Subject: [foxboro] Mesh Network Security (Again)

Hi List,
   I am looking for specific information on an actual security
implementation scheme that Invensys supports in a MESH architecture
implementation.
       Is anyone from Invensys or one of their customers already using a
Firewall to the Mesh network?  If so, what physical device and method of
connection to the MESH is being used?  Does the Firewall Device have
dual connections to the A & B root switches on the MESH?  Can it be
connected as a GB uplink for large volume throughput to the higher level
network?  An Invensys designed/approved firewall uplink to corporate
networks would be extremely marketable to the users and would show
customers that Invensys actually has a plan for security on their
systems.
   In the past, on Nodebus/Carrierband systems it seemed like most users
were encouraged to pass data up to corporate process information systems
via 2nd Ethernet ports on multiple Sun boxes and later MS boxes. This
created the need to implement security on every port connected and there
was no easy way to decouple all of those ports in the event of a
suspected security breach.  When the MS boxes were introduced security
became much more difficult because Foxboro tied all critical system
processes to a login such as Fox on the MS Windows system making it
extremely difficult to even change the password without breaking the
system. This hardly inspired confidence in Invensys from the user
community.  The fact that there are so many potential security holes in
the MS OS and default applications, and that MS security updates cannot
automatically be applied as patches are released without breaking things
on the Foxboro MS based system is already a huge issue with skeptical
users.
   The concept of a single point of access from one network level to the
level above is hardly a new one.  It is called a "firewall" and you are
probably reading this message because my company allowed me to send this
email through ours and your company allowed you to receive it through
yours.
   With the MESH, Foxboro could provide a single firewall to the control
system via a GB uplink connection to the root switches, users could
utilize a single point of access to the control network that could be
maintained much more easily and could be physically disconnected if a
security breach was suspected.
       Is there anyone out there with hands-on experience in
implementing security measures on the MESH network or is everyone
propagating the previous problem by putting 3rd Ethernet ports on all of
their MESH servers and jumping each of them to multiple ports on the
corporate network?  Again, thanks for any insight you may be able to
provide.  The extent of my networking security experience has only been
garnered by managing my own home network with cable modem WAN
connection, wireless router, and wireless access points but even that
has made me realize the need for a better solution for control systems.

Tom VandeWater
Control Systems Developer/Analyst
Dow Corning Corporation
Carrollton, KY  USA

_______________________________________________________________________
This mailing list is neither sponsored nor endorsed by Invensys Process
Systems (formerly The Foxboro Company). Use the info you obtain here at
your own risks. Read http://www.thecassandraproject.org/disclaimer.html

foxboro mailing list:             //www.freelists.org/list/foxboro
to subscribe:         mailto:foxboro-request@xxxxxxxxxxxxx?subject=join
to unsubscribe:      mailto:foxboro-request@xxxxxxxxxxxxx?subject=leave
Confidentiality Notice: This email message, including any attachments,
contains or may contain confidential information intended only for the
addressee. If you are not an intended recipient of this message, be
advised that any reading, dissemination, forwarding, printing, copying
or other use of this message or its attachments is strictly prohibited. If
you have received this message in error, please notify the sender
immediately by reply message and delete this email message and any
attachments from your system.