CT392 - Industrial Demilitarized Zone Design Principles

Size: px
Start display at page:

Download "CT392 - Industrial Demilitarized Zone Design Principles"

Transcription

1 CT392 - Demilitarized Design Principles Rev 5058-CO900E

2 Agenda Fundamentals and Review What is an IDMZ? Methodology Network Segmentation 2

3 Fundamentals and Review

4 Purdue Reference Model MES - Manufacturing Execution System measures and controls production facilities; it tracks and measures key operational criteria such as product, equipment, labor, inventory, defects, etc.; a key interface to the Enterprise-level applications; Level 3 & 4 Historian - Collects historical data from the plant floor applications and reports or displays them in various report formats; Level 3 SCADA - Supervisory Control and Data Acquisition; large scale distributed measurement and control systems, usually covers a geographical area; Level 3 HMI - Human Machine Interfaces display operational status to operation personnel and may allow them to perform basic functions (e.g. start/stop a process); Level 2 Programmable Automation Controller or Programmable Logic Controller; controls a subset (Cell/Area), e.g. a line or function, as well as the relevant devices in that Cell/Area; Level 1 Sensor/Actuator device - a device that measures or controls key functions or aspects of the industrial automation process; Level 0

5 Campus Network Diagram to Ground Our Conversation Hierarchal, modular and scalable building blocks Creates small domains - clear demarcations and segmentation Fault domain (e.g. Layer 2 loops), broadcast domain, domains of trust (security) Easier to grow, understand and troubleshoot Multi-tier switch model Core Aggregates distribution switches Backbone of network DMZ connectivity Distribution Aggregates access switches Provides Layer 3 services Access Aggregates industrial automation and control system () devices Provides Layer 2 services Core Distribution Access

6 Layers and Levels Layer 2 Access Switch Layer 3 Distribution Switch Catalyst 3750 StackWise Switch Stack Cell/Area s Levels 0 2 Level 2 HMI Phone Rockwell Automation Stratix 5700/8000 Layer 2 Access Switch HMI Safety I/O Safety Controller Controller Camera Instrumentation Media & Connectors Cell/Area #1 Redundant Star Topology Flex Links Resiliency MCC I/O Soft Starter Level 1 Cell/Area #2 Controller Ring Topology Resilient Ethernet Protocol (REP) Servo Drive Cell/Area #3 Bus/Star Topology Level 0 Drive

7 Go Beyond Defense in Depth Search.com defines Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier PUBLIC Copyright INFORMATION 2009 Rockwell Automation, Inc. All rights reserved. 8

8 Agenda Fundamentals and Review What is an IDMZ? Network Segmentation Methodology 9

9 Network Convergence Continuing Trend Corporate Network Corporate Network Back-Office Mainframes and Servers (ERP, MES, etc.) Human Machine Interface (HMI) Control Network Gateway Supervisory Control Office Applications, Internetworking, Data Servers, Storage Back-Office Mainframes and Servers (ERP, MES, etc.) Controller Office Applications, Internetworking, Data Servers, Storage Phone Controller Camera Supervisory Control Safety Controller Robotics Motors, Drives Actuators Robotics I/O Motors, Drives Actuators Safety I/O Sensors and other Input/Output Devices Human Machine Interface (HMI) Sensors and other Input/Output Devices Network Network Traditional 3 Tier Network Model Converged Plantwide EtherNet/IP Network Model EtherNet/IP - Enabling/Driving Convergence of Control and Information 10 N

10 Network Convergence Continued Trend Demilitarized (IDMZ) Wide Area Network (WAN) Physical or Virtualized Servers ERP, Active Directory (AD), AAA Radius Call Manager Office Applications, Internetworking, Data Servers, Storage Enterprise Physical or Virtualized Servers Patch Management Remote Gateway Services Application Mirror AV Server Gbps Link for Failover Detection Firewall (Active) Firewall (Standby) Firewalls for separation Unified Threat Management Authentication & Authorization Application & Data Sharing via replication or terminal services DMZ Physical or Virtualized Servers FactoryTalk Application Servers & Services Platform Network Services e.g. DNS, AD, DHCP, AAA Remote Access Server (RAS) Call Manager Storage Array Phone Remote Access Server Drive Controller Camera I/O Supervisory Control Safety Controller Mobile User Linking Device Instrumentation Condition Monitoring Human Machine Interface (HMI) Soft Starter Motors, Drives Actuators Safety I/O Overload Relay I/O Robotics Motor Control Center Plant-wide / Site-wide Network Integrated Architecture 11

11 What is an DMZ? A IDMZ, or Demilitarized, is a sub-network placed between a trusted network (industrial) and an untrusted network (enterprise). The IDMZ contains business facing assets that act as brokers between the trusted and untrusted networks. Traffic never travels directly across the IDMZ. A properly designed IDMZ can be unplugged if compromised and still allow the industrial network to operate without disruption.

12 Demilitarized (DMZ) Sometimes referred to a perimeter network that exposes an organizations external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network UNTRUSTED Web Proxy BROKER TRUSTED

13 Demilitarized (IDMZ) Controlling Access to the Sometimes referred to a perimeter network that exposes an organizations external services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network Enterprise DMZ TRUSTED? UNTRUSTED? BROKER TRUSTED

14 Demilitarized (IDMZ) Controlling Access to the All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ Only path between zones No common protocols in each logical firewall No control traffic into the IDMZ, CIP stays home No primary services are permanently housed in the IDMZ IDMZ shall not permanently house data Application data mirror to move data into and out of the Limit outbound connections from the IDMZ Be prepared to turn-off access via the firewall Disconnect Point Replicated Services Disconnect Point Trusted? Untrusted? Enterprise Trusted IDMZ No Direct Traffic

15 Demilitarized (IDMZ) Controlling Access to the Set-up functional sub-zones in the IDMZ to segment access to data and services (e.g. Partner zone, Operations, IT) Trusted? Untrusted? Enterprise Disconnect Point Terminal Services Patch Management AV Server Multiple Functional Subzones IDMZ No Direct Traffic Historian Mirror Web Services Operations Application Server Disconnect Point Trusted

16 Controlling Access to the Level 5 Level 4 , Intranet, etc. Enterprise Network Site Business Planning and Logistics Network Enterprise Remote Gateway Services Application Mirror Patch Management Web Services Operations AV Server Application Server Firewall Firewall Web CIP DMZ Level 3 Level 2 Level 1 FactoryTalk Application Server FactoryTalk Client Batch Control FactoryTalk Directory Operator Interface Discrete Control Engineering Workstation FactoryTalk Client Drive Control Remote Access Server Engineering Workstation Continuous Process Control Site Operations and Control Area Supervisory Control Operator Interface Safety Control Basic Control Cell/Area Level 0 Sensors Drives Actuators Robots Process Logical Model Automation and Control System () Converged Multi-discipline Network No Direct Traffic Flow between Enterprise and

17 Agenda Fundamentals and Review What is an IDMZ? Methodology Network Segmentation 18

18 Methodology Develop a scientific method to develop repeatable, measureable and maintainable solution(s) Look at the problem holistically and drill down to each system 19

19 IDMZ / Network Reconnaissance (Design Pre-work) Identify types of Assets in and those that support Manufacturing Identify who owns the hardware and software on the asset. Recon Phase Design Phase Identify Assets Or Asset Classes Identify Asset Owners Requirements Phase Architectural Phase Tech. Design Phase Implement Maintain ACTION Document Assets by documentation, interviews and network scanning ACTION Document Asset Owners and Schedule Interviews 20

20 Classify Asset Types Goal: Identify assets that support manufacturing process. Goal: Identify if asset belongs in the or Enterprise. 21

21 Diagram Data Sources Feeding Higher Level Assets 22

22 Identify System Owners / Users DC 23

23 Interview Process Interview process identifies how the owners and clients of the assets Operate Configure Patch Upgrade Identifies where the data is produced and consumed This process is used to gather requirements 24

24 IDMZ / Network Design Methodology Requirements are a statement identifying a capability, physical characteristic or quality factor that bounds a product or process problem for which a solution will be pursued. (Source: IEEE Standard ) High level architectural recommendations that are proposed to meet the customer requirements. Detailed information usually written by the coder or implementer that describes how the system or product will be programmed, configured to meet the customer requirements and the high level architecture. The system components are brought together and tested during this phase per the testing plan System has been Verified and Validated and is maintained by Operations and Maintenance Requirements Phase Architectural Phase Technical Design Phase Implementation Maintain ACTION Interview all system owners to gather requirements for operations, configuration and maintenance. ACTION Produce high level documentation and drawings to meet every requirement ACTION Produce detailed documentation such as drawings, switch configurations, VLAN, IP Address, Firewall ACL s ACTION Verify, was the product built right and Validate, was the right product built process ACTION Modify configurations and assets to fix anomalies or required operational changes. 25

25 High Level Architecture Enterprise DMZ 26

26 How to Derive High Level Architecture Enterprise Client Actor MES Order Entry Historian QC Systems DMZ No Control Protocols Through the Firewall(s) 27

27 Move the Assets Around To Minimize Cross Traffic Especially Control Protocols Enterprise Historian Client Actor MES Order Entry DMZ Historian Mirror Data Proxy Historian QC Systems 28

28 High Level Architecture Review All Use Cases and Meet All Requirements Enterprise Use Case Configure Historian from Enterprise DMZ Remote Desktop Gateway 29

29 High Level Architecture Review Use Cases Enterprise Use Case Move Data From Historian to Enterprise Historian DMZ Historian Mirror 30

30 Assets Typically Found in DMZs Level 5 Level 4 , Intranet, etc. Router Enterprise Network Site Business Planning and Logistics Network Enterprise Remote Access Technologies Terminal Services Patch Management AV Server Historian Mirror Web Services Operations File Transfer Server Firewall Web CIP IDMZ Level 3 FactoryTalk Application Server FactoryTalk Directory Engineering Workstation Domain Controller Firewall Site Manufacturing Operations and Control Level 2 Level 1 FactoryTalk Client Operator Interface FactoryTalk Client Batch Control Discrete Control Drive Control Engineering Workstation Continuous Process Control Operator Interface Safety Control Area Supervisory Control Basic Control Cell/Area Level 0 Sensors Drives Actuators Robots Process

31 Assets Typically Found in DMZs Level 5 Level 4 , Intranet, etc. Router Enterprise Network Site Business Planning and Logistics Network Enterprise Windows Server Updating Service (WSUS) Terminal Services Patch Management AV Server Historian Mirror Web Services Operations File Transfer Server Firewall Web CIP IDMZ Level 3 FactoryTalk Application Server FactoryTalk Directory Engineering Workstation Domain Controller Firewall Site Manufacturing Operations and Control Level 2 Level 1 FactoryTalk Client Operator Interface FactoryTalk Client Batch Control Discrete Control Drive Control Engineering Workstation Continuous Process Control Operator Interface Safety Control Area Supervisory Control Basic Control Cell/Area Level 0 Sensors Drives Actuators Robots Process

32 IDMZ / Network Design Methodology Requirements are a statement identifying a capability, physical characteristic or quality factor that bounds a product or process problem for which a solution will be pursued. (Source: IEEE Standard ) High level architectural recommendations that are proposed to meet the customer requirements. Detailed information usually written by the coder or implementer that describes how the system or product will be programmed, configured to meet the customer requirements and the high level architecture. The system components are brought together and tested during this phase per the testing plan System has been Verified and Validated and is maintained by Operations and Maintenance Requirements Phase Architectural Phase Technical Design Phase Implementation Maintain ACTION Interview all system owners to gather requirements for operations, configuration and maintenance. ACTION Produce high level documentation and drawings to meet every requirement ACTION Produce detailed documentation such as drawings, switch configurations, VLAN, IP Address, Firewall ACL s ACTION Verify, was the product built right and Validate, was the right product built process ACTION Modify configurations and assets to fix anomalies or required operational changes. 37

33 Agenda Fundamentals and Review What is an IDMZ? Methodology Network Segmentation 38

34 Architecture to support IDMZ Division of plant-wide / sitewide architectures into functional areas for secured access ISA-99 s and Conduit model OEM s Participation IP Address VLAN ID s Access layer to Distribution layer cooperation System design requires full cooperation of all System Integrators, OEM s, IT and Plant/Site Engineering Copy 39

35 Data Link / Network Layers Availability Control Systems are Designed with Availability Requirement First! Availability VLAN 101 VLAN 41 Patch Management Terminal Services Application Mirror AV Server FactoryTalk Application Servers View Historian AssetCentre Transaction Manager FactoryTalk Services Platform Directory /Audit Data Servers Remote Access Server Gbps Link for Failover Detection Firewall (Active) Catalyst 6500/4500 Cisco ASA 5500 Catalyst 3750 StackWise Switch Stack ERP, , Wide Area Network (WAN) Firewall (Standby) Cisco Catalyst Switch Network Services DNS, DHCP, syslog server Network and security mgmt Enterprise Levels 4 and 5 Demilitarized (IDMZ) Demilitarized (IDMZ) Site Operations and Control Level 3 Layer 2 Access Link Layer 2 Interswitch Link/ 802.1Q Trunk Layer 3 Link Cell/Area #1 Cell/Area #2 Cell/Area #3 Drive Controller VLAN 102 HMI I/O VLAN 42 I/O Rockwell Automation Stratix 8000 Layer 2 Access Switch Controller VLAN 103 HMI Drive VLAN 43 HMI I/O VLAN 104 VLAN 105 Controller Drive VLAN 44 Cell/Area s Levels 0 2

36 Structure and Hierarchy Network Segmentation: Building Block for Availability Availability Layer 2 Access Switch Layer 3 Distribution Switch Layer 3 Building Block Catalyst 3750 StackWise Switch Stack Cell/Area s Levels 0 2 Level 2 HMI Phone Controller Camera Building Block Instrumentation Media & Connectors Cell/Area #1 Redundant Star Topology Flex Links Resiliency The Cell/Area zone is a Layer 2 network for a functional area (plant-wide or site-wide) Key network considerations include: Structure and hierarchy using smaller Layer 2 building blocks Logical segmentation for traffic management and policy enforcement (e.g. QoS, ) to accommodate time-sensitive applications Layer 2 Rockwell Automation Stratix 5700/8000 Layer 2 Access Switch Layer 2 HMI MCC Building I/OBlockSoft Starter Level 1 Cell/Area #2 Controller Ring Topology Resilient Ethernet Protocol (REP) Servo Drive Safety I/O Cell/Area #3 Bus/Star Topology Level 0 Drive Safety Controller Layer 2 Building Block 41

37 Questions? Rev 5058-CO900E

Choosing the correct Time Synchronization Protocol and incorporating the 1756-TIME module into your Application

Choosing the correct Time Synchronization Protocol and incorporating the 1756-TIME module into your Application Choosing the correct Time Synchronization Protocol and incorporating the 1756-TIME module into your Application By: Josh Matson Various Time Synchronization Protocols From the earliest days of networked

More information

Scalable Secure Remote Access Solutions

Scalable Secure Remote Access Solutions Scalable Secure Remote Access Solutions Jason Dely, CISSP Principal Security Consultant jdely@ra.rockwell.com Scott Friberg Solutions Architect Cisco Systems, Inc. sfriberg@cisco.com Jeffrey A. Shearer,

More information

REFERENCE ARCHITECTURES FOR MANUFACTURING

REFERENCE ARCHITECTURES FOR MANUFACTURING Synopsis Industry adoption of EtherNet/IP TM for control and information resulted in the wide deployment of standard Ethernet in manufacturing. This deployment acts as the technology enabler for the convergence

More information

AUP28 - Implementing Security and IP Protection

AUP28 - Implementing Security and IP Protection AUP28 - Implementing Security and IP Protection Features in the Integrated Architecture Mads Laier DK Commercial Engineer Logix & Networks Rev 5058-CO900E Agenda Why IACS Security Now! Defense in depth

More information

Securing The Connected Enterprise

Securing The Connected Enterprise Securing The Connected Enterprise Pack Expo 2015 Las Vegas Chelsea An Business Development Lead, Network & Security PUBLIC Copyright 2015 Rockwell Automation, Inc. All Rights Reserved. 8 Connected Enterprise

More information

Network Security Trends & Fundamentals of Securing EtherNet/IP Networks

Network Security Trends & Fundamentals of Securing EtherNet/IP Networks Network Security Trends & Fundamentals of Securing EtherNet/IP Networks Presented by Rockwell Automation Industrial Network Security Trends Security Quips "Good enough" security now, is better than "perfect"

More information

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation Rev 5058-CO900C Agenda Control System Network Security Defence in Depth Secure Remote Access Examples

More information

T46 - Integrated Architecture Tools for Securing Your Control System

T46 - Integrated Architecture Tools for Securing Your Control System T46 - Integrated Architecture Tools for Securing Your Control System PUBLIC PUBLIC - 5058-CO900G Copyright 2014 Rockwell Automation, Inc. All Rights Reserved. The Connected Enterprise PUBLIC Copyright

More information

The Internet of Things (IoT) and Industrial Networks. Guy Denis gudenis@cisco.com Rockwell Automation Alliance Manager Europe 2015

The Internet of Things (IoT) and Industrial Networks. Guy Denis gudenis@cisco.com Rockwell Automation Alliance Manager Europe 2015 The Internet of Things (IoT) and Industrial Networks Guy Denis gudenis@cisco.com Rockwell Automation Alliance Manager Europe 2015 Increasingly Everything will be interconnected 50 Billion Smart Objects

More information

AUP28. Implementing Security In Integrated Architecture Practical security solutions for Industrial Control System (ICS)

AUP28. Implementing Security In Integrated Architecture Practical security solutions for Industrial Control System (ICS) AUP28 Implementing Security In Integrated Architecture Practical security solutions for Industrial Control System (ICS) Clive Barwise, Rockwell Automation European Product Manager Networks and Security

More information

Production Software Within Manufacturing Reference Architectures

Production Software Within Manufacturing Reference Architectures Production Software Within Manufacturing Reference Architectures Synopsis Industry adoption of EtherNet/IP for control and information has driven the wide deployment of standard Ethernet for manufacturing

More information

PR03. High Availability

PR03. High Availability PR03 High Availability Related Topics NI10 Ethernet/IP Best Practices NI15 Enterprise Data Collection Options NI16 Thin Client Overview Solution Area 4 (Process) Agenda Overview Controllers & I/O Software

More information

ControlLogix and CompactLogix 5370 Segmentation Methods for Plant-wide/ Site-wide Networks with OEM Convergence-ready Solutions

ControlLogix and CompactLogix 5370 Segmentation Methods for Plant-wide/ Site-wide Networks with OEM Convergence-ready Solutions Network Segmentation Methodology Application Guide ControlLogix and CompactLogix 5370 Segmentation Methods for Plant-wide/ Site-wide Networks with OEM Convergence-ready Solutions By Josh Matson and Gregory

More information

Computer System Security Updates

Computer System Security Updates Why patch? If you have already deployed a network architecture, such as the one recommended by Rockwell Automation and Cisco in the Converged Plantwide Ethernet Design and Implementation Guide (http://www.ab.com/networks/architectures.html),

More information

Top-Down Network Design

Top-Down Network Design Top-Down Network Design Chapter Five Designing a Network Topology Copyright 2010 Cisco Press & Priscilla Oppenheimer Topology A map of an internetwork that indicates network segments, interconnection points,

More information

PlantPAx op weg naar Connected Enterprise.

PlantPAx op weg naar Connected Enterprise. AUP 46 PlantPAx op weg naar Connected Enterprise. Wim van der Heide Solution Architect Copyright 2015 Rockwell Automation, Inc. All rights reserved. 2 Agenda 1. Waarom zou u moeten migreren? 1. Connected

More information

Simplifying the Transition to Virtualization TS17

Simplifying the Transition to Virtualization TS17 Simplifying the Transition to Virtualization TS17 Name Sandeep Redkar Title Manager Process Solutions Date 11 th February 2015 Agenda Overview & Drivers Virtualization for Production Rockwell Automation

More information

Network & Security Services (NSS) Because Infrastructure Matters

Network & Security Services (NSS) Because Infrastructure Matters Network & Security Services (NSS) Because Infrastructure Matters Andrew Ballard Commercial Director Services & Support - EMEA Rev 5058-CO900E THE CONNECTED ENTERPRISE Headquarters Optimized for Rapid Value

More information

Achieving Secure, Remote Access to Plant-Floor Applications and Data

Achieving Secure, Remote Access to Plant-Floor Applications and Data Achieving Secure, Remote Access to Plant-Floor Applications and Data Abstract To increase the flexibility and efficiency of production operations, manufacturers are adopting open networking standards for

More information

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE4635 - Computer Network Analysis and Design Slide 1

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE4635 - Computer Network Analysis and Design Slide 1 NETE-4635 Computer Network Analysis and Design Designing a Network Topology NETE4635 - Computer Network Analysis and Design Slide 1 Network Topology Design Themes Hierarchy Redundancy Modularity Well-defined

More information

CHAPTER 6 DESIGNING A NETWORK TOPOLOGY

CHAPTER 6 DESIGNING A NETWORK TOPOLOGY CHAPTER 6 DESIGNING A NETWORK TOPOLOGY Expected Outcomes Able to identify terminology that will help student discuss technical goals with customer. Able to introduce a checklist that can be used to determine

More information

Das sollte jeder ITSpezialist über. Automations- und Produktionsnetzwerke wissen

Das sollte jeder ITSpezialist über. Automations- und Produktionsnetzwerke wissen Das sollte jeder ITSpezialist über Automations- und Produktionsnetzwerke wissen Frank Schirra, Rockwell Automation Solution Architect Edi Truttmann, Cisco Systems Network Solution Sales Specialist 2012

More information

Securing Manufacturing Computing and Controller Assets

Securing Manufacturing Computing and Controller Assets Securing Manufacturing Computing and Controller Assets Rockwell Automation and Cisco Four Key Initiatives: Common Technology View: A single system architecture, using open, industry standard networking

More information

Industrial Security Solutions

Industrial Security Solutions Industrial Security Solutions Building More Secure Environments From Enterprise to End Devices You have assets to protect. Control systems, networks and software can all help defend against security threats

More information

Redesigning automation network security

Redesigning automation network security White Paper WP152006EN Redesigning automation network security Presented at Power and Energy Automation Conference (PEAC), Spokane, WA, March 2014 Jacques Benoit Eaton s Cooper Power Systems Abstract The

More information

Physical Infrastructure for a Resilient Converged Plantwide Ethernet Architecture

Physical Infrastructure for a Resilient Converged Plantwide Ethernet Architecture Physical Infrastructure for a Resilient Converged Plantwide Ethernet Architecture Industrial Ethernet networking is advancing technology applications throughout the plant. These applications are rapidly

More information

Cisco Networking Professional-6Months Project Based Training

Cisco Networking Professional-6Months Project Based Training Cisco Networking Professional-6Months Project Based Training Core Topics Cisco Certified Networking Associate (CCNA) 1. ICND1 2. ICND2 Cisco Certified Networking Professional (CCNP) 1. CCNP-ROUTE 2. CCNP-SWITCH

More information

Stratix Switches Within Integrated Architecture. Dave VanGompel, Principal Application Engineer

Stratix Switches Within Integrated Architecture. Dave VanGompel, Principal Application Engineer Written By: Mark Devonshire, Product Manager Dave VanGompel, Principal Application Engineer Synopsis Industry adoption of EtherNet/IP for control and information has driven the wide deployment of standard

More information

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco

Secure Access into Industrial Automation and Control Systems Industry Best Practice and Trends. Serhii Konovalov Venkat Pothamsetty Cisco Secure Access into Industrial Automation and Systems Industry Best Practice and Trends Serhii Konovalov Venkat Pothamsetty Cisco Vendor offers a remote firmware update and PLC programming. Contractor asks

More information

Square D Model 6 Motor Control Centers

Square D Model 6 Motor Control Centers Square D Model 6 Motor Control Centers with Ethernet Communications What is industrial Ethernet? Over the past few years the use of Ethernet communications has spread into every corner of the business

More information

Scalable, Secure Remote Monitoring Solutions Stay a step ahead by remotely monitoring your critical assets

Scalable, Secure Remote Monitoring Solutions Stay a step ahead by remotely monitoring your critical assets Scalable, Secure Remote Monitoring Solutions Stay a step ahead by remotely monitoring your critical assets PUBLIC PUBLIC - 5058-CO900G Why Is This Important? What s Driving This Need? Customer Impact It

More information

Plant-wide Network Infrastructure. Copyright 2012 Rockwell Automation, Inc. All rights reserved.

Plant-wide Network Infrastructure. Copyright 2012 Rockwell Automation, Inc. All rights reserved. Plant-wide Network Infrastructure Agenda Additional On-site Information EtherNet/IP Considerations Logical Design Considerations Physical Layer Design Consideration Testing Considerations Plant-Floor and

More information

Securing the Connected Enterprise

Securing the Connected Enterprise Securing the Connected Enterprise ABID ALI, Network and Security Consultant. Why Infrastructure Matters Rapidly Growing Markets Global Network Infrastructure and Security Markets 13.7% CAGR over the next

More information

Industrial Security in the Connected Enterprise

Industrial Security in the Connected Enterprise Industrial Security in the Connected Enterprise Presented by Rockwell Automation 2008 Cisco Systems, Inc. and Rockwell Automation, Inc. All rights reserved. THE CONNECTED ENTERPRISE Optimized for Rapid

More information

Scalable Secure Remote Access Solutions for OEMs

Scalable Secure Remote Access Solutions for OEMs Scalable Secure Remote Access Solutions for OEMs Introduction Secure remote access to production assets, data, and applications, along with the latest collaboration tools, provides manufacturers with the

More information

Design Considerations for Securing Industrial Automation and Control System Networks

Design Considerations for Securing Industrial Automation and Control System Networks Design Considerations for Securing Industrial Automation and Control System Networks Synopsis Rockwell Automation and Cisco Four Key Initiatives: Common Technology View: A single system architecture, using

More information

Manufacturing and the Internet of Everything

Manufacturing and the Internet of Everything Manufacturing and the Internet of Everything Johan Arens, CISCO (joarens@cisco.com) Business relevance of the Internet of everything Manufacturing trends Business imperatives and outcomes A vision of the

More information

IP Telephony Management

IP Telephony Management IP Telephony Management How Cisco IT Manages Global IP Telephony A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge Design, implement, and maintain a highly available, reliable, and resilient

More information

Allen-Bradley Stratix 5700 Network Address Translation (NAT)

Allen-Bradley Stratix 5700 Network Address Translation (NAT) 00:00:BC:66:0F:C7 DANGER SINK\ SOURCE SOURCE 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 00 08 01 09 02 10 03 11 04 12 05 13 06 14 07 15 COM COM 0 1 NC NC +V +V 00 08 01

More information

Securing Process Control Systems

Securing Process Control Systems Securing Process Control Systems Bradford H. Hegrat, CISSP, CISM Sr. Principal Security Consultant Network & Security Services Rockwell Automation Process Solutions User Group (PSUG) November 14-15, 2011

More information

Recommended IP Telephony Architecture

Recommended IP Telephony Architecture Report Number: I332-009R-2006 Recommended IP Telephony Architecture Systems and Network Attack Center (SNAC) Updated: 1 May 2006 Version 1.0 SNAC.Guides@nsa.gov This Page Intentionally Left Blank ii Warnings

More information

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion

Course Syllabus. Fundamentals of Windows Server 2008 Network and Applications Infrastructure. Key Data. Audience. Prerequisites. At Course Completion Key Data Product #: 3380 Course #: 6420A Number of Days: 5 Format: Certification Exams: Instructor-Led None This course syllabus should be used to determine whether the course is appropriate for the students,

More information

Stratix Industrial Networks Infrastructure At-A-Glance

Stratix Industrial Networks Infrastructure At-A-Glance Stratix ing and Routing Services Router Wireless Distribution Services Router Hardware Features Ports Per Module 2 5 to 16 4 and 9 port 6, 10, 18 and 20 port 8, 10, 16, 18, 24 port 6 and 10 port base switches

More information

Overview of Routing between Virtual LANs

Overview of Routing between Virtual LANs Overview of Routing between Virtual LANs This chapter provides an overview of virtual LANs (VLANs). It describes the encapsulation protocols used for routing between VLANs and provides some basic information

More information

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks Dale Peterson Director, Network Security Practice Digital Bond, Inc. 1580 Sawgrass Corporate Parkway, Suite 130 Sunrise, FL 33323

More information

AUD20 - Industrial Network Security

AUD20 - Industrial Network Security AUD20 - Industrial Network Security Lesley Van Loo EMEA Senior Commercial engineer - Rockwell Automation Rev 5058-CO900B Copyright 2012 Rockwell Automation, Inc. All rights reserved. 2 Agenda Connected

More information

Securing Manufacturing Control Networks. Alan J. Raveling, CISSP November 2 nd 5 th Pack Expo 2014

Securing Manufacturing Control Networks. Alan J. Raveling, CISSP November 2 nd 5 th Pack Expo 2014 Securing Manufacturing Control Networks Alan J. Raveling, CISSP November 2 nd 5 th Pack Expo 2014 As Internet-enabled technologies such as cloud and mobility grow, the need to understand the potential

More information

Security for. Industrial. Automation. Considering the PROFINET Security Guideline

Security for. Industrial. Automation. Considering the PROFINET Security Guideline Security for Industrial Considering the PROFINET Security Guideline Automation Industrial IT Security 2 Plant Security Physical Security Physical access to facilities and equipment Policies & Procedures

More information

Process Control Networks Secure Architecture Design

Process Control Networks Secure Architecture Design Process Control Networks Secure Architecture Design Guest Speaker Robert Alston Principle Lead Network and Security Consultant Over 25 years network experience including design, implementation, troubleshooting

More information

Securing Networks with Cisco Routers and Switches (642-637)

Securing Networks with Cisco Routers and Switches (642-637) Securing Networks with Cisco Routers and Switches (642-637) Exam Description: The 642-637 Securing Networks with Cisco Routers and Switches exam is the exam associated with the CCSP, CCNP Security, and

More information

Configuration Management: Best Practices White Paper

Configuration Management: Best Practices White Paper Configuration Management: Best Practices White Paper Document ID: 15111 Contents Introduction High Level Process Flow for Configuration Management Create Standards Software Version Control and Management

More information

Network & Security Services Rockwell Automation s Specialist team of Network & Security Specialists

Network & Security Services Rockwell Automation s Specialist team of Network & Security Specialists Network & Security Services Rockwell Automation s Specialist team of Network & Security Specialists Sonny Kailola Customer Support & Maintenance (CSM) Rev 5058-CO900D Copyright 2015 Rockwell Automation,

More information

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise 157.8 hours teaching time

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise 157.8 hours teaching time Essential Curriculum Computer Networking II Cisco Discovery 3: Introducing Routing and Switching in the Enterprise 157.8 hours teaching time Chapter 1 Networking in the Enterprise-------------------------------------------------

More information

Secure Networks for Process Control

Secure Networks for Process Control Secure Networks for Process Control Leveraging a Simple Yet Effective Policy Framework to Secure the Modern Process Control Network An Enterasys Networks White Paper There is nothing more important than

More information

Manufacturing Operations Management. Dennis Brandl

Manufacturing Operations Management. Dennis Brandl Manufacturing Operations Management Dennis Brandl BR&L Consulting Peter Owen Eli Lilly & Co Dennis Brandl 1 Objectives Review the ISA 95 standards and how they are being used in companies like Eli Lilly

More information

Aluminium Smelter Benefits from New Approach to Networking

Aluminium Smelter Benefits from New Approach to Networking Aluminium Smelter Benefits from New Approach to Networking Customer Case Study One of world s largest aluminium smelters uses Ethernet-to-the-Factory to improve manufacturing efficiency. EXECUTIVE SUMMARY

More information

CCT vs. CCENT Skill Set Comparison

CCT vs. CCENT Skill Set Comparison Operation of IP Data Networks Recognize the purpose and functions of various network devices such as Routers, Switches, Bridges and Hubs Select the components required to meet a given network specification

More information

Fiber Optic Infrastructure Application Guide

Fiber Optic Infrastructure Application Guide Fiber Optic Infrastructure Application Guide Deploying a Fiber Optic Physical Infrastructure to Support Converged Plantwide EtherNet/IP November 2011 Publlication ENET-TD003A-EN-E: About PANDUIT PANDUIT

More information

Security Threats VPNs and IPSec AAA and Security Servers PIX and IOS Router Firewalls. Intrusion Detection Systems

Security Threats VPNs and IPSec AAA and Security Servers PIX and IOS Router Firewalls. Intrusion Detection Systems Course Overview Security Threats VPNs and IPSec AAA and Security Servers PIX and IOS Router s IPSec 3002 IKE 515 CA s Intrusion Detection Systems 4210 VPNs Routers 2 The security threats section will cover

More information

Securing E-Commerce. Agenda. The Security Problem IC Security: Key Elements Designing and Implementing. 3203 1346_06_2000_c1_sec3

Securing E-Commerce. Agenda. The Security Problem IC Security: Key Elements Designing and Implementing. 3203 1346_06_2000_c1_sec3 Securing E-Commerce 1 Agenda The Security Problem IC Security: Key Elements Designing and Implementing 2 The Security Dilemma Internet Business Value Internet Access Corporate Intranet Internet Presence

More information

Secure Access into Industrial Automation and Control Systems Best Practice and Trends

Secure Access into Industrial Automation and Control Systems Best Practice and Trends Secure Access into Industrial Automation and Systems Best Practice and Trends Serhii Konovalov Venkat Pothamsetty Cisco Collaborating to Advance System Security Vendor offers a remote firmware update and

More information

Cisco Certified Security Professional (CCSP)

Cisco Certified Security Professional (CCSP) 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Security Professional (CCSP) Program Summary This instructor- led program with a combination

More information

Configuring PROFINET

Configuring PROFINET CHAPTER 9 This chapter describes how to configure the PROFINET feature on the Cisco IE 3000 switch. Understanding PROFINET, page 9-1, page 9-4 Displaying the PROFINET Configuration, page 9-5 Troubleshooting

More information

Ethernet Design Considerations for Control System Networks AN INTRODUCTION

Ethernet Design Considerations for Control System Networks AN INTRODUCTION Ethernet Design Considerations for Control System Networks AN INTRODUCTION PUBLICATION ENET-SO001A-EN-E November 2007 Contact Rockwell Customer Support Telephone 1.440.646.3434 Online Support http://www.rockwellautomation.com/support/

More information

Firewall Environments. Name

Firewall Environments. Name Complliiance Componentt DEEFFI INITION Description Rationale Firewall Environments Firewall Environment is a term used to describe the set of systems and components that are involved in providing or supporting

More information

- Introduction to PIX/ASA Firewalls -

- Introduction to PIX/ASA Firewalls - 1 Cisco Security Appliances - Introduction to PIX/ASA Firewalls - Both Cisco routers and multilayer switches support the IOS firewall set, which provides security functionality. Additionally, Cisco offers

More information

Stratix 5700 Network Address Translation. Quick Start

Stratix 5700 Network Address Translation. Quick Start Stratix 5700 Network Address Translation Quick Start Important User Information Solid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines

More information

Course Contents CCNP (CISco certified network professional)

Course Contents CCNP (CISco certified network professional) Course Contents CCNP (CISco certified network professional) CCNP Route (642-902) EIGRP Chapter: EIGRP Overview and Neighbor Relationships EIGRP Neighborships Neighborship over WANs EIGRP Topology, Routes,

More information

Dr. György Kálmán gyorgy@mnemonic.no

Dr. György Kálmán gyorgy@mnemonic.no COMMUNICATION AND SECURITY IN CURRENT INDUSTRIAL AUTOMATION Dr. György Kálmán gyorgy@mnemonic.no Agenda Connected systems historical overview Current trends, concepts, pre and post Stuxnet Risks and threats

More information

Network Security Topologies. Chapter 11

Network Security Topologies. Chapter 11 Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network

More information

Network System Design Lesson Objectives

Network System Design Lesson Objectives Network System Design Lesson Unit 1: INTRODUCTION TO NETWORK DESIGN Assignment Customer Needs and Goals Identify the purpose and parts of a good customer needs report. Gather information to identify network

More information

Network Security. Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ. July 2010. Network Security 08

Network Security. Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ. July 2010. Network Security 08 Network Security (Principles i & Practices) Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ By: Arash Habibi Lashkari July 2010 1 Introduction to Network Security Model of Network

More information

Secure Remote Support

Secure Remote Support Secure Remote Support - Monitor, Manage, Configure remote assets - Cloud Based Data Collection Tom Peshek Program Manager Remote Services and Support - 5058-CO900G Remote Monitoring and Diagnostics Value

More information

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus CSCI - 440 Network Security and Perimeter Protection 3-0-3 CATALOG DESCRIPTION This

More information

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005 State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology

More information

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch

DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)

More information

Information Technology Security Guideline. Network Security Zoning

Information Technology Security Guideline. Network Security Zoning Information Technology Security Guideline Network Security Zoning Design Considerations for Placement of s within Zones ITSG-38 This page intentionally left blank. Foreword The Network Security Zoning

More information

IACS Network Security and the Demilitarized Zone

IACS Network Security and the Demilitarized Zone CHAPTER 6 IACS Network Security and the Demilitarized Zone Overview This chapter focuses on network security for the IACS network protecting the systems, applications, infrastructure, and end-devices.

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011

CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011 CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011 1 Purpose Specific NERC CIP-005 Requirements Underlying fundamentals of the ESP architecture Building

More information

Building Secure Networks for the Industrial World

Building Secure Networks for the Industrial World Building Secure Networks for the Industrial World Anders Felling Vice President, International Sales Westermo Group Managing Director Westermo Data Communication AB 1 Westermo What do we do? Robust data

More information

E-Commerce Security Perimeter (ESP) Identification and Access Control Process

E-Commerce Security Perimeter (ESP) Identification and Access Control Process Electronic Security Perimeter (ESP) Identification and Access Control Process 1. Introduction. A. This document outlines a multi-step process for identifying and protecting ESPs pursuant to the North American

More information

Trademark Notice. General Disclaimer

Trademark Notice. General Disclaimer Trademark Notice General Disclaimer Intelligent Management, Centralized Operation & Maintenance Huawei Data Center Network Management Solution A data center is an integrated IT application environment

More information

Network Virtualization and Data Center Networks 263-3825-00 Data Center Virtualization - Basics. Qin Yin Fall Semester 2013

Network Virtualization and Data Center Networks 263-3825-00 Data Center Virtualization - Basics. Qin Yin Fall Semester 2013 Network Virtualization and Data Center Networks 263-3825-00 Data Center Virtualization - Basics Qin Yin Fall Semester 2013 1 Walmart s Data Center 2 Amadeus Data Center 3 Google s Data Center 4 Data Center

More information

Session 14: Functional Security in a Process Environment

Session 14: Functional Security in a Process Environment Abstract Session 14: Functional Security in a Process Environment Kurt Forster Industrial IT Solutions Specialist, Autopro Automation Consultants In an ideal industrial production security scenario, the

More information

100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)

100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) 100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) Course Overview This course provides students with the knowledge and skills to implement and support a small switched and routed network.

More information

State of Texas. TEX-AN Next Generation. NNI Plan

State of Texas. TEX-AN Next Generation. NNI Plan State of Texas TEX-AN Next Generation NNI Plan Table of Contents 1. INTRODUCTION... 1 1.1. Purpose... 1 2. NNI APPROACH... 2 2.1. Proposed Interconnection Capacity... 2 2.2. Collocation Equipment Requirements...

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

FIREWALLS & CBAC. philip.heimer@hh.se

FIREWALLS & CBAC. philip.heimer@hh.se FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that

More information

Utility Modernization Cyber Security City of Glendale, California

Utility Modernization Cyber Security City of Glendale, California Utility Modernization Cyber Security City of Glendale, California Cyber Security Achievements Cyber Security Achievements (cont) 1. Deploying IT Security Awareness training program Q4 2012 2. Purchased

More information

Virtualized System Reduces Client s Capital and Maintenance Costs

Virtualized System Reduces Client s Capital and Maintenance Costs Virtualized System Reduces Client s Capital and Maintenance Costs Insert Photo Here Steve Malyszko, P. E. President Steve Schneebeli Lead Systems Engineer Rockwell Automation Process Solutions User Group

More information

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0 ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS Version 2.0 July 20, 2012 Table of Contents 1 Foreword... 1 2 Introduction... 1 2.1 Classification... 1 3 Scope... 1

More information

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs

Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs As a head of the campus network department in the Deanship of Information Technology at King Abdulaziz University for more

More information

Cisco Certified Network Expert (CCNE)

Cisco Certified Network Expert (CCNE) 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Network Expert (CCNE) Program Summary This instructor- led program with a combination

More information

70-647: Windows Server Enterprise Administration

70-647: Windows Server Enterprise Administration 70-647: Windows Server Enterprise Administration Course Introduction Course Introduction Chapter 01 - Planning for Active Directory Lesson 1: Logical Design The Forest How Will AD DS be Used? Requirements

More information

IPv6 Integration in Federal Government: Adopt a Phased Approach for Minimal Disruption and Earlier Benefits

IPv6 Integration in Federal Government: Adopt a Phased Approach for Minimal Disruption and Earlier Benefits IPv6 Integration in Federal Government: Adopt a Phased Approach for Minimal Disruption and Earlier Benefits Abstract U.S. federal government agencies are required to integrate IPv6 into their network infrastructures,

More information

Designing a Windows Server 2008 Network Infrastructure

Designing a Windows Server 2008 Network Infrastructure Designing a Windows Server 2008 Network Infrastructure MOC6435 About this Course This five-day course will provide students with an understanding of how to design a Windows Server 2008 Network Infrastructure

More information

Virtualization In Manufacturing Industries. Copyright 2012 Rockwell Automation, Inc. All rights reserved.

Virtualization In Manufacturing Industries. Copyright 2012 Rockwell Automation, Inc. All rights reserved. Virtualization In Manufacturing Industries Rev 5058-CO900C What is Virtualization? Traditionally the OS and its applications were tightly coupled to the hardware they were installed on Virtualization breaks

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

TÓPICOS AVANÇADOS EM REDES ADVANCED TOPICS IN NETWORKS

TÓPICOS AVANÇADOS EM REDES ADVANCED TOPICS IN NETWORKS Mestrado em Engenharia de Redes de Comunicações TÓPICOS AVANÇADOS EM REDES ADVANCED TOPICS IN NETWORKS 2008-2009 Exemplos de Projecto - Network Design Examples 1 Hierarchical Network Design 2 Hierarchical

More information