CT392 - Industrial Demilitarized Zone Design Principles
- Roderick Moore
- 7 years ago
Transcription
Slide 1: CT392 - Industrial Demilitarized Zone Design Principles (Rev 5058-CO900E)

Slide 2: Agenda
- Fundamentals and Review
- What is an IDMZ?
- Methodology
- Network Segmentation

Slide 3: Fundamentals and Review
Slide 4: Purdue Reference Model
- Level 3 & 4: MES - Manufacturing Execution System; measures and controls production facilities; tracks and measures key operational criteria such as product, equipment, labor, inventory, defects, etc.; a key interface to the Enterprise-level applications
- Level 3: Historian - collects historical data from the plant-floor applications and reports or displays it in various report formats
- Level 3: SCADA - Supervisory Control and Data Acquisition; large-scale distributed measurement and control systems, usually covering a geographical area
- Level 2: HMI - Human Machine Interfaces display operational status to operations personnel and may allow them to perform basic functions (e.g. start/stop a process)
- Level 1: Programmable Automation Controller or Programmable Logic Controller; controls a subset (Cell/Area), e.g. a line or function, as well as the relevant devices in that Cell/Area
- Level 0: Sensor/Actuator device - a device that measures or controls key functions or aspects of the industrial automation process
Slide 5: Campus Network Diagram to Ground Our Conversation
- Hierarchical, modular and scalable building blocks
- Creates small domains with clear demarcations and segmentation: fault domain (e.g. Layer 2 loops), broadcast domain, domains of trust (security)
- Easier to grow, understand and troubleshoot
- Multi-tier switch model:
- Core - aggregates distribution switches; backbone of the network; DMZ connectivity
- Distribution - aggregates access switches; provides Layer 3 services
- Access - aggregates industrial automation and control system (IACS) devices; provides Layer 2 services
- Diagram tiers: Core, Distribution, Access

Slide 6: Layers and Levels (diagram)
- Layer 3 Distribution Switch: Catalyst 3750 StackWise Switch Stack
- Layer 2 Access Switches: Rockwell Automation Stratix 5700/8000
- Cell/Area Zones, Levels 0-2; devices shown: HMI, Phone, Camera, Controller, Safety Controller, Safety I/O, I/O, MCC, Soft Starter, Servo Drive, Drive, Instrumentation, Media & Connectors
- Cell/Area #1: Redundant Star Topology, Flex Links resiliency
- Cell/Area #2: Ring Topology, Resilient Ethernet Protocol (REP)
- Cell/Area #3: Bus/Star Topology
Slide 7: Go Beyond Defense in Depth
- Search.com defines: "Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier."
- PUBLIC INFORMATION. Copyright 2009 Rockwell Automation, Inc. All rights reserved.

Slide 8: Agenda
- Fundamentals and Review
- What is an IDMZ?
- Methodology
- Network Segmentation
Slide 9: Network Convergence - Continuing Trend
- Traditional 3 Tier Network Model: Corporate Network (Back-Office Mainframes and Servers (ERP, MES, etc.); Office Applications, Internetworking, Data Servers, Storage); Control Network (Gateway, Supervisory Control, Human Machine Interface (HMI), Controller); a third tier of field devices (Robotics, Motors, Drives, Actuators, Sensors and other Input/Output Devices)
- Converged Plantwide EtherNet/IP Network Model: one network carrying the Corporate Network servers and applications together with Supervisory Control, HMI, Controller, Safety Controller, Phone, Camera, Robotics, Motors, Drives, Actuators, I/O, Safety I/O, Sensors and other Input/Output Devices
- EtherNet/IP - enabling/driving convergence of control and information

Slide 10: Network Convergence - Continued Trend
- Enterprise: Wide Area Network (WAN); physical or virtualized servers (ERP, Active Directory (AD), AAA Radius, Call Manager); Office Applications, Internetworking, Data Servers, Storage
- Industrial Demilitarized Zone (IDMZ): physical or virtualized servers (Patch Management, Remote Gateway Services, Application Mirror, AV Server); Firewall (Active) and Firewall (Standby) with a Gbps link for failover detection; firewalls for separation; Unified Threat Management; authentication & authorization; application & data sharing via replication or terminal services
- Plant-wide / Site-wide Network (Integrated Architecture): physical or virtualized servers (FactoryTalk Application Servers & Services Platform; Network Services e.g. DNS, AD, DHCP, AAA; Remote Access Server (RAS); Call Manager; Storage Array); Phone, Drive, Controller, Camera, I/O, Supervisory Control, Safety Controller, Mobile User, Linking Device, Instrumentation, Condition Monitoring, Human Machine Interface (HMI), Soft Starter, Motors, Drives, Actuators, Safety I/O, Overload Relay, Robotics, Motor Control Center
Slide 11: What is an IDMZ?
- An IDMZ, or Industrial Demilitarized Zone, is a sub-network placed between a trusted network (industrial) and an untrusted network (enterprise).
- The IDMZ contains business-facing assets that act as brokers between the trusted and untrusted networks.
- Traffic never travels directly across the IDMZ.
- A properly designed IDMZ can be unplugged if compromised and still allow the industrial network to operate without disruption.

Slide 12: Demilitarized Zone (DMZ)
- Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network.
- The purpose of the DMZ is to add an additional layer of security to the trusted network.
- Diagram: UNTRUSTED -> Web Proxy (BROKER) -> TRUSTED

Slide 13: Industrial Demilitarized Zone (IDMZ) - Controlling Access to the Industrial Zone
- Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network.
- The purpose of the IDMZ is to add an additional layer of security to the trusted network.
- Diagram: Enterprise (TRUSTED? UNTRUSTED?) -> DMZ (BROKER) -> TRUSTED (Industrial Zone)
Slide 14: Industrial Demilitarized Zone (IDMZ) - Controlling Access to the Industrial Zone
- All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
- Only path between zones
- No common protocols in each logical firewall
- No control traffic into the IDMZ; CIP stays home
- No primary services are permanently housed in the IDMZ
- IDMZ shall not permanently house data
- Application data mirror to move data into and out of the Industrial Zone
- Limit outbound connections from the IDMZ
- Be prepared to turn off access via the firewall
- Diagram: Enterprise (Trusted? Untrusted?) - Disconnect Point - IDMZ (Replicated Services; No Direct Traffic) - Disconnect Point - Industrial Zone (Trusted)

Slide 15: Industrial Demilitarized Zone (IDMZ) - Controlling Access to the Industrial Zone
- Set up functional sub-zones in the IDMZ to segment access to data and services (e.g. Partner zone, Operations, IT)
- Diagram: Enterprise (Trusted? Untrusted?) - Disconnect Point - IDMZ with multiple functional sub-zones (Terminal Services, Patch Management, AV Server, Historian Mirror, Web Services Operations, Application Server; No Direct Traffic) - Disconnect Point - Industrial Zone (Trusted)

Slide 16: Controlling Access to the Industrial Zone - Logical Model
- Enterprise Zone: Level 5 Enterprise Network (…, Intranet, etc.); Level 4 Site Business Planning and Logistics Network
- IDMZ (between two firewalls; the diagram annotates the firewalls with Web and CIP): Remote Gateway Services, Application Mirror, Patch Management, Web Services Operations, AV Server, Application Server
- Industrial Zone: Level 3 Site Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Remote Access Server); Cell/Area Zone: Level 2 Area Supervisory Control (FactoryTalk Client, Operator Interface, Engineering Workstation), Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control), Level 0 Process (Sensors, Drives, Actuators, Robots)
- Industrial Automation and Control System (IACS): converged multi-discipline network
- No direct traffic flow between Enterprise and Industrial Zone
Slide 17: Agenda
- Fundamentals and Review
- What is an IDMZ?
- Methodology
- Network Segmentation

Slide 18: Methodology
- Develop a scientific method to produce repeatable, measurable and maintainable solution(s)
- Look at the problem holistically and drill down to each system

Slide 19: IDMZ / Network Reconnaissance (Design Pre-work)
- Phases: Recon Phase (Identify Assets or Asset Classes; Identify Asset Owners), then Design Phase (Requirements Phase, Architectural Phase, Tech. Design Phase, Implement, Maintain)
- Identify the types of assets in the Industrial Zone and those that support manufacturing. ACTION: document assets by documentation, interviews and network scanning
- Identify who owns the hardware and software on the asset. ACTION: document asset owners and schedule interviews

Slide 20: Classify Asset Types
- Goal: identify assets that support the manufacturing process
- Goal: identify whether an asset belongs in the Industrial Zone or the Enterprise

Slide 21: Diagram Data Sources Feeding Higher Level Assets (diagram)

Slide 22: Identify System Owners / Users (diagram; includes a DC)

Slide 23: Interview Process
- The interview process identifies how the owners and clients of the assets operate, configure, patch and upgrade them
- Identifies where the data is produced and consumed
- This process is used to gather requirements
Slide 24: IDMZ / Network Design Methodology
- Requirements Phase: requirements are "a statement identifying a capability, physical characteristic or quality factor that bounds a product or process problem for which a solution will be pursued" (Source: IEEE Standard). ACTION: interview all system owners to gather requirements for operations, configuration and maintenance.
- Architectural Phase: high-level architectural recommendations proposed to meet the customer requirements. ACTION: produce high-level documentation and drawings to meet every requirement.
- Technical Design Phase: detailed information, usually written by the coder or implementer, describing how the system or product will be programmed and configured to meet the customer requirements and the high-level architecture. ACTION: produce detailed documentation such as drawings, switch configurations, VLANs, IP addresses and firewall ACLs.
- Implementation: the system components are brought together and tested during this phase per the testing plan. ACTION: verify (was the product built right?) and validate (was the right product built?).
- Maintain: the system has been verified and validated and is maintained by Operations and Maintenance. ACTION: modify configurations and assets to fix anomalies or required operational changes.
Slide 25: High Level Architecture (diagram: Enterprise, DMZ)

Slide 26: How to Derive High Level Architecture
- Diagram labels: Enterprise, Client Actor, MES, Order Entry, Historian, QC Systems, DMZ
- No control protocols through the firewall(s)

Slide 27: Move the Assets Around to Minimize Cross Traffic, Especially Control Protocols
- Diagram: Enterprise (Historian, Client Actor, MES, Order Entry); DMZ (Historian Mirror, Data Proxy); Historian, QC Systems

Slide 28: High Level Architecture - Review All Use Cases and Meet All Requirements
- Use case: configure Historian from Enterprise
- Diagram: Enterprise - DMZ (Remote Desktop Gateway)

Slide 29: High Level Architecture - Review Use Cases
- Use case: move data from Historian to Enterprise Historian
- Diagram: DMZ (Historian Mirror)
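The design rules of slides 14 and 15 (all traffic terminates in the IDMZ, CIP stays home, outbound connections from the IDMZ are limited, functional sub-zones, disconnect points) and the two use cases of slides 28 and 29 (configure the historian from the enterprise through a remote desktop gateway; move historian data out through a mirror) can be checked mechanically against a firewall rule table. The following is an added example, not code from the deck or from Rockwell Automation or Cisco: zone and sub-zone names, rule names and the port numbers (3389 for the remote desktop gateway hop, 5450 for historian replication) are assumptions made for the illustration.

```python
"""IDMZ firewall-policy checker (added example; not from the CT392 deck).

Encodes the deck's IDMZ rules as checks over a constructed rule table and
traces whether a service between enterprise and industrial is brokered by an
IDMZ sub-zone. Zone names, sub-zone names and ports are assumptions.
"""
from dataclasses import dataclass

ENTERPRISE = "enterprise"   # untrusted side, Purdue levels 4-5
INDUSTRIAL = "industrial"   # trusted side, Purdue levels 0-3
# Functional sub-zones inside the IDMZ (deck: e.g. Partner, Operations, IT); names assumed
IDMZ_SUBZONES = {"idmz-operations", "idmz-it", "idmz-partner"}

# EtherNet/IP (CIP) ports: TCP/UDP 44818 explicit messaging, UDP 2222 implicit I/O
CONTROL_PROTOCOLS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    """One permit rule on the IDMZ firewall pair; src initiates the connection."""
    name: str
    src: str
    dst: str
    proto: str
    port: int


def in_idmz(zone):
    return zone in IDMZ_SUBZONES


def check_rule(rule, idmz_outbound_allow):
    """Return the IDMZ design principles this rule violates (empty list = clean)."""
    findings = []
    # Principle: traffic from either side terminates in the IDMZ, never traverses it
    if rule.src != rule.dst and not in_idmz(rule.src) and not in_idmz(rule.dst):
        findings.append("direct enterprise<->industrial traffic; must terminate in the IDMZ")
    # Principle: no control traffic into the IDMZ, CIP stays home (industrial to industrial only)
    if (rule.proto, rule.port) in CONTROL_PROTOCOLS and not (
        rule.src == INDUSTRIAL and rule.dst == INDUSTRIAL
    ):
        findings.append("control protocol (CIP) leaving the industrial zone; CIP stays home")
    # Principle: limit outbound connections initiated from the IDMZ to an explicit allow-list
    if in_idmz(rule.src) and (rule.dst, rule.proto, rule.port) not in idmz_outbound_allow:
        findings.append("outbound connection from the IDMZ not on the allow-list")
    return findings


def check_policy(rules, idmz_outbound_allow):
    """Map each violating rule name to its findings."""
    report = {}
    for rule in rules:
        findings = check_rule(rule, idmz_outbound_allow)
        if findings:
            report[rule.name] = findings
    return report


def brokered_via(rules, src, dst, proto, port):
    """Return the IDMZ sub-zone that brokers src->dst for this service, or None.

    A flow counts as brokered when src reaches some sub-zone on the service port
    and that same sub-zone exchanges the service with dst in either direction:
    the mirror pattern has both sides connect inbound to the IDMZ, the remote
    desktop gateway pattern has the IDMZ connect onward to the industrial host.
    """
    for zone in IDMZ_SUBZONES:
        first_hop = any(r.src == src and r.dst == zone and (r.proto, r.port) == (proto, port)
                        for r in rules)
        second_hop = any({r.src, r.dst} == {zone, dst} and (r.proto, r.port) == (proto, port)
                         for r in rules)
        if first_hop and second_hop:
            return zone
    return None


def after_unplug(rules):
    """Rules still effective once both IDMZ disconnect points are pulled.

    For a sound design, nothing left here connects enterprise and industrial.
    """
    return [r for r in rules if not in_idmz(r.src) and not in_idmz(r.dst)]


# Constructed sample policy. Ports are assumptions: 3389 RDP, 5450 historian replication.
SAMPLE_RULES = [
    Rule("ent-to-rdgw", ENTERPRISE, "idmz-operations", "tcp", 3389),     # use case: configure historian
    Rule("rdgw-to-ews", "idmz-operations", INDUSTRIAL, "tcp", 3389),     # gateway's onward hop
    Rule("hist-push-mirror", INDUSTRIAL, "idmz-operations", "tcp", 5450),  # use case: historian data out
    Rule("ent-read-mirror", ENTERPRISE, "idmz-operations", "tcp", 5450),   # enterprise reads the mirror
    Rule("ics-internal-cip", INDUSTRIAL, INDUSTRIAL, "tcp", 44818),      # CIP staying home
    # Deliberately bad rules, to show what the checker flags:
    Rule("ent-cip-direct", ENTERPRISE, INDUSTRIAL, "tcp", 44818),
    Rule("idmz-any-out", "idmz-it", ENTERPRISE, "tcp", 445),
]
# Connections the IDMZ itself may open (assumed): only the gateway's onward RDP hop
SAMPLE_OUTBOUND_ALLOW = {(INDUSTRIAL, "tcp", 3389)}

if __name__ == "__main__":
    for name, findings in check_policy(SAMPLE_RULES, SAMPLE_OUTBOUND_ALLOW).items():
        print(name, "->", "; ".join(findings))
    print("configure historian brokered via:", brokered_via(SAMPLE_RULES, ENTERPRISE, INDUSTRIAL, "tcp", 3389))
    print("historian data brokered via:", brokered_via(SAMPLE_RULES, ENTERPRISE, INDUSTRIAL, "tcp", 5450))
    print("still connected with IDMZ unplugged:", [r.name for r in after_unplug(SAMPLE_RULES)])
```

Run against the sample table, the checker flags only the two deliberately bad rules, resolves both use cases to the Operations sub-zone, and shows that `ent-cip-direct` would keep the enterprise connected to the industrial zone even after the IDMZ disconnect points are pulled, which is exactly the property slide 11 says a proper IDMZ must not have.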
Slide 30: Assets Typically Found in DMZs
- Enterprise Zone: Level 5 Enterprise Network (…, Intranet, etc.), Router; Level 4 Site Business Planning and Logistics Network
- IDMZ (between two firewalls; the diagram annotates the firewalls with Web and CIP): Remote Access Technologies, Terminal Services, Patch Management, AV Server, Historian Mirror, Web Services Operations, File Transfer Server
- Industrial Zone: Level 3 Site Manufacturing Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller); Cell/Area Zone: Level 2 Area Supervisory Control (FactoryTalk Client, Operator Interface, Engineering Workstation), Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control), Level 0 Process (Sensors, Drives, Actuators, Robots)

Slide 31: Assets Typically Found in DMZs
- Same diagram as slide 30, with Windows Server Update Services (WSUS) shown among the IDMZ assets in place of Remote Access Technologies
Slide 32: IDMZ / Network Design Methodology (repeat of slide 24)
Slide 33: Agenda
- Fundamentals and Review
- What is an IDMZ?
- Methodology
- Network Segmentation

Slide 34: Architecture to Support the IDMZ
- Division of plant-wide / site-wide architectures into functional areas for secured access
- ISA-99 Zones and Conduits model
- OEM participation: IP addresses, VLAN IDs
- Access layer to distribution layer cooperation
- System design requires full cooperation of all system integrators, OEMs, IT and plant/site engineering
Slide 35: Data Link / Network Layers - Availability
- Control systems are designed with the availability requirement first!
- Enterprise (Levels 4 and 5): ERP, …, Wide Area Network (WAN); Catalyst 6500/4500
- Industrial Demilitarized Zone (IDMZ): Patch Management, Terminal Services, Application Mirror, AV Server, Remote Access Server; Cisco ASA 5500 Firewall (Active) and Firewall (Standby) with a Gbps link for failover detection
- Site Operations and Control (Level 3): Catalyst 3750 StackWise Switch Stack; FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Audit); Data Servers; Network Services (DNS, DHCP, syslog server); network and security management; Cisco Catalyst Switch
- Cell/Area Zones (Levels 0-2): Rockwell Automation Stratix 8000 Layer 2 Access Switches; Cell/Area #1, #2 and #3 with HMI, Controller, Drive and I/O devices on VLANs 101-105 and 41-44
- Link types: Layer 2 access link; Layer 2 interswitch link / 802.1Q trunk; Layer 3 link

Slide 36: Structure and Hierarchy - Network Segmentation: Building Block for Availability
- The Cell/Area Zone is a Layer 2 network for a functional area (plant-wide or site-wide)
- Key network considerations include: structure and hierarchy using smaller Layer 2 building blocks; logical segmentation for traffic management and policy enforcement (e.g. QoS, …) to accommodate time-sensitive applications
- Diagram: Layer 3 Distribution Switch (Catalyst 3750 StackWise Switch Stack) as the Layer 3 building block; Rockwell Automation Stratix 5700/8000 Layer 2 Access Switches; Cell/Area Zones (Levels 0-2) as Layer 2 building blocks: Cell/Area #1 Redundant Star Topology with Flex Links resiliency, Cell/Area #2 Ring Topology with Resilient Ethernet Protocol (REP), Cell/Area #3 Bus/Star Topology; devices shown: HMI, Phone, Controller, Camera, Instrumentation, Media & Connectors, MCC, I/O, Soft Starter, Servo Drive, Safety I/O, Drive, Safety Controller

Slide 37: Questions?
More informationConfiguring PROFINET
CHAPTER 9 This chapter describes how to configure the PROFINET feature on the Cisco IE 3000 switch. Understanding PROFINET, page 9-1, page 9-4 Displaying the PROFINET Configuration, page 9-5 Troubleshooting
More informationEthernet Design Considerations for Control System Networks AN INTRODUCTION
Ethernet Design Considerations for Control System Networks AN INTRODUCTION PUBLICATION ENET-SO001A-EN-E November 2007 Contact Rockwell Customer Support Telephone 1.440.646.3434 Online Support http://www.rockwellautomation.com/support/
More informationFirewall Environments. Name
Complliiance Componentt DEEFFI INITION Description Rationale Firewall Environments Firewall Environment is a term used to describe the set of systems and components that are involved in providing or supporting
More information- Introduction to PIX/ASA Firewalls -
1 Cisco Security Appliances - Introduction to PIX/ASA Firewalls - Both Cisco routers and multilayer switches support the IOS firewall set, which provides security functionality. Additionally, Cisco offers
More informationStratix 5700 Network Address Translation. Quick Start
Stratix 5700 Network Address Translation Quick Start Important User Information Solid state equipment has operational characteristics differing from those of electromechanical equipment. Safety Guidelines
More informationCourse Contents CCNP (CISco certified network professional)
Course Contents CCNP (CISco certified network professional) CCNP Route (642-902) EIGRP Chapter: EIGRP Overview and Neighbor Relationships EIGRP Neighborships Neighborship over WANs EIGRP Topology, Routes,
More informationDr. György Kálmán gyorgy@mnemonic.no
COMMUNICATION AND SECURITY IN CURRENT INDUSTRIAL AUTOMATION Dr. György Kálmán gyorgy@mnemonic.no Agenda Connected systems historical overview Current trends, concepts, pre and post Stuxnet Risks and threats
More informationNetwork Security Topologies. Chapter 11
Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network
More informationNetwork System Design Lesson Objectives
Network System Design Lesson Unit 1: INTRODUCTION TO NETWORK DESIGN Assignment Customer Needs and Goals Identify the purpose and parts of a good customer needs report. Gather information to identify network
More informationNetwork Security. Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ. July 2010. Network Security 08
Network Security (Principles i & Practices) Outlines: Introduction to Network Security Dfii Defining Security Zones DMZ By: Arash Habibi Lashkari July 2010 1 Introduction to Network Security Model of Network
More informationSecure Remote Support
Secure Remote Support - Monitor, Manage, Configure remote assets - Cloud Based Data Collection Tom Peshek Program Manager Remote Services and Support - 5058-CO900G Remote Monitoring and Diagnostics Value
More informationNEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus
NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus CSCI - 440 Network Security and Perimeter Protection 3-0-3 CATALOG DESCRIPTION This
More informationState of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD005.001. Effective Date: April 7, 2005
State of New Mexico Statewide Architectural Configuration Requirements Title: Network Security Standard S-STD005.001 Effective Date: April 7, 2005 1. Authority The Department of Information Technology
More informationDMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch
DMZ Virtualization Using VMware vsphere 4 and the Cisco Nexus 1000V Virtual Switch What You Will Learn A demilitarized zone (DMZ) is a separate network located in the neutral zone between a private (inside)
More informationInformation Technology Security Guideline. Network Security Zoning
Information Technology Security Guideline Network Security Zoning Design Considerations for Placement of s within Zones ITSG-38 This page intentionally left blank. Foreword The Network Security Zoning
More informationIACS Network Security and the Demilitarized Zone
CHAPTER 6 IACS Network Security and the Demilitarized Zone Overview This chapter focuses on network security for the IACS network protecting the systems, applications, infrastructure, and end-devices.
More informationINTRUSION DETECTION SYSTEMS and Network Security
INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS
More informationCIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011
CIP-005-3 Electronic Security Perimeter (ESP) - Dan Mishra FRCC Compliance Workshop May 09-13, 2011 1 Purpose Specific NERC CIP-005 Requirements Underlying fundamentals of the ESP architecture Building
More informationBuilding Secure Networks for the Industrial World
Building Secure Networks for the Industrial World Anders Felling Vice President, International Sales Westermo Group Managing Director Westermo Data Communication AB 1 Westermo What do we do? Robust data
More informationE-Commerce Security Perimeter (ESP) Identification and Access Control Process
Electronic Security Perimeter (ESP) Identification and Access Control Process 1. Introduction. A. This document outlines a multi-step process for identifying and protecting ESPs pursuant to the North American
More informationTrademark Notice. General Disclaimer
Trademark Notice General Disclaimer Intelligent Management, Centralized Operation & Maintenance Huawei Data Center Network Management Solution A data center is an integrated IT application environment
More informationNetwork Virtualization and Data Center Networks 263-3825-00 Data Center Virtualization - Basics. Qin Yin Fall Semester 2013
Network Virtualization and Data Center Networks 263-3825-00 Data Center Virtualization - Basics Qin Yin Fall Semester 2013 1 Walmart s Data Center 2 Amadeus Data Center 3 Google s Data Center 4 Data Center
More informationSession 14: Functional Security in a Process Environment
Abstract Session 14: Functional Security in a Process Environment Kurt Forster Industrial IT Solutions Specialist, Autopro Automation Consultants In an ideal industrial production security scenario, the
More information100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1)
100-101: Interconnecting Cisco Networking Devices Part 1 v2.0 (ICND1) Course Overview This course provides students with the knowledge and skills to implement and support a small switched and routed network.
More informationState of Texas. TEX-AN Next Generation. NNI Plan
State of Texas TEX-AN Next Generation NNI Plan Table of Contents 1. INTRODUCTION... 1 1.1. Purpose... 1 2. NNI APPROACH... 2 2.1. Proposed Interconnection Capacity... 2 2.2. Collocation Equipment Requirements...
More informationArchitecture Overview
Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and
More informationFIREWALLS & CBAC. philip.heimer@hh.se
FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that
More informationUtility Modernization Cyber Security City of Glendale, California
Utility Modernization Cyber Security City of Glendale, California Cyber Security Achievements Cyber Security Achievements (cont) 1. Deploying IT Security Awareness training program Q4 2012 2. Purchased
More informationVirtualized System Reduces Client s Capital and Maintenance Costs
Virtualized System Reduces Client s Capital and Maintenance Costs Insert Photo Here Steve Malyszko, P. E. President Steve Schneebeli Lead Systems Engineer Rockwell Automation Process Solutions User Group
More informationENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0
ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS Version 2.0 July 20, 2012 Table of Contents 1 Foreword... 1 2 Introduction... 1 2.1 Classification... 1 3 Scope... 1
More informationDisaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs
Disaster Recovery Design Ehab Ashary University of Colorado at Colorado Springs As a head of the campus network department in the Deanship of Information Technology at King Abdulaziz University for more
More informationCisco Certified Network Expert (CCNE)
529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Network Expert (CCNE) Program Summary This instructor- led program with a combination
More information70-647: Windows Server Enterprise Administration
70-647: Windows Server Enterprise Administration Course Introduction Course Introduction Chapter 01 - Planning for Active Directory Lesson 1: Logical Design The Forest How Will AD DS be Used? Requirements
More informationIPv6 Integration in Federal Government: Adopt a Phased Approach for Minimal Disruption and Earlier Benefits
IPv6 Integration in Federal Government: Adopt a Phased Approach for Minimal Disruption and Earlier Benefits Abstract U.S. federal government agencies are required to integrate IPv6 into their network infrastructures,
More informationDesigning a Windows Server 2008 Network Infrastructure
Designing a Windows Server 2008 Network Infrastructure MOC6435 About this Course This five-day course will provide students with an understanding of how to design a Windows Server 2008 Network Infrastructure
More informationVirtualization In Manufacturing Industries. Copyright 2012 Rockwell Automation, Inc. All rights reserved.
Virtualization In Manufacturing Industries Rev 5058-CO900C What is Virtualization? Traditionally the OS and its applications were tightly coupled to the hardware they were installed on Virtualization breaks
More informationA host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.
A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based
More informationTÓPICOS AVANÇADOS EM REDES ADVANCED TOPICS IN NETWORKS
Mestrado em Engenharia de Redes de Comunicações TÓPICOS AVANÇADOS EM REDES ADVANCED TOPICS IN NETWORKS 2008-2009 Exemplos de Projecto - Network Design Examples 1 Hierarchical Network Design 2 Hierarchical
More information