Security appliances with integrated switch- Even more secure and more cost effective

Transcription

1 Security appliances with integrated switch- Even more secure and more cost effective There is currently a great deal of discussion about the issue of cyber security and its optimisation. But not many businesses have a concrete idea even of the types of dangers against which they must defend themselves. With its new Security Appliances FL MGuard RS2005 and RS4004, Phoenix Contact provides new devices with innovative functions that effectively protect the network from the many types of attacks. Today, plants are generally made up of complex machines and systems that are characterized by a high degree of automation. In the course of the forward-looking Industry 4.0 project, automation is likely to increase. Such solutions must be equipped with IT security that is oriented both on system requirements and user needs. IT security needs to erect appropriate impediments to the usual attack vectors, such as the Internet. On the other hand, production systems need to operate with increasing efficiency. Downtimes not only result in financial loss, but also jeopardise delivery dates and therefore the manufacturer s reputation. That is why, in addition to the constantly connected networks through which machines and systems communicate, remote maintenance access and thus networks outside the company must be considered and measures taken to protect against the dangers they pose.

2 The continuous networking of machines and systems to form comprehensive systems has increased significantly, especially in recent years. However, during the planning and construction of individual system components, those responsible often did not expect communication that would cross the borders of the system. That is why the issue of IT security was often neglected. Past attacks have made it clear, however, that even special industrial protocols and proprietary technologies are threatened. Easy to operate even without special IT knowhow In order to compete effectively, businesses are constantly looking for potential improvements. Users focus on issues such as cost, security, bandwidth, availability, stability, and reduction of complexity and installation cost. To address these demands, Phoenix Contact has added devices with an integrated switch to the proven FL MGuard security appliances (Figure 1). The new components save space on the DIN rail and simplify installation. They are available with one unmanaged switch with five ports or one managed switch with four ports and a DMZ (Demilitarised Zone) port. SD (Secure Digital) memory cards can be used as interchangeable configuration memories to facilitate quick device replacement. Figure 1 - The new security router from Phoenix Contact. As a result of their function and price, the FL MGuard RS2005 basic series security appliances are suitable for addressing simple routing and/or remote maintenance applications with a maximum of two VPN (Virtual Private Network) tunnels and guarantee a high level of security. As required, a firewall that is easily set up without IT know-how can be used to control data traffic. The five built-in Ethernet ports allow internal networking of the system and connect it to the superordinate network through a router port. Situation-appropriate switchover of predefined firewall rules In addition to the routing functions, FL MGuard RS4004 security appliances offer the full functional scope of a firewall and VPN as well as a DMZ port and managed switch with four ports. The precisely configurable Stateful Inspection firewall filters communication based on clearly organised input and output rules. This ensures that only data exchanges authorised

3 by the user take place. The FL MGuard RS4004 also has a conditional firewall that allows situation-appropriate, predefined switchover of firewall rules. This enables the firewall to be switched between rules for various operating conditions by means of simple triggering events. This may be necessary because during productive operation and during local or remote system maintenance, certain connections should be allowed or forbidden. For example, it may be sensible to cut off all data traffic from or to the superordinate network when a control cabinet door is opened. This would isolate the service technician working locally on the system simply and effectively from the superordinate network. Another example would be allowing machine and system updates to be carried out only at suitable times, such as during regularly scheduled maintenance periods. At those times, an authorised person could use a key to switch the firewall over to allow access to the update server. This avoids the necessity of configuration change, saving time and money. The security level is also raised, since spontaneous configuration changes are often prone to errors (Figure 2). Figure 2a & b - Conditional firewall for situation-appropriate switchover in which two different firewall settings (Figure 2a and Figure 2b) are pictured. Additional connection of an isolated system The DMZ port can be used to connect an additional network. This third network is protected by means of a firewall from the other two, which are connected to the WAN and LAN ports. The DMZ port raises the security level significantly because the systems connected through it work virtually in isolation from the other systems. One example is a mail server that must, of course, be accessible through the Internet so that it can receive s. At the same time, internal users need to access the server in order to send s. But the internal users need to be isolated from the external Internet. Production data archiving systems and special remote maintenance access can operate in the DMZ. Machines and systems can thus be integrated into the superordinate network through the WAN port with the help of routing functions and enjoy the protection of the firewall at the same time. The remote maintenance that must be accessible when it is needed is implemented through the DMZ

4 port. The previously mentioned conditional firewall allows the user to activate special preset remote maintenance options (Figure 3). Dynamic monitoring of all Windows systems Figure 3 - DMZ port for secure connection of superordinate systems. In the era of the Stuxnet worm, which is tailored to attack automation systems, dynamic monitoring of all Windows systems in the production environment significantly increases the level of security. Phoenix Contact offers so-called CIFS (Common Internet File System) Integrity Monitoring (CIM), an antivirus protection system that is in compliance with industry specifications and available as an additional license for the FL MGuard RS4004 security appliances. CIM, which works like an anti-virus sensor, but does not need to reload virus patterns, detects whether malware has infected a Windows system consisting of control, operator unit, and PC. Thus, operators can run firewalls and CIM in parallel to achieve maximum protection in systems previously thought unprotectable. These include networks that use out-of-date operating systems; whose (software) standard settings were certified by the manufacturer or an official body when a change would mean losing authorisation from that body; that cannot be equipped with a virus scanner in time-critical industrial applications; that cannot download virus pattern updates because they lack a connection to the Internet, for instance (Figure 4). Summary The new FL MGuard RS2005 and RS4004 security appliances are very well suited to implementing a secure, cost-effective, and reliable security and/or remote maintenance solution. The three-level security concept supported by RS4004 devices, made up of conditional firewall, DMZ, and CIFS Integrity Figure 4 - The principle of CIM (CIFS Integrity Monitoring).

5 Monitoring (CIM), allows construction of new security architectures for the secure operation of automation solutions that are manageable for the user. Multi-level concept for protection against unauthorised access If you are interested in publishing this article, please contact Becky Smith: or telephone The new generation of fanless security routers from Phoenix Contact wins over customers with reliable security and performance. These compact devices in metal housings that can be mounted to the mounting rail have an SD card slot for easy device replacement and input/output connections. Based on a hardened Embedded Linux operating system, the RS4004 series has four coordinated security components: A bidirectional Stateful Inspection firewall with a conditional firewall A DMZ port for another isolated network A highly secure VPN gateway and Optional protection against malware using CIFS Integrity Monitoring The RS2005 series devices have been designed for use as industrial VPN field routers, so they can be used directly on the machine or as central security components in distributed networks. They provide up to two parallel VPN tunnels, a simple twoclick firewall, an integrated switch, and flexible routing functions.