Network Security
Tampere Seminar, 23rd October 2008
Copyright 2008 Hirschmann Automation and Control GmbH.

Contents
- Overview
- Switch Security
- Firewalls
- Conclusion
Overview

Information Security
Definition: a collection of measures adopted to prevent unauthorized use, malicious use, denial of use, or modification of information, facts, data, or resources.
The Threats
- Components in a plant environment are more and more interconnected
- Plant environments are increasingly open to external influences
- Attacks are simple to instigate using standard tools, which are always up to date
- Protocols (TCP/IP) and networks (Ethernet) are vulnerable
- Attacks are difficult to trace

Attacks
Attacks have different purposes:
- System intrusion (hacking)
- Destruction / sabotage / terrorism
- Fraud
- Theft of information
- Website attack
- Revenge
- Accidental manipulation
Forms of Attack
- Denial of Service (DoS)
  - Virus / Trojan horse / worms
  - Network saturation (TCP SYN, ICMP, ...)
  - System weaknesses, TCP/IP
- Access attacks
  - Social engineering, physical access
  - Password breaking
  - Impersonation, spoofing
- Collection of information / probing
  - Capturing, sniffing
  - Probing (TCP, ICMP)

Business Strategy Survey
Question: What percentage of network security attacks do you believe originate from inside or outside of your company?
Pie chart with the legend Inside / Outside / Don't know and segments of 83%, 13% and 4%.
Source: AT&T/Economist Intelligence Unit Networking and Business Strategy Survey, March-April 2004
Nessus
- Nessus is the world's most popular vulnerability scanner
- Used in over 75,000 organizations world-wide

SCADA Plug-in
CERN SCADA Testing (Switzerland)
- Netwox: denial of service attack
- Nessus: vulnerability attack
Results of 51 different TOCSSiC* tests on networked industrial control devices, mainly PLCs, using Netwox and Nessus.
Source: The Industrial Ethernet Book, November 2006
* TOCSSiC: Test stand On Control System Security, a program at CERN

Switch Security
Physical Access

Physical Access: M12 Connectors
Unused Ports
- Unused ports can be switched off
- No access to the network is possible through a port that is switched off

Port Security
- Network access via a port can be limited to a specific device, identified by
  - MAC address
  - IP address
- On an access violation
  - A warning message is sent to the management station
  - The port can be automatically switched off
Both identifiers are chosen by the connected device and can be copied from a legitimate one, so port security stops accidental or casual connections; against a deliberate attacker it should be combined with 802.1X.
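The following is an added example, not Hirschmann firmware, that models the two slides above: a port bound to a permitted MAC and IP address, an access violation that raises an alert for the management station and shuts the port, and an unused port that is switched off. Port names, MAC addresses (locally administered 02:... addresses) and IP addresses are constructed for the demonstration.

```python
"""Model of switch port security: bind a port to permitted source addresses,
alert and (optionally) shut the port down on a violation.

Added example, not Hirschmann code; all names and addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


@dataclass
class SecurePort:
    name: str
    allowed_macs: set = field(default_factory=set)   # empty set = no MAC restriction
    allowed_ips: set = field(default_factory=set)    # empty set = no IP restriction
    shutdown_on_violation: bool = True
    enabled: bool = True                              # False models an unused, switched-off port
    alerts: list = field(default_factory=list)        # warning messages for the management station

    def __post_init__(self):
        self.allowed_macs = {m.lower() for m in self.allowed_macs}

    def admit(self, frame: Frame) -> bool:
        """Return True if the frame is forwarded into the network."""
        if not self.enabled:
            return False                              # switched-off port: no access at all
        mac_ok = not self.allowed_macs or frame.src_mac.lower() in self.allowed_macs
        ip_ok = not self.allowed_ips or frame.src_ip in self.allowed_ips
        if mac_ok and ip_ok:
            return True
        # Access violation: warn the management station, then act on the port.
        self.alerts.append(f"{self.name}: access violation from {frame.src_mac} ({frame.src_ip})")
        if self.shutdown_on_violation:
            self.enabled = False                      # stays down until an administrator re-enables it
        return False


def run_demo() -> dict:
    plc = Frame("02:00:00:00:00:01", "10.10.10.123")      # the device the port is bound to (constructed)
    laptop = Frame("02:00:00:00:00:99", "10.10.10.200")   # something else plugged in (constructed)
    port1 = SecurePort("port 1/1", allowed_macs={"02:00:00:00:00:01"}, allowed_ips={"10.10.10.123"})
    port8 = SecurePort("port 1/8", enabled=False)         # unused port, switched off
    return {
        "plc_admitted": port1.admit(plc),
        "laptop_admitted": port1.admit(laptop),
        "alerts": list(port1.alerts),
        "port1_enabled_after_violation": port1.enabled,
        "plc_admitted_after_shutdown": port1.admit(plc),
        "unused_port_admits": port8.admit(laptop),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that once the port has shut itself down the legitimate PLC is locked out too; in a plant that is an availability trade-off the operator must accept knowingly, which is why the alert to the management station matters as much as the shutdown.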
802.1X Authentication
Participants: Client (supplicant), Switch (authenticator), RADIUS server (authentication server).
1. User requests authentication
2. Switch requests proof of identity from the client
3. Client gives the switch its proof of identity
4. Switch forwards the proof of identity to RADIUS
5. RADIUS requests a challenge response from the client
6. The RADIUS request is forwarded from the switch to the client
7. Client gives its challenge response to the switch
8. Switch forwards the challenge response to RADIUS
9. RADIUS checks the challenge response and sends its response
10. The RADIUS response is forwarded from the switch to the client; on success the controlled port is activated

Physical LAN
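The ten steps above, simulated in memory as an added example (not Hirschmann code): a supplicant, an authenticator that only relays EAP and owns the controlled port, and a RADIUS server that holds the user database. EAP-MD5 is used as the method because it is the simplest to show (response = MD5(identifier || secret || challenge), RFC 3748 section 5.4). The identities and passwords are constructed.

```python
"""802.1X / EAP-MD5 exchange: supplicant <-> switch (authenticator) <-> RADIUS.
Added example, not Hirschmann code; user database and credentials are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Eap:
    kind: str          # e.g. "EAP-Request/Identity", "EAP-Response/MD5-Challenge"
    identifier: int    # one-byte EAP identifier that pairs a response with its request
    payload: bytes = b""


class Supplicant:
    """The client being authenticated."""

    def __init__(self, identity: str, password: str):
        self.identity = identity
        self.secret = password.encode()

    def handle(self, req: Eap) -> Eap:
        if req.kind == "EAP-Request/Identity":                        # step 2 -> step 3
            return Eap("EAP-Response/Identity", req.identifier, self.identity.encode())
        if req.kind == "EAP-Request/MD5-Challenge":                   # step 6 -> step 7
            digest = hashlib.md5(bytes([req.identifier]) + self.secret + req.payload).digest()
            return Eap("EAP-Response/MD5-Challenge", req.identifier, digest)
        raise ValueError(f"unexpected EAP message {req.kind}")


class RadiusServer:
    """Authentication server: knows the users; the switch never sees a secret."""

    def __init__(self, users: dict):
        self.users = {u: p.encode() for u, p in users.items()}
        self.pending = {}    # identity -> (identifier, challenge) awaiting a response

    def access_request(self, identity: str, eap: Eap):
        if eap.kind == "EAP-Response/Identity":                       # step 4 -> step 5
            ident = (eap.identifier + 1) & 0xFF
            challenge = os.urandom(16)
            # Unknown users are challenged too, so the reply does not reveal valid names.
            self.pending[identity] = (ident, challenge)
            return "Access-Challenge", Eap("EAP-Request/MD5-Challenge", ident, challenge)
        if eap.kind == "EAP-Response/MD5-Challenge":                  # step 8 -> step 9
            ident, challenge = self.pending.pop(identity, (None, None))
            secret = self.users.get(identity)
            if secret is None or ident != eap.identifier:
                return "Access-Reject", Eap("EAP-Failure", eap.identifier)
            expected = hashlib.md5(bytes([ident]) + secret + challenge).digest()
            if hmac.compare_digest(expected, eap.payload):
                return "Access-Accept", Eap("EAP-Success", ident)
            return "Access-Reject", Eap("EAP-Failure", ident)
        return "Access-Reject", Eap("EAP-Failure", eap.identifier)


class Authenticator:
    """The switch: relays EAP between supplicant and RADIUS, controls the port."""

    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.port_authorized = False      # until True, only EAPOL frames pass this port

    def authenticate(self, supplicant: Supplicant) -> bool:
        # step 1: an EAPOL-Start from the supplicant triggers the exchange
        identity_resp = supplicant.handle(Eap("EAP-Request/Identity", 1))       # steps 2, 3
        identity = identity_resp.payload.decode()
        code, eap = self.radius.access_request(identity, identity_resp)          # steps 4, 5
        if code != "Access-Challenge":
            return False
        challenge_resp = supplicant.handle(eap)                                  # steps 6, 7
        code, eap = self.radius.access_request(identity, challenge_resp)         # steps 8, 9
        self.port_authorized = code == "Access-Accept" and eap.kind == "EAP-Success"  # step 10
        return self.port_authorized


def run_demo() -> dict:
    radius = RadiusServer({"plc-maint": "correct horse"})      # constructed user database
    attempts = {
        "good_password": Supplicant("plc-maint", "correct horse"),
        "wrong_password": Supplicant("plc-maint", "guess"),
        "unknown_user": Supplicant("intruder", "anything"),
    }
    return {label: Authenticator(radius).authenticate(sup) for label, sup in attempts.items()}


if __name__ == "__main__":
    print(run_demo())
```

EAP-MD5 authenticates only the client, and anyone who captures the challenge and response can test passwords offline, so real deployments use EAP-TLS or a tunnelled method such as PEAP; the message flow through the switch is the same.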
Virtual LANs

Multiple VLANs per Switch
Management VLAN

Access To Network Devices
- SNMPv1
- SNMPv2
- SNMPv3
- Telnet
- SSH
- Web interface
Of these, SNMPv1, SNMPv2 and Telnet send credentials and data in clear text; SNMPv3 and SSH add authentication and encryption, and the web interface should be used over HTTPS.
Acronyms: SNMP, Simple Network Management Protocol; SSH, Secure Shell
Firewalls

What is a Firewall?
A firewall is a system or group of systems that enforces an access control policy between two networks.
Diagram: Internet -> External Firewall -> DMZ -> Internal Firewall -> Private Network
Functions
Basic
- Protects against attacks from insecure networks
- Hides the internal network structure
Advanced
- Access control: when and how computers may communicate with each other
- User control: which users can access which services
- Protocol and services control: which protocols and services can run over which ports
- Data control: which data can be transmitted and received
- Logging, accounting, and auditing
- Alarming during attacks and failures

Limitations
A firewall offers limited or no protection against:
- Internal attacks
- Social engineering attacks
- Attacks over permitted connections
- Malware such as Trojans, viruses, spyware, phishing, or damaging active content (ActiveX, Java applets, JavaScript)
- Passive attacks (sniffing the LAN, traffic analysis, etc.)
- Improper use of mobile computers
- Removable media
Dual-homed Firewall
Firewall with 2 Ethernet ports:
- one for the secure network
- one for the insecure network
Diagram: Internet -> Firewall -> Private Network

Multi-homed Firewall with DMZ
Firewall with 3 or more ports:
- one for the secure network
- one for the insecure network
- one for the DeMilitarised Zone (DMZ)
Diagram: Internet -> Firewall -> Private Network, with the DMZ on a third firewall port
Screened Subnet
Deployment of two firewalls, one on either side of the DMZ.
Diagram: Internet -> External Firewall -> DMZ -> Internal Firewall -> Private Network

High Security Firewall System
Deployment of three firewalls, recommended by the BSI (German Federal Office for Information Security).
Diagram: Internet -> Packet Filter -> Application Filter (in the DMZ) -> Packet Filter -> Private Network
Firewalls and the OSI Model
- Proxies: Application, Presentation and Session layers
- Stateful Inspection: Transport layer
- Packet Filter: Network layer
- Data link and Physical layers: below the firewall functions

Stateful Inspection
- Communication is analyzed at Layer 4 (Transport)
- The firewall maintains a table of which devices are communicating
- Data is only allowed through the firewall from the insecure network if it has been requested from the secure network (or an explicit rule permits it)
Advantages
- The status of the connection is checked
- Cheaper and faster than application layer firewalls
Disadvantage
- The data inside the packet is not checked
Stateful Inspection
Diagram: a Request from the secure side passes to the insecure side and its Response is let back in; a Request originating on the insecure side is blocked (X).

Packet Filter
Packets are analyzed and filtered at the Layer 3 (Network) level, using the header fields:
- Source IP address
- Source port
- Destination IP address
- Destination port
- Protocol
Access rules define which communication is allowed. Two alternative principles:
- Deny all: all traffic which is not explicitly permitted is denied
- Laissez faire: all traffic which is not explicitly denied is allowed
Packet Filter
Special considerations
- Only the header of the packet is checked, not the enclosed data (payload)
- Each individual packet is checked, but not the data stream itself
- Often implemented in a router (access control lists)
Advantages
- Fast to implement
Disadvantages
- Neither the connection nor the data is checked
- Large number of rules
- Easy to make a mistake
- Maintenance after network changes

Packet Filtering
Diagram: HTTP and FTP traffic between the insecure and secure networks, filtered by protocol.
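An added example (not a Hirschmann product) that puts the Packet Filter and Stateful Inspection slides side by side: rules match only the five header fields listed above, the default policy is either deny all or laissez faire, and an optional connection table lets replies to connections opened from the secure side back in. The automation and office addresses, the server and the port numbers are constructed.

```python
"""Packet filter with an optional stateful layer.

Added example, not Hirschmann code. Rules look at the five header fields only
(protocol, source/destination address, source/destination port), never at the
payload. default="deny" is the deny-all principle, default="allow" laissez faire.
Hosts, addresses and ports in run_scenarios() are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    from_secure: bool      # True: secure -> insecure; False: insecure -> secure


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches anything
    src: Optional[str] = None        # address or CIDR
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    from_secure: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        def in_net(ip, net):
            return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
        return ((self.proto is None or self.proto == p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport)
                and (self.from_secure is None or self.from_secure == p.from_secure))


class Firewall:
    def __init__(self, rules, default="deny", stateful=True):
        self.rules = list(rules)
        self.default = default
        self.stateful = stateful
        self.connections = set()   # (proto, secure_ip, secure_port, remote_ip, remote_port)

    def filter(self, p: Packet) -> str:
        # Stateful step: a reply to a connection the secure side opened passes
        # without consulting the rules (this is what the connection table buys).
        if self.stateful and not p.from_secure:
            if (p.proto, p.dst, p.dport, p.src, p.sport) in self.connections:
                return "allow"
        # Stateless step: first matching rule wins, otherwise the default policy.
        action = next((r.action for r in self.rules if r.matches(p)), self.default)
        if action == "allow" and self.stateful and p.from_secure:
            self.connections.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return action


def run_scenarios() -> dict:
    automation = "10.10.10.0/24"                 # secure side (constructed)
    office_server = "192.168.1.10"               # insecure side (constructed)
    request = Packet("tcp", "10.10.10.44", 40000, office_server, 80, from_secure=True)
    reply = Packet("tcp", office_server, 80, "10.10.10.44", 40000, from_secure=False)
    unsolicited = Packet("tcp", office_server, 80, "10.10.10.55", 40000, from_secure=False)
    ftp = Packet("tcp", "10.10.10.44", 40001, office_server, 21, from_secure=True)
    http_out = Rule("allow", proto="tcp", src=automation, dport=80, from_secure=True)
    traffic = (request, reply, unsolicited, ftp)

    stateful = Firewall([http_out], default="deny", stateful=True)
    stateless = Firewall([http_out], default="deny", stateful=False)
    # A stateless filter needs an extra inbound rule to admit the reply, and that
    # rule also admits anything else claiming to come from port 80.
    stateless_patched = Firewall(
        [http_out, Rule("allow", proto="tcp", sport=80, dst=automation, from_secure=False)],
        default="deny", stateful=False)
    laissez_faire = Firewall([http_out], default="allow", stateful=True)

    return {
        "stateful": [stateful.filter(p) for p in traffic],
        "stateless": [stateless.filter(p) for p in traffic],
        "stateless_patched": [stateless_patched.filter(p) for p in traffic],
        "laissez_faire": [laissez_faire.filter(p) for p in traffic],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:18} request/reply/unsolicited/ftp -> {verdicts}")
```

The four verdict lists show the trade-offs the slides describe: the stateful firewall admits the reply and nothing else from outside; the stateless one with the same single rule drops the legitimate reply; adding the inbound rule needed to fix that also opens the door to unsolicited packets from port 80 (the "large number of rules, easy to make a mistake" problem); and laissez faire lets everything through that nobody thought to deny.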
Application Layer Firewalls (Proxies)
There is no direct communication between a client on the secure network and a server on the insecure network: the proxy terminates the client's connection and opens its own connection to the server.
Diagram: Internet -> Proxy -> Private Network

Application Layer Firewalls (Proxies)
Advantages
- The payload of the packet is examined
- Much more detailed log files
- Extremely high security
Disadvantages
- Slower than stateful inspection firewalls
- More expensive
Fact of life: the more security you want, the worse the performance of your network (and vice versa).
NAT / PAT
Network Address Translation 1 to n / Port Address Translation
- All internal IP addresses are mapped to a single external IP address
- Hides the protected network's addressing scheme
- Reduces cost by sharing a single valid Internet address
Network Address Translation 1 to 1
- Individual internal addresses are mapped to individual external addresses
- Hides the network addressing while allowing incoming connections

Network Address Translation 1:n
Maps multiple internal addresses to a single external address.
- Source 10.10.10.44 -> Source 81.65.129.31
- Source 10.10.10.55 -> Source 81.65.129.31
Network Address Translation 1:1
Maps internal and external addresses 1 to 1.
- Source 10.10.10.44 -> Source 81.65.129.44
- Source 10.10.10.55 -> Source 81.65.129.55

Multiple Identical Cells
Two automation cells are built identically, each using network 10.10.10.0 with devices 10.10.10.123 and 10.10.10.234. Through 1:1 NAT the first cell appears to the core network as 192.168.23.0 and the second as 192.168.54.0, so the core network can address both cells' devices without renumbering them.
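An added example (not Hirschmann code) implementing the three NAT slides above: 1:n translation with a port mapping table, 1:1 translation as a network-prefix rewrite, and the two identical cells presented to the core network under different prefixes. The addresses are the ones the slides show (10.10.10.x, 81.65.129.x, 192.168.23.0/24 and 192.168.54.0/24); the remote host 203.0.113.7, the core host 192.168.1.5 and all port numbers are constructed.

```python
"""NAT 1:n (PAT), NAT 1:1 and the multiple-identical-cells layout.
Added example, not Hirschmann code; see the lead-in for which addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Pat:
    """NAT 1:n: every internal host leaves with the same external address; the
    translated source port identifies the flow when the reply comes back."""

    def __init__(self, external_ip: str, first_port: int = 1024):
        self.external_ip = external_ip
        self.next_port = first_port
        self.flows = {}      # (int_ip, int_port, remote_ip, remote_port) -> ext_port
        self.reverse = {}    # ext_port -> (int_ip, int_port, remote_ip, remote_port)

    def outbound(self, p: Packet) -> Packet:
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.flows:
            self.flows[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return replace(p, src=self.external_ip, sport=self.flows[key])

    def inbound(self, p: Packet) -> Optional[Packet]:
        """De-translate a reply, or return None when nothing inside asked for it."""
        entry = self.reverse.get(p.dport)
        if p.dst != self.external_ip or entry is None:
            return None                              # no mapping: unsolicited, dropped
        int_ip, int_port, remote_ip, remote_port = entry
        if (p.src, p.sport) != (remote_ip, remote_port):
            return None                              # reply must come from the host the flow went to
        return replace(p, dst=int_ip, dport=int_port)


class OneToOne:
    """NAT 1:1: the network part is rewritten and the host part kept, so the
    outside can also open connections to the translated address."""

    def __init__(self, internal_net: str, external_net: str):
        self.internal = ipaddress.ip_network(internal_net)
        self.external = ipaddress.ip_network(external_net)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT needs networks of equal size")

    @staticmethod
    def _translate(ip: str, src_net, dst_net) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        if addr not in src_net:
            return None
        return str(dst_net.network_address + (int(addr) - int(src_net.network_address)))

    def outbound(self, p: Packet) -> Optional[Packet]:
        s = self._translate(p.src, self.internal, self.external)
        return None if s is None else replace(p, src=s)

    def inbound(self, p: Packet) -> Optional[Packet]:
        d = self._translate(p.dst, self.external, self.internal)
        return None if d is None else replace(p, dst=d)


def run_demo() -> dict:
    remote = "203.0.113.7"                           # constructed remote host
    pat = Pat("81.65.129.31")                        # 1:n as on the slide
    out44 = pat.outbound(Packet("10.10.10.44", 40000, remote, 80))
    out55 = pat.outbound(Packet("10.10.10.55", 40000, remote, 80))
    back44 = pat.inbound(Packet(remote, 80, "81.65.129.31", out44.sport))
    stray = pat.inbound(Packet(remote, 80, "81.65.129.31", 5000))
    one = OneToOne("10.10.10.0/24", "81.65.129.0/24")   # 1:1 as on the slide
    # Two identical cells, both 10.10.10.0/24 inside, distinct prefixes towards the core
    cell_a = OneToOne("10.10.10.0/24", "192.168.23.0/24")
    cell_b = OneToOne("10.10.10.0/24", "192.168.54.0/24")
    core = "192.168.1.5"                             # constructed core-network host
    to_a = cell_a.inbound(Packet(core, 50000, "192.168.23.123", 502))
    to_b = cell_b.inbound(Packet(core, 50000, "192.168.54.123", 502))
    return {
        "pat_src": (out44.src, out55.src),
        "pat_ports": (out44.sport, out55.sport),
        "pat_back_dst": (back44.dst, back44.dport),
        "pat_stray": stray,
        "one_to_one": (one.outbound(Packet("10.10.10.44", 1, remote, 1)).src,
                       one.outbound(Packet("10.10.10.55", 1, remote, 1)).src),
        "cell_a_dst": to_a.dst,
        "cell_b_dst": to_b.dst,
    }
```

The 1:n table is why PAT "hides" the network: a packet from outside that does not match a flow the inside opened has no entry and is discarded. The 1:1 case keeps the host part, which is exactly what makes incoming connections possible, and with two cells behind two different external prefixes the core network reaches 192.168.23.123 and 192.168.54.123 while each cell's PLC still believes it is 10.10.10.123.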
Firewall Techniques: Hard Perimeter
Diagram: Office Network separated from the plant networks by a single firewall at the boundary.

Firewall Techniques: Defence in Depth
Diagram: Office Network and plant networks with firewalls at several layers, not only at the boundary.
Adding Security
- In a perfect world, you design the network security when you design the network.
- What if you want to add security to an existing network?
- Most firewalls are routers, so inserting one normally means splitting the existing subnet and re-addressing devices.

Transparent (Bridging) Firewalls
A bridging firewall filters traffic between two ports of the same subnet without routing, so it can be inserted into an existing network without changing its IP addressing.
Symbols Used In Presentation Diagrams
- Industrial firewall and/or VPN client/server
- Corporate firewall and/or VPN client/server
- Corporate network
- Industrial network
- Internet

Basic Industrial Firewalling
Diagram: Corporate Network and Office Network, separated from the Automation Network by an industrial firewall.
Access for Specific Devices
Diagram: Corporate Network with a Management Station permitted through the industrial firewall into the Automation Network.

Access for Specific Devices
Diagram: Corporate Network with a Maintenance station permitted through the industrial firewall into the Automation Network.
Employee from an External Company
Diagram: Corporate Network with a Service Engineer connecting using an address assigned by DHCP, in front of the industrial firewall.

Conclusion
Conclusion
- Security should be designed into a network right from the start
- Managed switches provide a range of security features
- A control network should only be connected to another network via a firewall
- Successful protection requires a range of techniques

Comments or Questions?