draft v0.4 The IAONA Handbook for Network Security 1



Similar documents
draft v0.4 The IAONA Handbook for Network Security 1

IAONA IAONA e.v. Universitätsplatz Magdeburg Germany. draft v0.4 The IAONA Handbook for Network Security 1

Load Balance Router R258V

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Using Innominate mguard over BGAN

Gigabit SSL VPN Security Router

UTT Technologies offers an effective solution to protect the network against 80 percent of internal attacks:

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

White Paper Copyright 2011 Nomadix, Inc. All Rights Reserved. Thursday, January 05, 2012

Remote Connection to a WAGO using a High-Speed Internet connection Application note

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Outline (Network Security Challenge)

Figure 41-1 IP Filter Rules

Protecting the Home Network (Firewall)

Innominate mguard Version 6

Lab Configuring Access Policies and DMZ Settings

CISCO IOS NETWORK SECURITY (IINS)

Cisco WRVS4400N Wireless-N Gigabit Security Router: Cisco Small Business Routers

Virtual Server and DDNS. Virtual Server and DDNS. For BIPAC 741/743GE

Configure A VoIP Network

your Gateway Windows network installationguide b wireless series Router model WBR-100 Configuring Installing

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

FIREWALLS & CBAC. philip.heimer@hh.se

How To Use A Cisco Wvvvdns4400N Wireless-N Gigabit Security Router For Small Businesses

Networking: EC Council Network Security Administrator NSA

Firewalls (IPTABLES)

Internet Security Firewalls

Understanding Windows Server 2003 Networking p. 1 The OSI Model p. 2 Protocol Stacks p. 4 Communication between Stacks p. 13 Microsoft's Network

SonicWALL PCI 1.1 Implementation Guide

Gigabit Content Security Router

Chapter 15. Firewalls, IDS and IPS

Break Internet Bandwidth Limits Higher Speed. Extreme Reliability. Reduced Cost.

Avaya G700 Media Gateway Security - Issue 1.0

Firewall Firewall August, 2003

Chapter 11 Cloud Application Development

Internet Security Firewalls

N-CAP Users Guide Everything You Need to Know About Using the Internet! How Firewalls Work

Funkwerk UTM Release Notes (english)

Secure Remote Access Solutions Balancing security and remote access Bob Hicks, Rockwell Automation

8. Firewall Design & Implementation

Knowledgebase Solution

Designing a security policy to protect your automation solution

PPTP Server Access Through The

Common Remote Service Platform (crsp) Security Concept

Hirschmann. Simply a good Connection. White paper: Security concepts. based on EAGLE system. Security-concepts Frank Seufert White Paper Rev. 1.

Network Configuration Settings

About Firewall Protection

Firewalls, IDS and IPS

DDoS Protection Technology White Paper

E-commerce Production Firewalls

EDR-G903/G902 User s Manual

Avaya TM G700 Media Gateway Security. White Paper

The Internet of Things (IoT) and Industrial Networks. Guy Denis Rockwell Automation Alliance Manager Europe 2015

Lucent VPN Firewall Security in x Wireless Networks

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Management Software. Web Browser User s Guide AT-S106. For the AT-GS950/48 Gigabit Ethernet Smart Switch. Version Rev.

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab March 04, 2004

Networking. Systems Design and. Development. CRC Press. Taylor & Francis Croup. Boca Raton London New York. CRC Press is an imprint of the

A Division of Cisco Systems, Inc. 10/100 4-Port. VPN Router. User Guide WIRED RV042. Model No.

information security and its Describe what drives the need for information security.

Secure Network Design: Designing a DMZ & VPN

Professional Integrated SSL-VPN Appliance for Small and Medium-sized businesses

D-Link DFL-700. Manual

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 4 Customizing Your Network Settings

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall

Using a VPN with CentraLine AX Systems

1 Data information is sent onto the network cable using which of the following? A Communication protocol B Data packet

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

Chapter 4: Security of the architecture, and lower layer security (network security) 1

Network Security Topologies. Chapter 11

Security perimeter. Internet. - Access control, monitoring and management. Differentiate between insiders and outsiders - Different types of outsiders

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Network Access Security. Lesson 10

APNIC elearning: Network Security Fundamentals. 20 March :30 pm Brisbane Time (GMT+10)

Recommended IP Telephony Architecture

108Mbps Super-G TM Wireless LAN Router with XR USER MANUAL

Network Security Firewall

Cisco RV082 Dual WAN VPN Router Cisco Small Business Routers

Multi-Homing Dual WAN Firewall Router

Astaro Deployment Guide High Availability Options Clustering and Hot Standby

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

Network Security Firewall Manual Building Networks for People

COMPUTER NETWORK TECHNOLOGY (300)

How To Protect Your Network From Attack From Outside From Inside And Outside

Chapter 4 Customizing Your Network Settings

If you have questions or find errors in the guide, please, contact us under the following address:

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Innominate mguard Version 7.0 Configuration Examples

Savvius Insight Initial Configuration

By David G. Holmberg, Ph.D., Member ASHRAE

Network Security Firewall Manual Building Networks for People

Stateful Inspection Technology

Black Box Penetration Testing For GPEN.KM V1.0 Month dd "#$!%&'(#)*)&'+!,!-./0!.-12!1.03!0045!.567!5895!.467!:;83!-/;0!383;!

Chapter 4 Security and Firewall Protection

Network Security Fundamentals

Security Requirements for Firewalls

Transcription:

IAONA Handbook Network Security Version 1.3 draft v0.4 The IAONA Handbook for Network Security 1

The IAONA Handbook for Network Security Version 1.3 Published by IAONA e.v. Based on the work of IAONAs Joint Technical Working Group (JTWG) Network Security. Recipients of this document are invited to submit, with their comments, notification of any relevant patent rights of which they are aware and to provide supporting documentation. The following parties have contributed to this document: DEHOF computertechnik ABB Data Systems Innominate AG ininet GmbH / VPI Hirschmann AC GmbH TRUMPF Laser GmbH + Co. KG University Magdeburg WAGO Kontakttechnik Matthias Dehof (Chairman JTWG Network Security) Martin Naedele, Dacfey Dzung Detlef Kilian Steffen Bruß, Frank Merkel Peter Brügger Klaus Reister, Ralf Kaptur Rainer Thieringer Marcus Tangermann Christoph Möller All illustrations, charts and layout examples shown in this document are intended solely for purposes of example. IAONA assumes no responsibility or liability (including intellectual property liability) for actual use based upon examples given in this publication. Reproduction of the contents of this copyrighted publication, in whole or in part, without written permission of IAONA is prohibited. IAONA, 2005 IAONA e.v. Universitätsplatz 2 39106 Magdeburg Germany info@iaona.org http://www.iaona.org Version 1.3 IAONA Handbook Network Security 2

Contents 1 Introduction...5 2 Basics for Industrial Ethernet Security...7 2.1 What is Security?...7 2.2 Security Classification...9 2.2.1 Security Classification Example - Light Bulb Factory...10 2.2.2 Security Classification Example - Automotive parts...10 2.2.3 Security Classification Example Pharmaceutical process...11 2.3 The IP protocol family...11 2.3.1 Design of the IP family...12 2.3.2 Security Problems of IP...13 2.4 Communication relations in an enterprise network...14 2.5 Network architecture for Industrial Ethernet...16 2.6 Defense strategy...18 2.6.1 Hard-perimeter...18 2.6.2 Defense-in-depth...19 2.7 Security Components...20 2.7.1 Packet Filter...20 2.7.2 Application Gateway...22 2.7.3 Demilitarized Zone (DMZ)...23 2.7.4 Switches...23 2.7.5 Router 23 2.8 Differences between Office and Automation Networks...24 3 IAONA Security Methodology...27 3.1 Security demand classification...28 3.2 Communication relations...29 3.3 Defense Strategy...31 3.4 Defense Structures...31 3.5 Devices / Protocols...33 3.6 Defense measures...34 4 The Security Cookbook...37 4.1 Remote Access...37 4.1.1 Terminal Server...37 4.1.2 Network Manager...38 5 IAONA Security Data Sheet...40 5.1 How to fill out the SDS...40 5.1.1 General...40 5.1.2 Page 1 - General...41 5.1.3 Page 2 - Network Ports and Services...41 5.1.4 Naming Conventions...42 5.2 Security Data Sheet Creator (SDS-C)...42 6 Annex: Communication Relations Table Template...43 7 Annex: Security Data Sheet Template...44 8 Annex: Security Data Sheet XML Schema...47 Version 1.3 IAONA Handbook Network Security 3

9 Annex: Network Services...49 9.1 ICMP...51 9.2 ARP...52 9.3 DHCP...52 9.4 DNS...53 9.5 FTP...53 9.6 TFTP...54 9.7 Telnet...54 9.8 SMTP...55 9.9 SSH...56 9.10 SNMP...56 9.11 HTTP...57 9.12 DynDNS...58 9.13 Modbus-TCP...59 9.14 EtherNet/IP...59 9.15 ETHERNET Powerlink...60 9.16 RPC / DCOM...60 9.17 LDAP...61 9.18 Kerberos...61 9.19 IPSEC...62 9.20 PPTP...63 9.21 L2TP / IPsec...63 9.22 SOAP...64 9.23 Remote control software...65 9.24 NDDS...65 9.25 MAP/MMS...66 9.26 RADIUS...66 10 Annex: IAONA SDS Logo...68 11 References...69 Version 1.3 IAONA Handbook Network Security 4

1 Introduction Ethernet based communication systems have entered the factory floor. During the last 5 years different fields of application using different Ethernet based communication protocols and technologies have been established ranging from web based management of devices to motion control applications. This increasing use of Ethernet based services and devices came for many companies through the backdoor: first a simple FTP session for firmware uploads and a telnet session for changing settings, then a web server for advanced and comfortable configuration and diagnostics, and finally the use of real-time Ethernet communication protocols for device communication within control applications. It was a small step from using these devices point-to-point connected to a serviceman's laptop to connecting the devices to a company network. With the broad use of PC based devices, it was possible to connect anything and for quite a time, finally, the network was just what is was made for. But with the increasing use of Ethernet based communication technologies also the problems of this technology have entered the factory network. The possible data exchange using emails or direct device access will enable an undue influence on the devices by hackers, with-collar criminals, or even unilluminated employees. When more people were accessing the network - and an increasing number of non-technicians and non-employees were among them - the network was opened to the Internet and was used for web-access and email services. Thereby, viruses and worms coming with laptops and emails, some of them do no harm but others may cause the loss of a complete production line. Even when these viruses have no direct effect on devices, overloaded network traffic is even worse than a single deleted hard disk. The direct access to control devices using HTTP or SNMP based device management systems will, in principle, enable unauthorized people to acquire control system and production system sensitive data and to change sensitive system settings causing economic disadvantages. As a matter of fact, the IT departments are confronted with a complete new line of problems. Any intrusion, by accident or intention has a bigger effect than in the office world. An automation network needs to be fail-safe. Data within an automation system need to be protected from unauthorized access. The unauthorized change of control relevant data or even the circumvention of a data exchange may result in a production system break down. A down time of a production line of a few minutes can cost some thousands of Euros because it may take some hours to restart the complete line. In contrast to this a short breakdown in the office environment is equally disturbing, but the consequences are different. To cope with the mentioned problems and to ensure the security of industrial communication systems special technologies and strategies have been developed or even from the office world adapted to the factory floor. One important role within this process has been played by the IAONA Joint Technical Working Group (JTWG) Network Security. Within this JTWG the state of the art of network security technologies for industrial application have been collected and aggregated to an advice for best practice. Based on the results of the IAONA JTWG Network Security the Handbook - Network Security has been created. It will be maintained by the members of the JTWG and reflects the current status of technology. The Handbook is not a static book, but subject to change to keep up with threats and developments. The Handbook was designed to establish "know-how" for network security in industrial applications and make this accessible for to users Version 1.3 The IAONA Handbook for Network Security 5

give recommendations on how to plan secure networks provide tools for network analysis and escalation schemes create guideline for network security to be provided to IT and factory floor personnel give input to normative committees, such as IEC The user's benefits are support for security risk analysis, support in the selection of appropriate security measures and most important - the avoidance of production down time caused by security leaks. All-in-all, the IAONA Handbook - Network Security will provide interested people with the necessary knowledge about existing security problems, useable security architectures, and all necessary activities to establish these architectures. To follow this aims the handbook is organized as follows. Within the following (the second) chapter necessary basics about network security will be described. This includes a definition of the term Security, the term of IAONA Security Classes, the description of basic protocols, structures, and architectures and its security problems, defense strategies, and security components with its security relevant behavior. The third chapter will describe in detail the security methodology developed by IAONA JTWG Network Security with strategies, structures, devices, protocols, and defense measures. Chapter four can be seen as a cookbook for network security providing best practice scenarios for special application cases. Chapter five introduces the IAONA Security Data Sheet, a mean for collection and distribution of security relevant information of devices, systems, and networks based on the IAONA Security Methodology. Within this chapter the IAONA Security Data Sheet will be described in detail and its application and benefits in practice will be considered. The handbook will conclude with three annexes. The first annex will provide a template of the IAONA Security Data Sheet and the second one will give the XML schema used for the computer based processing of the IAONA Security Data Sheet. The third annex will provide a detailed listing and description of 28 Ethernet based communication protocols used within factory communication systems including a security relevant survey of each protocol. The full version of this IAONA Handbook is currently only available for IAONA s members! Please contact IAONA s office for more information! Version 1.3 The IAONA Handbook Network Security 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information