Scalable Secure Remote Access Solutions


Presenters: Jason Dely, CISSP, Principal Security Consultant, Rockwell Automation (jdely@ra.rockwell.com); Scott Friberg, Solutions Architect, Cisco Systems, Inc. (sfriberg@cisco.com); Jeffrey A. Shearer, CISSP, PMP, Principal Security Consultant, Rockwell Automation (jashearer@ra.rockwell.com). Rev 5058-CO900C. Copyright 2012 Rockwell Automation, Inc. All rights reserved.

Agenda and Topic List
- What is remote access? What are the requirements?
- Secured remote access architectures
- DMZ architectures
- Remote Desktop Protocol (RDP) discussion and demonstrations
- Secured file transfer and reverse web proxy demonstrations

Reference Material
- http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
- http://www.cisco.com/en/us/docs/solutions/Verticals/CPwE/CPwE_chapter6.html
- Publication numbers 1783-in005_-en-p.pdf and 1783-um003_-ene.pdf
- Buy and read the operating system reference materials; invest in yourself.

What is remote access?
To answer this question you first need to define the requirements: what problems are you trying to solve, and who has the problem? Requirements generation makes the designer consider users (user personas), problem statements (i.e. what problem are we trying to solve?) and use cases, for example:
- Users / user personas: OEM, system integrator, engineering
- Problem statements: help, maintenance, troubleshooting
- Use case: remote access from a hotel room

Use case, remote access from a hotel room: an OEM or SI engineer is in a hotel and must help the customer troubleshoot a PLC or HMI program. The engineer uses the hotel internet connection, connects securely to the machine at the customer site and is able to view the PLC or HMI code.

Remote Access Requirements
(1) View a machine's ControlLogix processor from a hotel room to help troubleshoot the system. Actor: OEM, SI or engineer. (Diagram: hotel to factory; processing, filling and material handling areas.)
(2) Transfer a file containing ControlLogix code from a laptop to a manufacturing workstation. Actor: OEM, SI or engineer. (Diagram: laptop to factory; processing, filling and material handling areas.)
(3) View manufacturing data from FactoryTalk VantagePoint for decision makers located in the enterprise (office) zone. (Diagram: FactoryTalk VantagePoint server in the data center; processing, filling and material handling areas.)

Remote Access Challenges
- Industrial Automation and Control System (IACS) applications are often managed by plant personnel, while enterprise-level remote access solutions such as VPNs are the responsibility of the IT organization.
- Remote access can expose critical IACS applications to viruses, malware and other risks that may be present on remote or partner computers, potentially impacting manufacturing.
- Limiting access to only the functions that are appropriate for remote users.


Controlling Access to the Manufacturing Zone (logical model from the diagram)
Enterprise Zone
- Level 5: Enterprise Network (e-mail, intranet, etc.), router
- Level 4: Site Business Planning and Logistics Network
Firewall
Industrial DMZ: Terminal Services, Patch Management, AV Server, Historian Mirror, Web Services Operations, Application Server (firewall filtering Web, E-Mail, CIP)
Firewall
Manufacturing Zone
- Level 3: Site Manufacturing Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller
- Cell/Area Zone
  - Level 2: Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
  - Level 1: Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
  - Level 0: Process: Sensors, Drives, Actuators, Robots
No direct traffic flow from the Enterprise Zone to the Manufacturing Zone.

High Level Architecture Review
Remote access involves cooperation between three zones:
- Enterprise Zone: Information Technology (IT) and the infrastructure of the facility.
- Automation Demilitarized Zone (Automation DMZ): designing it requires knowledge of the data that must move from the plant to enterprise systems.
- Manufacturing Zone: Cell and Area devices and industrial protocols.

Enterprise Zone
- Levels 4 and 5, owned by Information Technology (IT)
- Traditionally some VLANs in place; campus-to-campus communications
- IT is knowledgeable with routing and firewalls
- IT will provide VPN services for remote access
- You need to work with the IT personnel to get access to the DMZ

Automation DMZ
- Shared ownership by IT and manufacturing professionals
- Designed to replicate services and data
- Remote access services (Terminal Services) are located here
- Typically IT owns the firewalls and configures the switches on behalf of the manufacturing professionals
- Manufacturing professionals own the DMZ terminal servers, application servers and patch management servers

Manufacturing Zone
- Divide the plant into functional areas for secured access, following the ISA-SP99 zones and conduits model
- OEM, system integrator and engineering participation is required: IP addresses, VLAN IDs, access-layer to distribution-layer cooperation
- System design requires full cooperation of all asset owners


Demilitarized Zone (DMZ)
Sometimes referred to as a perimeter network: it exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security in front of the trusted network. (Diagram: Internet, untrusted; DMZ containing a web proxy and a broker; trusted network.)

DMZ Topology
- The firewall(s) have three interfaces: enterprise, DMZ and manufacturing.
- Firewalls block or allow access to devices on these interfaces based on a set of rules.
- There will be assets like switches and servers that are part of the DMZ.
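The following Python is an added example, not part of the presentation and not code from any Rockwell or Cisco product: it models the three-interface firewall above as an ordered, first-match rule list with an implicit deny, and checks the one invariant the architecture diagram states, that no permit rule lets traffic flow straight between the Enterprise and Manufacturing zones. The sample policy, its zone names and its port numbers (443 for RD Gateway and the reverse proxy, 3389 for RDP from the DMZ terminal server, an assumed 1433 for historian replication, 44818 for EtherNet/IP CIP) are constructed for the example.

```python
"""Three-interface DMZ firewall policy checker (added example, not from the presentation)."""
from dataclasses import dataclass
from typing import Optional

ZONES = ("enterprise", "dmz", "manufacturing")   # the three firewall interfaces
PROTOS = ("tcp", "udp", "any")


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "any"
    src_zone: str             # one of ZONES, or "any"
    dst_zone: str             # one of ZONES, or "any"
    dst_port: Optional[int]   # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src_zone: str
    dst_zone: str
    dst_port: int


def parse_rule(line: str) -> Rule:
    """Parse one line of the form: <permit|deny> <proto> <src_zone> <dst_zone> [port|any]."""
    parts = line.split()
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, dst = parts[:4]
    if action not in ("permit", "deny") or proto not in PROTOS:
        raise ValueError(f"bad action or protocol: {line!r}")
    for zone in (src, dst):
        if zone != "any" and zone not in ZONES:
            raise ValueError(f"unknown zone {zone!r} in {line!r}")
    port = None if len(parts) == 4 or parts[4] == "any" else int(parts[4])
    return Rule(action, proto, src, dst, port)


def load_policy(text: str) -> list:
    """Load an ordered rule list, skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(line))
    return rules


def _matches(rule: Rule, flow: Flow) -> bool:
    return (
        rule.proto in ("any", flow.proto)
        and rule.src_zone in ("any", flow.src_zone)
        and rule.dst_zone in ("any", flow.dst_zone)
        and rule.dst_port in (None, flow.dst_port)
    )


def evaluate(rules: list, flow: Flow) -> str:
    """First-match evaluation with an implicit deny at the end, as on a typical firewall ACL."""
    for rule in rules:
        if _matches(rule, flow):
            return rule.action
    return "deny"


def _expand(zone: str) -> tuple:
    return ZONES if zone == "any" else (zone,)


def direct_enterprise_manufacturing(rules: list) -> list:
    """Permit rules that let traffic cross straight between the Enterprise and Manufacturing
    zones in either direction, bypassing the DMZ. Any hit breaks the 'no direct traffic
    flow' design rule. 'any' zones are expanded so a blanket permit is caught as well."""
    forbidden = {("enterprise", "manufacturing"), ("manufacturing", "enterprise")}
    offenders = []
    for rule in rules:
        if rule.action != "permit":
            continue
        pairs = {(s, d) for s in _expand(rule.src_zone) for d in _expand(rule.dst_zone)}
        if pairs & forbidden:
            offenders.append(rule)
    return offenders


# Constructed sample policy, loosely following the DMZ services named in the presentation.
# The fourth line is deliberately wrong: it opens EtherNet/IP (CIP, TCP 44818) straight
# from the Enterprise Zone into the Manufacturing Zone. Port 1433 for replication is assumed.
SAMPLE_POLICY = """
permit tcp enterprise dmz 443              # RD Gateway (RDP over HTTPS) and reverse web proxy
permit tcp dmz manufacturing 3389          # DMZ terminal server reaches the engineering workstation
permit tcp manufacturing dmz 1433          # historian pushes data to the historian mirror (assumed port)
permit tcp enterprise manufacturing 44818  # WRONG: direct CIP from the enterprise zone
deny any any any                           # explicit catch-all
"""

if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    for offender in direct_enterprise_manufacturing(policy):
        print("violates no-direct-flow rule:", offender)
```

Run it against your own exported rule list (one rule per line in the same shape) before handing the policy to IT; the check is deliberately conservative and flags a shadowed permit as well, since a later rule reorder would expose it.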


Remote Desktop Technologies
Allow a user to remotely view and control another computer: the user sees the remote computer's screen while sending keystrokes and mouse movements to it. Two options are discussed today:
- Option 1: host the Remote Desktop session from the Cisco firewall (Remote Desktop client, then the firewall as secure RDP session host, then the target Remote Desktop).
- Option 2: host the Remote Desktop session from a Microsoft Windows Server 2008 R2 computer (Remote Desktop client, then the Windows Server 2008 R2 machine as secure RDP session host, then the target Remote Desktop).

Remote Desktop Protocol via Cisco Firewall
- Remote Desktop Gateway functionality is hosted on the Cisco ASA firewall, with the same user experience as the Microsoft Remote Desktop Gateway.
- Configure the firewall to host the RDP session.
- Come to the AF Network & Security booth to see how well this solution works.

(Screenshot slides: Remote Desktop Protocol via Cisco Firewall.)

Remote Desktop Protocol via Cisco Firewall
Connect to the outside interface of the Cisco firewall with a web browser over an SSL (HTTPS) session, then continue to the inside assets via Remote Desktop Protocol. (Screenshot slides follow.)

Remote Desktop Gateway
Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway, is a role service in the Remote Desktop Services server role included with Windows Server 2008 R2. It enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. RD Gateway tunnels the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and internal network resources, so only the HTTPS port has to be exposed on the gateway rather than RDP itself.

(Diagram: remote access via Remote Desktop Gateway over HTTPS.)

Remote Desktop Session Host CALs
Anyone who connects to a Remote Desktop Session Host (Terminal Server) must have a Client Access License (CAL). Consult Microsoft to validate your CAL questions.

(Diagram: remote access demo architecture.)

Remote Desktop Gateway Configuration
- Add the Remote Desktop Services role with the RD Gateway role service
- Connection Authorization Policies (RD CAPs: which users may connect through the gateway)
- Resource Authorization Policies (RD RAPs: which computers those users may reach)
- Export / import certificates (the gateway's SSL certificate must be trusted by the connecting clients)

(Screenshot slides: Remote Desktop Gateway configuration; remote access demo architecture and demo.)


Secured File Transfer: Architecture (diagram)

Secure Shell (SSH)
Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution, and other secure network services between two networked computers, which it connects via a secure channel over an insecure network. This demo runs an OpenSSH server on Linux; an SSH server can be run on Windows as well.
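As an added example (not part of the presentation, and not OpenSSH's own code): the secure channel only protects the transfer if the client is talking to the right server, so before the engineer pushes the ControlLogix file from the hotel the server's host key must be verified against a fingerprint obtained out of band, and after the transfer both ends should compare a SHA-256 of the file. The Python below computes OpenSSH-style SHA256 fingerprints from a known_hosts entry and checks a transferred file's hash. The host name, the 32 key bytes (a placeholder, not a real Ed25519 key) and the file contents are constructed for the example.

```python
"""Host-key and file-hash checks around a secured (SFTP/SCP) file transfer.
Added example, not from the presentation and not OpenSSH code."""
import base64
import hashlib
import hmac
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH 'string' (4-byte big-endian length + payload), per RFC 4251."""
    return struct.pack(">I", len(data)) + data


def fingerprint_sha256(key_blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the wire-format key."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (host, key_type, key_blob) from one known_hosts line; reject malformed entries."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("known_hosts line needs host, key type and base64 key")
    host, key_type, b64 = fields[:3]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    # the first SSH string inside the blob must repeat the key type; a mismatch means a forged line
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type field does not match the encoded key")
    return host, key_type, blob


def host_key_matches(line: str, expected_fingerprint: str) -> bool:
    """True only if the known_hosts entry carries exactly the fingerprint published out of band."""
    _, _, blob = parse_known_hosts_line(line)
    return hmac.compare_digest(fingerprint_sha256(blob), expected_fingerprint)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def transfer_intact(received: bytes, expected_sha256_hex: str) -> bool:
    """Post-transfer integrity check: compare the received file's hash with the sender's value."""
    return hmac.compare_digest(sha256_hex(received), expected_sha256_hex.lower())


# Constructed sample data. The 32 key bytes are a placeholder, not a real Ed25519 public key;
# the host name and file contents are made up for the example.
_PLACEHOLDER_KEY = bytes(range(32))
SAMPLE_KEY_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(_PLACEHOLDER_KEY)
SAMPLE_KNOWN_HOSTS = "plant-sftp.example.com ssh-ed25519 " + base64.b64encode(SAMPLE_KEY_BLOB).decode("ascii")
SAMPLE_ACD_FILE = b"constructed stand-in for a ControlLogix .ACD project file"

if __name__ == "__main__":
    fp = fingerprint_sha256(SAMPLE_KEY_BLOB)
    print("server fingerprint:", fp)
    print("known_hosts entry matches:", host_key_matches(SAMPLE_KNOWN_HOSTS, fp))
    print("file sha256:", sha256_hex(SAMPLE_ACD_FILE))
```

The fingerprint produced here is the same value `ssh-keygen -lf` prints for the server's public key file, so the plant can publish it once and the OEM can compare it against the known_hosts line the client records on first use; a mismatch on a later connection is the signal to stop, not to accept the new key.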

(Screenshot slides: secured file transfer demo.)

Reverse Web Proxy Evolution
(Diagram: before 1996, Internet, router, web server; after 1996, Internet, reverse proxy, web server.)

Reverse Web Proxy
During the early years of the Internet, website administrators recognized the need to keep their servers from being directly reachable by web users without depriving those users of the services. In the summer of 1996, the Apache HTTP project wrote an add-on module, mod_proxy, for the Apache 1.1 web server that allowed it to act as a reverse proxy server. A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers; these resources are then returned to the client as though they originated from the reverse proxy itself. Reverse proxies can hide the existence and characteristics of the origin server(s).

Reverse Web Proxy: Architecture (diagram)
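To make concrete what "retrieves resources on behalf of a client" and "hides the origin server" mean for the VantagePoint use case, here is an added Python example, not part of the presentation and not Apache code: it models the ProxyPass mapping from a published external prefix to the origin URL, the ProxyPassReverse rewriting of Location headers back to the public name, and the removal of response headers that reveal the origin server. The public host name remote.example.com, the origin address 10.20.30.40:8080, the VantagePoint path and the sample response headers are assumptions made for the example.

```python
"""Reverse-proxy request and response mapping with a publication allowlist.
Added example, not from the presentation and not Apache mod_proxy code."""
import posixpath

# Constructed configuration: public host name and origin server are made up.
PUBLIC_ORIGIN = "https://remote.example.com"
PROXY_MAP = {
    # external prefix -> origin URL of the FactoryTalk VantagePoint server (assumed address)
    "/vantagepoint/": "http://10.20.30.40:8080/VantagePoint/",
}
ORIGIN_REVEALING_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}


class ProxyError(Exception):
    """Raised when a request must be refused instead of forwarded."""


def map_request(request_target: str) -> str:
    """ProxyPass behaviour: translate an external request target to an origin URL.

    Only explicitly published prefixes are forwarded. The check runs on the raw,
    undecoded path, so anything that is not already canonical ('.' or '..' segments,
    doubled slashes, backslashes, protocol-relative targets) is refused outright
    rather than normalised; guessing how the origin would decode it is where
    traversal bugs hide."""
    path, sep, query = request_target.partition("?")
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        raise ProxyError("absolute or malformed request target")
    canonical = posixpath.normpath(path)
    if path.endswith("/") and canonical != "/":
        canonical += "/"          # normpath strips the trailing slash; put it back for comparison
    if canonical != path:
        raise ProxyError("non-canonical path")
    for prefix, origin in PROXY_MAP.items():
        if path.startswith(prefix):
            return origin + path[len(prefix):] + sep + query
    raise ProxyError("path not published")


def rewrite_location(location: str) -> str:
    """ProxyPassReverse behaviour: rewrite an origin URL (e.g. a redirect target) to the public name."""
    for prefix, origin in PROXY_MAP.items():
        if location.startswith(origin):
            return PUBLIC_ORIGIN + prefix + location[len(origin):]
    return location


def filter_response_headers(headers: dict) -> dict:
    """Drop origin-revealing headers and rewrite Location so the origin host is never exposed."""
    cleaned = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname in ORIGIN_REVEALING_HEADERS:
            continue
        if lname == "location":
            value = rewrite_location(value)
        cleaned[name] = value
    return cleaned


# Constructed sample response from the origin server (values made up for the example).
SAMPLE_ORIGIN_RESPONSE_HEADERS = {
    "Server": "OriginWebServer/1.0",
    "X-Powered-By": "SomeFramework",
    "Location": "http://10.20.30.40:8080/VantagePoint/Login.aspx",
    "Content-Type": "text/html",
}

if __name__ == "__main__":
    print(map_request("/vantagepoint/reports/list?site=filling"))
    print(filter_response_headers(SAMPLE_ORIGIN_RESPONSE_HEADERS))
    for bad in ("/admin/", "/vantagepoint/../etc/passwd", "//evil.example/x"):
        try:
            map_request(bad)
        except ProxyError as err:
            print(f"refused {bad!r}: {err}")
```

The proxy is a publication and choke point for one application, not an authentication layer: in the architecture above it still sits behind the DMZ firewall, and the RD Gateway or IT-provided VPN remains the control that decides who may reach it.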

Summary
- Remote access involves requirements generation: identifying the users and support systems that require access from the enterprise to the manufacturing zone, and identifying data flows (source and destination) for firewall rule creation.
- Often a minimal remote access strategy, limited to viewing and file transfer, is sufficient.
- DMZs for separation of the enterprise and manufacturing zones are recommended.
- Security must be part of the remote access design.
