Secure Remote Access Solutions

Balancing security and remote access
Bob Hicks, Rockwell Automation
Rev 5058-CO900C
Copyright © 2012 Rockwell Automation, Inc. All rights reserved.

Agenda
- Control System Network Security
- Defence in Depth
- Secure Remote Access Examples
- Reference Material

Industrial Network Security Trends: Network Convergence
So, what are the similarities and differences?

Enterprise (IT) Network Requirements
- Internet protocols
- Wide Area Network (WAN)
- High availability: redundant star topologies
- Determinism, latency, jitter, etc.
- Voice, video, data applications
- IP addressing: dynamic
- Security: pervasive

Industrial Network Requirements
- Industrial and internet protocols
- Local Area Network (LAN): packets are small (100-200 bytes) but communicated very frequently (every 0.5 to 10s of ms)
- Resiliency: ring topologies are prominent, redundant star topologies are emerging
- Latency, jitter, etc.
- Information, control, safety, time synchronization and motion
- IP addressing: static
- Security: emerging. Open by default, so it must be closed by configuration

Access for Trusted Partners: Secure Remote Access Requirements
- Availability of global equipment, machines and services
- Requires scalable services for many users
- Trusted partners: machine builders, system integrators, vendors, contractors
- Reduces OEM cost pressures: on-site commissioning reduced in resources and duration; warranty support and dispatching of resources; optimization services (partnership vs. supplier)
- IT-ready solutions: elimination of security back doors; holistic industrial network infrastructure security solutions
(Diagram: machine builders and system integrators connecting as trusted partners to the Industrial Plantwide Systems.)
Defense-in-Depth: Security Policies and Procedures
Securing industrial assets requires:
- A comprehensive network security model
- A multi-layer security approach (defense-in-depth): procedural, physical and electronic measures
- Alignment with applicable industry standards
- Risk assessment: current risk analysis, determination of acceptable risk, deployment of risk mitigation techniques
- All of it developed against a defined set of security policies
- Policy: a plan of action with procedures to protect company assets
- Security policies are unique from company to company, although there are some common attributes and a common methodology for developing them
- The industrial security policy is unique from, and in addition to, the enterprise security policy
- Identify domains of trust and apply security appropriately to maintain the policy

Defense-in-Depth: Multiple Layers to Protect the Network and Defend the Edge
- Physical Security: limit physical access to authorized personnel (areas, control panels, devices, cabling and control room); escort and track visitors
- Network Security: infrastructure framework, e.g. firewalls with intrusion detection and intrusion prevention systems (IDS/IPS), and integrated protection of networking equipment such as switches and routers
- Computer Hardening: patch management, antivirus software, and removal of unused applications, protocols and services
- Application Security: authentication, authorization and audit software
- Device Hardening: change management and restrictive access
Defense-in-Depth: Physical Security Examples
(Photographs of physical security measures; the layer diagram lists Physical, Network, Computer, Application and Device.)

Defense-in-Depth: Network - Demilitarized Zone (DMZ)
- All network traffic from either side of the DMZ terminates in the DMZ; network traffic does not directly traverse the DMZ
- No primary services are permanently housed in the DMZ
- The DMZ shall not permanently house data
- No control traffic into the DMZ: Automation and Control data stays home
- Be prepared to "turn off" access via the firewall
(Diagram: Enterprise Security Zone | disconnect point | DMZ holding replicated services and an application data mirror | disconnect point | Industrial Security Zone. No direct traffic between the two zones.)

Defense-in-Depth: Network Firewalls - Unified Threat Management (UTM)
Modern firewalls provide a range of security services:
- Firewall with application-layer security: multi-layer packet and traffic analysis; advanced application and protocol inspection services; network application controls
- IPS and Anti-X defenses: real-time protection from application- and OS-level attacks; network-based worm and virus mitigation; spyware, adware and malware detection and control; on-box event correlation and proactive response
- Access control and authentication: flexible user- and network-based access control services; stateful packet inspection; integration with popular authentication sources including Microsoft Active Directory, LDAP, Kerberos and RSA SecurID
- SSL and IPsec connectivity: threat-protected SSL and IPsec VPN services; zero-touch, automatically updateable IPsec remote access; flexible clientless and full-tunneling-client SSL VPN services; QoS/routing-enabled site-to-site VPN
- Intelligent networking services: low latency; diverse topologies; multicast support; services virtualization; network segmentation and partitioning; routing, resiliency and load balancing
Remote Access Example: Offsite Connection for an SI/OEM
- Required to view a machine's PLC processor from a hotel room to help troubleshoot the system
- Upload the alarm datalog from the site
(Diagram: OEM, SI or engineer connecting remotely to the factory's processing, filling and material handling areas.)

Remote Access Example: Secure Connection from Within the Organisation
- View manufacturing data from web reporting software for decision makers who are located in the enterprise (office) zone
(Diagram: a web reporting server in the data center serving the processing, filling and material handling areas.)

Scalable Secure Remote Access Considerations - Direct vs. Indirect Access: Direct Access
The remote site connects directly to the Industrial Plantwide Systems.
Design considerations - how will these be enforced?
- Network and application authentication and authorization
- Change management, version control, regulatory compliance, and software license management
- Remote client health management
- Alignment with established IACS security standards

Direct Connection Examples, e.g. 3G/HSDPA Modems
- A potential benefit of 3G/HSDPA gateways for remote access is that they could avoid IT concerns with connecting automation equipment to the company LAN and configuring a VPN to allow the remote OEM technician access to the IACS.
- 3G/HSDPA gateways aren't an end in themselves; they still require a defense-in-depth security approach. The open questions are:
  - Network and application authentication/authorization?
  - Change management, version control, regulatory compliance, and software license management?
  - Remote client health management?
  - Alignment with established IACS security standards?
Scalable Secure Remote Access Considerations - Direct vs. Indirect Access: Indirect Access
The remote site connects through a Remote Access Server (RAS) to the Industrial Plantwide Systems.
Design considerations:
- Greater network and application authentication and authorization
- Simplified asset management: change management, version control, regulatory compliance, and software license management
- Simplified remote client health management
- Greater alignment with established IACS standards

Reference Architecture: Cisco / Rockwell Validated Design
http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf

Reference Architecture: High Level Architecture Review
Remote access involves cooperation between:
- Enterprise Zone
- Automation Demilitarized Zone (Automation DMZ)
- Manufacturing Zone: cell and area devices, industrial protocols
- Information Technologies (IT) and infrastructure of the facility
Designing it requires knowledge of the data that must move from the plant to enterprise systems.

Remote Desktop Technologies: Options Recommended in the Reference Architecture
Remote desktop allows a user to remotely view and control another computer: the user sees the remote computer's screen while sending keystrokes and mouse movements to it. Two options are discussed today:
- Option 1: host a remote desktop session from the Cisco firewall
- Option 2: host a remote desktop session from a Microsoft Windows Server 2008 R2 computer
(Diagram: in both options a Remote Desktop Client opens a secure RDP session to a Remote Desktop Host; in option 1 the session is brokered by the firewall, in option 2 by the Windows Server 2008 R2 machine.)
Remote Desktop Protocol via Cisco ASA 5500 Firewall
- Remote Desktop Gateway functionality hosted from the Cisco ASA firewall
- Same user experience as Microsoft Remote Desktop Gateway
- Configure the firewall to host the RDP session
(Two further slides show screenshots of the ASA configuration.)

Remote Desktop Gateway via Windows Server Solution
- Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway, is a role service in the Remote Desktop Services server role included with Windows Server 2008 R2.
- Enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.
- RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and internal network resources.
(Diagram: HTTPS remote access via Remote Desktop Gateway.)
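The DMZ rules (traffic from either side terminates in the DMZ, no control traffic into it, be prepared to turn off access at the firewall) and the indirect-access path through an RD Gateway to a Remote Access Server can be checked mechanically against the firewall rule set rather than by reading diagrams. The script below is an added example, not code from the deck or the Cisco/Rockwell reference architecture: it parses a small constructed ASA-style extended ACL (a simplified subset of the syntax: single-port "eq" matches, no object-groups) against a hypothetical address plan, flags any permit that lets Enterprise traffic reach the Industrial zone without terminating in the DMZ, lets EtherNet/IP (TCP/UDP 44818, UDP 2222) into the DMZ, or lets RDP into the Industrial zone from anything other than the DMZ gateway to the Remote Access Server, and emits the "disconnect point" deny line. All addresses, ACL names and hosts are assumptions for the example.

```python
"""Audit an ASA-style ACL against the deck's DMZ rules.

Added example, not code from the CPwE reference architecture. The address
plan, hosts and ACL are constructed for illustration; the grammar handled is
a simplified subset of Cisco ASA 'access-list ... extended' syntax.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical zone address plan (assumed for the example).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),  # Levels 4-5
    "dmz":        ipaddress.ip_network("10.20.0.0/24"),  # Automation DMZ
    "industrial": ipaddress.ip_network("10.30.0.0/16"),  # Levels 0-3
}
RD_GATEWAY = ipaddress.ip_network("10.20.0.10/32")  # RD Gateway in the DMZ (assumed)
RAS = ipaddress.ip_network("10.30.1.10/32")         # Remote Access Server, Level 3 (assumed)
# EtherNet/IP: explicit messaging on TCP/UDP 44818, implicit I/O on UDP 2222.
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}
PORT_NAMES = {"https": 443, "www": 80}   # ASA port keywords we accept


@dataclass
class Rule:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]


def _addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M' starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tok[i] + "/" + tok[i + 1]), i + 2


def parse_acl(text: str) -> List[Rule]:
    """Turn 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into Rules."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        port = None
        if i < len(tok) and tok[i] == "eq":
            port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        rules.append(Rule(tok[1], tok[3], tok[4], src, dst, port))
    return rules


def audit(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Return (ACL name, finding) for every permit that breaks a DMZ rule."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue
        to_ind = r.dst.overlaps(ZONES["industrial"])
        to_dmz = r.dst.overlaps(ZONES["dmz"])
        # Rule 1: nothing enters the Industrial zone except from the DMZ.
        if to_ind and not r.src.subnet_of(ZONES["dmz"]):
            findings.append((r.acl, "direct traffic into the Industrial zone bypasses the DMZ"))
        # Rule 2: control traffic stays home; no EtherNet/IP into the DMZ.
        if to_dmz and (r.proto, r.port) in ENIP_PORTS:
            findings.append((r.acl, "EtherNet/IP control traffic permitted into the DMZ"))
        # Rule 3: RDP into the Industrial zone only from the gateway to the RAS.
        rdp_ok = r.src == RD_GATEWAY and r.dst == RAS
        if to_ind and r.proto == "tcp" and r.port == 3389 and not rdp_ok:
            findings.append((r.acl, "RDP into the Industrial zone must be RD Gateway -> RAS only"))
    return findings


def kill_switch(acl: str, zone: str) -> str:
    """The 'disconnect point': a deny line to insert at the top of an ACL."""
    net = ZONES[zone]
    return f"access-list {acl} line 1 extended deny ip any {net.network_address} {net.netmask}"


# Constructed ACL for the example (not from any real deployment).
SAMPLE_ACL = """\
access-list OUTSIDE_IN extended permit tcp any host 10.20.0.10 eq https
access-list ENT_IN extended permit tcp 10.10.0.0 255.255.0.0 host 10.20.0.10 eq 443
access-list ENT_IN extended permit tcp 10.10.0.0 255.255.0.0 host 10.30.1.10 eq 3389
access-list DMZ_IN extended permit tcp host 10.20.0.10 host 10.30.1.10 eq 3389
access-list IND_IN extended permit tcp 10.30.0.0 255.255.0.0 host 10.20.0.20 eq 44818
access-list IND_IN extended permit tcp 10.30.0.0 255.255.0.0 host 10.20.0.30 eq 1433
access-list OUTSIDE_IN extended deny ip any any
"""

if __name__ == "__main__":
    for acl, why in audit(parse_acl(SAMPLE_ACL)):
        print(f"{acl}: {why}")
    print(kill_switch("ENT_IN", "industrial"))
```

Run stand-alone, the sample ACL produces three findings: the ENT_IN line that opens RDP from the enterprise straight to the Remote Access Server (it both crosses the DMZ and is not the gateway-to-RAS path), and the IND_IN line that lets EtherNet/IP into the DMZ. The gateway-to-RAS RDP rule and the HTTPS rule to the RD Gateway pass. The same check applies whether the RDP session is brokered by the ASA (option 1) or by the Windows RD Gateway (option 2); a real ACL also carries object-groups, port ranges and remarks, which this parser deliberately does not handle.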
Secure Remote Access: Converged Plantwide Ethernet (CPwE) RD Gateway
Secure remote access for employees and trusted partners, meeting the security requirements of IT:
- Common IT infrastructure
- Following established Industrial Control System security standards
- Defense-in-depth
- DMZ
- Enables remote asset management: monitoring, configuration and audit
- Helps simplify change management, version control, regulatory compliance and software license management
- Helps simplify remote client health management
- One size does not fit all: need scalable secure solutions
(Architecture diagram: a remote engineer or partner reaches the enterprise edge firewall over the Internet via an IPsec VPN or an SSL VPN with a generic VPN client; an enterprise-connected engineer reaches it over the enterprise WAN from the Enterprise Zone, Levels 4 and 5, with the enterprise data center. Remote Desktop Protocol (RDP) over RPC/HTTPS crosses into the Demilitarized Zone (DMZ), built on active/standby firewalls with a Gbps link and failover detection and hosting patch management, an application mirror, an AV server and Remote Gateway Services. From the DMZ, RDP reaches the Remote Access Server (Remote Desktop Services, RSLogix 5000, FactoryTalk View Studio) in the Industrial Zone, Site Operations and Control, Level 3, alongside the FactoryTalk application servers (View, Historian, AssetCentre, Transaction Manager), the FactoryTalk Services Platform (Directory, Security/Audit) and data servers on Catalyst 6500/4500 switches; Catalyst 3750 StackWise switch stacks carry EtherNet/IP down to the Cell/Area Zones, Levels 0-2.)

Web Resources - Security
www.rockwellautomation.com/security

Reference Architecture: Rockwell and Cisco Alliance
http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
Remote Access for End Users
Whitepaper: enet-wp009

Remote Access for OEMs
Whitepaper: enet-wp025

Summary: Security and Remote Access
- Use industry best-practice published guidelines for the secure remote access solution
- Remote connection into the plant: indirect access
- Common IT network infrastructure
- Follow emerging Industrial Automation and Control System security standards
- Implement a defense-in-depth approach: no single product, methodology or technology fully secures industrial networks
- Establish an open dialog between industrial and IT groups
- Establish an industrial security policy, unique from the enterprise security policy
- Establish a DMZ between the Enterprise and Industrial Zones
- Additional information: reference architecture, education series webcast, whitepapers