Transcript of DMZ.pdf
-
Copyright 2014 Rockwell Automation, Inc. All Rights Reserved.
PUBLIC INFORMATION
Industrial Demilitarized Zone Design Principles
Jason J. Dely, CISSP, CISM
Principal Security Consultant, Network & Security Services
-
Course Description
There are many organizations and standards bodies that recommend separating the enterprise zone from the industrial zones by utilizing an industrial demilitarized zone (iDMZ).
This session will describe the basic principles and strategies of designing an iDMZ to separate these two zones.
A prior understanding of general Ethernet concepts, or attendance of the Fundamentals of EtherNet/IP session, is recommended.
-
Agenda
Methodology
What is a DMZ?
Network Segmentation
-
Industrial Network Convergence: Continuing Trend
EtherNet/IP - Enabling/Driving Convergence of Control and Information
[Diagram: Traditional 3 Tier Industrial Network Model. The Corporate Network (back-office mainframes and servers such as ERP and MES; office applications, internetworking, data servers, storage) reaches the Industrial Network only through a Control Network Gateway; the Industrial Network holds supervisory control, HMI, controllers, safety I/O and I/O, sensors and other input/output devices, motors, drives, actuators and robotics.]
[Diagram: Converged Plantwide EtherNet/IP Industrial Network Model. A single EtherNet/IP network carries the corporate network services together with supervisory control, HMI, safety controller, controller, I/O, sensors and other input/output devices, motors, drives, actuators, robotics, and also cameras and phones.]
-
Industrial Network Convergence Continuing Trend: Demilitarized Zone (DMZ)
[Diagram: the Converged Plantwide EtherNet/IP Industrial Network Model with a DMZ inserted between the Corporate Network and the Industrial Network. The DMZ is fronted by an active/standby firewall pair joined by a link for failover. The Industrial Network holds supervisory control, HMI, safety controller, controller, safety I/O, I/O, sensors and other input/output devices, motors, drives, actuators, robotics, camera and phone.]
DMZ functions shown:
Firewalls for separation
Unified Threat Management
Authentication & Authorization
Application & Data Sharing via replication or terminal services
Patch Management
Remote Access Services
Application Mirrors
Anti-Virus Servers
-
Demilitarized Zone (DMZ)
Sometimes referred to as a perimeter network, a DMZ exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.
[Diagram: UNTRUSTED (Internet) | BROKER DMZ (Web Proxy) | TRUSTED]
-
Controlling Access to the Manufacturing Zone
No Direct Traffic Flow from Enterprise to Manufacturing Zone
[Diagram: zones and levels, top to bottom]
Enterprise Zone: Level 5, Enterprise Network (Router); Level 4, Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
Firewall
DMZ: Terminal Services, Patch Management, AV Server, Historian Mirror, Web Services, Operations Application Server
Firewall
Manufacturing Zone: Level 3, Site Manufacturing Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller)
Cell/Area Zone: Level 2, Area Supervisory Control (FactoryTalk Client, Operator Interface, Engineering Workstation); Level 1, Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0, Process (Sensors, Drives, Actuators, Robots)
Traffic annotations on the diagram: Web, E-Mail, CIP
-
Agenda
Methodology
What is a DMZ?
Network Segmentation
-
Methodology
Develop a scientific method that produces repeatable, measurable and maintainable solutions.
Look at the problem holistically and drill down to each system.
-
DMZ / Network Reconnaissance (Design Pre-work)
Identify Assets or Asset Classes: Identify the types of assets in the Manufacturing Zone and those that support manufacturing.
ACTION: Document assets by documentation, interviews and network scanning.
Identify Asset Owners: Identify who owns the hardware and software on the asset.
ACTION: Document asset owners and schedule interviews.
[Phase bar: Recon Phase, Requirements Phase, Architectural Phase, Tech. Design Phase, Implement, Maintain]
-
Classify Asset Types
Goal: Identify assets that support the manufacturing process.
Goal: Identify whether each asset belongs in the Mfg. or Enterprise Zone.
-
Diagram Data Sources Feeding Higher Level Assets
-
Identify System Owners / Users
-
Interview Process
The interview process identifies how the owners and clients of the assets:
Operate
Configure
Patch
Upgrade
It identifies where the data is produced and consumed.
This process is used to gather requirements.
-
DMZ / Network Design Methodology
Requirements Phase
Requirements are a statement identifying a capability, physical characteristic or quality factor that bounds a product or process problem for which a solution will be pursued. (Source: IEEE Standard 1220-1994)
ACTION: Interview all system owners to gather requirements for operations, configuration and maintenance.
Architectural Phase
High level architectural recommendations that are proposed to meet the customer requirements.
ACTION: Produce high level documentation and drawings to meet every requirement.
Technical Design Phase
Detailed information, usually written by the coder or implementer, that describes how the system or product will be programmed and configured to meet the customer requirements and the high level architecture.
ACTION: Produce detailed documentation such as drawings, switch configurations, VLANs, IP addresses and firewall ACLs.
Implementation
The system components are brought together and tested during this phase per the testing plan.
ACTION: Verify (was the product built right?) and Validate (was the right product built?).
Maintain
The system has been Verified and Validated and is maintained by Operations and Maintenance.
ACTION: Modify configurations and assets to fix anomalies or make required operational changes.
-
High Level Architecture
-
How to Derive High Level Architecture
No Control Protocols Through the Firewall(s)
[Diagram: Enterprise zone, Industrial DMZ and Manufacturing zone, with the assets to be placed: Actor, Client, MES, Historian, QC Systems, Order Entry.]
-
Move the Assets Around to Minimize Cross-Zone Traffic, Especially Control Protocols
[Diagram: the same assets (Actor, Client, MES, Historian, QC Systems, Order Entry) repositioned across Enterprise, Industrial DMZ and Manufacturing; a Historian Mirror and a Data Proxy are placed in the Industrial DMZ between the Manufacturing Historian and the Enterprise Historian.]
-
High Level Architecture: Review All Use Cases and Meet All Requirements
Use Case: Configure Historian from Enterprise
[Diagram: the session is brokered by a Remote Desktop Gateway in the Industrial DMZ.]
-
High Level Architecture: Review Use Cases
Use Case: Move Data from Manufacturing Historian to Enterprise Historian
[Diagram: the data passes through the Historian Mirror in the Industrial DMZ.]
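The two use cases on these slides (configure the historian from the Enterprise through the Remote Desktop Gateway; move data from the Manufacturing historian to the Enterprise historian through the Historian Mirror), together with the two principles stated earlier (no direct traffic flow from Enterprise to Manufacturing; no control protocols through the firewalls), can be turned into a check that runs over the proposed firewall rule table during the technical design phase. The Python below is an added example, not code from the presentation or from Rockwell Automation; the zone names, the rule layout, the port numbers (CIP on TCP/UDP 44818 and UDP 2222, RD Gateway on TCP 443, RDP on TCP 3389, and an assumed historian replication port 5450) and the sample rules are constructed for it.

```python
"""Added example, not from the presentation: a small checker that tests a
firewall rule table against the iDMZ design principles in the deck.

  1. No direct traffic flow between the Enterprise and Manufacturing zones:
     every cross-zone flow terminates on a broker in the DMZ.
  2. No control protocols through the firewall(s).
  3. Every documented use case is still satisfied by a chain of DMZ hops.

The zone names, rule layout, port numbers and sample rules below are
assumptions constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple

Hop = Tuple[str, str, str, int]  # (src_zone, dst_zone, proto, dst_port)

# EtherNet/IP (CIP) ports: TCP/UDP 44818 explicit messaging, UDP 2222 implicit I/O.
CONTROL_PORTS: Set[Tuple[str, int]] = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}
HISTORIAN_PORT = 5450  # assumed historian replication port for this example


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: int
    action: str = "permit"

    @property
    def hop(self) -> Hop:
        return (self.src_zone, self.dst_zone, self.proto, self.dst_port)


def check_rules(rules: Sequence[Rule]) -> List[str]:
    """Return one finding per principle that a permit rule violates."""
    findings: List[str] = []
    for r in rules:
        if r.action != "permit" or r.src_zone == r.dst_zone:
            continue  # denies and intra-zone traffic never cross the firewalls
        if {r.src_zone, r.dst_zone} == {"enterprise", "manufacturing"}:
            findings.append(f"{r.name}: direct enterprise/manufacturing flow; broker it through the DMZ")
        if (r.proto, r.dst_port) in CONTROL_PORTS:
            findings.append(f"{r.name}: control protocol {r.proto}/{r.dst_port} through the firewall")
    return findings


def use_case_satisfied(rules: Sequence[Rule], hops: Sequence[Hop]) -> bool:
    """True if every hop of the use case is permitted and has one end in the DMZ."""
    permitted = {r.hop for r in rules if r.action == "permit"}
    return all(h in permitted and "dmz" in h[:2] for h in hops)


# Constructed rule table for the two use cases on the slides.
RULES: List[Rule] = [
    Rule("ent-to-rdgw", "enterprise", "dmz", "tcp", 443),            # Remote Desktop Gateway
    Rule("rdgw-to-historian", "dmz", "manufacturing", "tcp", 3389),  # gateway opens the RDP session
    Rule("historian-to-mirror", "manufacturing", "dmz", "tcp", HISTORIAN_PORT),
    Rule("ent-historian-to-mirror", "enterprise", "dmz", "tcp", HISTORIAN_PORT),
]

# The same table with two shortcut rules that break the principles.
BAD_RULES: List[Rule] = RULES + [
    Rule("ent-to-controller", "enterprise", "manufacturing", "tcp", 44818),
    Rule("mes-to-historian", "enterprise", "manufacturing", "tcp", HISTORIAN_PORT),
]

USE_CASES: Dict[str, List[Hop]] = {
    "configure historian from enterprise via RD gateway": [
        ("enterprise", "dmz", "tcp", 443),
        ("dmz", "manufacturing", "tcp", 3389),
    ],
    "move data from manufacturing historian to enterprise historian via mirror": [
        ("manufacturing", "dmz", "tcp", HISTORIAN_PORT),
        ("enterprise", "dmz", "tcp", HISTORIAN_PORT),
    ],
}


def review(rules: Sequence[Rule]) -> Dict[str, object]:
    """Architecture review in one call: principle findings plus use-case coverage."""
    return {
        "findings": check_rules(rules),
        "use_cases": {name: use_case_satisfied(rules, hops) for name, hops in USE_CASES.items()},
    }


if __name__ == "__main__":
    for label, table in (("proposed", RULES), ("with shortcuts", BAD_RULES)):
        print(label, review(table))
```

Running it reports no findings for the proposed table and three for the table with shortcuts (the direct CIP rule trips both principles). The use-case check also rejects any hop that does not have one end in the DMZ, so a rule that permits the traffic directly between Enterprise and Manufacturing is never counted as satisfying a use case.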
-
Agenda
Methodology
What is a DMZ?
Network Segmentation
-
Manufacturing Zone Architecture to support DMZ
Division of plant into functional areas for secured access
ISA-SP99 Zones and Conduit model
OEMs Participation
IP Address
VLAN IDs
Access layer to Distribution layer cooperation
System design requires full cooperation of all System Integrators, OEMs, IT and Engineering
-
[Diagram: Converged Plantwide EtherNet/IP reference architecture]
Enterprise Zone, Levels 4 and 5: ERP, Email, Wide Area Network (WAN); Catalyst 6500/4500
Demilitarized Zone (DMZ): Cisco ASA 5500 firewalls, active and standby, with a Gbps link for failover detection; Patch Management, Terminal Services, Application Mirror, AV Server, Remote Access Server
Industrial Zone, Site Operations and Control, Level 3: Cisco Catalyst switch (Catalyst 3750 StackWise switch stack); FactoryTalk Application Servers (View, Historian, AssetCentre, Transaction Manager); FactoryTalk Services Platform (Directory, Security/Audit); Data Servers; Network Services (DNS, DHCP, syslog server, network and security management)
Cell/Area Zones, Levels 0-2: Rockwell Automation Stratix 8000 Layer 2 access switches; Cell/Area #1, #2 and #3, each with controllers, drives, HMIs and I/O; VLANs 41-44 and 101-105
Link types: Layer 2 access link; Layer 2 interswitch link / 802.1Q trunk; Layer 3 link
Security and availability are called out at the data link / network layers.
Control Systems are Designed with Availability Requirement First!
-
Structure and Hierarchy. Network Segmentation: Building Block for Availability
The Cell/Area zone is a Layer 2 network for a functional area of the plant floor. Key network considerations include:
Structure and hierarchy using smaller Layer 2 building blocks
Logical segmentation for traffic management and policy enforcement to accommodate time-sensitive applications
[Diagram: Cell/Area Zones (Levels 0-2) as Layer 2 building blocks, each with Level 0 drives and I/O, Level 1 controllers and Level 2 HMIs on Rockwell Automation Stratix 8000 Layer 2 access switches, connected to the Layer 3 building block, a Layer 3 distribution switch (Catalyst 3750 StackWise switch stack). Cell/Area Zone #1: redundant star topology, Flex Links resiliency. Cell/Area Zone #2: ring topology, Resilient Ethernet Protocol (REP). Cell/Area Zone #3: bus/star topology. Media & connectors, security and availability are annotated.]
-
Machine Types: Building Blocks for Security Specifications
[Diagram: the three Cell/Area Zones (Levels 0-2) on Rockwell Automation Stratix 8000 Layer 2 access switches and the Catalyst 3750 StackWise switch stack, as on the previous slide: #1 redundant star topology with Flex Links resiliency, #2 ring topology with Resilient Ethernet Protocol (REP), #3 bus/star topology, each with controllers, drives, HMIs and I/O; security and availability annotated.]
Specification categories per machine type:
Availability Requirements: networking, routing
Information Requirements: interfaces, controller data structure
Security Requirements (C, I, A)
Machine or Cell Level Interfaces: Historian, OS patch, AV server, workstations, remote session hosts, HMI servers
-
We care what you think!
Please take a couple of minutes to complete a quick session survey to tell us how we're doing.
On the mobile app:
1. Locate the session using Schedule or Agenda Builder
2. Click on the thumbs up icon on the lower right corner of the session detail
3. Complete the survey
4. Click the Submit Form button
Thank you!!
-
www.rsteched.com
Follow RSTechED on Facebook & Twitter. Connect with us on LinkedIn.
PUBLIC INFORMATION
Questions?