Thanks for joining!
We will begin in just a few minutes as more people come on line.
IoT Security Talks – Industrial Firewall Deployment Models, 2016 August 25
Robert Albach – Product Line Manager IoT Security
Sunil Maryala – Technical Marketing Engineer IoT Security
Agenda
• :00 Welcome to Tech Talks – Mechanics of Tech Talks
• :03 Industrial FW Deployments – Standards & Verticals Review; Industrial FW Attributes; Configuration Considerations; Deployment Scenarios
• @ :45 Question and Answer
Tech Talk Mechanics – How these events will operate
• With many people on-line we will mute all but the presenters
• We will try to answer questions at the end
• Please use the “Question and Answer” feature for questions
• If we don’t get to your question, we will try to answer them off-line
• The presentation and recording will be placed on the Community support site:
https://supportforums.cisco.com/
Who This Presentation is For:
• Cisco customers, partners, employees
• Assumption:
• Your background is primarily in classic IT environments
• OR
• You are an OT practitioner with security responsibility
• You have SOME amount of firewall basic understanding
• You are likely to have some responsibility in OT in the future or do so already.
Standards / Regulations / Guidelines
ISA 95 / 99
Evolve to Security: Phased Security Architecture
• First Phase – Secured Connectivity: Zone Segmentation, Controlled Conduits (ISA-95, 99 / IEC 62443, NERC / NIST)
• Second Phase – Secured Visibility & Control: Application Control, Threat Control (ISA-95, 99 / IEC 62443, NERC / NIST)
• Third Phase – Converged Security & Depth: Policy Driven Response, Deeper Vision / Control (ISO / IEC 27001:2013)
Reference architecture levels and zones (from the slide diagram):
• Level 5 – Enterprise Network (Enterprise Zone): E-Mail, Intranet, etc.
• Level 4 – Site Business Planning & Logistics Network (Enterprise Zone)
• DMZ: Terminal Server, RDP Server, App Server, Patch Mgmt.
• Level 3 – Site Manufacturing Operations and Control (Manufacturing Zone): FactoryTalk App Server, FactoryTalk Directory, Engineering Workstation, Domain Controller
• Level 2 – Area Supervisory Control (Cell/Area Zone): FactoryTalk Client, HMI, Magelis HMI, Engineering Workstation, Operator Interface
• Level 1 – Basic Control (Cell/Area Zone): Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
• Level 0 – Process (Cell/Area Zone): Sensors, Drives, Actuators, Robots
Use Case Themes
• Secure Connectivity – What can connect; What can talk to what
• Threat Control – What is vulnerable; Protect the vulnerable
• Safe Environment – Network protection; Device protections
• Secure Remote Access – How to secure access; What are the controls for access
Cisco / Rockwell Validated Designs
Utilities – Sub-Station Deployment
• In-Line
• Between Sub-Station router and “cell” switch boundary
• Transparent or Routed Operation
• Normally an HA pair
• Cisco Validated Designs
• OT operation configurations
• Multi-Function Role
• Operation Control
• Threat Control
• VPN Access
Cisco Validated Designs: Substation Security
Cisco IoT System Security in Action – Protect Critical Infrastructure Through Network Segmentation
Cisco Connected Pipelines
Cisco combines its own expertise in oil and gas systems with entities such as Schneider Electric for deployment services.
• An end-to-end smart connected solution based on industry best practices for pipeline infrastructures and network architectures.
• Flexible, modular approach from assessment, design, and test to deployment, installation and support.
• Collaborative expertise and service from the leaders in SCADA, network connectivity, and security resulting in cost savings and optimized operations.
Commonality: Segmentation
• Zones / Conduits
• Sub-Nets
• Cells
• Stations
• Distinct Functionality
Registration – Survey Results (where attendees place the firewall)
• Just Below PLC: 6%
• Between PLC and Zone Switch: 21%
• On Span Zone Switch: 7%
• Between Zone and Agg Switch: 36%
• On Span at Aggregation Switch: 6%
• Upstream of Aggregation Switch: 23%
Industrial FireWall Options
ISA 3000
ASA 5506H
ASA 5525X
Configured for OT Configured for IT
ISA 3000 – Hardware Features (panel labels)
• RJ Console
• Power Input A, 5.0 mm Centers
• Reset
• Front Serial Label
• Mini USB Console with Hazloc Covers
• Dual USB-A With Hazloc Covers
• Power Input B, 5.0 mm Centers
• Alarm Connector, 3.81 mm Centers
• Chassis Ground Connection
• RJ Management Port
• Dual Ethernet Ports
• Dual Ethernet Ports (Copper Bypass)
• SD Card Slot
Industrial Security Appliance
Features that drive deployment considerations
• Hardware Bypass
• Software Bypass
• Rule Options
• Latency Controls
• Hitless Updates*
• High Availability
• NAT
• VPN
• RDP Access
ISA 3000 – SW Architecture
Industrial Security Appliance
• ASA Firewall: Access Control – Device / User; VPN; Quality of Service; NAT
• FirePower Services: Application FW; Threat Control; Device ID; Behavior Control
• ASDM – OnBox Management
ISA-3000 Default Config (Cont’d)
• Interface configuration
interface GigabitEthernet1/1
bridge-group 1
nameif outside1
no shutdown
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside1
security-level 100
no shutdown
!
interface GigabitEthernet1/3
bridge-group 1
nameif outside2
no shutdown
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside2
security-level 100
no shutdown
interface BVI 1
no ip address
Connecting ISA3000
• Management Computer on Interface Management 1/1: ASA Mgmt IP=192.168.1.1/24, FirePOWER Mgmt IP=192.168.1.45/24
• Interface Gigabit 1/1: Public 1 / Outside 1 Network
• Interface Gigabit 1/2: Private 1 / Inside 1 Network
• Interface Gigabit 1/3: Public 2 / Outside 2 Network
• Interface Gigabit 1/4: Private 2 / Inside 2 Network
• By default the ISA-3000 provides bridge-mode transparency with a “connectivity over security” paradigm.
ISA-3000 Default Configuration
• Firewall Operation Mode: firewall transparent
• Traffic flow between Firewall & IPS: Inline Mode or Passive (monitor-only) Mode; the ISA3000 default is Passive (monitor-only)
ISA-3000 Default Config – Firewall - ACL
access-list allowAll extended permit ip any any
access-list sfrAccessList extended permit ip any any
!
access-group allowAll in interface outside1
access-group allowAll in interface outside2
!
same-security-traffic permit inter-interface
ISA-3000 Default Config – Firewall
• FirePower (SFR) Traffic re-direct
class-map sfrclass
match access-list sfrAccessList
!
policy-map global_policy
class sfrclass
sfr fail-open monitor-only
!
service-policy global_policy global
ASA Modular Policy Framework
class-map sfr
 match access-list sfr-access-list
policy-map sfrpolicy
 class sfr
  sfr fail-close monitor-only
ciscoasa(config)# show service-policy sfr
Global policy:
 Service-policy: global_policy
  Class-map: match_all
   SFR: card status Up, mode fail-open
    packet input 71505, packet output 71563, drop 56, reset-drop 0
Fail Open / Fail Close – Firewall vs. IPS
• Historically these terms have been used in opposite senses by the two communities, which causes confusion
• For Firewall use:
• “Open” means – like an electric switch – no signal
• “Closed” means – electric switch closed – signal can go through
• For IPS use:
• “Open” means – like a door – signal / packets go through
• “Closed” means – door is closed – no signal / packets
• Firewalls – deny all unless it matches a rule
• IPS – ignore all unless it matches a rule
More OT Centric
Hardware Bypass Overview
• Hardware bypass is useful to maintain connectivity when the system loses power. It is available on copper interfaces only, and only in transparent mode
• Regular data path (PHY / MAC / CPU) between Interface G1/1 and Interface G1/2, shown with HW bypass enabled vs. HW bypass disabled
• Bypass works at layer 1, supported by hardware relay devices
• Bypass works on interface pairs
• On ISA3000-2C2F: G1/1 and G1/2
• On ISA3000-4C: G1/1 and G1/2, G1/3 and G1/4
ISA-3000 Default Config (Cont’d)
• Hardware bypass
no hardware-bypass boot-delay module-up sfr
!
hardware-bypass Gigabit Ethernet 1/1-1/2
hardware-bypass Gigabit Ethernet 1/3-1/4
HW Bypass Configuration Commands
• Enable bypass at next powerdown
• ciscoasa(config)# hardware-bypass gigabitEthernet 1/1-1/2
• Enable bypass at next powerdown AND powerup
• ciscoasa(config)# hardware-bypass gigabitEthernet 1/1-1/2 sticky
• Disable bypass at next powerdown AND powerup
• ciscoasa(config)# no hardware-bypass gigabitEthernet 1/1-1/2
• Disable bypass only after module sfr is ready
• ciscoasa(config)# hardware-bypass boot-delay module-up sfr
• Manually enable/disable bypass
• ciscoasa# hardware-bypass manual gigabitEthernet 1/1-1/2
• ciscoasa# no hardware-bypass manual gigabitEthernet 1/1-1/2
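The default-config fragments above (the any/any access-lists, the `sfr fail-open monitor-only` redirect and the hardware-bypass lines), the fail-open / fail-close terminology and the bypass commands together decide what happens to a cell's traffic when the appliance is unhealthy. The following Python audit is an added example, not Cisco's code and not a tool from this presentation: it parses those fragments into a small policy record, lists the settings that favour connectivity over enforcement, and approximates whether an in-line flow on a bypass pair is forwarded when the sfr module is down or power is lost. The CONTROL_CONFIG variant, the AsaPolicy field names and the forwarded() model are assumptions for illustration; the config text is constructed from the slides.

```python
"""Audit of the ISA-3000 'connectivity over security' defaults.

Added example, not Cisco's code.  Parses the ASA CLI fragments shown on the
slides and reports which settings keep traffic flowing instead of enforcing,
then approximates the fate of an in-line flow when the FirePOWER (sfr) module
is down or the appliance loses power.  Forwarding logic is an approximation
of the slide semantics, not the appliance's real data path.
"""
import re
from dataclasses import dataclass, field

# Constructed from the default-config slides (interface stanzas omitted).
DEFAULT_CONFIG = """\
firewall transparent
access-list allowAll extended permit ip any any
access-list sfrAccessList extended permit ip any any
access-group allowAll in interface outside1
access-group allowAll in interface outside2
policy-map global_policy
 class sfrclass
  sfr fail-open monitor-only
no hardware-bypass boot-delay module-up sfr
hardware-bypass GigabitEthernet 1/1-1/2
hardware-bypass GigabitEthernet 1/3-1/4
"""

# Hypothetical in-line control variant using commands from the slides:
# inspection becomes blocking and bypass is held until the module is ready.
# The any/any ACL is deliberately left so the audit still reports it.
CONTROL_CONFIG = DEFAULT_CONFIG.replace(
    "sfr fail-open monitor-only", "sfr fail-close"
).replace("no hardware-bypass boot-delay", "hardware-bypass boot-delay")


@dataclass
class AsaPolicy:
    transparent: bool = False
    permit_any_acls: set = field(default_factory=set)
    acl_on_interface: dict = field(default_factory=dict)  # nameif -> ACL name
    sfr_fail_mode: str = ""                               # fail-open / fail-close
    sfr_monitor_only: bool = False
    bypass_pairs: dict = field(default_factory=dict)      # "1/1-1/2" -> sticky?
    bypass_boot_delay: bool = False                       # hold bypass until sfr up


def parse_asa(text):
    """Extract the deployment-relevant settings from an ASA running-config."""
    p = AsaPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "firewall transparent":
            p.transparent = True
        elif m := re.match(r"access-list (\S+) extended permit ip any any$", line):
            p.permit_any_acls.add(m.group(1))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            p.acl_on_interface[m.group(2)] = m.group(1)
        elif m := re.match(r"sfr (fail-open|fail-close)( monitor-only)?$", line):
            p.sfr_fail_mode = m.group(1)
            p.sfr_monitor_only = m.group(2) is not None
        elif line == "hardware-bypass boot-delay module-up sfr":
            p.bypass_boot_delay = True
        elif m := re.match(r"hardware-bypass gigabit ?ethernet (\S+)( sticky)?$",
                           line, re.IGNORECASE):
            p.bypass_pairs[m.group(1)] = m.group(2) is not None
    return p


def findings(p):
    """Settings that favour connectivity over enforcement, one string each."""
    out = []
    if p.transparent:
        out.append("transparent mode: layer-2 bridge (required for hardware bypass)")
    for nameif, acl in sorted(p.acl_on_interface.items()):
        if acl in p.permit_any_acls:
            out.append(f"{nameif}: ACL {acl} permits ip any any, no firewall control")
    if p.sfr_fail_mode == "fail-open":
        out.append("sfr fail-open: traffic forwarded while the FirePOWER module is down")
    if p.sfr_monitor_only:
        out.append("sfr monitor-only: FirePOWER sees a copy and cannot block")
    for pair, sticky in sorted(p.bypass_pairs.items()):
        when = "at power-down and power-up (sticky)" if sticky else "at power-down"
        out.append(f"hardware bypass {pair}: enabled {when}")
    if p.bypass_pairs and not p.bypass_boot_delay:
        out.append("no boot-delay module-up sfr: bypass released before the module is ready")
    return out


def forwarded(p, pair, powered, module_up, booting=False):
    """Approximate fate of an in-line flow on an interface pair.
    Returns (passes, enforced, reason); ACL contents are not evaluated."""
    if not powered:
        if p.transparent and pair in p.bypass_pairs:
            return True, False, "bypass relay closed: layer-1 pass-through"
        return False, False, "appliance down and no bypass on this pair"
    if booting and pair in p.bypass_pairs:
        if p.bypass_pairs[pair]:
            return True, False, "sticky bypass stays engaged after power-up"
        if p.bypass_boot_delay and not module_up:
            return True, False, "bypass held until the sfr module is up"
    if not p.sfr_fail_mode:
        return True, False, "no sfr redirect configured"
    if not module_up:
        if p.sfr_fail_mode == "fail-open":
            return True, False, "sfr fail-open: forwarded without inspection"
        return False, False, "sfr fail-close: dropped until the module is up"
    return True, not p.sfr_monitor_only, "normal data path through FirePOWER"
```

Running `findings(parse_asa(DEFAULT_CONFIG))` lists eight items, every one of them a "keep the line running" choice; the control variant still reports the transparent bridge, the two any/any ACLs and the bypass pairs, which is the reminder that fixing the sfr fail mode alone does not turn a visibility deployment into a control deployment. The `booting` flag separates boot-time behaviour (where `boot-delay module-up sfr` and `sticky` matter) from a module failure during normal operation, where only the sfr fail mode decides.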
HA (Active / Passive) Configuration Requirements
• Be in the same firewall mode (routed or transparent).
• Have the same major and minor software version.
Visibility Options: Packet Capture / NetFlow
• Available broad visibility options:
• NetFlow capture
• Packet capture
• (separate from rule driven packet capture)
Know Your Rules – Impact of Inspection Process
Modbus IPS rule options – Writing a Modbus rule
Operations Control for Uptime – OT Pre-processors – command inspection – Modbus
Latency Controls Options – Packet and Rule Handling
Deployment Scenarios
Span
• Span off switch
• No “touch” of traffic
• Only see copies
• TCP reset possible
• Visibility only / no traffic control
• Some possible diffs from on-port traffic
• Use Cases:
• Passive ID of devices
• Passive ID of applications
• Passive ID of activity
• Good for transient visibility
• Impossible to detect
• Testing of Rules
Zone / Cell Firewall: Boundary Protection Above Switch
Diagram: Machine #1, Machine #2, Catalyst 2960, HMI Server, Catalyst 3750-X, Stratix 5700, two Stratix 5900, Line Controller, ISA3000
Single Up-Stream / Down-Stream Path
Direct in-line Deployment
Can be passive or in-line mode
Bypass should work normally
Can be an HA pair
Possible termination point for VPN (secured comms)
NAT
Remote Desktop Jump Point
Higher potential to impact traffic
Aggregation Layer Firewall
Diagram: Machine #1, Machine #2, Catalyst 2960, HMI Server, Catalyst 3750-X, Stratix 5700, two Stratix 5900, Line Controller, two ISA3000
ISA3000 Firewall above Aggregation level.
Direct in-line Deployment
Can be passive or in-line mode
High Availability
Broader Visibility
Broader potential impact.
Less Detailed view
VPN termination point (secured comms less close to equipment)
Zone / Cell Firewall: Control Within the Zone
Diagram: Machine #1, Machine #2, Catalyst 2960, HMI Server, Catalyst 3750-X, Stratix 5700, two Stratix 5900, Line Controller, ISA3000
IP enabled devices connect directly to the Firewall and then up to switch
Direct in-line Deployment
Can be passive or in-line mode
Possibly limited bypass capabilities due to port pairings
Highest visibility
NAT capable
VPN termination point (secured comms very close to equipment)
Highest potential for impact.
Zone / Cell Firewall: Control Within the Zone (ring topology)
Firewall participates in ring.
Direct in-line Deployment
Can be passive or in-line mode
Possibly limited bypass capabilities due to port pairings
Highest visibility
NAT capable
VPN termination point (secured comms very close to equipment)
Highest potential for impact.
Phased Deployments of Industrial Firewalls
• First – IT / OT DMZ: Immediate Control and Visibility
• Second – Broad Visibility – Span at Aggregation Levels: NetFlow; Some application level identification
• Third – Detailed Visibility – Span at Cell / Zone Levels: NetFlow / Packet Captures; Application ID / Command levels; Test Rules
• Fourth – In-Line Passive Visibility – Cell / Zone + Aggregation Levels
• Fifth – In-Line Control – Cell / Zone + Aggregation Levels
Before the Q&A Session
• Thanks for attending.
• Let us know:
• Was this session worthwhile to you?
• What future topics would you like to see?
• How might we improve these events?
• Send an email to:
• Sunil Maryala
• Robert Albach
Q&A – Please use the Question and Answer section of WebEx
THANKS!