VPN tunnel over fiber optic line

I have a fiber optic line that goes to my sludge handling facility. It's a 4-strand fiber that is a self-healing redundant ring. We use 1 gig Hirschmann switches.
Currently that network carries the SCADA network and the PLC network.

We have a business network that my operators want access to in the sludge building. The business network is in the Admin building 3000' from the sludge facility. For security reasons we have an air gap between the SCADA/PLC network and our business network. Is there a way to utilize the existing network and install a VPN tunnel that would maintain this air gap?

So far the only solution we have come up with is pulling 3000' of fiber optic line to the sludge building.
 
There are plenty of ways to route the networks together, but I can't think of any viable methods that would maintain the security of the air gap.
 
Question is what the heck you were thinking running 4 strand fiber when you were going to use all of them? :) 🍺

A lot of field buses are running 100 Mbit and not 1 gigabit. IT is likely running gigabit.

Also you might end up with latency problems and bandwidth problems, even though bandwidth and perhaps latency could be controlled with traffic shaping on the firewall.

If it's older fiber it is also likely multi-mode fiber while newer installations would use single-mode.

You also have to consider the engineering time setting up VPNs and firewalls/routers and making it all run without causing problems. While running fiber and the fiber itself costs money, it would not cause any trouble anywhere else.

Maybe you are better off running new fiber.

Anyway, I think if you run both networks inside their own VPNs and have separate firewalls/VPN routers on each side, you might get away with it from a security point of view.

In the end your air gap will probably disappear and get replaced with a firewall. That is my experience. Usually it's stuff like IT integration, anti-virus updates, Windows patching, Windows activation and things like that that mess with the air gap. It's becoming harder and harder to run a network without some kind of internet connection somewhere.
Air gap is no longer best practice, as you then get John sticking his laptop onto your network, people downloading updates etc. on their phone and then plugging that into the SCADA PC, etc.

If you insist on an air gap, then running a cable is probably the best option. There is definitely no way to use the same fibre cables and maintain an air gap.

If you insist on VPNs etc., it is time to properly design your SCADA network, taking into account network monitoring, patching, automated backups etc. Fun project for your team!

Please post back when you decide what method you chose and why.
 
Air gap is no longer best practice, as you then get John sticking his laptop onto your network, people downloading updates etc. on their phone and then plugging that into the SCADA PC, etc.

There are different ways to combat that, for instance running thin clients or remote screen and keyboard over fiber, having the computers in a locked cabinet, having locking ports in the switches, limiting TCP/UDP ports in the switches and placing them in locked cabinets. You can also lock down a lot of rights on the computers when they are part of a domain.

All of the above are things I have encountered in the field. And probably more things I have forgotten.

Anyway, the problem is not the users but the engineers. That's how the Stuxnet virus and others could reach isolated networks with an "air gap".
 
The way I see it, you have 3 options. Listed from most to least expensive.
1. Pull more fibre.
2. Point to point radios.
3. Implement VLANS on the network.
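Added example, not from this thread or any product the posters mention: if the shared ring is split with VLANs (option 3 above) or with a VPN per network and a firewall between the two zones, the air gap becomes a firewall policy, as an earlier reply observed. The script below audits such a zone policy the way a reviewer would before signing off: every SCADA/business cross-zone allow is flagged (narrow host-to-service exceptions for review, anything broader as high), and the policy must end in a default deny. The rule format, zone names and 10.x addresses are constructed for the example.

```python
"""Audit a constructed zone-to-zone firewall policy for an ICS/business split.

Policy format (constructed for this example, not any vendor's syntax):
    <action> <src_zone>-><dst_zone> <src_cidr> <dst_cidr> <proto> <dport|any>
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src_zone: str          # e.g. "scada", "business", "any"
    dst_zone: str
    src: IPv4Network
    dst: IPv4Network
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means any destination port


def parse_rule(line: str) -> Rule:
    """Parse one policy line of the constructed format above."""
    action, zones, src, dst, proto, port = line.split()
    src_zone, dst_zone = zones.split("->")
    return Rule(action, src_zone, dst_zone, ip_network(src), ip_network(dst),
                proto, None if port == "any" else int(port))


def parse_policy(text: str) -> list[Rule]:
    """Parse a whole policy, skipping blank lines and '#' comments."""
    return [parse_rule(line) for line in text.strip().splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def _touches(zone: str, rule_zone: str) -> bool:
    return rule_zone == zone or rule_zone == "any"


def audit(rules: list[Rule], zone_a: str = "scada",
          zone_b: str = "business") -> list[tuple[int, str, str]]:
    """Return (rule_index, severity, message) findings for the policy.

    A cross-zone allow between zone_a and zone_b is always a finding: it is a
    hole in what used to be the air gap. It is rated "review" when pinned to
    a single source host, single destination host and one protocol/port,
    and "high" when any of those is wildcarded. The policy must also end
    with an explicit deny any->any so unlisted traffic is dropped.
    """
    findings: list[tuple[int, str, str]] = []
    if not rules:
        return [(-1, "high", "empty policy: nothing denies cross-zone traffic")]

    for i, r in enumerate(rules):
        crosses = ((_touches(zone_a, r.src_zone) and _touches(zone_b, r.dst_zone))
                   or (_touches(zone_b, r.src_zone) and _touches(zone_a, r.dst_zone)))
        if not crosses or r.action != "allow":
            continue
        broad = (r.src.prefixlen < 32 or r.dst.prefixlen < 32
                 or r.proto == "any" or r.dport is None)
        if broad:
            findings.append((i, "high",
                             f"{r.src_zone}->{r.dst_zone} allow is wider than one "
                             f"host-to-host service ({r.src} -> {r.dst} {r.proto}/{r.dport})"))
        else:
            findings.append((i, "review",
                             f"{r.src_zone}->{r.dst_zone} exception {r.src} -> {r.dst} "
                             f"{r.proto}/{r.dport} needs a documented owner and expiry"))

    last = rules[-1]
    default_deny = (last.action == "deny" and last.src_zone == "any"
                    and last.dst_zone == "any" and last.src.prefixlen == 0
                    and last.dst.prefixlen == 0)
    if not default_deny:
        findings.append((len(rules) - 1, "high",
                         "policy does not end with 'deny any->any 0.0.0.0/0 0.0.0.0/0'"))
    return findings


# Constructed sample policy (hypothetical addresses, not from the thread).
POLICY = """
# business operators in the sludge building reach admin-building servers: same zone
allow business->business 10.20.5.0/24 10.20.1.0/24 any any
# SCADA HMI polls the PLCs over Modbus/TCP: same zone
allow scada->scada 10.10.1.0/24 10.10.2.0/24 tcp 502
# patch server pushes to one SCADA jump host: narrow exception, still needs sign-off
allow business->scada 10.20.1.7/32 10.10.1.5/32 tcp 445
# someone "temporarily" exposed the historian to the whole business LAN
allow business->scada 10.20.0.0/16 10.10.1.20/32 any any
deny any->any 0.0.0.0/0 0.0.0.0/0 any any
"""

if __name__ == "__main__":
    for idx, severity, msg in audit(parse_policy(POLICY)):
        print(f"rule {idx}: [{severity}] {msg}")
```

Run as-is it reports the patch-server rule for review and the historian rule as high; swapping the final line for a zone-limited deny adds a third, high finding because the default deny is gone. The point the thread keeps circling back to is visible in the output: once the networks share a medium, each allow across the boundary is a named exception somebody has to own.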
 
What about CWDM? This is where you multiplex different "colors" of light on the same fiber. The receiver at the other end only "sees" its color, and doesn't know the other colors. This requires that you use the right transceivers and a special splitter/combiner at each end, but it might be an option. I think you need to have single-mode fiber for this to work.

Another idea, simpler to keep track of: use the single-fiber transceivers that let you put both signals on a single fiber. Now you can have 4 totally separate links on a 4-strand.
 
Thanks for the comment. I was unfamiliar with those options. I'll forward it to my network guy and see if he thinks it is an option.

Has anyone pulled 3000' of 12-strand fiber optic cable? I've pulled plenty of wire but never anything that long, and I've never pulled fiber.

Any suggestions?
 
Thanks for the comment. I was unfamiliar with those options. I'll forward it to my network guy and see if he thinks it is an option.

Has anyone pulled 3000' of 12-strand fiber optic cable? I've pulled plenty of wire but never anything that long, and I've never pulled fiber.

Any suggestions?

Think about the future, think fiber infrastructure.

Do you have somewhere along those 3000 ft where it would be logical to maybe run some other fiber in the future? Maybe a building or something?

In that case you could run a fiber to that place and set up a patch panel there. Then you run another fiber from the patch panel out to where you want to be.

It's much easier having logical places where you can patch fiber along the way if you have to extend the fiber network. It's also better if a fiber is cut off somewhere, because you don't need to replace the entire length.

Thanks for the comment. I was unfamiliar with those options. I'll forward it to my network guy and see if he thinks it is an option.

Has anyone pulled 3000' of 12-strand fiber optic cable? I've pulled plenty of wire but never anything that long, and I've never pulled fiber.

Any suggestions?

I've done pulls of fiber that long and longer in my previous life. My first, best, and last suggestion would be to contract the job out to someone that has done it before, and has the correct equipment for the job. Working with fiber is more complicated than tying the rope to the trailer hitch, pouring the soap in as fast as you can, and hoping for the best. You need someone that knows that there are pull force limitations, and knows how to manage them correctly.


Will.