Network Security

I am currently trying to harden our control network. Right now, everything is on one network. I am proposing to use two separate VLANs, with only the server having access to both networks. The server sends the data to the 3 HMIs, and to remote users via SSL. Do I need the 2nd firewall, and is this a good security model?


 
Not a network administrator; they are the best personnel to talk to on security. However, the DMZ firewall, I don't see a purpose for that one; usually you firewall all incoming traffic from the internet or local area network PCs. Certainly wouldn't hurt having the extra protection. If your plant has an IT dept with network administrators, they are the ones you will need to coordinate with.
 
mordred said:
Not a network administrator; they are the best personnel to talk to on security. However, the DMZ firewall, I don't see a purpose for that one; usually you firewall all incoming traffic from the internet or local area network PCs. Certainly wouldn't hurt having the extra protection. If your plant has an IT dept with network administrators, they are the ones you will need to coordinate with.

Well, there need to be more ports open on the office side of the firewall, so another firewall in between with fewer ports open would be more secure. Also, the firewall we are using is transparent, so it has no IP address. To hackers, it is completely transparent, which is pretty sweet. Enclosed is a drawing of the final network diagram. Please comment. The DMZ is for remote access via VPN.

 
For a "true DMZ" you would want firewalls in both directions - I'm referring to on each side of the HMI Server (connecting to VLAN1 and VLAN2). A software firewall should suffice since you only have the one machine residing there - it should have the granularity to open up only the appropriate ports for each interface, which are probably different between the Office and HMI sides.
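As an added illustration of the per-interface host-firewall idea above (example code, not from anyone in this thread), the following Python models a dual-homed HMI server with a separate default-deny allow list on its office-side and control-side interfaces and no forwarding between them. Interface names, subnets, the HMI addresses and the port numbers are constructed assumptions.

```python
"""Host-firewall policy model for a dual-homed HMI server.

Added example, not code from the thread. The server has one interface on
VLAN1 (office) and one on VLAN2 (control); each interface gets its own
default-deny allow list, and packets not addressed to the server itself
are dropped, so nothing is forwarded between the VLANs. All addresses,
interface names and ports below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing: the server's own address on each side.
SERVER_ADDR = {"eth0": "10.1.0.10",   # VLAN1, office side
               "eth1": "10.2.0.10"}   # VLAN2, control side
HMI_VIEWERS = ("10.2.0.21", "10.2.0.22", "10.2.0.23")  # the three HMIs

@dataclass(frozen=True)
class Rule:
    iface: str      # interface the packet arrives on
    proto: str      # "tcp" or "udp"
    dport: int      # destination port on the server
    src: str        # permitted source: host or prefix in CIDR form

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dport: int
    src: str
    dst: str

# Office side: any VLAN1 host may reach the SSL service (assumed tcp/443).
# Control side: only the three HMIs may; nothing else is exposed there.
RULES = [Rule("eth0", "tcp", 443, "10.1.0.0/24")] + \
        [Rule("eth1", "tcp", 443, f"{h}/32") for h in HMI_VIEWERS]

def evaluate(pkt: Packet, rules=RULES) -> str:
    """First-match accept, default drop; forwarding is never permitted."""
    if pkt.dst != SERVER_ADDR.get(pkt.iface):
        return "DROP"  # not addressed to us on this interface: forward attempt
    src = ipaddress.ip_address(pkt.src)
    for r in rules:
        if (r.iface, r.proto, r.dport) == (pkt.iface, pkt.proto, pkt.dport) \
                and src in ipaddress.ip_network(r.src):
            return "ACCEPT"
    return "DROP"

def open_ports(iface: str, rules=RULES) -> set:
    """Ports exposed on one side; each interface keeps its own list."""
    return {(r.proto, r.dport) for r in rules if r.iface == iface}
```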
 
Security

Ok, I know I'm getting old here. First, the DMZ is just that, a Demilitarized Zone. In the olden days before VPN etc. we would install, on large Novell networks, a server outside the protection of the firewall. This was for hackers to play with, and they would ignore the firewall. The server had a company IP and IP subnet. This was a way to deflect intruders from the real company network. DMZ now means a completely unprotected port or server. VLAN2 is now open to all hackers. The HMI server is all you need for connectivity; the DMZ connection cannot be unprotected. The firewall between the two VLAN2 segments is not required and should not be there. That's my 2 cents...
 
Well, we aren't using the DMZ port for a true DMZ; everything is blocked from DMZ to VLAN-2 unless you are VPN'd into the router. This way, VLAN-1 and VLAN-2 are behind the firewall, and there is the Tofino for the control network. We might put the HMI machines inside the Tofino and just run WSUS for updates, but that'd be opening another port. Nathan, what are your comments on the Tofino, does it work well?
 
Bruce - Clarification on some details from your post. A DMZ is still a valid computing concept in a single or dual firewall configuration. What you described (host on internal network with all ports forwarded) is what home routers call a DMZ Host, which is useful, but really has little to do with the DMZ concept that we're discussing.

The machine that you can set up for hackers to play with is called a Honeypot or Bastion host. VPN access has little to do with this, but you're right, the concentrator is often installed inside the DMZ.

I agree about the two VLAN 2 segments - in general you shouldn't put a firewall between two segments of the same VLAN. Your firewall should guard the entry point of the VLAN, which IMO should be the interface to the HMI server. However, the Tofino device is probably relevant there. If you do want to put the PLCs on a separate VLAN, VLAN 3, you would probably still need an interface on the HMI server on that network.

Bruce99 said:
Ok, I know I'm getting old here. First, the DMZ is just that, a Demilitarized Zone. In the olden days before VPN etc. we would install, on large Novell networks, a server outside the protection of the firewall. This was for hackers to play with, and they would ignore the firewall. The server had a company IP and IP subnet. This was a way to deflect intruders from the real company network. DMZ now means a completely unprotected port or server. VLAN2 is now open to all hackers. The HMI server is all you need for connectivity; the DMZ connection cannot be unprotected. The firewall between the two VLAN2 segments is not required and should not be there. That's my 2 cents...
 
network fun

surferb said:
A DMZ is still a valid computing concept in a single or dual firewall configuration.

Very much so.
The dual firewall configuration I call the public segment. It has filtering but very basic security for general public access. The second firewall would be tight. I found speed an issue, so I only use it for Windows servers. Novell has no need for this extra hardware.

surferb said:
home routers call a DMZ Host
To me, the DMZ Host or Zone is the segment "outside" the first line of defence. The concept is the same, at least in my Dlink routers.

surferb said:
The machine that you can set up for hackers to play with is called a Honeypot or Bastion host.

LOL .. this is correct.

surferb said:
I agree about the two VLAN 2 segments - in general you shouldn't put a firewall between two segments of the same VLAN. Your firewall should guard the entry point of the VLAN, which IMO should be the interface to the HMI server.

I agree. I would use a software product like Squid. It can run on the same machine. If outside access is wanted, I would put a view node (no control) on VLAN 1. It should have only a few screens, one or two from each HMI. I tried this last year and had no issues. I still like to keep all the PLC and HMI machines on the same segment. I would put the DMZ port on the first firewall (if really needed) into another network card in the HMI server. Most software firewalls can be set up for this. I would rather use the view node on VLAN 1 and remove the DMZ port on the first firewall. That's my 2 cent opinion.
 
