ENBT with 2 ethernet port (for 2 LAN setup)

Most firewalls can do NAT translation, so maybe that is what you meant?

That may be what I meant.

I assume SPI is stateful packet inspection; why are these useless? I usually hear them listed as a best practice, at least at the plant floor level. I'm sure Internet connectivity has different requirements (deep packet inspection, etc).

We manage around 400 switches on this site and have no issues doing so? What's so hard about it?

I have to disagree. VLAN tagging and priority is quite simple if you know what you are doing.

I'm not saying that VLAN management is difficult, for people who know how to do it. I think the crux of the issue is that my customers refuse to learn. I have the same problem with networking as with programming: everything must be dumbed down for the lowest common denominator, or it won't be successful.

I've had multiple installations where they had issues with priority because every managed switch was left at the default settings, which effectively stripped out all the priority/vlan tags.
 

Without writing a book, the basics are that an SPI firewall just looks at the packet header and connection info like port, origin IP, etc., and some of the cheaper SPI implementations or older SPI firewalls only look at inbound traffic and not outbound.

Also many hardware devices say they have an SPI firewall but all they are really doing is a symmetric NAT/PAT.

A DPI firewall can do what an SPI does, but it can also open the packet and look inside to determine what the payload really is, not just where it came from, where it's going and what ports it wants to use.

I can send your customers an email about my website with Carhartt clothing for 90% of retail price, and when they open the email, in the background it will deploy code that will use UDP hole punching (which is how E.W.O.N and other devices work) and set up a link going over port 80 that looks like standard browser traffic, dial home and connect to me. Then I am on your network and I can dig in from there.
 
Continued...

But if you had a DPI firewall it would inspect that traffic on a deeper level and possibly block me. The SPI firewall would just keep smiling and saying everything is ok boss :D
 

Like I said, I can definitely see where that capability is useful to separate the internet from the intranet. Do companies also deploy these to separate their local machine cell networks from their large plant networks?

I just don't see the use case where it makes sense. Code injection type attacks are effective in the PC space, but in an automation system there are so many obvious holes that it almost seems silly. When anyone with the right programming software can simply go online with the PLC and put it into stop or download new code, stopping more subtle attacks seems like overkill. Unless the DPI systems are actually smart enough to decide what PLC code is OK and what isn't?
 
There are DPI firewalls made specifically for packet inspection of industrial protocols like EtherNet/IP, Modbus TCP and so on.

Yes people do deploy these to separate machine cell networks from larger plant networks.

This goes back to core network security principles that access should be limited to only what's needed.

Every corporate PC does not need to be able to go online with the PLCs, just engineering PCs for example, and that's the only traffic that should be allowed.

If line 1 has no reason to talk to line 2 then it should not have that capability, and this makes sure that if there is a problem/breach it is contained.

Better to lose 1 line than your entire plant right?

Also I don't need PLC programming software to control what a PLC does. There are many ways to cause problems without the programming software.

The right malware can change the PLC code enough to cause an issue. Think about how low-level 3rd-party HMI drivers work: they can modify the bit table and that is all you need to do.

From my example earlier, if I get a connection to the corporate LAN and there is no inside DPI protection, what keeps me off the factory floor systems? Nothing.

What about the script kiddie down the street that parks in the lot across from your plant and breaks your WiFi password using Amazon EC2 in about 2 minutes and pays a couple bucks to do so? He makes a connection, and your corporate WiFi is bonded to the LAN because it makes it easier to manage for IT and it's easier for managers to collaborate.

Then the script kiddie is on your LAN and you have no DPI between the corporate LAN and the factory LAN, right? The script kiddie deploys some tools and finds some PLCs on the network. He knows what they are by their MAC ID, or he can look it up in a few seconds on Google.

Downloads him some free PLC software (it's out there on the dark web if you know where to look) and he can have a great time messing things up.

What if your plant is the city water authority? A refinery? Sounding like real damage and real money?

He says why not deploy cryptolocker across the entire network? Does the company have up-to-date, non-incremental full backups offsite with network isolation? If they don't, and most don't, they are screwed or they pay the ransom; it's that simple. Almost everyone pays because they have no choice.
 
Yes, DPI can be set to determine what kind of packets there are from specific programming software and where they should and should not be coming from. DPI knows the devices the PLC normally talks to, what types of packets it exchanges, and the sizes and payloads. When programming packets come from ports/links/MAC IDs they normally don't come from, it says no way and drops the packets.

This is why PLC vendors are making comms modules that make a VPN connection between your laptop and the module to program the PLC code, and the PLCs can be set up to only allow programming and run control from specific modules.
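The allow-list the two posts above describe (only engineering stations may go online with PLCs, line 1 stays separate from line 2, everything else is denied by default), written out as an added example; this is not code from the thread or from any firewall vendor. The zone names, the rule set and the sample flow records are constructed. TCP 44818 and UDP 2222 are the standard EtherNet/IP ports. Note what this zone check does not do: a real DPI firewall also reads the CIP service inside the payload, so it can tell a program download from a simple tag read on the same port; here the source zone is the only thing that distinguishes them.

```python
"""Zone-based allow-list policy check for a plant network.

Added example, not code from the thread or from any vendor product.
Zone names, rules and the sample flows are constructed to illustrate the
"only what's needed" principle: corporate PCs never reach the PLCs, only
engineering stations may send programming traffic, and line 1 never
talks to line 2."""

from dataclasses import dataclass

ENIP_TCP = 44818   # EtherNet/IP explicit (CIP) messaging: browsing and programming
ENIP_UDP = 2222    # EtherNet/IP implicit I/O messaging between PLCs and I/O


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str    # "tcp" or "udp"
    dport: int


# (src_zone, dst_zone, proto, dport); "*" matches anything.
# Anything not matched by an allow rule is denied (default deny).
ALLOW_RULES = [
    ("engineering", "line1", "tcp", ENIP_TCP),   # engineering stations may go online with line 1
    ("engineering", "line2", "tcp", ENIP_TCP),   # ... and with line 2
    ("line1", "line1", "*", "*"),                # I/O traffic stays inside its own cell
    ("line2", "line2", "*", "*"),
]


def _match(rule, flow: Flow) -> bool:
    """True when every rule field equals the flow field or is the wildcard."""
    fields = (flow.src_zone, flow.dst_zone, flow.proto, flow.dport)
    return all(r == "*" or r == f for r, f in zip(rule, fields))


def decide(flow: Flow) -> str:
    """Return "allow" if some allow rule matches, otherwise "deny"."""
    return "allow" if any(_match(r, flow) for r in ALLOW_RULES) else "deny"


def audit(flows):
    """Evaluate a batch of observed flows and return the ones the policy denies.

    Running this over a flow log before enforcing the policy shows which
    existing conversations a segmentation firewall would cut, so surprises
    (a historian that really does need a PLC) surface before go-live."""
    return [f for f in flows if decide(f) == "deny"]


# Constructed sample, as a flow log from the plant edge might show it.
SAMPLE_FLOWS = [
    Flow("engineering", "line1", "tcp", ENIP_TCP),   # programming from the right place: allowed
    Flow("corporate", "line1", "tcp", ENIP_TCP),     # office PC going online with a PLC: denied
    Flow("line1", "line1", "udp", ENIP_UDP),         # cell-internal I/O: allowed
    Flow("line1", "line2", "udp", ENIP_UDP),         # line 1 reaching into line 2: denied
    Flow("corporate", "line2", "tcp", 445),          # SMB from corporate into a cell: denied
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{decide(f):5}  {f.src_zone} -> {f.dst_zone} {f.proto}/{f.dport}")
    print(f"{len(audit(SAMPLE_FLOWS))} of {len(SAMPLE_FLOWS)} sample flows would be cut")
```

The audit step is the practical part: feed it the flows you actually see today and the denied list is the conversation to have with each line's engineers before the rules go live.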
 
It's really a riot to meet with a company and their IT guy says our manufacturing floor is safe because we have a 1995 Check Point firewall after our internet connection.

You get them to agree to and pay for a pen test, then put some nice comments in their PLC for their engineers to discover when you present your findings to them.

When all the engineering stations are locked and the IT guy can't get them unlocked. When his AD credentials no longer work. When comms drop on all the equipment and everything stops.

Many IT people are looking for a new job after discovery day.
 
Upload what code from the ENBT?
I have a crowded rack like that, just added a 4 slot rack, with power supply, and two old ENBT's laying around to handle the transition from corporate to machine network.
No, you do not need a processor in a rack.

Hi,
Upload PLC code. I am trying to connect via 1 corporate ENBT to multiple local ENBTs.
Will RSLinx Classic Lite work, or do I need RSLinx Gateway?
Let me know, thanks
 
Another option is to add a ControlLogix rack to serve as a bridge. A rack, power supply and two ENBT cards will do the trick. Address one ENBT to your corporate subnet, the other to the machine subnet. RSLinx will do the bridging; no processor is required. You could add other comm cards such as ControlNet or DHRIO if required.
 
Hi Peter,
NAT may be cheaper, as I found, but can the NAT (9300-ENA or 1782-NATR) be used to go online with the PLC from the public network? I have RSLogix 5000 and RSLinx on the public network..🍻
 
What are you calling the public network? If you are making reference to the Rockwell terminology, then yes. There are 2 sides of a NAT; they call them Public and Private. You could call them A and B for that matter.

If your public network is the 192.168.1.xxx range and your machine is the 10.10.15.xxx range, all the NAT does is set up a table that says traffic coming from 192.168.1.1 goes to 10.10.15.1, or you could set up the table so that 192.168.1.1 goes to 10.10.15.10 and 192.168.1.2 goes to 10.10.15.11.

The way you set the table is up to you.

NAT works like this, in a simple manner. When Amazon gets product into their distribution center, such as Phillip Buchanan's latest book, the warehouse guy does not know where to put it based on the info on the box.

He has to look at a chart or table (likely in a computer program) to know my new book is supposed to be set up in warehouse B, aisle 24, slot T.

If my book gets sold and returned because a customer did not like it, the returns person looks at that same table to find out where to restock it, and if they really don't sell and they decide to send them back to me, they once again look at that table to go get them to send back to me.

Hope this helps.
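The one-to-one table the post above describes (192.168.1.1 goes to 10.10.15.10, 192.168.1.2 goes to 10.10.15.11, and the same chart is read in both directions), worked through as an added example. This is not code from the thread and not the logic of the 9300-ENA or 1782-NATR; the subnets, table entries and sample packets are constructed, and one simplification is labelled in the code: the device only rewrites the mapped address and carries the public host's address through unchanged. The security-relevant point it shows is the one the table implies but the post does not spell out: a private address with no table entry is simply unreachable from the public side, so the table doubles as an allow-list of which machine devices the corporate side may talk to.

```python
"""One-to-one NAT table between a public (corporate) subnet and a private
(machine) subnet, in the spirit of the post's warehouse-chart analogy.

Added example, not code from the thread and not the logic of any Rockwell
product. Subnets, table entries and sample packets are constructed.
Simplification (labelled): only the mapped address is rewritten; the
public host's own address passes through unchanged in both directions."""

import ipaddress

PUBLIC_NET = ipaddress.ip_network("192.168.1.0/24")   # corporate side
PRIVATE_NET = ipaddress.ip_network("10.10.15.0/24")   # machine side

# public alias -> private machine address (the "chart" the warehouse guy reads)
NAT_TABLE = {
    "192.168.1.1": "10.10.15.10",
    "192.168.1.2": "10.10.15.11",
}
# the same chart read from the other direction, for replies
REVERSE_TABLE = {private: public for public, private in NAT_TABLE.items()}


def validate_table(table, public_net=PUBLIC_NET, private_net=PRIVATE_NET):
    """Return a list of problems: entries on the wrong subnet, or a private
    address mapped twice (which would make replies ambiguous)."""
    problems = []
    for public, private in table.items():
        if ipaddress.ip_address(public) not in public_net:
            problems.append(f"{public} is not in {public_net}")
        if ipaddress.ip_address(private) not in private_net:
            problems.append(f"{private} is not in {private_net}")
    if len(set(table.values())) != len(table):
        problems.append("a private address appears more than once")
    return problems


def public_to_private(packet):
    """Rewrite the destination of a packet arriving from the public side.
    Returns None (drop) when the destination is not a mapped alias, so the
    machine subnet is reachable only through the table entries."""
    private = NAT_TABLE.get(packet["dst"])
    if private is None:
        return None
    return {**packet, "dst": private}


def private_to_public(packet):
    """Rewrite the source of a packet leaving the private side so the public
    host sees the alias it originally talked to; unmapped sources are dropped."""
    public = REVERSE_TABLE.get(packet["src"])
    if public is None:
        return None
    return {**packet, "src": public}


def round_trip(public_host, alias):
    """Simulate a programming PC on the public side opening a connection to a
    PLC through its alias (TCP 44818, EtherNet/IP) and the PLC answering.
    Returns the two rewritten packets, or (None, None) if the alias is unmapped."""
    forward = public_to_private({"src": public_host, "dst": alias, "dport": 44818})
    if forward is None:
        return None, None
    reply = private_to_public({"src": forward["dst"], "dst": public_host, "sport": 44818})
    return forward, reply


if __name__ == "__main__":
    print("table problems:", validate_table(NAT_TABLE) or "none")
    fwd, rep = round_trip("192.168.1.50", "192.168.1.1")
    print("to PLC  :", fwd)   # dst rewritten to 10.10.15.10
    print("from PLC:", rep)   # src rewritten back to 192.168.1.1
    print("unmapped:", public_to_private({"src": "192.168.1.50", "dst": "192.168.1.99"}))
```

On the original question of going online from the public side: in this model the programming PC simply targets the alias, the table carries the traffic to the PLC and brings the reply back under the same alias, which is what makes the PLC browsable from the corporate subnet without giving that subnet a route into 10.10.15.0/24 as a whole.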
 