Network Security
Tampere Seminar
23rd October 2008
© 2008 Hirschmann Automation and Control GmbH
Contents
Overview
Switch Security
Firewalls
Conclusion
Overview
Information Security
Definition:
“A collection of measures adopted to prevent unauthorized use, malicious use, denial of use, or modification of information, facts, data, or resources...”
The Threats
• Components in a plant environment are more and more interconnected
• Plant environments are increasingly open to external influences
• Attacks are simple to instigate using standard tools, which are always up to date
• Protocols (TCP/IP) and networks (Ethernet) are vulnerable
• Attacks are difficult to trace
Attacks
• Attacks have different purposes:
– System intrusion (hacking)
– Destruction / sabotage / terrorism
– Fraud
– Theft of information
– Web site attack
– Revenge
– Accidental manipulation
Forms of Attack
• Denial of Service (DoS)
– Virus / Trojan Horse / Worms
– Network saturation (TCP SYN, ICMP, …)
– System weaknesses, TCP/IP
• Access Attacks
– Social engineering, physical access
– Password breaking
– Impersonation, spoofing
• Collection of information / probing
– Capturing, Sniffing
– Probing TCP, ICMP
Business Strategy Survey
What percentage of network security attacks do you believe originate from inside or outside of your company?
[Pie chart: Inside, Outside, Don't know; segments 83%, 13%, 4%]
Source: AT&T/Economist Intelligence Unit Networking and Business Strategy Survey, March-April 2004
Nessus
Nessus is the world's most popular vulnerability scanner.
Used in over 75,000 organizations world-wide.
SCADA Plug-in
CERN SCADA Testing – Switzerland
Netwox – Denial of Service Attack
Nessus – Vulnerability Attack
Results of 51 different TOCSSiC* tests on networked industrial control devices – mainly PLCs – using Netwox and Nessus
Source: The Industrial Ethernet Book, November 2006
* Test stand On Control System Security program in CERN
Switch Security
Physical Access
Physical Access – M12 Connectors
Unused Ports
Unused ports can be switched off
No access possible to network
Port Security
• Network access via a port can be limited to a specific device
– MAC address
– IP address
• Access violation
– Warning message to Management Station
– Port can be automatically switched off
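A small model of the port-security behaviour described above, added here as an illustration (it is not Hirschmann code): a port is bound to one permitted MAC address and optionally an IP address, any other device triggers a warning for the management station, and the port can be configured to switch itself off. All names, MAC and IP values are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SecuredPort:
    """One switch port with port security enabled (constructed model)."""
    name: str
    allowed_mac: str
    allowed_ip: Optional[str] = None      # None: only the MAC address is checked
    shutdown_on_violation: bool = True    # "Port can be automatically switched off"
    enabled: bool = True
    alerts: List[str] = field(default_factory=list)  # warnings for the Management Station

    def ingress(self, mac: str, ip: str) -> bool:
        """Return True if a frame from (mac, ip) is accepted on this port."""
        if not self.enabled:
            return False                  # port already switched off: nothing passes
        mac_ok = mac.lower() == self.allowed_mac.lower()
        ip_ok = self.allowed_ip is None or ip == self.allowed_ip
        if mac_ok and ip_ok:
            return True
        # Access violation: raise a warning and, if configured, disable the port
        self.alerts.append(f"{self.name}: access violation from {mac} / {ip}")
        if self.shutdown_on_violation:
            self.enabled = False
        return False
```

Once a port has shut itself down, even the permitted device is refused until an operator re-enables it, which is the trade-off between the two violation actions on the slide.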
802.1X Authentication – RADIUS
[Diagram: client, switch (RADIUS Client), RADIUS]
1. User requests authentication
2. Switch requests proof of identity from client
3. Client gives switch proof of identity
4. Switch forwards proof of identity to RADIUS
5. RADIUS requests challenge from client
6. RADIUS request is forwarded from switch to client
7. Client gives challenge to switch
8. Switch forwards challenge to RADIUS
9. RADIUS checks challenge and sends response
10. RADIUS response is forwarded from switch to client, activation of controlled port
Physical LAN
Virtual LANs
Multiple VLANs per Switch
Management VLAN
Access To Network Devices
• SNMPv1, SNMPv2, SNMPv3
• Telnet, SSH
• Web Interface
Acronyms:
SNMP – Simple Network Management Protocol
SSH – Secure Shell
Firewalls
What is a Firewall?
A firewall is a system or group of systems that enforces an access control policy between two networks.
[Diagram: Internet – External Firewall – DMZ – Internal Firewall – Private Network]
Functions
Basic
Protects against attacks from insecure networks
Hides the internal network structure
Advanced
Access control: when and how computers may communicate with each other
User control: which users can access which services
Protocol and Services control: which protocols and services can run over which ports
Data control: which data can be transmitted and received
Logging, Accounting, and Auditing
Alarming during attacks and failures
Limitations
A firewall offers limited or no protection against:
Internal attacks
Social engineering attacks
Attacks over permitted connections
Malware such as Trojans, Viruses, Spyware, Phishing, or damaging active components (ActiveX, Java Applets, JavaScript)
Passive attacks (Sniffing the LAN, traffic analysis, etc.)
Improper use of mobile computers
Removable media
Dual-homed Firewall
Firewall with 2 Ethernet ports
one for the secure network
one for the insecure network
[Diagram: Internet – Firewall – Private Network]
Multi-homed Firewall with DMZ
Firewall with 3 or more ports
one for the secure network
one for the insecure network
one for the DeMilitarised Zone
[Diagram: Internet – Firewall – Private Network, with the DMZ on a third firewall port]
Screened Subnet
Deployment of two firewalls, one either side of the DMZ
[Diagram: Internet – External Firewall – DMZ – Internal Firewall – Private Network]
High Security Firewall System
Deployment of three firewalls
Recommended by the BSI (German Federal Office for Information Security)
[Diagram: Internet – Packet Filter – Application Filter – Packet Filter – Private Network, with a DMZ]
Firewalls and the OSI Model
Application   – Proxies
Presentation
Session
Transport     – Stateful Inspection
Network       – Packet Filter
Data link
Physical
Stateful Inspection
Communication is analyzed at Layer 4 (Transport)
The firewall maintains a table of which devices are communicating
Data is only allowed through the firewall from the insecure network if it has been requested from the secure network.
Advantages
The status of the connection is checked
Cheaper and faster than Application Layer Firewalls
Disadvantage
The data inside the packet is not checked
Stateful Inspection
[Diagram: Insecure | Secure. A Request from the secure side and its Response from the insecure side pass; a Request originating on the insecure side is blocked (X)]
Packet Filter
Packets are analyzed and filtered at the Layer 3 (Network) level.
Source IP address
Source port
Destination IP address
Destination port
Protocol
Access Rules define which communication is allowed.
Two alternative principles:
“Deny all” (all traffic which is not explicitly permitted is denied)
“Laissez faire” (all traffic which is not explicitly denied is allowed)
Packet Filter
Special considerations
Only the header of the packet is checked – not the enclosed data (payload)
Each individual packet is checked, but not the data stream itself
Often implemented in a router (Access Control Lists)
Advantages
Fast to implement
Disadvantages
Neither the connection nor the data is checked
Large number of rules
Easy to make a mistake
Maintenance after network changes
Packet Filtering
[Diagram: Insecure | Secure; HTTP and FTP flows through the filter]
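An added example (not from the deck) that runs the same three packets through a stateless packet filter, under both the “Deny all” and the “Laissez faire” principle, and through a stateful-inspection filter, to show why the stateless filter either blocks legitimate replies or lets unsolicited traffic in, while the stateful filter admits only answers to requests it has seen from the secure side. The addresses, rule set and packets are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    from_secure: bool  # True = sent by the secure (inside) network


# Access rules as (proto, destination port, direction); constructed sample set
RULES = [("tcp", 80, "outbound")]


def packet_filter(pkt: Packet, default_deny: bool = True) -> bool:
    """Stateless packet filter: header fields only, one packet at a time."""
    direction = "outbound" if pkt.from_secure else "inbound"
    for proto, port, rule_dir in RULES:
        if pkt.proto == proto and pkt.dst_port == port and direction == rule_dir:
            return True
    # Unmatched traffic: "Deny all" blocks it, "Laissez faire" lets it through
    return not default_deny


class StatefulFilter:
    """Layer-4 filter that remembers which flows the secure side opened."""

    def __init__(self) -> None:
        # (inside ip, inside port, outside ip, outside port, proto)
        self.table: set = set()

    def check(self, pkt: Packet) -> bool:
        if pkt.from_secure:
            if not packet_filter(pkt, default_deny=True):
                return False
            self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        # From the insecure side: allowed only as the answer to a tracked request
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        return key in self.table
```

A real stateful firewall also ages entries out of the table and tracks TCP flags; this model keeps only the lookup that the slide's "requested from the secure network" rule depends on.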
Application Layer Firewalls (Proxies)
There is no direct communication between a Client on the secure network and a Server on the insecure network.
[Diagram: Internet – Proxy – Private Network]
Application Layer Firewalls (Proxies)
Advantages
The payload of the packet is examined
Much more detailed log files
Extremely high security
Disadvantages
Slower than Stateful Inspection Firewalls
More expensive
Fact of life
The more security you want, the worse the performance of your network (and vice versa)
NAT / PAT
Network Address Translation 1 to n / Port Address Translation
All internal IP addresses are mapped to a single external IP address
Hides the protected network's addressing scheme
Reduces cost by sharing a single valid Internet address
Network Address Translation 1 to 1
Individual internal addresses are mapped to individual external addresses
Hides the network addressing while allowing incoming connections
Network Address Translation – 1:n
Maps multiple internal addresses to a single external address
Source 10.10.10.44 → Source 81.65.129.31
Source 10.10.10.55 → Source 81.65.129.31
Network Address Translation – 1:1
Maps internal and external addresses 1 to 1.
Source 10.10.10.44 → Source 81.65.129.44
Source 10.10.10.55 → Source 81.65.129.55
Multiple Identical Cells
[Diagram: two identical Automation Cells, each addressed 10.10.10.0 with devices 10.10.10.123 and 10.10.10.234, reached from the Core Network as 192.168.23.0 and 192.168.54.0]
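An added example (not Hirschmann code) covering the two NAT modes on the preceding slides and the identical-cells case: 1:n/PAT rewrites every inside source to the one external address and tells flows apart by a translated source port, so only ports with a live mapping can be reached from outside; 1:1 NAT replaces the network prefix and keeps the host part, which is why 10.10.10.44 becomes 81.65.129.44 and why two cells that both use 10.10.10.0 can be reached as 192.168.23.x and 192.168.54.x. The port range and the /24 prefixes are assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple


class Pat1toN:
    """1:n NAT / PAT: many inside addresses behind one external address."""

    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port                      # assumed port pool start
        self.table: Dict[Tuple[str, int], int] = {}      # (inside ip, port) -> ext port
        self.reverse: Dict[int, Tuple[str, int]] = {}    # ext port -> (inside ip, port)

    def outbound(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate an inside source; a new flow gets the next free port."""
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.external_ip, self.table[key]

    def inbound(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Reply handling: only ports with a mapping reach an inside host."""
        return self.reverse.get(dst_port)                # None -> packet dropped


def translate_1to1(ip: str, inside_net: str, outside_net: str) -> str:
    """1:1 NAT: keep the host bits, replace the network prefix."""
    inside = ipaddress.ip_network(inside_net)
    outside = ipaddress.ip_network(outside_net)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("inside and outside networks must be the same size")
    addr = ipaddress.ip_address(ip)
    if addr not in inside:
        raise ValueError(f"{ip} is not in {inside_net}")
    host_bits = int(addr) - int(inside.network_address)
    return str(outside.network_address + host_bits)
```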
Firewall Techniques – Hard Perimeter
[Diagram: Office Network | Hard Perimeter | Network]
Firewall Techniques – Defence in Depth
[Diagram: Office Network | Defence in Depth | Network]
Adding Security
In a perfect world, you design the network security when you design the network.
What if you want to add security to an existing network?
Most firewalls are routers.
Transparent (Bridging) Firewalls
Symbols Used In Presentation Diagrams
Industrial firewall and/or VPN Client/Server (HIRSCHMANN)
Corporate firewall and/or VPN Client/Server
Corporate Network
Industrial Network
Internet
Basic Industrial Firewalling
[Diagram: Corporate Network and Office Network, Hirschmann industrial firewalls, Automation Network]
Access for Specific Devices
[Diagram: Corporate Network with a Management Station, Hirschmann industrial firewalls, Automation Network with a Management Station]
Access for Specific Devices
[Diagram: Corporate Network with a Maintenance station, Hirschmann industrial firewalls, Automation Network]
Employee from an External Company
[Diagram: Corporate Network, Service Engineer, DHCP, Hirschmann industrial firewalls, Automation Network]
Conclusion
Security should be designed into a network right from the start
Managed switches provide a range of security features
A control network should only be connected to another network via a firewall
Successful protection requires a range of techniques
Comments or Questions?