Copyright © 2015 Rockwell Automation, Inc. All rights reserved.Rockwell Automation TechED 2015 @ROKTechED #ROKTechED
PUBLIC INFORMATION
Traversing the Industrial Demilitarized Zone (Lecture)
Why Is This Important? Control and Information Convergence
Scalable, robust, secure and future-ready infrastructure:
Application
Software
Network
Internet of Things, Internet of Everything
What Are We Doing? CPwE Reference Architectures
Education, design considerations and guidance to help reduce network Latency and Jitter, to help increase the Availability, Integrity and Confidentiality of data, and to help design and deploy a Scalable, Robust, Secure and Future-Ready EtherNet/IP™ network infrastructure:
Single Industrial Network Technology
Robust Physical Layer
Segmentation / Structure (modular and scalable building blocks)
Prioritization - Quality of Service (QoS)
Redundant Path Topologies with Resiliency Protocols
Time Synchronization – PTP, CIP Sync, Integrated Motion on the EtherNet/IP network
Multicast Management
Convergence-ready Solutions
Security – Holistic Defense-in-Depth
Scalable Secure Remote Access
Wireless – 802.11
Security – Holistic Defense-in-Depth (CPwE Reference Architectures)
[Diagram: CPwE defense-in-depth reference architecture. Enterprise Zone (Levels 4–5): Enterprise WAN, Internet, External DMZ/Firewall. IDMZ: Cisco ASA 5500 firewalls (active/standby), Catalyst 6500/4500, physical or virtualized servers (patch management, AV server, application mirror, Remote Desktop Gateway server). Industrial Zone (Levels 0–3): Level 3 Site Operations with Catalyst 3750X StackWise switch stack, UCS, 5500 Wireless LAN Controller (WLC, active/standby), RADIUS AAA server and authentication, authorization and accounting (AAA); Level 2 Area Supervisory Control with FactoryTalk® clients; Level 1 Controller and Level 0 Process with controllers, drives, soft starters, MCC and I/O; wireless access via LWAP (2.4 GHz and 5 GHz SSIDs) and WGB.]
Agenda
What is an IDMZ?
IDMZ Design Methodology
IDMZ Use Cases and Technologies
Network Technology Convergence – Continued Trend: Single Industrial Network Technology
Flat and Unstructured Network Infrastructure
Network Technology Convergence – Continued Trend: Segmented Networks with IDMZ for Security
[Diagram: CPwE segmented network with IDMZ. Enterprise Zone (Levels 4 and 5): Wide Area Network (WAN), Internet, physical or virtualized servers (ERP, email, Active Directory (AD), AAA – RADIUS, Call Manager). IDMZ: plant firewalls (ASA 5500, active/standby with a link for failover detection) providing inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, and portal and Remote Desktop Services proxy; physical or virtualized servers (patch management, AV server, application mirror, Remote Desktop Gateway server). Industrial Zone (Levels 0–3): Level 3 Site Operations with Catalyst 6500/4500, Catalyst 3750X StackWise switch stack, Catalyst 2960, UCS, primary and secondary 5500 Wireless LAN Controllers (WLC), remote access server, and physical or virtualized servers (FactoryTalk® application servers and services platform; network services such as DNS, AD, DHCP, AAA; Call Manager; storage array). Cell/Area Zones (Levels 0–2) on Rockwell Automation® Stratix 5700™/Stratix 8000™ Layer 2 access switches in redundant star (Flex Links resiliency), linear/bus/star, and ring (Resilient Ethernet Protocol, REP) topologies, with unified and autonomous wireless LANs (LWAP, AP, WGB, 2.4 GHz and 5 GHz SSIDs); end devices include controllers, safety controllers, HMIs, drives, servo drives, soft starters, MCC, robots, cameras, phones, I/O, safety I/O and instrumentation.]
Controlling Access to the Industrial Zone – Continued Trend: Industrial Network Security
Logical Model – Industrial Automation and Control System (IACS): Converged Multi-discipline Industrial Network
Enterprise Security Zone
Level 5 – Enterprise Network
Level 4 – Site Business Planning and Logistics Network (email, intranet, and so forth)
Firewall
Industrial DMZ: Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
Firewall
Industrial Security Zone
Level 3 – Site Operations and Control: FactoryTalk® Application Server, FactoryTalk® Directory, Engineering Workstation, Remote Access Server
Cell/Area Zone
Level 2 – Area Supervisory Control: FactoryTalk® Client, Operator Interface, Engineering Workstation
Level 1 – Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
Level 0 – Process: Sensors, Drives, Actuators, Robots
Traffic types shown: Web, Email, CIP
No Direct Traffic Flow between Enterprise and Industrial Zone
What Is an Industrial DMZ?
An IDMZ, or Industrial Demilitarized Zone, is a subnetwork placed between a trusted network (industrial) and an untrusted network (enterprise). The IDMZ contains business-facing assets that act as brokers between the trusted and untrusted networks.
Traffic never travels directly across the IDMZ; every connection from either side terminates on a broker in the IDMZ.
A properly designed IDMZ can be unplugged if compromised and still allow the industrial network to operate without disruption. That only holds if no production-critical service lives in the IDMZ.
Demilitarized Zone (DMZ)
Sometimes referred to as a perimeter network, a DMZ exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.
[Diagram: Internet (untrusted) – web proxy (broker) – trusted network.]
Industrial Demilitarized Zone (IDMZ) – Controlling Access to the Industrial Zone
Sometimes referred to as a perimeter network, the IDMZ exposes the Industrial Zone's business-facing services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network. The question the design must settle is whether the Enterprise Security Zone is treated as trusted or untrusted; from the Industrial Zone's point of view it is untrusted.
[Diagram: Enterprise Security Zone (trusted? untrusted?) – Industrial DMZ (broker) – Industrial Security Zone (trusted).]
IDMZ – Replicated Data and Services
[Diagram: IDMZ with replicated data and services. Enterprise Zone (Levels 4–5): Wide Area Network (WAN), core switches, WLC (Enterprise), ISE (Enterprise), physical or virtualized servers (ERP, email, Active Directory (AD), AAA – RADIUS, Call Manager), and enterprise users (engineer, plant manager). Firewalls (active/standby, inspecting traffic) on both sides of the IDMZ. IDMZ: physical or virtualized servers (patch management, AV server, application mirror, Remote Desktop Gateway server), Remote Desktop Gateway, web proxy, web reports. Industrial Zone (Levels 0–3): Level 3 Site Operations with core and distribution switches, WLC (active/standby), ISE, remote access server, VantagePoint, and physical or virtualized servers (FactoryTalk® application servers and services; network services such as DNS, AD, DHCP, AAA; Call Manager; storage array); Levels 0–2 Cell/Area Zone with PACs, FactoryTalk® client, LWAP, WGB, drive, MCC and I/O.
Flows: Permit secure remote access to industrial assets (engineer, via the Remote Desktop Gateway). Permit data from the Industrial Zone to enterprise stakeholders (plant manager, web reports via the web proxy). Block untrusted access to the Industrial Zone. Block untrusted access to the Enterprise Zone.]
Industrial Demilitarized Zone (IDMZ) Design Tenets – Best Practices
All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
The IDMZ is the only path between zones
No common protocols in each logical firewall: the protocol permitted through the enterprise-side firewall to a broker is not the protocol permitted through the industrial-side firewall from that broker
No control traffic into the IDMZ; CIP stays home
No primary services are permanently housed in the IDMZ
The IDMZ shall not permanently house data
Use an application data mirror to move data into and out of the Industrial Zone
Limit outbound connections from the IDMZ
Be prepared to "turn off" access via the firewall; each firewall is a disconnect point
[Diagram: Enterprise Security Zone (trusted? untrusted?) – disconnect point – IDMZ replicated services – disconnect point – Industrial Security Zone (trusted); no direct traffic.]
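The tenets above become mechanical checks once a proposed rule set is written down. The following is an added example, not from the deck or from any firewall vendor, showing one way to lint a policy against them before it reaches a firewall; the zone names, the Rule format, the control-protocol port list (EtherNet/IP on TCP/UDP 44818 and UDP 2222) and the sample rules in example_rules() are assumptions made for illustration:

```python
"""Check a proposed IDMZ firewall rule set against the design tenets.

Added example, not from the Rockwell deck: the zone names, rule format,
port numbers and the sample rules in example_rules() are assumptions chosen
to illustrate the tenets, not any site's real policy.
"""
from dataclasses import dataclass

ENTERPRISE, IDMZ, INDUSTRIAL = "enterprise", "idmz", "industrial"

# "CIP stays home": EtherNet/IP explicit messaging (TCP/UDP 44818) and
# implicit I/O (UDP 2222) must never be permitted into the IDMZ.
CONTROL_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone that initiates the connection
    dst_zone: str
    proto: str      # "tcp" or "udp"
    port: int       # destination port
    action: str     # "permit" or "deny"


def _crosses(rule, zone_a, zone_b):
    return {rule.src_zone, rule.dst_zone} == {zone_a, zone_b}


def check_rules(rules):
    """Return (severity, subject, tenet) findings; subject is a Rule or a (proto, port)."""
    findings = []
    permits = [r for r in rules if r.action == "permit"]
    for r in permits:
        # Tenet: all traffic terminates in the IDMZ; nothing traverses it directly.
        if _crosses(r, ENTERPRISE, INDUSTRIAL):
            findings.append(("violation", r, "direct enterprise<->industrial traffic"))
        # Tenet: no control traffic into the IDMZ.
        if r.dst_zone == IDMZ and (r.proto, r.port) in CONTROL_PORTS:
            findings.append(("violation", r, "control protocol permitted into the IDMZ"))
        # Tenet: limit outbound connections from the IDMZ. Brokers must reach the
        # Industrial Zone, so only IDMZ-initiated flows toward the enterprise are
        # raised, and only for review.
        if r.src_zone == IDMZ and r.dst_zone == ENTERPRISE:
            findings.append(("review", r, "connection initiated from the IDMZ toward the enterprise"))
    # Tenet: no common protocols on the two logical firewalls. The same
    # (proto, port) permitted through the outer and the inner firewall would let
    # one protocol ride end to end through a compromised broker.
    outer = {(r.proto, r.port) for r in permits if _crosses(r, ENTERPRISE, IDMZ)}
    inner = {(r.proto, r.port) for r in permits if _crosses(r, IDMZ, INDUSTRIAL)}
    for svc in sorted(outer & inner):
        findings.append(("violation", svc, "same protocol/port permitted through both firewalls"))
    return findings


def example_rules():
    """Constructed sample policy; comments mark the rules the checker should catch."""
    return [
        Rule(ENTERPRISE, IDMZ, "tcp", 443, "permit"),         # clients -> RD Gateway / reverse proxy
        Rule(IDMZ, INDUSTRIAL, "tcp", 3389, "permit"),        # RD Gateway -> terminal server
        Rule(ENTERPRISE, INDUSTRIAL, "tcp", 3389, "permit"),  # breaks "no direct traffic"
        Rule(INDUSTRIAL, IDMZ, "tcp", 44818, "permit"),       # breaks "CIP stays home"
        Rule(IDMZ, ENTERPRISE, "tcp", 8443, "permit"),        # assumed mirror push; flagged for review
        Rule(IDMZ, INDUSTRIAL, "tcp", 443, "permit"),         # with the first rule: same port both firewalls
        Rule(ENTERPRISE, INDUSTRIAL, "udp", 2222, "deny"),    # denies are never findings
    ]


if __name__ == "__main__":
    for severity, subject, tenet in check_rules(example_rules()):
        print("%-9s %s: %s" % (severity, tenet, subject))
```

The "same protocol on both firewalls" check is deliberately strict: a reverse proxy that speaks HTTPS on both sides trips it, and that is the point of the tenet, since it forces the designer to either accept the exception knowingly or move the inner leg to a different protocol.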
Industrial Demilitarized Zone (IDMZ) – Controlling Access to the Industrial Zone
Set up functional subzones in the IDMZ to segment access to data and services (for example, Partner zone, Operations, IT).
If the IDMZ is compromised, it is the buffer between the Enterprise and Industrial Zones.
Most attacks will attempt to pivot to other machines on the same network, so hosts in one subzone should not be reachable from another; use the firewall, intrusion detection and intrusion prevention to stop the "pivot".
[Diagram: Enterprise Zone (trusted? untrusted?) – disconnect point – IDMZ with multiple functional subzones (Terminal Services, Patch Management, Historian Mirror, Web Services Operations, Application Server, AV Server), lateral traffic between subzones blocked – disconnect point – Industrial Zone (trusted); no direct traffic.]
Controlling Access to the Industrial Zone – One Size Does Not Fit All
Not Recommended versus Recommended, depending on the end user's standards, security policies and procedures, risk tolerance, and alignment with applicable IACS security standards.
[Figures 1–7: ways of joining the plant-wide network to the enterprise-wide network. Figures 1–3: the two networks with no dedicated segmentation device; Figure 4: a switch with VLANs; Figure 5 (Silver): a router with a zone-based firewall; Figure 6 (Gold): a firewall; Figure 7 (Platinum): an IDMZ.]
Agenda
What is an IDMZ?
IDMZ Design Methodology
IDMZ Use Cases and Technologies
Methodology
Develop a scientific method to produce repeatable, measurable and maintainable solution(s).
Examine the problem "holistically" and drill down through the details of each system.
Don't examine security from a "partial" perspective: you may not be able to secure "everything" right away, but be aware and have a vision for the entire security plan.
The request to push back on: "I'm only interested in Remote Access, don't worry about the other stuff."
IDMZ / Network Reconnaissance (Design Pre-work)
Phases: Recon Phase; Design Phase (Requirements Phase, Architectural Phase, Technical Design Phase); Implement; Maintain
Identify Assets or Asset Classes – ACTION: Identify the "types" of assets in the Industrial Zone and those that support production. Document assets by reviewing existing documentation, interviews and network scanning. Schedule any active scanning of Industrial Zone assets with the asset owner and prefer passive or rate-limited discovery where possible, since some controllers and legacy devices respond poorly to port scans.
Identify As‌set Owners – ACTION: Identify "who" owns the hardware and software on the asset. Document asset owners and schedule interviews.
Classify Asset Types
Goal: Identify assets that support the production process.
Goal: Identify whether each asset belongs in the Industrial or Enterprise Zone.
[Diagram: IACS assets placed in the Industrial Security Zone.]
Diagram Data Sources Feeding Higher-Level Assets
[Diagram: IACS assets inside the Industrial Security Zone feeding higher-level assets.]
These assets are not likely to send data directly across the IDMZ; they most likely interact with assets that are in the Industrial Security Zone.
Identify System Owners/Users
[Diagram: IACS assets and the IACS domain controller (DC) in the Industrial Security Zone, each mapped to an owner or user.]
IDMZ / Network Design Methodology
Requirements Phase – Requirements are a statement identifying a capability, physical characteristic or quality factor that bounds a product or process problem for which a solution will be pursued (Source: IEEE Standard 1220–1994). ACTION: Interview all system owners to gather requirements for operations, configuration and maintenance.
Architectural Phase – High-level architectural recommendations proposed to meet the customer requirements. ACTION: Produce high-level documentation and drawings to meet every requirement.
Technical Design Phase – Detailed information, usually written by the coder or implementer, that describes how the system or product will be programmed and configured to meet the customer requirements and the high-level architecture. ACTION: Produce detailed documentation such as drawings, switch configurations, VLANs, IP addresses and firewall ACLs.
Implementation – The system components are brought together and tested during this phase per the testing plan. ACTION: Verify ("was the product built right?") and validate ("was the right product built?").
Maintain – The system has been verified and validated and is maintained by Operations and Maintenance. ACTION: Modify configurations and assets to fix anomalies or required operational changes.
At the end of the Requirements, Architectural and Technical Design phases, you have a roadmap; at the end of Implementation and Maintain, you have working system(s).
Interview Process Drives Requirements
The interview process identifies how the owners and clients of the assets operate, configure, patch and upgrade them, and identifies where the data is produced and consumed. This process is used to gather requirements.
[Diagram: interviewees include the HMI Server owner, IACS DC owner, QC Server owner, Engineering Workstation owner and IACS Server owner.]
Propose High-Level Architecture(s) – Example Requirement: Remote Access to FactoryTalk® View SE Server for Configuration
Propose a high-level architecture
Place assets in the Enterprise or Industrial Security Zone
Place proposed assets in the IDMZ
Draw communication lines between the assets and asset owners to make sure that requirements are met
[Diagram: CPwE reference architecture with a Remote Desktop Client in the Enterprise Zone (1) connecting through the Remote Desktop Gateway in the IDMZ (2) to a Terminal Server in the Industrial Zone running the View SE Client, which reaches the View SE Server via RSLinx® Enterprise / FactoryTalk® Live Data.]
How to Derive High-Level Architecture(s)?
Start with what you know
Actors have to perform "what" on "which" systems
How are the systems related?
Place the systems in their respective zone and diagram communications
Does this proposed architecture break any of the security tenets?
[Diagram: an Actor with a Historian Client, MES, QC Systems and Order Entry in the Enterprise Security Zone; IACS systems in the Industrial Security Zone; no control protocols through the firewall(s) on either side of the Industrial DMZ.]
Move Assets To Minimize Cross-Zone Traffic – Especially Control Protocols
[Diagram: a Historian is placed in the Industrial Security Zone next to the IACS; a Historian Mirror (data proxy) in the Industrial DMZ brokers its data to the Historian Client, MES, QC Systems and Order Entry in the Enterprise Security Zone, so no control protocol crosses the firewalls.]
Agenda
What is an IDMZ?
IDMZ Design Methodology
IDMZ Use Cases and Technologies
"Typical" Systems We've Seen Involved in IDMZ Designs
Use case: Enterprise Zone (Levels 4–5) component – IDMZ component – Industrial Zone (Levels 0–3) component, with a firewall (inspect) on each side of the IDMZ
User wants Historian data and reports: Historian – PI to PI Connector – Historian
Domain Controller replication: Domain Controller – Domain Controller – Domain Controller
User wants web reports: Web Reports – Reverse Web Proxy – Web Servers
Configure, troubleshoot Industrial Zone asset: Remote Desktop Client – Remote Desktop Gateway – Terminal Server
Update AV and install O.S. patches: O.S. Patch, Anti-Virus Update – Anti-Virus and WSUS Server – Servers, Desktops, Laptops
User wants to send / retrieve files: Secure File Transfer – Secure File Transfer Gateway – File Server
Synchronized time across all zones: NTP Master Server – IDMZ NTP Server – Industrial Zone NTP Server
FactoryTalk® Historian Data Transfer
[Diagram: Historian SE with RSLinx® Enterprise / FactoryTalk® Live Data and FactoryTalk® Directory at Level 3 Site Operations in the Industrial Zone; PI to PI connector in the IDMZ; Historian SE (Enterprise) and VantagePoint Server in the Enterprise Zone; Historian / VantagePoint client data request.]
1) Controller data is sent to the Historian SE database via RSLinx® Enterprise.
2) and 3) Data is sent from the Industrial Zone Historian SE to the Enterprise Historian SE through the PI to PI connector in the IDMZ.
4) FactoryTalk® VantagePoint (VP) gathers preconfigured data from the Enterprise Historian SE to generate reports.
5) A FactoryTalk® VantagePoint client requests a web report based on the data collected from the Enterprise Historian SE.
Remote Desktop Gateway
Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), is a role service of the Remote Desktop Services server role included with Windows Server® 2008 R2. It enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.
RD Gateway carries RDP traffic over port 443 inside an HTTPS (SSL/TLS) tunnel, and takes advantage of this to provide remote access connectivity across multiple firewalls.
The gateway, not the client, opens the RDP (TCP 3389) connection to the Industrial Zone host, so the inner firewall should permit 3389 only from the gateway to the approved session hosts.
http://technet.microsoft.com/en-us/library/cc731150.aspx
[Diagram: Remote Desktop Clients (Enterprise Zone) – HTTPS – Remote Desktop Gateway on Windows Server 2008 R2 (IDMZ) – RDP (3389) – Active Directory server, Historian server, application server(s) (Industrial Zone).]
Remote Desktop Session Host CALs
Anyone who wants to connect to a Remote Desktop Session Host (Terminal Server) must have a Client Access License (CAL).
Consult Microsoft to validate your CAL questions:
http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx
Remote Desktop Gateway: 1 of 2
Actors: Al Admin (group ProdAdmins), Ed Engineer (group Engineers), Matt Maint (group Maintenance), Joe Oemone (group OEM One), Bob Oemtwo (group OEM Two), connecting from the Enterprise Zone (Levels 4 and 5) through the Remote Desktop Gateway in the IDMZ, with a firewall inspecting traffic on each side, to the Terminal Server in the Industrial Zone (Levels 0–3).
Asset: Terminal Server
Group | User | Direct access via Remote Desktop Gateway | Access via IACS Terminal Server | Studio 5000® Project: Open | Studio 5000® Tag: Force | Studio 5000® Firmware: Update
Operators | Oscar Operator | - | N/A | - | - | -
Maintenance | Matt Maint | x | N/A | x | x | -
Engineers | Ed Engineer | x | N/A | x | x | x
ProdAdmins | Al Admin | x | N/A | x | x | x
OEM1 (Trusted Partner) | Joe Oemone | x | N/A | x | - | -
OEM2 (Trusted Partner) | Bob Oemtwo | x | N/A | x | - | -
Connection Authorization Policies (CAP) – who can connect through the gateway?
Resource Authorization Policies (RAP) – what can they connect to?
Remote Desktop Gateway: 2 of 2
Same actors and path as before, now with the Engineering Workstation in the Industrial Zone as the asset; it is reached either directly through the Remote Desktop Gateway or from the IACS Terminal Server.
Asset: Engineering Workstation
Group | User | Direct access via Remote Desktop Gateway | Access via IACS Terminal Server | Studio 5000® Project: Open | Studio 5000® Tag: Force | Studio 5000® Firmware: Update
Operators | Oscar Operator | - | - | - | - | -
Maintenance | Matt Maint | - | x | x | x | -
Engineers | Ed Engineer | x | x | x | x | x
ProdAdmins | Al Admin | x | x | x | x | x
OEM1 (Trusted Partner) | Joe Oemone | - | x | x | - | -
OEM2 (Trusted Partner) | Bob Oemtwo | - | x | x | - | -
Connection Authorization Policies (CAP) – who can connect through the gateway?
Resource Authorization Policies (RAP) – what can they connect to?
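How the two policies combine for the actors in the tables on both Remote Desktop Gateway slides, as an added example that is not from the deck and is not Microsoft's RD Gateway code. An RD CAP decides who may connect through the gateway; an RD RAP decides which hosts and ports they may reach; a request has to satisfy one of each. The gateway only sees the first hop, so the Studio 5000® action columns (open, force, firmware update) are enforced on the session host by FactoryTalk® Security, not here. User, group and asset names are the slides'; the host names TerminalServer and EngineeringWorkstation, the policy classes and the evaluation order are assumptions:

```python
"""Model the Remote Desktop Gateway authorization the two slides tabulate.

Added example, not from the deck and not Microsoft's RD Gateway code. The
user, group and asset names come from the slides; the policy classes, the
host names "TerminalServer" and "EngineeringWorkstation" and the evaluation
order are assumptions that illustrate how an RD CAP and an RD RAP combine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionAuthorizationPolicy:
    """RD CAP: WHO may connect through the gateway (by user group)."""
    name: str
    user_groups: frozenset


@dataclass(frozen=True)
class ResourceAuthorizationPolicy:
    """RD RAP: WHAT those users may connect to (host set and allowed port)."""
    name: str
    user_groups: frozenset
    computers: frozenset
    ports: frozenset = frozenset({3389})


# Actor -> group, as on the slides (assumed one group per user for brevity).
GROUPS = {
    "Oscar Operator": "Operators",
    "Matt Maint": "Maintenance",
    "Ed Engineer": "Engineers",
    "Al Admin": "ProdAdmins",
    "Joe Oemone": "OEM One",
    "Bob Oemtwo": "OEM Two",
}

CAPS = (
    ConnectionAuthorizationPolicy("CAP-Internal", frozenset({"Maintenance", "Engineers", "ProdAdmins"})),
    ConnectionAuthorizationPolicy("CAP-Partners", frozenset({"OEM One", "OEM Two"})),
    # Operators have no CAP: they never get through the gateway at all.
)

RAPS = (
    # Everyone a CAP admits may open RDP to the IACS terminal server.
    ResourceAuthorizationPolicy(
        "RAP-TerminalServer",
        frozenset({"Maintenance", "Engineers", "ProdAdmins", "OEM One", "OEM Two"}),
        frozenset({"TerminalServer"}),
    ),
    # Only engineers and production admins may RDP straight to the engineering
    # workstation; maintenance and OEMs reach it from the terminal server, a hop
    # the gateway does not see.
    ResourceAuthorizationPolicy(
        "RAP-EngineeringWorkstation",
        frozenset({"Engineers", "ProdAdmins"}),
        frozenset({"EngineeringWorkstation"}),
    ),
)


def authorize(user, target, port=3389, caps=CAPS, raps=RAPS, groups=GROUPS):
    """Gateway decision for one connection request: (allowed, reason).

    A request passes only if some CAP admits the user's group AND some RAP for
    that group names the target host and port. Neither policy alone is enough.
    """
    group = groups.get(user)
    if group is None:
        return False, "unknown user %r" % user
    cap = next((c for c in caps if group in c.user_groups), None)
    if cap is None:
        return False, "no CAP admits group %s; connection refused at the gateway" % group
    rap = next(
        (r for r in raps if group in r.user_groups and target in r.computers and port in r.ports),
        None,
    )
    if rap is None:
        return False, "%s admitted by %s, but no RAP permits %s:%d" % (user, cap.name, target, port)
    return True, "%s via %s and %s" % (user, cap.name, rap.name)


def access_matrix(users=GROUPS, targets=("TerminalServer", "EngineeringWorkstation")):
    """Recompute the 'direct access via Remote Desktop Gateway' columns from the policies."""
    return {u: {t: authorize(u, t)[0] for t in targets} for u in users}


if __name__ == "__main__":
    for user, row in access_matrix().items():
        print("%-16s %s" % (user, " ".join("%s=%s" % (t, "x" if ok else "-") for t, ok in row.items())))
```

Running access_matrix() reproduces the "direct access" column of both tables; a change to a RAP that is not mirrored in a CAP (or the reverse) shows up immediately as a row that no longer matches what the owner signed off on.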
FactoryTalk® View SE Via Remote Desktop Gateway
[Diagram: Remote Desktop Client reaching the site over the Internet, External DMZ/Firewall and Enterprise WAN; Remote Desktop Gateway in the IDMZ; Terminal Server with View SE Client, FactoryTalk® Directory and View SE Server (via RSLinx® Enterprise / FactoryTalk® Live Data) in the Industrial Zone.]
1) A VPN session is established with the customer site.
2) The Remote Desktop Connection application is launched from the remote user's computer. The user enters the Industrial Zone Remote Desktop Session Host's address as the target desktop and starts the session.
3) The Remote Desktop Gateway server in the IDMZ presents its SSL certificate (which the client validates) and authenticates the user name and password.
4) The Remote Desktop Session Host's desktop is presented to the remote desktop user.
FactoryTalk® View SE Via Cisco ASA RDP Plug-in
[Diagram: remote client reaching the site over the Internet and External DMZ; Cisco ASA firewall with RDP plug-in in the IDMZ; Terminal Server with View SE Client, FactoryTalk® Directory and View SE Server (via RSLinx® Enterprise / FactoryTalk® Live Data) in the Industrial Zone.]
1) A VPN session is established with the customer site.
2) The user enters the ASA firewall URL in a web browser and is authenticated to the ASA firewall.
3) The ASA portal presents the pre-configured URLs for the Industrial Zone Terminal Server.
4) The Remote Desktop Session Host's desktop is presented to the remote desktop user.
Web Proxies
Forward proxies "hide" the clients: requesting clients – forward web proxy – Internet.
Reverse proxies "hide" the servers: Internet – reverse web proxy – application server(s).
Reverse Web Proxy in the IDMZ
Same concept: a reverse web proxy in the IDMZ "hides" the FactoryTalk® web servers (FactoryTalk® Metrics Server, VantagePoint Server, FactoryTalk® ViewPoint Server) in the Industrial Zone from requesting clients in the Enterprise Zone.
Reverse Web Proxy Operation
[Diagram: Enterprise client (Enterprise Zone) – HTTPS to proxy URL – Reverse Web Proxy (ProdWebServerProx) in the IDMZ – HTTP/HTTPS to server URL – Web Application Server(s) (ProdWebServer) in the Industrial Zone.]
1) The Enterprise client requests a web report from https://ProdWebServerProx/Main.html, the reverse web proxy.
2) The reverse web proxy rewrites the URL to https://ProdWebServer/Main.html.
3) It sends the request to ProdWebServer for Main.html.
4) ProdWebServer receives the request and sends the Main.html web page to ProdWebServerProx.
5) ProdWebServerProx receives the Main.html web page and forwards the page content, rewriting any server URLs back to https://ProdWebServerProx/Main.html.
6) The Enterprise client displays the content of Main.html and the URL reads https://ProdWebServerProx/Main.html.
The inner firewall should permit only ProdWebServerProx, not enterprise clients, to reach ProdWebServer on the web port; the proxy, not the firewall rule alone, is the broker.
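The two rewrites in steps 2 and 5, as an added example that is not the deck's and not any product's proxy code. It also refuses paths that are not published, which is the check that keeps the rest of ProdWebServer hidden behind the broker, and drops the backend's Server banner. The host names are the deck's; the request/response representation, the published-path list and the constructed response in demo() are assumptions:

```python
"""URL rewriting a reverse web proxy in the IDMZ performs in both directions.

Added example, not the deck's and not any product's proxy code. The host names
ProdWebServer and ProdWebServerProx are the deck's; the request/response
representation, the published-path list and the sample response in demo() are
assumptions.
"""
import re
from urllib.parse import urlsplit, urlunsplit

PROXY_HOST = "ProdWebServerProx"      # what enterprise clients see
BACKEND_HOST = "ProdWebServer"        # what only the proxy may reach
BACKEND_SCHEME = "https"
# Only the report application is published; every other backend path stays hidden.
PUBLISHED_PATHS = ("/main.html", "/reports/")

# Absolute backend URL, but not a longer host name that merely starts the same way.
_BACKEND_URL = re.compile(
    r"https?://" + re.escape(BACKEND_HOST) + r"(?=[/?#\s\"'<>]|$)", re.IGNORECASE
)


def rewrite_request(method, url, headers):
    """Step 2: turn the proxy URL the client used into the backend URL, or refuse.

    Returns (method, backend_url, headers) with Host pointed at the backend.
    """
    parts = urlsplit(url)
    if (parts.hostname or "") != PROXY_HOST.lower():
        raise ValueError("request is not for the proxy host: %r" % parts.hostname)
    if not parts.path.lower().startswith(PUBLISHED_PATHS):
        raise PermissionError("path not published through the proxy: %s" % parts.path)
    backend_url = urlunsplit((BACKEND_SCHEME, BACKEND_HOST, parts.path, parts.query, ""))
    fwd = {k: v for k, v in headers.items() if k.lower() != "host"}
    fwd["Host"] = BACKEND_HOST
    return method, backend_url, fwd


def rewrite_response(status, headers, body):
    """Step 5: pass the content back with every backend reference renamed.

    Location/Content-Location headers and absolute links in the body are
    rewritten to the proxy name; the backend's Server banner is dropped so the
    client learns nothing about the Industrial Zone host.
    """
    out = {}
    for k, v in headers.items():
        if k.lower() in ("location", "content-location"):
            v = _BACKEND_URL.sub("https://" + PROXY_HOST, v)
        elif k.lower() == "server":
            continue
        out[k] = v
    return status, out, _BACKEND_URL.sub("https://" + PROXY_HOST, body)


def demo():
    """Constructed exchange: a report page whose links point at the backend."""
    _, backend_url, fwd = rewrite_request(
        "GET", "https://ProdWebServerProx/Main.html?shift=1",
        {"Host": "ProdWebServerProx", "Accept": "text/html"},
    )
    backend_body = (
        '<a href="https://ProdWebServer/reports/line1">Line 1</a>'
        '<a href="/reports/line2">Line 2</a>'          # relative links need no rewrite
    )
    status, headers, body = rewrite_response(
        200, {"Server": "Microsoft-IIS/7.5", "Location": "https://ProdWebServer/Main.html"}, backend_body
    )
    return backend_url, fwd, status, headers, body


if __name__ == "__main__":
    print(demo())
```

A request for https://ProdWebServerProx/admin/ raises PermissionError before anything is sent into the Industrial Zone; that refusal, not the URL rewrite, is what limits the enterprise side to the report application.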
Cisco ASA Web Proxy Operation
[Diagram: Enterprise client – SSL VPN to ASA portal – Cisco ASA Firewall in the IDMZ – HTTP/HTTPS to server URL – Web Application Server(s) (ProdWebServer) in the Industrial Zone; the ASA plays the role of the reverse web proxy (ProdWebServerProx).]
1) The Enterprise client authenticates to the ASA.
2) The Enterprise client is presented with preconfigured URL requests in the ASA portal. In this example, the URL requests a web report from https://ProdWebServerProx/Main.html.
3) The ASA proxy rewrites the URL to https://ProdWebServer/Main.html and sends the request to ProdWebServer for Main.html.
4) ProdWebServer receives the request and sends the Main.html web page to the ASA.
5) The ASA receives the Main.html web page and forwards the page content, rewriting server URLs back to https://ProdWebServerProx/Main.html.
6) The Enterprise client displays the content of Main.html and the URL reads https://ProdWebServerProx/Main.html.
Secure File Transfer
[Diagram: Secure File Transfer Gateway in the IDMZ between the Enterprise Zone and the Industrial Zone; manual file transfers in each direction.]
1) A manual file transfer is initiated from the Industrial Zone.
2) The user is authenticated on the Secure File Transfer Gateway and the file is transferred, inspected and saved.
3) The Enterprise user logs on to the Secure File Transfer Gateway and retrieves the file.
4) The Enterprise user wants to transfer a file to the Industrial Zone and initiates a manual file transfer.
5) The user is authenticated on the Secure File Transfer Gateway and the file is transferred, inspected and saved.
6) The Industrial Zone user logs on to the Secure File Transfer Gateway and retrieves the file.
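What "transferred, inspected and saved" in steps 2 and 5 can look like inside the gateway, as an added example that is not the deck's and not any product's code. A file is never copied straight from one zone's inbound folder to the other zone's pickup folder: the submitting group must be allowed to send in that direction, the content must match its declared type, and the decision and file hash are logged. The directory layout, the group-to-direction policy, the type checks and the constructed sample files in run_demo() are assumptions:

```python
"""Inspect-then-release broker behind the Secure File Transfer Gateway flow.

Added example, not the deck's and not any product's code. The directory layout
(<root>/<zone>/inbound and <root>/<zone>/pickup), the group-to-direction
policy, the content checks and the sample files in run_demo() are all
assumptions made for illustration.
"""
import hashlib
import os
import shutil
import tempfile

MAX_BYTES = 50 * 1024 * 1024
# Which zone-to-zone directions each user group may submit (assumption).
DIRECTION_POLICY = {
    "engineers": {("industrial", "enterprise"), ("enterprise", "industrial")},
    "oem": {("enterprise", "industrial")},           # partners may only send in
    "plant-manager": {("industrial", "enterprise")},  # reports come out, nothing goes in
}
# Declared extension -> bytes the content must start with; () means plain text.
ALLOWED_TYPES = {".zip": (b"PK\x03\x04",), ".pdf": (b"%PDF-",), ".csv": (), ".txt": ()}


def inspect_file(path):
    """Return (ok, reason, sha256hex). Size, extension and content must all agree."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed: %s" % ext, None
    size = os.path.getsize(path)
    if size == 0 or size > MAX_BYTES:
        return False, "size out of bounds: %d bytes" % size, None
    digest, head, has_nul = hashlib.sha256(), b"", False
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            head = head or chunk[:8]
            digest.update(chunk)
            has_nul = has_nul or b"\x00" in chunk
    magics = ALLOWED_TYPES[ext]
    if magics and not any(head.startswith(m) for m in magics):
        return False, "content does not match extension %s" % ext, digest.hexdigest()
    if not magics and has_nul:
        return False, "binary content in a text file", digest.hexdigest()
    return True, "ok", digest.hexdigest()


def transfer(root, user, group, from_zone, to_zone, name, log):
    """Steps 2 and 5: check the user may send this way, inspect, then release or quarantine.

    Nothing is ever copied straight from one zone's inbound folder to the other
    zone's pickup folder; every decision is logged with the file hash for audit.
    """
    entry = {"user": user, "file": name, "from": from_zone, "to": to_zone, "released": False}
    if (from_zone, to_zone) not in DIRECTION_POLICY.get(group, set()):
        entry.update(reason="group %s may not send %s->%s" % (group, from_zone, to_zone), sha256=None)
        log.append(entry)
        return False
    src = os.path.join(root, from_zone, "inbound", name)
    ok, reason, digest = inspect_file(src)
    dst_dir = os.path.join(root, to_zone, "pickup") if ok else os.path.join(root, "quarantine")
    os.makedirs(dst_dir, exist_ok=True)
    shutil.move(src, os.path.join(dst_dir, name))
    entry.update(released=ok, reason=reason, sha256=digest)
    log.append(entry)
    return ok


def locate(root, name):
    """Directory under root (with forward slashes) where the named file now sits, or None."""
    for dirpath, _, files in os.walk(root):
        if name in files:
            return os.path.relpath(dirpath, root).replace(os.sep, "/")
    return None


def run_demo():
    """Constructed files and submissions; returns (root, log) so the outcome can be checked."""
    root = tempfile.mkdtemp(prefix="sft-")
    samples = {
        ("industrial", "recipe.csv"): b"line,setpoint\n1,42\n",      # clean text, goes out
        ("industrial", "report.pdf"): b"MZ\x90\x00 not a pdf",        # executable behind .pdf
        ("enterprise", "update.exe"): b"MZ\x90\x00",                   # extension not allowed
        ("enterprise", "prints.zip"): b"PK\x03\x04" + b"\x00" * 32,  # zip container, allowed in
    }
    for (zone, name), content in samples.items():
        os.makedirs(os.path.join(root, zone, "inbound"), exist_ok=True)
        with open(os.path.join(root, zone, "inbound", name), "wb") as f:
            f.write(content)
    log = []
    transfer(root, "matt", "engineers", "industrial", "enterprise", "recipe.csv", log)
    transfer(root, "matt", "engineers", "industrial", "enterprise", "report.pdf", log)
    transfer(root, "joe", "oem", "enterprise", "industrial", "update.exe", log)
    transfer(root, "joe", "oem", "enterprise", "industrial", "prints.zip", log)
    transfer(root, "joe", "oem", "industrial", "enterprise", "prints.zip", log)  # direction refused
    return root, log


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

The magic-byte check is what catches the executable renamed to report.pdf; an extension allow-list alone would have released it. A real gateway adds anti-virus scanning at the same point, before the move into the pickup folder.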
Network Time Protocol (NTP)
[Diagram: Corporate Master NTP Server in the Enterprise Zone; IDMZ NTP Server; Industrial Zone NTP Server at Level 3 Site Operations.]
1) The Corporate Master NTP Server sends NTP time to the IDMZ NTP Server.
2) The Corporate Master NTP Server sends NTP time to the Industrial Zone NTP Server.
Step 2 is an Enterprise-to-Industrial flow, so it is an explicit exception to the "no direct traffic" tenet; scope the firewall rule to NTP (UDP 123) from the master server to the Industrial Zone NTP server only, and have Industrial Zone clients synchronize from their own zone's server rather than from the enterprise.
Domain Controller – Bi-directional Replication
[Diagram: Enterprise Zone Domain Controller; Industrial Zone Domain Controller at Level 3 Site Operations; firewalls on either side of the IDMZ.]
1) The Enterprise Domain Controller replicates any changes to the Industrial Zone Domain Controller.
2) The Industrial Domain Controller replicates any changes to the Enterprise Zone Domain Controller.
Replication crosses the IDMZ directly, so the firewall exception must be limited to the two domain controllers and the replication ports. The two zones then share one directory, which means a compromise of the enterprise domain is a compromise of Industrial Zone identities; the alternative is a separate Industrial Zone domain with no replication across the IDMZ.
ISE Overview
Network / user context: Who, What, Where, When, How
Device profiling feed service
Reduce network unknowns and apply the right level of secure access consistently across wired, wireless and VPN: employee access, contractor and vendor access, guest access
ISE Personas/Roles
Policy Administration Node (PAN) – interface to configure policies
Monitoring and Troubleshooting Node (MnT) – interface for logging, reporting and troubleshooting
Policy Service Node (PSN) – the engine that makes policy decisions; this is the workhorse of the personas, responsible for AAA, profiling, posture and guest
A single ISE node (appliance or VM) can run one or more personas: Administration, Monitoring, Policy Service
Distributed ISE Setup
[Diagram: ISE PAN/PSN and ISE MnT in the Enterprise Zone; ISE PSN at Level 3 Site Operations in the Industrial Zone; firewalls on either side of the IDMZ.]
1) The Enterprise ISE PAN/PSN synchronizes its policy configurations with the Industrial ISE PSN.
2) The Enterprise and Industrial ISE PSNs send detailed logs to the Enterprise ISE MnT.
ISE Use Cases – Wired Client to RAS
[Diagram: laptop client (1) – access switch (2) – ISE PSN (3) – Remote Access Server (RAS) (4); ISE PAN/PSN and ISE MnT in the Enterprise Zone, ISE PSN in the Industrial Zone.]
1) The wired client logs in and sends an 802.1X authentication request.
2) The switch forwards a RADIUS authentication request on behalf of the client to the ISE PSN.
3) The ISE PSN checks Active Directory for the user. If found, it approves the request with a RADIUS response that carries the VLAN assignment and the ACL to be applied at the switch, which helps ensure that the client can only access the RAS.
4) The client connects via Remote Desktop to the RAS and uses the same login as before. FactoryTalk® Security enforces permissions for the client.
ISE Use Cases – Wireless (Corporate) Client to RAS

[Figure: the same CPwE architecture, with a laptop client, local and Enterprise WLCs, the Remote Desktop Gateway (RDG), the Remote Access Server (RAS), the ISE PAN/PSN, ISE PSN and ISE MnT nodes, and the numbered steps below.]
1) Wireless client connects to Corporate SSID, logs in, and sends 802.1x authentication request, which gets tunneled to the local WLC
2) WLC forwards RADIUS authentication request on behalf of client to ISE PSN
3) ISE PSN checks Active Directory for user. If found, it approves the request with a RADIUS response that carries info on ACL to be applied at the Enterprise WLC, which helps ensure that client can only access the RAS
4) Client traffic is now tunneled to the Enterprise WLC, and the client connects via the Remote Desktop Gateway to RAS using the same login as before. FactoryTalk® Security enforces permissions for client
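Step 3 of the wired and wireless use cases above, modelled as an added Python example (not from the deck, and not Cisco ISE code): the PSN consults group membership, returns an Access-Accept carrying the VLAN (wired only) and a downloadable ACL, and the ACL is then evaluated to confirm the client can reach only the RAS. The user names, the "ras-users" group, the RAS address, the VLAN number and the ACL wording are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample data (not from the deck): AD group membership, the RAS
# address and the VLAN that ISE assigns to authorized wired clients.
AD_GROUPS: Dict[str, set] = {"jdoe": {"ras-users"}, "contractor1": {"guests"}}
RAS_IP = "10.20.30.40"
RAS_VLAN = 150

@dataclass
class AccessAccept:
    """What the PSN hands back to the switch (wired) or WLC (wireless)."""
    acl: List[str]
    vlan: Optional[int] = None  # wireless case: ACL only, no VLAN assignment

def authorize(user: str, medium: str) -> Optional[AccessAccept]:
    """Step 3: AD lookup, then Access-Accept (or None, i.e. Access-Reject)."""
    if "ras-users" not in AD_GROUPS.get(user, set()):
        return None
    # Downloadable ACL: RDP to the RAS only; PACs, drives and I/O stay unreachable.
    acl = [f"permit tcp any host {RAS_IP} eq 3389", "deny ip any any"]
    return AccessAccept(acl=acl, vlan=RAS_VLAN if medium == "wired" else None)

def radius_attributes(grant: AccessAccept) -> Dict[str, object]:
    """Encode the grant as RADIUS attributes (RFC 3580 tunnel attributes + cisco-av-pair)."""
    attrs: Dict[str, object] = {
        "cisco-av-pair": [f"ip:inacl#{i + 1}={line}" for i, line in enumerate(grant.acl)]
    }
    if grant.vlan is not None:
        attrs.update({"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                      "Tunnel-Private-Group-ID": str(grant.vlan)})
    return attrs

def acl_permits(acl: List[str], proto: str, dst_ip: str, dst_port: int) -> bool:
    """Evaluate a simplified Cisco-style ACL top down: first match wins, implicit deny.
    Entries: <permit|deny> <ip|tcp|udp> <any|host A> <any|host B> [eq PORT]."""
    for entry in acl:
        tok = entry.split()
        action, aproto, tok = tok[0], tok[1], tok[2:]
        tok = tok[2:] if tok[0] == "host" else tok[1:]  # skip source (the client itself)
        if tok[0] == "host":
            dst_ok, tok = tok[1] == dst_ip, tok[2:]
        else:
            dst_ok, tok = True, tok[1:]
        port_ok = not tok or (tok[0] == "eq" and int(tok[1]) == dst_port)
        if aproto in ("ip", proto) and dst_ok and port_ok:
            return action == "permit"
    return False
```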
Additional Material: CPwE Reference Architectures

Websites: Reference Architectures
Design Guides:
• Converged Plantwide Ethernet (CPwE)
• Deploying the Resilient Ethernet Protocol (REP) in a Converged Plantwide Ethernet Architecture
• Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture
Application Guides: Fiber-optic Infrastructure Application Guide
Whitepapers:
• Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
• Securing Manufacturing Computer and Controller Assets
• Achieving Secure Remote Access to plant-floor Applications and Data
• Design Considerations for Securing Industrial Automation and Control System Networks
Additional Material: Training and Certifications

Cisco Industrial Networking Specialist Training and Certification
• E-learning modules (pre-learning courses): Control Systems Fundamentals for Industrial Networking (ICINS); Networking Fundamentals for Industrial Control Systems (INICS)
• Classroom training: Managing Industrial Networks with Cisco Networking Technologies (IMINS)
• Exam: 600–601 IMINS
CCNA for Industrial Applications - Training and Certification
• Training - TBD
• Exam - TBD
Industrial IP Advantage
• E-learning modules: CPwE Design Considerations and Best Practices
Industrial IP Advantage

• A ‘go-to’ resource for educational information about industrial network communication and using standard Internet Protocol (IP) for industrial applications
• Community of like-minded companies – Cisco®, Panduit®, and Rockwell Automation®
• Receive monthly e-newsletters with articles and videos on the latest trends
• Network Design eLearning course available for TechEd Attendee promotional price!
Sign up today at www.industrial-ip.org
Additional Material: Training and Certifications

http://www.cisco.com/web/learning/training-index.html
• ICND1
• ICND2
PUBLIC INFORMATION
www.rockwellautomationteched.com
Traversing the Industrial Demilitarized Zone (Lecture)

Cisco is a trademark of Cisco Systems, Inc. Microsoft and Windows Server are trademarks of the Microsoft Corporation. Panduit is a trademark of the Panduit Corporation. EtherNet/IP is a trademark of the ODVA.