Copyright © 2015 Rockwell Automation, Inc. All rights reserved. Rockwell Automation TechED 2015 @ROKTechED #ROKTechED PUBLIC INFORMATION Traversing the Industrial Demilitarized Zone Lecture

NW07 - Traversing the Industrial Demilitarized Zone


Page 1: NW07 - Traversing the Industrial Demilitarized Zone

Traversing the Industrial Demilitarized Zone - Lecture

Page 2: Why Is This Important? Control and Information Convergence

Scalable, robust, secure and future-ready infrastructure:
Application
Software
Network

Internet of Things, Internet of Everything

Page 3: What Are We Doing? CPwE Reference Architectures

Education, design considerations and guidance to help reduce network latency and jitter, to help increase the availability, integrity and confidentiality of data, and to help design and deploy a scalable, robust, secure and future-ready EtherNet/IP™ network infrastructure:
Single Industrial Network Technology
Robust Physical Layer
Segmentation / Structure (modular and scalable building blocks)
Prioritization - Quality of Service (QoS)
Redundant Path Topologies with Resiliency Protocols
Time Synchronization – PTP, CIP Sync, Integrated Motion on the EtherNet/IP network
Multicast Management
Convergence-ready Solutions
Security – Holistic Defense-in-Depth
Scalable Secure Remote Access
Wireless – 802.11

Page 4: Security – Holistic Defense-in-Depth, CPwE Reference Architectures

Diagram: CPwE reference architecture. Enterprise Zone (Levels 4–5) with the enterprise WAN, Internet and external DMZ/firewall; Industrial Demilitarized Zone (IDMZ) with Cisco ASA 5500 firewalls (active/standby) and physical or virtualized servers (patch management, AV server, application mirror, Remote Desktop Gateway server); Industrial Zone (Levels 0–3) with Catalyst 6500/4500 core switches and Catalyst 3750X StackWise switch stacks, Level 3 Site Operations (UCS, RADIUS AAA server, 5500 Wireless LAN Controller (WLC) active/standby), Level 2 Area Supervisory Control (FactoryTalk® client), Level 1 controllers and Level 0 process devices (drives, soft starters, MCC, I/O), LWAPs with 2.4 GHz and 5 GHz SSIDs and workgroup bridges (WGB). Authentication, Authorization and Accounting (AAA) spans the zones.

Page 5: Agenda

What is an IDMZ?
IDMZ Design Methodology
IDMZ Use Cases and Technologies

Page 6: Network Technology Convergence – Continued Trend - Single Industrial Network Technology

Diagram: Flat and Unstructured Network Infrastructure

Page 7: Network Technology Convergence – Continued Trend – Segmented Networks with IDMZ for Security

Diagram: CPwE architecture segmented by zone.
Enterprise Zone (Levels 4 and 5): Wide Area Network (WAN), Internet, physical or virtualized servers (ERP, Email, Active Directory (AD), AAA – RADIUS, Call Manager)
Industrial Demilitarized Zone (IDMZ): plant firewalls, ASA 5500 active/standby with a link for failover detection (inter-zone traffic segmentation; ACLs, IPS and IDS; VPN services; portal and Remote Desktop Services proxy); physical or virtualized servers (patch management, AV server, application mirror, Remote Desktop Gateway server)
Industrial Zone (Levels 0–3), Site Operations (Level 3): Catalyst 6500/4500 and Catalyst 3750X StackWise switch stack, UCS, physical or virtualized servers (FactoryTalk® application servers and services platform; network services, for example DNS, AD, DHCP, AAA; Call Manager; storage array), remote access server, 5500 Wireless LAN Controller (WLC), primary and secondary
Cell/Area Zones (Levels 0–2): Rockwell Automation® Stratix 5700™/Stratix 8000™ Layer 2 access switches and Catalyst 2960 in redundant star (Flex Links resiliency), linear/bus/star and ring (Resilient Ethernet Protocol, REP) topologies; unified wireless LAN (LWAP, 5 GHz and 2.4 GHz SSIDs, WGB) and autonomous wireless LAN (AP, WGB); HMI, controllers, safety controllers, safety I/O, I/O, drives, servo drives, soft starters, MCC, robots, cameras, phones, instrumentation

Page 8: Controlling Access to the Industrial Zone – Continued Trend - Industrial Network Security

Logical Model – Industrial Automation and Control System (IACS), Converged Multi-discipline Industrial Network

Enterprise Security Zone
Level 5 – Enterprise Network
Level 4 – Site Business Planning and Logistics Network (Email, Intranet, and so forth)
Firewall (Web, Email, CIP)
Industrial DMZ – Remote Gateway Services, Patch Management, AV Server, Application Mirror, Web Services Operations, Application Server
Firewall
Industrial Security Zone
Level 3 – Site Operations and Control: FactoryTalk® Application Server, FactoryTalk® Directory, Engineering Workstation, Remote Access Server
Cell/Area Zone
Level 2 – Area Supervisory Control: FactoryTalk® Client, Operator Interface, Engineering Workstation
Level 1 – Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
Level 0 – Process: Sensors, Drives, Actuators, Robots

No Direct Traffic Flow between Enterprise and Industrial Zone

Page 9: What Is an Industrial DMZ?

An IDMZ, or Industrial Demilitarized Zone, is a subnetwork that is placed between a trusted network (industrial) and an untrusted network (enterprise). The IDMZ contains business-facing assets that act as brokers between the trusted and untrusted networks.

Traffic never travels directly across the IDMZ.

A properly designed IDMZ can be unplugged if compromised and still allow the industrial network to operate without disruption.

Page 10: Demilitarized Zone (DMZ)

Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.

Diagram: Internet (UNTRUSTED) – Web Proxy (BROKER, in the DMZ) – internal network (TRUSTED)

Page 11: Industrial Demilitarized Zone (IDMZ) – Controlling Access to the Industrial Zone

Sometimes referred to as a perimeter network that exposes an organization's external services to an untrusted network. The purpose of the IDMZ is to add an additional layer of security to the trusted network.

Diagram: Enterprise Security Zone (TRUSTED? UNTRUSTED?) – Industrial DMZ (BROKER) – Industrial Security Zone (TRUSTED)

Page 12: IDMZ – Replicated Data and Services

Diagram: CPwE architecture with the IDMZ between the Enterprise Zone (Levels 4–5) and the Industrial Zone (Levels 0–3); a firewall that inspects traffic sits on each side of the IDMZ. Enterprise-side: WAN, physical or virtualized servers (ERP, Email, Active Directory (AD), AAA – RADIUS, Call Manager), WLC (Enterprise), ISE (Enterprise), core switches. IDMZ services: Remote Desktop Gateway, Web Reports, Web Proxy, and physical or virtualized servers (patch management, AV server, application mirror, Remote Desktop Gateway server). Industrial-side Level 3 Site Operations: FactoryTalk® application servers and services, network services (for example DNS, AD, DHCP, AAA), Call Manager, storage array, remote access server, VantagePoint, ISE, WLC (active/standby), core and distribution switches; Levels 0–2 Cell/Area Zone with PACs, FactoryTalk® client, drives, MCC, I/O, LWAP and WGB.
Flows shown: Permit secure remote access (Engineer, Remote Access) to industrial assets; Permit data from the Industrial Zone to enterprise stakeholders (Plant Manager); Block untrusted access to the Industrial Zone; Block untrusted access to the Enterprise Zone.

Page 13: Industrial Demilitarized Zone (IDMZ) – Design Tenets - Best Practices

All network traffic from either side of the IDMZ terminates in the IDMZ; network traffic does not directly traverse the IDMZ
Only path between zones
No common protocols in each logical firewall
No control traffic into the IDMZ, CIP stays home
No primary services are permanently housed in the IDMZ
IDMZ shall not permanently house data
Application data mirror to move data into and out of the Industrial Zone
Limit outbound connections from the IDMZ
Be prepared to “turn-off” access via the firewall

Diagram: Enterprise Security Zone (Trusted? Untrusted?) – Disconnect Point – IDMZ, Replicated Services – Disconnect Point – Industrial Security Zone (Trusted); No Direct Traffic
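The tenets above can be checked mechanically against a proposed rule set for the two IDMZ firewalls before anything is deployed. The following Python script is an added example, not part of the deck or of Rockwell Automation's CPwE material; the rule names, ports, host names, dependency list and the zone labels "enterprise", "idmz" and "industrial" are constructed sample data and assumptions of the script.

```python
"""IDMZ design-tenet checker.

Added example, not from the original deck. Given a proposed rule set for the
two IDMZ firewalls plus a host inventory, it reports every rule or dependency
that breaks one of the tenets listed on the slide: flows terminate in the
IDMZ, CIP stays home, no common protocol on both firewalls, limited IDMZ
outbound connections, and no primary services housed in the IDMZ. Rule names,
hosts and ports below are constructed sample data.
"""
from dataclasses import dataclass

# Control protocols that must never cross a zone boundary. The port numbers are
# the registered EtherNet/IP ports; names are matched case-insensitively.
CONTROL_PROTOCOLS = {"cip", "ethernet/ip", "tcp/44818", "udp/2222"}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "enterprise" | "idmz" | "industrial" (assumed labels)
    dst_zone: str
    protocol: str   # e.g. "tcp/443", "tcp/3389", "cip"
    action: str     # "permit" | "deny"


def firewall_of(rule):
    """Which logical firewall a rule lives on, or None if it spans no firewall."""
    zones = {rule.src_zone, rule.dst_zone}
    if zones == {"enterprise", "idmz"}:
        return "enterprise-idmz"
    if zones == {"idmz", "industrial"}:
        return "idmz-industrial"
    return None


def check_rules(rules, idmz_outbound_allow, host_zone, dependencies):
    """Return a sorted list of (subject, tenet broken) findings.

    idmz_outbound_allow: set of (dst_zone, protocol) pairs the IDMZ may initiate
    host_zone:           dict host name -> zone
    dependencies:        iterable of (industrial host, host it depends on)
    """
    findings = set()
    permits = [r for r in rules if r.action == "permit"]

    for r in permits:
        proto = r.protocol.lower()
        # Tenet: all traffic terminates in the IDMZ; no direct Enterprise/Industrial flow.
        if {r.src_zone, r.dst_zone} == {"enterprise", "industrial"}:
            findings.add((r.name, "direct Enterprise/Industrial traffic"))
        # Tenet: no control traffic into the IDMZ; CIP stays home.
        if proto in CONTROL_PROTOCOLS and r.src_zone != r.dst_zone:
            findings.add((r.name, "control protocol crosses a zone boundary"))
        # Tenet: limit outbound connections from the IDMZ to an explicit allow list.
        if r.src_zone == "idmz" and r.dst_zone != "idmz" \
                and (r.dst_zone, proto) not in idmz_outbound_allow:
            findings.add((r.name, f"IDMZ-initiated {proto} to {r.dst_zone} not on allow list"))

    # Tenet: no common protocols in each logical firewall.
    by_firewall = {"enterprise-idmz": set(), "idmz-industrial": set()}
    for r in permits:
        fw = firewall_of(r)
        if fw:
            by_firewall[fw].add(r.protocol.lower())
    common = by_firewall["enterprise-idmz"] & by_firewall["idmz-industrial"]
    for r in permits:
        if firewall_of(r) and r.protocol.lower() in common:
            findings.add((r.name, f"{r.protocol.lower()} permitted on both firewalls"))

    # Tenet: no primary services permanently housed in the IDMZ, so the IDMZ can
    # be unplugged without disrupting the Industrial Zone.
    for consumer, provider in dependencies:
        if host_zone.get(consumer) == "industrial" and host_zone.get(provider) == "idmz":
            findings.add((consumer, f"depends on {provider}, a service housed in the IDMZ"))

    return sorted(findings)


# Constructed sample rule set: an RD Gateway broker (good), a PI-to-PI relay
# using the same port on both firewalls, a direct CIP rule and an unlisted
# IDMZ-initiated connection.
SAMPLE_RULES = [
    Rule("rdp-to-gateway", "enterprise", "idmz", "tcp/443", "permit"),
    Rule("gateway-to-ts", "idmz", "industrial", "tcp/3389", "permit"),
    Rule("pi-to-idmz", "industrial", "idmz", "tcp/5450", "permit"),
    Rule("pi-to-ent", "idmz", "enterprise", "tcp/5450", "permit"),
    Rule("direct-cip", "enterprise", "industrial", "cip", "permit"),
    Rule("idmz-http-out", "idmz", "enterprise", "tcp/80", "permit"),
    Rule("deny-all", "enterprise", "industrial", "any", "deny"),
]
SAMPLE_OUTBOUND_ALLOW = {("industrial", "tcp/3389"), ("enterprise", "tcp/5450")}
SAMPLE_HOST_ZONE = {"HMI-Server": "industrial", "AD-IDMZ": "idmz",
                    "Historian-SE": "industrial", "DC-IND": "industrial"}
SAMPLE_DEPENDENCIES = [("HMI-Server", "AD-IDMZ"), ("Historian-SE", "DC-IND")]


if __name__ == "__main__":
    for subject, tenet in check_rules(SAMPLE_RULES, SAMPLE_OUTBOUND_ALLOW,
                                      SAMPLE_HOST_ZONE, SAMPLE_DEPENDENCIES):
        print(f"{subject}: {tenet}")
```

Run as-is it prints six findings for the constructed rule set. In practice the rules would be exported from the two plant firewalls and the dependency list would come from the asset-owner interviews in the methodology section; the "common protocol" check is the one most often missed, because a relay that uses the same port on both firewalls looks harmless rule by rule.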

Page 14: Industrial Demilitarized Zone (IDMZ) – Controlling Access to the Industrial Zone

Set up functional subzones in the IDMZ to segment access to data and services (for example, Partner zone, Operations, IT)
If the IDMZ is compromised, it will be the buffer between the Enterprise and Industrial Zone
Most attacks will attempt to pivot to other machines on the same network
Use the Firewall, Intrusion Detection and Intrusion Prevention to stop the “pivot”

Diagram: IDMZ with multiple functional subzones (Terminal Services, Patch Management, Historian Mirror, Web Services Operations, Application Server, AV Server) between the Enterprise Zone (Trusted? Untrusted?) and the Industrial Zone (Trusted), with a Disconnect Point on each side; No Direct Traffic; Block

Page 15: Controlling Access to the Industrial Zone – One Size Does Not Fit All

Not Recommended:
Figures 1, 2 and 3 – Enterprise-wide Network and Plant-wide Network
Figure 4 – Plant-wide Network and Enterprise-wide Network separated by a switch with VLANs

Recommended – Depending on end-users' standards, security policies and procedures, risk tolerance, and alignment with applicable IACS Security Standards:
Figure 5 (Silver) – Plant-wide Network and Enterprise-wide Network separated by a router (zone-based firewall)
Figure 6 (Gold) – Plant-wide Network and Enterprise-wide Network separated by a firewall
Figure 7 (Platinum) – Plant-wide Network and Enterprise-wide Network separated by an IDMZ

Page 16: Agenda

What is an IDMZ?
IDMZ Design Methodology
IDMZ Use Cases and Technologies

Page 17: Methodology

Develop a scientific method to develop repeatable, measurable and maintainable solution(s)
Examine the problem “holistically” and drill down through the details of each system
Don’t examine security from a “partial” perspective
You may not be able to secure “everything” right away, but be aware and have a vision for the entire security plan

Callout: “I’m only interested in Remote Access, don’t worry about the other stuff”

Page 18: IDMZ / Network Reconnaissance (Design Pre-work)

Phases: Recon Phase; Design Phase (Requirements Phase, Architectural Phase, Tech. Design Phase); Implement; Maintain

Identify Assets or Asset Classes – Identify “types” of Assets in the Industrial Zone and those that support Production. ACTION: Document Assets by reviewing existing documentation, interviews and network scanning.

Identify Asset Owners – Identify “who” owns the hardware and software on the asset. ACTION: Document Asset Owners and Schedule Interviews.

Page 19: Classify Asset Types

Goal: Identify assets that support the production process
Goal: Identify if an asset belongs in the Industrial or Enterprise Zone

Diagram: IACS assets placed in the Industrial Security Zone

Page 20: Diagram Data Sources Feeding Higher-Level Assets

Diagram: IACS assets in the Industrial Security Zone feeding higher-level assets. These assets are not likely to send data directly across the IDMZ. They most likely interact with assets that are in the Industrial Security Zone.

Page 21: Identify System Owners/Users

Diagram: IACS assets and the IACS domain controller (IACS DC) in the Industrial Security Zone

Page 22: IDMZ / Network Design Methodology

Requirements Phase – Requirements are a statement identifying a capability, physical characteristic or quality factor that bounds a product or process problem for which a solution will be pursued. (Source: IEEE Standard 1220–1994) ACTION: Interview all system owners to gather requirements for operations, configuration and maintenance.

Architectural Phase – High-level architectural recommendations that are proposed to meet the customer requirements. ACTION: Produce high-level documentation and drawings to meet every requirement.

Technical Design Phase – Detailed information that is usually written by the coder or implementer that describes how the system or product will be programmed and configured to meet the customer requirements and the high-level architecture. ACTION: Produce detailed documentation such as drawings, switch configurations, VLANs, IP addresses, firewall ACLs.

At the end of these phases, you have a roadmap.

Implementation – The system components are brought together and tested during this phase per the testing plan. ACTION: Verify (“was the product built right?”) and Validate (“was the right product built?”).

Maintain – The system has been verified and validated and is maintained by Operations and Maintenance. ACTION: Modify configurations and assets to fix anomalies or required operational changes.

At the end of these phases, you have working system(s).

Page 23: Interview Process Drives Requirements

The interview process identifies how the owners and clients of the assets:
Operate?
Configure?
Patch?
Upgrade?

It also identifies where the data is produced and consumed. This process is used to gather requirements.

Diagram: interviews with the HMI Server Owner, IACS DC Owner, QC Server Owner, Eng. WS Owner and IACS Server Owner

Page 24: Propose High-Level Architecture(s) – Example Requirement – Remote Access to FactoryTalk® View SE Server for Configuration

Propose High-Level Architecture:
Place Assets in the Enterprise or Industrial Security Zone
Place proposed Assets in the IDMZ
Draw communication lines between the assets and asset owners to make sure that requirements are met

Diagram: CPwE architecture (Enterprise Zone Levels 4–5 with WAN, Internet, external DMZ/firewall, core switches, WLC (Enterprise), ISE (Enterprise); IDMZ with active/standby firewalls; Industrial Zone Levels 0–3 with Level 3 Site Operations, ISE, WLC (active/standby), distribution and core switches, Levels 0–2 Cell/Area Zone PACs, drives, MCC, I/O, LWAP, WGB). A Remote Desktop Client in the Enterprise Zone connects to the Remote Desktop Gateway in the IDMZ, which connects to the Terminal Server running the View SE Client in the Industrial Zone; the View SE Server (RSLinx® Enterprise, FactoryTalk® Live Data) sits at Level 3 Site Operations.

Page 25: How to Derive High-Level Architecture(s)?

Start with what you know
Actors have to perform “what” to “which” systems
How are the systems related?
Place the systems in their respective zone; diagram communications
Does this proposed architecture break any of the security tenets?

Diagram: Actor, Historian Client, MES, QC Systems and Order Entry in the Enterprise Security Zone; IACS assets in the Industrial Security Zone; Industrial DMZ between them – No Control Protocols Through the Firewall(s)

Page 26: Move Assets To Minimize Cross Zone Traffic – Especially Control Protocols

Diagram: the Historian stays with the IACS assets in the Industrial Security Zone; a Historian Mirror (data proxy) is placed in the Industrial DMZ; the Actor, Historian Client, MES, QC Systems and Order Entry sit in the Enterprise Security Zone

Page 27: Agenda

What is an IDMZ?
IDMZ Design Methodology
IDMZ Use Cases and Technologies

Page 28: “Typical” Systems We’ve Seen Involved in IDMZ Designs

Use case – Enterprise Zone (Levels 4–5) | IDMZ | Industrial Zone (Levels 0–3), with a traffic-inspecting firewall on each side of the IDMZ:
User wants Historian data and reports – Historian | PI to PI Connector | Historian
Domain Controller replication – Domain Controller | Domain Controller | Domain Controller
User wants Web Reports – Web Reports | Reverse Web Proxy | Web Servers
Configure, troubleshoot Industrial Zone asset – Remote Desktop Client | Remote Desktop Gateway | Terminal Server
Update AV and install O.S. patches – O.S. Patch, Anti-Virus, Virus Update | Anti-Virus and WSUS Server | Servers, Desktops, Laptops
User wants to send / retrieve files – Secure File Transfer | Secure File Transfer Gateway | File Server
Synchronized time across all zones – NTP Master Server | IDMZ NTP Server | Ind. Zone NTP Server

Page 29: FactoryTalk® Historian Data Transfer

1) Controller data is sent to the Historian SE database via RSLinx® Enterprise.
2 & 3) Data is sent from the Industrial Zone Historian SE to the Enterprise Historian SE through the PI to PI connector.
4) FactoryTalk® VantagePoint (VP) gathers preconfigured data from the Enterprise Historian SE to generate reports.
5) A FactoryTalk® VantagePoint client requests a web report that is based on the data collected from the Enterprise Historian SE.

Diagram: CPwE architecture with the Historian SE (RSLinx® Enterprise, FactoryTalk Live Data, FactoryTalk® Directory) at Level 3 Site Operations in the Industrial Zone (Levels 0–3), the PI to PI connector in the IDMZ, and the Historian SE (Enterprise), VantagePoint Server and Historian / VP client data request in the Enterprise Zone (Levels 4–5)

Page 30: Remote Desktop Gateway

Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), is a role in the Remote Desktop Services server role included with Windows Server® 2008 R2. It enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.

RD Gateway transmits RDP traffic to port 443 by using an HTTP Secure Sockets Layer/Transport Layer Security (SSL/TLS) tunnel.

RD Gateway takes advantage of this network design to provide remote access connectivity across multiple firewalls.

http://technet.microsoft.com/en-us/library/cc731150.aspx

Diagram: Remote Desktop Clients in the Enterprise Zone connect over HTTPS to the Remote Desktop Gateway (Windows Server 2008 R2) in the IDMZ, which connects over RDP (3389) to the Active Directory server, Historian server and application server(s) in the Industrial Zone

Page 31: Remote Desktop Session Host CALs

Anyone who wants to connect to a Remote Desktop Session Host (Terminal Server) must have a Client Access License (CAL).

Consult Microsoft to validate your CAL questions: http://www.microsoft.com/licensing/about-licensing/client-access-license.aspx

Page 32: Remote Desktop Gateway: 1 of 2

Actors and groups: Al Admin (Group = ProdAdmins), Ed Engineer (Group = Engineers), Matt Maint (Group = Maintenance), Joe Oemone (Group = OEM One), Bob Oemtwo (Group = OEM Two)

Diagram: remote desktop users in the Enterprise Zone (Levels 4 and 5) connect through a traffic-inspecting firewall to the Remote Desktop Gateway in the Industrial Demilitarized Zone (IDMZ), and through a second traffic-inspecting firewall to the Terminal Server in the Industrial Zone (Levels 0–3)

Access matrix (columns: Asset | Group | User | Direct-Access Via Remote Desktop Gateway | Access Via IACS Terminal Server | Studio 5000® Project: Open | Studio 5000® Tag: Force | Studio 5000® Firmware: Update; an x marks a granted permission, N/A a column that does not apply to the asset):
Terminal Server | Operators | Oscar Operator | N/A
Terminal Server | Maintenance | Matt Maint | x N/A x x
Terminal Server | Engineers | Ed Engineer | x N/A x x x
Terminal Server | ProdAdmins | Al Admin | x N/A x x x
Terminal Server | OEM1 (Trusted Partner) | Joe Oemone | x N/A x
Terminal Server | OEM2 (Trusted Partner) | Bob Oemtwo | x N/A x

Resource Authorization Policies (RAP) - Who can connect?
Connection Authorization Policies (CAP) – What can they connect to?

Page 33: Remote Desktop Gateway: 2 of 2

Actors and groups: Al Admin (Group = ProdAdmins), Ed Engineer (Group = Engineers), Matt Maint (Group = Maintenance), Joe Oemone (Group = OEM One), Bob Oemtwo (Group = OEM Two)

Diagram: remote desktop users in the Enterprise Zone (Levels 4 and 5) connect through a traffic-inspecting firewall to the Remote Desktop Gateway in the Industrial Demilitarized Zone (IDMZ), and through a second traffic-inspecting firewall to the Terminal Server and the Engineering Workstation in the Industrial Zone (Levels 0–3)

Access matrix (columns: Asset | Group | User | Direct-Access Via Remote Desktop Gateway | Access Via IACS Terminal Server | Studio 5000® Project: Open | Studio 5000® Tag: Force | Studio 5000® Firmware: Update; an x marks a granted permission):
Engineering Workstation | Operators | Oscar Operator |
Engineering Workstation | Maintenance | Matt Maint | x x x
Engineering Workstation | Engineers | Ed Engineer | x x x x x
Engineering Workstation | ProdAdmins | Al Admin | x x x x x
Engineering Workstation | OEM1 (Trusted Partner) | Joe Oemone | x x
Engineering Workstation | OEM2 (Trusted Partner) | Bob Oemtwo | x x

Resource Authorization Policies (RAP) - Who can connect?
Connection Authorization Policies (CAP) – What can they connect to?
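A small model of the two gateway policy stages named above plus the application-level permissions in the matrix, written as an added example (not from the deck, and not Microsoft's code). In Microsoft's RD Gateway the RD CAP decides which users or groups may connect through the gateway at all and the RD RAP decides which internal computers they may reach; the per-action Studio 5000® permissions are enforced on the target host, not by the gateway. The user and group names are the ones on the two slides; the policy tables and the `authorize` and `decision_table` functions are constructed for illustration and do not reproduce the slides' matrix cell by cell.

```python
"""Two-stage RD Gateway authorization model (added example, not from the deck).

Stage 1, RD CAP: may this user connect through the gateway at all?
Stage 2, RD RAP: may this user reach the requested internal computer?
Stage 3 (on the target host, outside the gateway): is the requested
Studio 5000 action allowed? Users and groups come from the slides; the
policy tables are constructed and do not reproduce the slides' matrix.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


# Stage 1: groups allowed to connect through the RD Gateway (constructed).
RD_CAP = {"ProdAdmins", "Engineers", "Maintenance", "OEM One", "OEM Two"}

# Stage 2: group -> internal computers the gateway will broker a session to (constructed).
RD_RAP = {
    "ProdAdmins": {"Terminal Server", "Engineering Workstation"},
    "Engineers": {"Terminal Server", "Engineering Workstation"},
    "Maintenance": {"Terminal Server", "Engineering Workstation"},
    "OEM One": {"Terminal Server"},
    "OEM Two": {"Terminal Server"},
}

# Stage 3: group -> Studio 5000 actions permitted on the target host (constructed).
STUDIO_5000 = {
    "ProdAdmins": {"Project: Open", "Tag: Force", "Firmware: Update"},
    "Engineers": {"Project: Open", "Tag: Force", "Firmware: Update"},
    "Maintenance": {"Project: Open", "Tag: Force"},
    "OEM One": {"Project: Open"},
    "OEM Two": {"Project: Open"},
}


def authorize(user, target, action=None):
    """Return (allowed, reason). Every stage must pass; the reason names the
    stage that denied, which is what the gateway's log entry should carry."""
    cap_groups = user.groups & RD_CAP
    if not cap_groups:
        return False, f"RD CAP: {user.name} is in no group allowed to connect"
    rap_groups = {g for g in cap_groups if target in RD_RAP.get(g, set())}
    if not rap_groups:
        return False, f"RD RAP: no group of {user.name} may reach {target}"
    if action is None:
        return True, f"session to {target} brokered for group {sorted(rap_groups)[0]}"
    if any(action in STUDIO_5000.get(g, set()) for g in rap_groups):
        return True, f"{action} permitted on {target}"
    return False, f"application policy: {action} not permitted for {user.name} on {target}"


# Actors from the slides, with the group membership labelled there.
OSCAR = User("Oscar Operator", frozenset({"Operators"}))
MATT = User("Matt Maint", frozenset({"Maintenance"}))
ED = User("Ed Engineer", frozenset({"Engineers"}))
AL = User("Al Admin", frozenset({"ProdAdmins"}))
JOE = User("Joe Oemone", frozenset({"OEM One"}))
BOB = User("Bob Oemtwo", frozenset({"OEM Two"}))


def decision_table(users=(OSCAR, MATT, ED, AL, JOE, BOB)):
    """One row per user, target and action: a review artefact for the policy
    before it is deployed, matching the matrix layout on the slides."""
    rows = []
    for u in users:
        for target in ("Terminal Server", "Engineering Workstation"):
            for action in (None, "Project: Open", "Tag: Force", "Firmware: Update"):
                allowed, reason = authorize(u, target, action)
                rows.append((u.name, target, action, allowed, reason))
    return rows


if __name__ == "__main__":
    for name, target, action, allowed, reason in decision_table():
        tag = "ALLOW" if allowed else "DENY"
        print(f"{tag:5} {name:14} {target:23} {str(action):16} {reason}")
```

The point of the three stages is that a denial is attributable: an operator is stopped at the CAP before the gateway ever opens a session, a trusted partner is stopped at the RAP before reaching the engineering workstation, and a maintenance user who can open a project still cannot update firmware, each with a distinct log reason.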

Page 34: FactoryTalk® View SE Via Remote Desktop Gateway

1) A VPN session is established with the customer site.
2) The Remote Desktop Connection application is launched from the remote user’s computer. The user enters the Industrial Zone Remote Session Host’s address as the target desktop and starts the session.
3) The Remote Desktop Gateway server in the IDMZ validates the SSL certificate and the user name and password.
4) The Remote Session Host’s desktop is now presented to the remote desktop user.

Diagram: CPwE architecture with the Remote Desktop Client in the Enterprise Zone (Levels 4–5), the Remote Desktop Gateway in the IDMZ, and the Terminal Server (View SE Client) and View SE Server (RSLinx® Enterprise, FactoryTalk® Live Data, FactoryTalk® Directory) at Level 3 Site Operations in the Industrial Zone (Levels 0–3); ISE, WLC (active/standby), distribution and core switches, Levels 0–2 Cell/Area Zone PACs, drives, MCC, I/O, LWAP and WGB

Page 35: FactoryTalk® View SE Via Cisco ASA RDP Plug-in

1) A VPN session is established with the customer site.
2) The user enters the ASA Firewall URL in an internet browser and is authenticated to the ASA Firewall.
3) The ASA portal presents the pre-configured URLs to the Industrial Zone Terminal Server.
4) The Remote Session Host’s desktop is now presented to the remote desktop user.

Diagram: CPwE architecture with the Remote Client in the Enterprise Zone (Levels 4–5), the Cisco ASA RDP Plug-in on the IDMZ firewalls, and the Terminal Server (View SE Client, FactoryTalk® Directory) and View SE Server (RSLinx® Enterprise, FactoryTalk® Live Data) at Level 3 Site Operations in the Industrial Zone (Levels 0–3); ISE, WLC (active/standby), distribution and core switches, Levels 0–2 Cell/Area Zone PACs, drives, MCC, I/O, LWAP and WGB

Page 36: Web Proxies

Forward Proxies “hide” the clients
Reverse Proxies “hide” the servers

Diagram: requesting clients – forward web proxy – Internet – reverse web proxy – application server(s)

Page 37: Reverse Web Proxy in the IDMZ

Same concept: a Reverse Web Proxy “hides” the FactoryTalk® web servers

Diagram: requesting clients in the Enterprise Zone – reverse web proxy in the IDMZ – FactoryTalk® Metrics Server, VantagePoint Server and FactoryTalk® ViewPoint Server in the Industrial Zone

Page 38: Reverse Web Proxy Operation

1) Enterprise client requests a Web Report from https://ProdWebServerProx/Main.html (the Reverse Web Proxy)
2) Reverse Web Proxy rewrites the URL to https://ProdWebServer/Main.html
3) Sends the request to ProdWebServer for Main.html
4) ProdWebServer receives the request and sends the Main.html web page to ProdWebServerProx
5) ProdWebServerProx receives the Main.html web page and forwards the web page content but rewrites the URL to https://ProdWebServerProx/Main.html
6) Enterprise client displays the content of Main.html and the URL reads http://ProdWebServerProx/Main.html

Diagram: Enterprise client in the Enterprise Zone – HTTPS to proxy URL – Reverse Web Proxy (ProdWebServerProx) in the Industrial Demilitarized Zone (IDMZ) – HTTP/HTTPS to server URL – Web Application Server(s) (ProdWebServer) in the Industrial Zone
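The URL rewriting of steps 2 and 5, together with the check that keeps anything other than the published report paths from being forwarded into the Industrial Zone, as an added Python example (not from the deck, and not the code of any proxy product). The host names ProdWebServer and ProdWebServerProx are the slide's; the published-path allow list, the sample page body and the `sample_backend` stand-in for the Industrial Zone web server are constructed.

```python
"""Reverse web proxy rewrite logic for the six-step flow (added example, not from the deck).

inbound_rewrite  : step 2, proxy URL -> internal server URL, only for published paths
outbound_rewrite : step 5, internal absolute URLs in the page and Location header -> proxy URLs
proxy_request    : steps 1-6 end to end against a stand-in backend
Host names are the slide's; the allow list, sample page and backend are constructed.
"""
import re
from urllib.parse import urlsplit, urlunsplit

PROXY_HOST = "ProdWebServerProx"      # name the Enterprise Zone sees (from the slide)
INTERNAL_HOST = "ProdWebServer"       # Industrial Zone web server (from the slide)
PUBLISHED_PATHS = ("/Main.html", "/reports/")   # constructed allow list; trailing "/" = prefix

# Matches an absolute URL pointing at the internal host. The \b stops it from
# matching "ProdWebServerProx", so links that already name the proxy are left alone.
_INTERNAL_URL = re.compile(r"https?://" + re.escape(INTERNAL_HOST) + r"\b", re.IGNORECASE)


def _published(path):
    return any(path == p or (p.endswith("/") and path.startswith(p)) for p in PUBLISHED_PATHS)


def inbound_rewrite(request_url):
    """Step 2. Returns the internal URL, or None if the request must not be
    forwarded (host is not the proxy name, or the path is not published)."""
    parts = urlsplit(request_url)
    if parts.hostname != PROXY_HOST.lower():        # urlsplit lower-cases the host
        return None
    if not _published(parts.path):
        return None
    # The fragment is dropped; browsers never send it to a server anyway.
    return urlunsplit((parts.scheme, INTERNAL_HOST, parts.path, parts.query, ""))


def outbound_rewrite(body, headers, scheme="https"):
    """Step 5. Rewrites internal absolute URLs in the body and the Location
    header so the Enterprise client keeps talking to the proxy name only."""
    proxy_base = f"{scheme}://{PROXY_HOST}"
    new_headers = dict(headers)
    if "Location" in new_headers:
        new_headers["Location"] = _INTERNAL_URL.sub(proxy_base, new_headers["Location"])
    return _INTERNAL_URL.sub(proxy_base, body), new_headers


def proxy_request(request_url, backend):
    """Steps 1-6. `backend(internal_url)` stands in for ProdWebServer and
    returns (status, headers, body)."""
    internal = inbound_rewrite(request_url)
    if internal is None:
        return 404, {}, "not found"    # answered by the proxy; nothing crosses the inner firewall
    status, headers, body = backend(internal)
    body, headers = outbound_rewrite(body, headers, urlsplit(request_url).scheme)
    return status, headers, body


# Constructed sample page and backend.
SAMPLE_PAGE = ('<a href="https://ProdWebServer/reports/line1.html">Line 1</a> '
               '<a href="https://ProdWebServerProx/Main.html">Home</a>')


def sample_backend(internal_url):
    """Constructed stand-in for the Industrial Zone web server."""
    if internal_url == f"https://{INTERNAL_HOST}/Main.html":
        return 200, {"Content-Type": "text/html"}, SAMPLE_PAGE
    return 302, {"Location": f"https://{INTERNAL_HOST}/Main.html"}, ""


if __name__ == "__main__":
    for url in (f"https://{PROXY_HOST}/Main.html", f"https://{PROXY_HOST}/reports/",
                f"https://{PROXY_HOST}/admin/", f"https://{INTERNAL_HOST}/Main.html"):
        status, headers, body = proxy_request(url, sample_backend)
        print(status, headers.get("Location", "-"), body[:60])
```

Two things the slide's six steps leave implicit are made explicit here: the rewrite has to cover redirect headers as well as page content, or the client is sent straight at the internal name, and the proxy should only ever forward the paths that were deliberately published, which is what keeps the rest of the Industrial Zone web server out of reach from the Enterprise Zone.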

Page 39: Cisco ASA Web Proxy Operation

1) Enterprise client authenticates to the ASA
2) Enterprise client is presented with preconfigured URL requests in the ASA portal. In this example, the URL is requesting a Web Report from https://ProdWebServerProx/Main.html
3) The ASA proxy rewrites the URL to https://ProdWebServer/Main.html and sends the request to ProdWebServer for Main.html
4) ProdWebServer receives the request and sends the Main.html web page to the ASA
5) The ASA receives the Main.html web page and forwards the web page content but rewrites the URL to https://ProdWebServerProx/Main.html
6) Enterprise client displays the content of Main.html and the URL reads http://ProdWebServerProx/Main.html

Diagram: Enterprise client in the Enterprise Zone – SSL VPN to ASA portal – Cisco ASA Firewall acting as the Reverse Web Proxy (ProdWebServerProx) in the Industrial Demilitarized Zone (IDMZ) – HTTP/HTTPS to server URL – Web Application Server(s) (ProdWebServer) in the Industrial Zone

Page 40: NW07 - Traversing the Industrial Demilitarized Zone

Secure File Transfer

[Diagram: CPwE reference architecture (Enterprise Zone Levels 4–5 with Enterprise WAN, core switches, WLC and ISE; IDMZ with active/standby firewalls and the Secure File Transfer Gateway; Industrial Zone Levels 0–3 with Level 3 Site Operations, ISE, WLCs and the Levels 0–2 Cell/Area Zone of PACs, drives, I/O, MCC and FactoryTalk® clients); Manual File Transfer arrows run from each zone to the gateway, steps 1–6 marked]

1) A manual file transfer is initiated from the Industrial Zone.

2) The user is authenticated on the Secure File Transfer Gateway and the file is transferred, inspected and saved.

3) The Enterprise user logs on to the Secure File Transfer Gateway and retrieves the file.

4) The Enterprise user wants to transfer a file to the Industrial Zone. The Enterprise user initiates a manual file transfer.

5) The user is authenticated on the Secure File Transfer Gateway and the file is transferred, inspected and saved.

6) The Industrial Zone user logs on to the Secure File Transfer Gateway and retrieves the file.
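The broker pattern in the six steps above (authenticate, transfer, inspect, save, then retrieve from the other side) as an added Python model; this is not code from the deck or from any gateway product. The point it shows is that neither zone ever opens a connection to the other: both legs terminate on the gateway, the file is inspected before it is staged, and every leg leaves an audit record with the file hash. The user store, the inspection rules (extension allow-list, size cap, Windows executable header check) and all class and function names are assumptions made for this example.

```python
"""Secure File Transfer Gateway broker (added example, not the deck's code)."""
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed user store: user -> (zone, sha256 of password).  A real gateway
# would authenticate against the zone's directory service instead.
_USERS = {
    "plant_eng": ("industrial", hashlib.sha256(b"plant-pw").hexdigest()),
    "corp_analyst": ("enterprise", hashlib.sha256(b"corp-pw").hexdigest()),
}

# Inspection policy (assumption): data files only, capped in size, and never
# anything carrying a Windows executable header regardless of its name.
ALLOWED_EXT = {".csv", ".txt", ".pdf", ".xlsx"}
MAX_BYTES = 5 * 1024 * 1024


@dataclass
class StagedFile:
    name: str
    data: bytes
    sha256: str
    uploaded_by: str
    from_zone: str


@dataclass
class TransferGateway:
    staged: dict = field(default_factory=dict)   # name -> StagedFile
    audit: list = field(default_factory=list)    # one line per event

    def authenticate(self, user: str, password: str) -> str:
        """Return the user's zone, or raise PermissionError (steps 2, 3, 5, 6)."""
        entry = _USERS.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        if entry is None or not hmac.compare_digest(entry[1], given):
            self.audit.append(f"AUTH-FAIL user={user}")
            raise PermissionError("authentication failed")
        return entry[0]

    @staticmethod
    def inspect(name: str, data: bytes) -> list:
        """Return findings; an empty list means the file passed inspection."""
        findings = []
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext not in ALLOWED_EXT:
            findings.append(f"extension {ext or '(none)'} not allowed")
        if len(data) > MAX_BYTES:
            findings.append("exceeds size limit")
        if data[:2] == b"MZ":
            findings.append("executable header (MZ) inside file")
        return findings

    def upload(self, user: str, password: str, name: str, data: bytes) -> str:
        """Steps 2 and 5: authenticate, inspect, then stage. Returns the hash."""
        zone = self.authenticate(user, password)
        digest = hashlib.sha256(data).hexdigest()
        findings = self.inspect(name, data)
        if findings:
            self.audit.append(
                f"REJECT user={user} zone={zone} file={name} sha256={digest} reasons={findings}")
            raise ValueError("; ".join(findings))
        self.staged[name] = StagedFile(name, data, digest, user, zone)
        self.audit.append(f"STAGE user={user} zone={zone} file={name} sha256={digest}")
        return digest

    def retrieve(self, user: str, password: str, name: str) -> bytes:
        """Steps 3 and 6: the other side logs on and picks the file up."""
        zone = self.authenticate(user, password)
        item = self.staged.get(name)
        if item is None:
            raise FileNotFoundError(name)
        self.audit.append(
            f"RETRIEVE user={user} zone={zone} file={name} sha256={item.sha256}")
        return item.data
```

The hash recorded at staging and again at retrieval is what lets an investigator later prove which content crossed the IDMZ and when, independently of the file name.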

Page 41: NW07 - Traversing the Industrial Demilitarized Zone

Network Time Protocol (NTP)

[Diagram: CPwE reference architecture (Enterprise Zone Levels 4–5, IDMZ with active/standby firewalls, Industrial Zone Levels 0–3 down to the Levels 0–2 Cell/Area Zone) showing the Corporate Master NTP Server in the Enterprise Zone, the IDMZ NTP Server and the Industrial Zone NTP Server, with steps 1 and 2 marked]

1) The Corporate Master NTP Server sends NTP time to the IDMZ NTP Server

2) The Corporate Master NTP Server sends NTP time to the Industrial Zone NTP Server

Page 42: NW07 - Traversing the Industrial Demilitarized Zone

Domain Controller – Bi-directional Replication

[Diagram: CPwE reference architecture (Enterprise Zone Levels 4–5, IDMZ with active/standby firewalls, Industrial Zone Levels 0–3 down to the Levels 0–2 Cell/Area Zone) showing the Enterprise Zone Domain Controller and the Industrial Zone Domain Controller, with steps 1 and 2 marked]

1) The Enterprise Domain Controller replicates any changes to the Industrial Zone Domain Controller

2) The Industrial Domain Controller replicates any changes to the Enterprise Zone Domain Controller
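The two replication flows above and the two NTP flows on the preceding Network Time Protocol slide are the only traffic those slides allow across the IDMZ, so a defender can check firewall connection records against exactly that allow-list. The following is an added Python example, not from the deck or from any firewall vendor: it classifies constructed connection-initiation records as allowed, intra-zone, or a violation, and lists the violations. The zone address ranges, host addresses, log format and the subset of AD replication ports are assumptions made for this example; NTP is allowed in both directions between the named hosts because the downstream server polls the master and the master answers.

```python
"""Checking observed flows against the IDMZ allow-list (added example)."""
import ipaddress
import re

# Constructed zone addressing (assumption).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "idmz": ipaddress.ip_network("10.2.0.0/16"),
    "industrial": ipaddress.ip_network("10.3.0.0/16"),
}
# Constructed host addresses for the servers named on the slides.
CORP_NTP, IDMZ_NTP, IND_NTP = "10.1.0.5", "10.2.0.5", "10.3.0.5"
ENT_DC, IND_DC = "10.1.0.10", "10.3.0.10"

# AD replication needs several services; this is a representative subset
# (assumption), not the complete list a real firewall policy would carry.
_AD_PORTS = [("tcp", 135), ("tcp", 389), ("tcp", 88), ("tcp", 445)]

# Allow-list of (src, dst, proto, dport).  Each pair is entered in both
# directions: NTP polls and replies, and DC replication is bi-directional.
_PAIRS = [
    (CORP_NTP, IDMZ_NTP, "udp", 123),
    (CORP_NTP, IND_NTP, "udp", 123),
] + [(ENT_DC, IND_DC, proto, port) for proto, port in _AD_PORTS]
ALLOWED = set()
for _src, _dst, _proto, _port in _PAIRS:
    ALLOWED.add((_src, _dst, _proto, _port))
    ALLOWED.add((_dst, _src, _proto, _port))

# Constructed connection-record format (assumption): key=value fields.
_LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def zone_of(addr: str) -> str:
    """Name of the zone an address belongs to, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unknown"


def classify(line: str) -> str:
    """'allowed', 'intra-zone', 'violation' or 'unparsed' for one record."""
    m = _LOG_RE.search(line)
    if not m:
        return "unparsed"
    src, dst, proto, dport = m[1], m[2], m[3].lower(), int(m[4])
    if zone_of(src) == zone_of(dst):
        return "intra-zone"          # never crossed the IDMZ
    if (src, dst, proto, dport) in ALLOWED:
        return "allowed"
    return "violation"               # crossed a zone boundary outside the allow-list


def find_violations(lines):
    """Return the records that cross a zone boundary without being allowed."""
    return [line for line in lines if classify(line) == "violation"]


# Constructed sample records, labelled with the expected verdict.
SAMPLE_LOG = [
    "src=10.1.0.5 dst=10.2.0.5 proto=udp dport=123",    # master -> IDMZ NTP: allowed
    "src=10.1.0.5 dst=10.3.0.5 proto=udp dport=123",    # master -> Industrial NTP: allowed
    "src=10.1.0.10 dst=10.3.0.10 proto=tcp dport=389",  # DC replication: allowed
    "src=10.3.0.10 dst=10.1.0.10 proto=tcp dport=88",   # DC replication, reverse: allowed
    "src=10.1.0.20 dst=10.3.0.5 proto=udp dport=123",   # other Enterprise host -> Industrial NTP: violation
    "src=10.1.0.7 dst=10.3.0.10 proto=tcp dport=389",   # workstation LDAP to the Industrial DC: violation
    "src=10.3.0.40 dst=10.3.0.5 proto=udp dport=123",   # inside the Industrial Zone: intra-zone
]
```

Keying the allow-list on specific host pairs rather than on ports alone is what catches the two violations in the sample: both use a permitted port, but from a host that has no business crossing the IDMZ.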

Page 43: NW07 - Traversing the Industrial Demilitarized Zone

ISE Overview

Network / user context: who, what, where, when, how

Device Profiling Feed Service

Reduce network unknowns and apply the right level of secure access consistently across wired, wireless and VPN

Access categories: Employee Access, Contractor + Vendor, Guest Access

Page 44: NW07 - Traversing the Industrial Demilitarized Zone

ISE Personas/Roles

Policy Administration Node (PAN): interface to configure policies

Monitoring and Troubleshooting Node (MnT): interface for logging, reporting, and troubleshooting

Policy Service Node (PSN): engine that makes policy decisions. This is the workhorse of the personas, responsible for AAA, profiling, posture and Guest

A single ISE node (appliance or VM) runs one or more personas: Administration, Monitoring, Policy Service

Page 45: NW07 - Traversing the Industrial Demilitarized Zone

Distributed ISE Setup

[Diagram: CPwE reference architecture (Enterprise Zone Levels 4–5, IDMZ with active/standby firewalls, Industrial Zone Levels 0–3 down to the Levels 0–2 Cell/Area Zone) showing the Enterprise ISE PAN/PSN and ISE MnT in the Enterprise Zone and the Industrial ISE PSN at Level 3 Site Operations, with steps 1 and 2 marked]

1) The Enterprise ISE PAN/PSN synchronizes its policy configurations with the Industrial ISE PSN

2) The Enterprise and Industrial ISE PSNs send detailed logs to the Enterprise ISE MnT

Page 46: NW07 - Traversing the Industrial Demilitarized Zone

ISE Use Cases – Wired Client to RAS

[Diagram: CPwE reference architecture (Enterprise Zone Levels 4–5, IDMZ with active/standby firewalls, Industrial Zone Levels 0–3 down to the Levels 0–2 Cell/Area Zone) showing a Laptop Client wired into the Industrial Zone, the Industrial ISE PSN, the Enterprise ISE PAN/PSN and ISE MnT, and the Remote Access Server (RAS) at Level 3 Site Operations, with steps 1–4 marked]

1) Wired client logs in and sends an 802.1X authentication request.

2) Switch forwards the RADIUS authentication request on behalf of the client to the ISE PSN

3) ISE PSN checks Active Directory for the user. If found, it approves the request with a RADIUS response that carries info on the VLAN assignment and ACL to be applied at the switch, which helps ensure that the client can only access the RAS

4) Client connects via Remote Desktop to the RAS and uses the same login as before. FactoryTalk® Security enforces permissions for the client

Page 47: NW07 - Traversing the Industrial Demilitarized Zone

ISE Use Cases – Wireless (Corporate) Client to RAS

[Diagram: CPwE reference architecture (Enterprise Zone Levels 4–5, IDMZ with active/standby firewalls, Industrial Zone Levels 0–3 down to the Levels 0–2 Cell/Area Zone) showing a wireless Laptop Client, the Industrial ISE PSN, the Enterprise ISE PAN/PSN, ISE MnT and Enterprise WLC, the Remote Desktop Gateway (RDG) in the IDMZ and the Remote Access Server (RAS) at Level 3 Site Operations, with steps 1–4 marked]

1) Wireless client connects to the Corporate SSID, logs in, and sends an 802.1X authentication request, which gets tunneled to the local WLC

2) WLC forwards the RADIUS authentication request on behalf of the client to the ISE PSN

3) ISE PSN checks Active Directory for the user. If found, it approves the request with a RADIUS response that carries info on the ACL to be applied at the Enterprise WLC, which helps ensure that the client can only access the RAS

4) Client traffic is now tunneled to the Enterprise WLC, and the client connects via the Remote Desktop Gateway to the RAS using the same login as before. FactoryTalk® Security enforces permissions for the client
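Step 3 of this slide and of the preceding Wired Client to RAS slide are the same policy decision with different enforcement points, so one added Python model serves both; it is not ISE code or any Cisco API. The PSN looks the user up, then answers the RADIUS request with authorization attributes: for a switch, the RFC 3580 tunnel attributes that assign the VLAN plus a named ACL in Filter-Id; for a WLC, only the ACL name, carried in the Airespace-ACL-Name vendor attribute. A small first-match evaluator then shows what the ACL lets the client reach. The user list, VLAN number, RAS address, ACL contents and the class and function names are assumptions made for this example; the attribute names and the Tunnel-Type and Tunnel-Medium-Type values are the standard ones.

```python
"""ISE PSN authorization for the wired and wireless client-to-RAS use cases
(added example, not ISE code)."""
from dataclasses import dataclass, field

# Constructed stand-in for the Active Directory lookup in step 3.
_AD_USERS = {"jsmith", "mlopez"}

RAS_IP = "10.3.5.20"      # Remote Access Server address (constructed)
RAS_VLAN = "305"          # VLAN that only carries RAS-bound clients (constructed)

# Named ACL referenced in the RADIUS answer and enforced by the switch or WLC
# (constructed): Remote Desktop to the RAS, nothing else.
RAS_ONLY_ACL = [
    ("permit", "tcp", RAS_IP, 3389),
    ("deny", "ip", "any", None),
]


@dataclass
class AccessRequest:
    user: str
    nas_type: str          # "switch" for the wired case, "wlc" for wireless
    nas_ip: str


@dataclass
class RadiusResponse:
    code: str                                   # "Access-Accept" or "Access-Reject"
    attributes: dict = field(default_factory=dict)


def authorize(req: AccessRequest) -> RadiusResponse:
    """Step 3: check the directory, then build the RADIUS answer for this NAS."""
    if req.user not in _AD_USERS:
        return RadiusResponse("Access-Reject")
    attrs = {"User-Name": req.user}
    if req.nas_type == "switch":
        # Wired: VLAN assignment (RFC 3580 tunnel attributes) plus the ACL name.
        attrs.update({
            "Tunnel-Type": 13,                  # 13 = VLAN
            "Tunnel-Medium-Type": 6,            # 6 = IEEE-802
            "Tunnel-Private-Group-ID": RAS_VLAN,
            "Filter-Id": "RAS-ONLY-ACL",
        })
    elif req.nas_type == "wlc":
        # Wireless: the ACL is applied at the Enterprise WLC via the Airespace VSA.
        attrs["Airespace-ACL-Name"] = "RAS-ONLY-ACL"
    else:
        return RadiusResponse("Access-Reject")  # unknown device type: fail closed
    return RadiusResponse("Access-Accept", attrs)


def acl_permits(acl, dst_ip: str, proto: str, dport: int) -> bool:
    """Evaluate the named ACL as the enforcement point would: first match wins,
    implicit deny at the end."""
    for action, a_proto, a_dst, a_port in acl:
        proto_ok = a_proto == "ip" or a_proto == proto
        dst_ok = a_dst == "any" or a_dst == dst_ip
        port_ok = a_port is None or a_port == dport
        if proto_ok and dst_ok and port_ok:
            return action == "permit"
    return False
```

Two things the model makes visible: the decision is the same for both access media, only the enforcement attributes differ, and the network-level ACL stops at "reach the RAS on the Remote Desktop port"; what the user may then do inside the application is step 4's job, enforced by FactoryTalk® Security.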

Page 48: NW07 - Traversing the Industrial Demilitarized Zone

Additional Material: CPwE Reference Architectures

Websites
  Reference Architectures

Design Guides
  Converged Plantwide Ethernet (CPwE)
  Deploying the Resilient Ethernet Protocol (REP) in a Converged Plantwide Ethernet Architecture
  Deploying 802.11 Wireless LAN Technology within a Converged Plantwide Ethernet Architecture

Application Guides
  Fiber-optic Infrastructure Application Guide

Whitepapers
  Top 10 Recommendations for Plant-wide EtherNet/IP Deployments
  Securing Manufacturing Computer and Controller Assets
  Achieving Secure Remote Access to plant-floor Applications and Data
  Design Considerations for Securing Industrial Automation and Control System Networks

Page 49: NW07 - Traversing the Industrial Demilitarized Zone

Additional Material: Training and Certifications

Cisco Industrial Networking Specialist Training and Certification
  E-learning modules (pre-learning courses)
    Control Systems Fundamentals for Industrial Networking (ICINS)
    Networking Fundamentals for Industrial Control Systems (INICS)
  Classroom training
    Managing Industrial Networks with Cisco Networking Technologies (IMINS)
  Exam
    600–601 IMINS

CCNA for Industrial Applications - Training and Certification
  Training - TBD
  Exam - TBD

Industrial IP Advantage
  E-learning modules
    CPwE Design Considerations and Best Practices

Page 50: NW07 - Traversing the Industrial Demilitarized Zone

Industrial IP Advantage

A ‘go-to’ resource for educational information about industrial network communication and using standard Internet Protocol (IP) for industrial applications

Community of like-minded companies – Cisco®, Panduit®, and Rockwell Automation®

Receive monthly e-newsletters with articles and videos on the latest trends

Network Design eLearning course available for a TechEd attendee promotional price!

Sign up today at www.industrial-ip.org

Page 51: NW07 - Traversing the Industrial Demilitarized Zone

Additional Material: Training and Certifications

http://www.cisco.com/web/learning/training-index.html

ICND1
ICND2

Page 52: NW07 - Traversing the Industrial Demilitarized Zone

PUBLIC INFORMATION

www.rockwellautomationteched.com

Traversing the Industrial Demilitarized Zone (Lecture)

Cisco is a trademark of Cisco Systems, Inc. Microsoft and Windows Server are trademarks of the Microsoft Corporation. Panduit is a trademark of the Panduit Corporation. EtherNet/IP is a trademark of the ODVA.