
Copyright © 2012 Rockwell Automation, Inc. All rights reserved. Rev 5058-CO900C

Scalable Secure Remote Access Solutions

Jeffrey A. Shearer, CISSP, PMP, Principal Security Consultant, jashearer@ra.rockwell.com

Jason Dely, CISSP, Principal Security Consultant, jdely@ra.rockwell.com

Scott Friberg, Solutions Architect, Cisco Systems, Inc., sfriberg@cisco.com


Agenda and Topic List

• What is Remote Access? What are the requirements?
• Secured Remote Access Architectures
• DMZ Architectures
• Remote Desktop Protocol (RDP) Discussion & Demonstrations
• Secured File Transfer & Reverse Web Proxy Demonstrations


Reference Material

http://www.cisco.com/en/US/docs/solutions/Verticals/CPwE/CPwE_chapter6.html


Reference Material • Publications

Publication numbers: 1783-in005_-en-p.pdf, 1783-um003_-en-e.pdf


Reference Material

Buy and read operating system reference materials. Invest in yourself.


What is remote access?

In order to answer this question you need to define the requirements: what problems are you trying to solve, and who has the problem?

Requirements generation makes the designer consider:
• Users / User Personas (e.g. OEM, System Integrator, Engineering)
• Problem Statements (i.e. what problem are we trying to solve?)
• Use Cases

Use Case: Remote Access from Hotel Room

An OEM or SI engineer is in a hotel and must help the customer troubleshoot a PLC or HMI program. The engineer uses the hotel internet connection, connects securely to the machine at the customer site and is able to view PLC or HMI code.

[Diagram: user persona (OEM, System Integrator, Engineering); problem statement (Help Maintenance Troubleshoot); use case]


Remote Access Requirements (1)

Required to view a machine's ControlLogix processor from a hotel room to help troubleshoot the system.

[Diagram: OEM, SI, Engineer; Factory; Processing, Filling, Material Handling]


Remote Access Requirements (2)

Required to transfer a file containing ControlLogix code from a laptop to a manufacturing workstation.

[Diagram: OEM, SI, Engineer; Factory; Processing, Filling, Material Handling]


Remote Access Requirements (3)

View manufacturing data from FactoryTalk VantagePoint to decision makers who are located in the enterprise (office) zone.

[Diagram: Data Center; Processing, Filling, Material Handling; FactoryTalk VantagePoint Server]


Remote Access Challenges

• Industrial Automation and Control System (IACS) applications are often managed by plant personnel, while enterprise-level remote access solutions such as VPNs are the responsibility of the IT organization.

• Remote access can expose critical IACS applications to viruses, malware and other risks that may be present when using remote or partner computers, potentially impacting manufacturing.

• Limiting accessibility to only those functions that are appropriate for remote users.



Controlling Access to the Manufacturing Zone

No Direct Traffic Flow from Enterprise to Manufacturing Zone

[Diagram: CPwE logical model, levels top to bottom]
Level 5 / Level 4, Enterprise Zone: Enterprise Network (Router); Site Business Planning and Logistics Network (E-Mail, Intranet, etc.)
Firewall
DMZ: Terminal Services, Patch Management, AV Server, Historian Mirror, Web Services, Operations Application Server (traffic labels: Web, E-Mail, CIP)
Firewall
Level 3, Manufacturing Zone, Site Manufacturing Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller
Level 2, Cell/Area Zone, Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation
Level 1, Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control
Level 0, Process: Sensors, Drives, Actuators, Robots


High Level Architecture Review

Remote access involves cooperation between:

• Enterprise Zone: Information Technologies (IT) and infrastructure of the facility

• Automation Demilitarized Zone (Automation DMZ): designing it requires knowledge of the data that must move from the plant to enterprise systems

• Manufacturing Zone: Cell and Area devices, Industrial Protocols


Enterprise Zone

• "Levels" 4 & 5 owned by Information Technologies (IT)

• Traditionally some VLANs in place

• Campus to Campus communications

• IT knowledgeable with routing and firewalls

• IT will provide VPN Services for remote access

• You need to work with the IT personnel to get access to the DMZ


Automation DMZ

• Shared ownership by IT and Manufacturing professionals

• Designed to replicate services and data

• Remote Access Services (Terminal Services) located here

• "Typically" IT owns firewalls; IT configures the switches on behalf of Manufacturing professionals

• Manufacturing professionals own DMZ terminal servers, application servers, patch management servers


Manufacturing Zone

• Divide plant into functional areas for secured access: ISA-SP99 "Zones and Conduits" model

• OEM's / System Integrator / Engineering participation required: IP Address, VLAN IDs, Access layer to Distribution layer cooperation

• System design requires full cooperation of all asset owners


Demilitarized Zone (DMZ)

Sometimes referred to as a perimeter network, a DMZ exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.

[Diagram: Internet (UNTRUSTED) → Web Proxy in the BROKER DMZ → TRUSTED network]


DMZ Topology

Firewall(s) with three interfaces: Enterprise Interface, DMZ Interface, Manufacturing Interface.

Firewalls are used to block or allow access to devices on these interfaces based on a set of rules.

There will be assets like switches and servers that are part of the DMZ.
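As an added example (not code from the slides, Rockwell or Cisco), the following Python models the three-interface firewall rule set and checks the principle stated earlier that no rule permits traffic directly from the Enterprise zone to the Manufacturing zone; zone names, ports and the rule set are constructed for illustration.

```python
"""Model of the three-interface DMZ firewall and a check that no rule lets
Enterprise traffic reach the Manufacturing zone without terminating in the
DMZ first. Added example; the rule set below is constructed, not a real config."""
from dataclasses import dataclass

ENTERPRISE, DMZ, MANUFACTURING = "enterprise", "dmz", "manufacturing"
ANY_PORT = 0  # wildcard used by catch-all rules


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int   # TCP port the rule matches, e.g. 3389 for RDP, or ANY_PORT
    action: str     # "permit" or "deny"


# Constructed rule set: remote users arrive via the IT VPN in the Enterprise
# zone and may only reach DMZ brokers; only DMZ hosts may go inward.
RULES = [
    Rule(ENTERPRISE, DMZ, 3389, "permit"),          # RDP to DMZ terminal server
    Rule(ENTERPRISE, DMZ, 443, "permit"),           # HTTPS to reverse web proxy
    Rule(DMZ, MANUFACTURING, 3389, "permit"),       # terminal server -> engineering workstation
    Rule(DMZ, MANUFACTURING, 44818, "permit"),      # CIP/EtherNet/IP from DMZ app server (assumed)
    Rule(ENTERPRISE, MANUFACTURING, ANY_PORT, "deny"),  # explicit catch-all deny
]


def is_permitted(rules, src, dst, port):
    """First-match evaluation with implicit default deny, like an ASA access list."""
    for r in rules:
        if r.src_zone == src and r.dst_zone == dst and r.dst_port in (port, ANY_PORT):
            return r.action == "permit"
    return False


def direct_enterprise_to_manufacturing(rules):
    """Permit rules that violate 'no direct traffic flow from Enterprise to Manufacturing'.
    Reported even when shadowed by an earlier deny, so a later rule edit cannot expose them."""
    return [r for r in rules
            if r.action == "permit" and r.src_zone == ENTERPRISE and r.dst_zone == MANUFACTURING]


def brokered_path(rules, port):
    """True when a flow on this port can reach Manufacturing only by way of a DMZ hop."""
    return is_permitted(rules, ENTERPRISE, DMZ, port) and is_permitted(rules, DMZ, MANUFACTURING, port)
```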


Remote Desktop Technologies

Two options of Remote Desktop Technologies being discussed today:

• Option 1: Host a Remote Desktop Session from the Cisco Firewall

• Option 2: Host a Remote Desktop Session from a Microsoft Windows Server 2008 R2 computer

Remote Desktop allows a user to remotely view and control another computer. The user sees the remote computer's screen while sending keystrokes and mouse movements to the remote computer.

[Diagram: Option 1: Remote Desktop Client → Firewall: Secure RDP Session Host → Remote Desktop; Option 2: Remote Desktop Client → MS 2008 R2 Secure RDP Session Host → Remote Desktop]


Remote Desktop Protocol Via Cisco Firewall

• Remote Desktop Gateway functionality hosted from the Cisco ASA Firewall

• Same user experience as Microsoft Remote Desktop Gateway

• Configure Firewall to host the RDP session

• Come to AF Network & Security Booth to see how well this solution works.


• Connect to the outside of the Cisco firewall with a web browser over an SSL session.

• Continue to inside assets via Remote Desktop Protocol.


Remote Desktop Gateway

Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway, is a role service in the Remote Desktop Services server role included with Windows Server® 2008 R2. It enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.

RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and internal network resources.


Remote Access via Remote Desktop Gateway (HTTPS)


Remote Desktop Session Host CALs

Anyone who wants to connect to a Remote Desktop Session Host (Terminal Server) must have a Client Access License (CAL). Consult Microsoft to validate your CAL questions.


Remote Access Demo: Architecture


Remote Desktop Gateway Configuration

• Add Remote Desktop Role

• Connection Authorization Policies (Users)

• Resource Authorization Policies (Computers)

• Export / Import Certificates
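Added example, not Microsoft's implementation: a Python model of how a Connection Authorization Policy (who may connect through the gateway, and with which credential type) and a Resource Authorization Policy (which internal computers and ports) are evaluated together for one remote user; group names and host names are constructed.

```python
"""Two-stage authorization in the style of RD Gateway: a CAP decides whether
the user may connect through the gateway at all, a RAP decides which internal
computers and ports that user may reach. Both must match or the session is
refused. Added example; policies, groups and hosts are constructed."""
from dataclasses import dataclass, field


@dataclass
class ConnectionAuthPolicy:
    name: str
    user_groups: set            # directory groups allowed through the gateway
    allow_password: bool = True
    allow_smartcard: bool = False


@dataclass
class ResourceAuthPolicy:
    name: str
    user_groups: set
    computers: set              # gateway-managed computer group (FQDNs)
    ports: set = field(default_factory=lambda: {3389})


@dataclass
class RDGateway:
    caps: list
    raps: list

    def authorize(self, user_groups, auth_method, target, port):
        """Return (allowed, reason). The first CAP whose groups intersect the
        user's wins; then any RAP may grant the specific computer and port."""
        cap = next((c for c in self.caps if c.user_groups & user_groups), None)
        if cap is None:
            return False, "no CAP matches user"
        if auth_method == "password" and not cap.allow_password:
            return False, f"CAP {cap.name} requires smart card"
        if auth_method == "smartcard" and not cap.allow_smartcard:
            return False, f"CAP {cap.name} does not accept smart card"
        for rap in self.raps:
            if rap.user_groups & user_groups and target in rap.computers and port in rap.ports:
                return True, f"CAP {cap.name} + RAP {rap.name}"
        return False, "no RAP permits this computer/port"


# Constructed policies: OEM support engineers may RDP only to the DMZ terminal
# server; nothing in the Manufacturing zone is listed as a reachable resource.
GATEWAY = RDGateway(
    caps=[ConnectionAuthPolicy("OEM-Engineers", {"OEM-Support"})],
    raps=[ResourceAuthPolicy("DMZ-TerminalServer", {"OEM-Support"}, {"ts01.dmz.example.local"})],
)
```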


Remote Access Demo


Secured File Transfer: Architecture


Secured Shell (SSH)

• Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network.

• This demo is running OpenSSH server on Linux. You can use an SSH server on Windows as well.


Secured File Transfer: Demo


Reverse Web Proxy Evolution

[Diagram: Pre 1996: Internet → Router → Web Server; Post 1996: Internet → Reverse Proxy → Web Server]

• Website servers required protection from web users without depriving them of those services.

• In the summer of 1996, the Apache HTTP project wrote an add-on module in the Apache 1.1 web server.

• Retrieves resources on behalf of a client from one or more servers.

• Hides the existence and characteristics of the origin server(s).


Reverse Web Proxy

• During the early years of the Internet, website administrators recognized the need to prevent their servers from being accessible to web users without depriving them of those services. In the summer of 1996, the Apache HTTP project wrote an add-on module called mod_proxy in the Apache 1.1 web server that allowed it to act like a reverse proxy server.

• A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the reverse proxy itself.

• Reverse proxies can hide the existence and characteristics of the origin server(s).
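Added example, not Apache mod_proxy code: Python showing the response-header rewriting a reverse proxy performs so the origin server stays hidden, stripping fingerprint headers and re-pointing absolute redirects and cookie domains from the internal origin name to the public name (the job ProxyPassReverse does in Apache); host names and the sample response are constructed.

```python
"""Response-header handling that keeps the origin server's existence and
characteristics hidden from the client. Added example; ORIGIN, PUBLIC and the
sample origin response are constructed, not taken from a real deployment."""

ORIGIN = "vantagepoint.mfg.example.local"   # internal origin name (constructed)
PUBLIC = "reports.example.com"              # name the client connects to (constructed)

# Headers that reveal software, versions or the proxy chain.
FINGERPRINT_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "via"}


def rewrite_response_headers(headers, origin=ORIGIN, public=PUBLIC):
    """headers: list of (name, value) pairs as received from the origin.
    Returns the list of pairs to forward to the client."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in FINGERPRINT_HEADERS:
            continue  # drop: the client must not learn what runs behind the proxy
        if lname in ("location", "content-location"):
            # The application redirected to its own internal name; re-point it
            # at the public HTTPS name or the client would try to reach the origin.
            value = value.replace(f"http://{origin}", f"https://{public}")
            value = value.replace(f"https://{origin}", f"https://{public}")
        elif lname == "set-cookie":
            # A cookie scoped to the origin host would never be sent back through us.
            value = value.replace(f"Domain={origin}", f"Domain={public}")
        out.append((name, value))
    return out


# Constructed origin response to a request the application answered with a redirect.
ORIGIN_HEADERS = [
    ("Server", "Microsoft-IIS/7.5"),
    ("X-Powered-By", "ASP.NET"),
    ("Location", f"http://{ORIGIN}/VantagePoint/Portal"),
    ("Set-Cookie", f"session=abc; Domain={ORIGIN}; Path=/; HttpOnly"),
    ("Content-Type", "text/html"),
]
```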


Reverse Web Proxy: Architecture


Summary

• Remote Access involves requirements generation

– Identifying users and support systems that require access from the enterprise to the manufacturing zone

– Identifying data flow, source and destination for firewall rule creation

• Often times minimal remote access strategies involving visibility and file transfer

• DMZs for separation of enterprise and manufacturing zones recommended

• Security must be part of remote access design


www.rockwellautomation.com

Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn.


Please remember to tidy up your work area for the next session. We want your feedback! Please complete the session survey!

Thank you for participating!
