Scalable Secure Remote Access Solutions, RSTechED 2012, Session NIS03
Enable remote support groups and partners to monitor, manage and configure plantwide automation equipment and machinery via secure remote access. This lecture and demonstration will highlight a range of solutions recommended by Rockwell Automation and Cisco for scalable secure remote access, detailing best practices to balance the remote access needs of industrial applications with the secure access requirements of IT.

    Presentation Transcript

    • NIS03 - Scalable Secure Remote Access Solutions. Jeffrey A. Shearer, PMP, Principal Security Consultant, jashearer@ra.rockwell.com; Jason Dely, CISSP, Principal Security Consultant, jdely@ra.rockwell.com; Scott Friberg, Solutions Architect, Cisco Systems, Inc., sfriberg@cisco.com. Copyright © 2012 Rockwell Automation, Inc. All rights reserved.
    • Agenda: What is remote access? What are the requirements? Secured remote access architectures. DMZ architecture. Remote Desktop Protocol (RDP) discussion and demonstrations. Secured file transfer and reverse web proxy demonstrations.
    • Reference Material: http://literature.rockwellautomation.com/idc/groups/literature/documents/td/enet-td001_-en-p.pdf
    • Reference Material: http://www.cisco.com/en/US/docs/solutions/Verticals/CPwE/CPwE_chapter6.html
    • Reference Material: publication numbers 1783-in005_-en-p.pdf and 1783-um003_-en-e.pdf
    • Reference Material: buy and read operating system reference materials. Invest in yourself.
    • Agenda: What is remote access? What are the requirements?
    • What is remote access? To answer this question you first need to define the requirements: what problems are you trying to solve, and who has them? Requirements generation makes the designer consider users / user personas, use cases, and problem statements (i.e. what problem are we trying to solve?). Worked example from the slide: User personas: OEM, System Integrator, Maintenance, Engineering. Use case: remote access from a hotel room. Problem statement: an OEM or SI engineer is in a hotel and must help the customer troubleshoot a PLC or HMI program; the engineer uses the hotel internet connection, connects securely to the machine at the customer site and is able to view the PLC or HMI code.
    • NIS03 Remote Access Requirements (1): required to view a machine's ControlLogix processor from a hotel room to help troubleshoot the system. (Diagram: OEM / SI / Engineer connecting to the factory's processing, filling and material handling areas.)
    • NIS03 Remote Access Requirements (2): required to transfer a file containing ControlLogix code from a laptop to a manufacturing workstation. (Diagram: OEM / SI / Engineer connecting to the factory's processing, filling and material handling areas.)
    • NIS03 Remote Access Requirements (3): send manufacturing data from FactoryTalk VantagePoint to decision makers who are located in the enterprise (office) zone. (Diagram: FactoryTalk VantagePoint server in the data center, fed from the processing, filling and material handling areas.)
    • Remote Access Challenges: Industrial Automation Control System (IACS) applications are often managed by plant personnel, while enterprise-level remote access solutions such as VPNs are the responsibility of the IT organization. Remote access can expose critical IACS applications to viruses and malware that may be present on a remote or partner machine, potentially impacting manufacturing. The capabilities of the remote user must be limited to those functions that are appropriate for remote users.
    • Agenda: Secured remote access architectures
    • Controlling Access to the Manufacturing Zone (diagram of the CPwE logical model). Enterprise Zone: Level 5, Enterprise Network (router); Level 4, Site Business Planning and Logistics Network (e-mail, intranet, etc.). Firewall. DMZ: Terminal Services, Patch Management, AV Server, Web, E-Mail, CIP, Historian Mirror, Web Services Operations, Application Server. Firewall. Manufacturing Zone: Level 3, Site Manufacturing Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller). Cell/Area Zone: Level 2, Area Supervisory Control (FactoryTalk Clients, Operator Interface, Engineering Workstation); Level 1, Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control); Level 0, Process (Sensors, Drives, Actuators, Robots). No direct traffic flow from the Enterprise Zone to the Manufacturing Zone.
    • High Level Architecture Review: remote access involves cooperation between the Enterprise Zone (Information Technology (IT) and the infrastructure of the facility), the Automation Demilitarized Zone (Automation DMZ; designing it requires knowledge of the data that must move from the plant to enterprise systems), and the Manufacturing Zone (cell and area devices, industrial protocols).
    • Enterprise Zone: Levels 4 and 5, owned by Information Technology (IT). Traditionally some VLANs are in place, with campus-to-campus communications. IT is knowledgeable in routing and firewalls. IT will provide VPN services for remote access; you need to work with the IT personnel to get access to the DMZ.
    • Automation DMZ: shared ownership by IT and Manufacturing professionals. Designed to replicate services and data. Remote access services (Terminal Services) are located here. "Typically": IT owns the firewalls; IT configures the switches on behalf of Manufacturing professionals; Manufacturing professionals own the DMZ terminal servers, application servers and patch management servers.
    • Manufacturing Zone: divide the plant into functional areas for secured access, following the ISA-SP99 "zones and conduits" model. OEM / System Integrator / Engineering participation is required: IP addresses, VLAN IDs, access layer to distribution layer cooperation. System design requires full cooperation of all asset owners.
    • Agenda: DMZ architecture
    • Demilitarized Zone (DMZ): sometimes referred to as a perimeter network, a DMZ exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security in front of the trusted network. (Diagram: Internet (untrusted) → web proxy / broker in the DMZ → trusted network.)
    • DMZ Topology: the firewall(s) have an Enterprise interface, a DMZ interface and a Manufacturing interface. Firewalls are used to block or allow access to devices on these interfaces based on a set of rules. There will be assets such as switches and servers that are part of the DMZ.
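    As an added example (not from the presentation, and not Rockwell Automation or Cisco code), the Python below models the three-interface firewall of this slide and derives its rule set from the deck's three use cases, each of which terminates on a broker in the Automation DMZ: the RD Gateway for RDP over HTTPS, an SFTP server for the file transfer, and a reverse proxy in front of the VantagePoint data. It enforces the CPwE rule that no flow crosses directly between the Enterprise and Manufacturing Zones. Host names, ports, and the choice that the inside host pulls from the SFTP broker and pushes to the DMZ web host are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List

ENTERPRISE, DMZ, MANUFACTURING = "enterprise", "dmz", "manufacturing"
ZONES = (ENTERPRISE, DMZ, MANUFACTURING)


@dataclass(frozen=True)
class Flow:
    """One connection as the firewall sees it: initiator -> responder."""
    name: str
    src_zone: str
    src: str
    dst_zone: str
    dst: str
    proto: str
    port: int


class DirectTraversal(ValueError):
    """A flow that would cross Enterprise <-> Manufacturing without a DMZ hop."""


def check_flow(flow: Flow) -> None:
    """Raise if the flow violates the zone model; return silently otherwise."""
    if flow.src_zone not in ZONES or flow.dst_zone not in ZONES:
        raise ValueError(f"{flow.name}: unknown zone")
    if {flow.src_zone, flow.dst_zone} == {ENTERPRISE, MANUFACTURING}:
        raise DirectTraversal(
            f"{flow.name}: {flow.src_zone} -> {flow.dst_zone} bypasses the DMZ")


def brokered(name: str, src_zone: str, src: str, broker: str, dst_zone: str,
             dst: str, outer_port: int, inner_port: int,
             inside_initiates: bool = False) -> List[Flow]:
    """Two flows that realise one use case through a DMZ broker.

    The outer leg always terminates on the broker. The inner leg is
    broker -> target by default; with inside_initiates the target host
    opens the connection to the broker instead (a pull/push from inside,
    so nothing in the DMZ initiates towards the Manufacturing Zone).
    That direction is an assumption of this example, not a deck requirement.
    """
    outer = Flow(f"{name}/outer", src_zone, src, DMZ, broker, "tcp", outer_port)
    if inside_initiates:
        inner = Flow(f"{name}/inner", dst_zone, dst, DMZ, broker, "tcp", inner_port)
    else:
        inner = Flow(f"{name}/inner", DMZ, broker, dst_zone, dst, "tcp", inner_port)
    return [outer, inner]


def build_ruleset(flows: Iterable[Flow]) -> List[str]:
    """Validate every flow, then render a vendor-neutral rule list:
    explicit permits, explicit cross-zone denies, and the final deny-all."""
    rules: List[str] = []
    for f in flows:
        check_flow(f)
        rules.append(f"permit {f.proto}/{f.port} {f.src_zone}:{f.src} -> "
                     f"{f.dst_zone}:{f.dst}  ; {f.name}")
    rules.append(f"deny any {ENTERPRISE} -> {MANUFACTURING}")
    rules.append(f"deny any {MANUFACTURING} -> {ENTERPRISE}")
    rules.append("deny any any")
    return rules


# Constructed sample: the three NIS03 use cases. Host names are invented.
USE_CASES = (
    # (1) Engineer in a hotel views a ControlLogix program: RDP over HTTPS
    #     to the RD Gateway in the DMZ, then RDP from the gateway inward.
    brokered("rdp-view", ENTERPRISE, "vpn-client-pool", "rdgw01",
             MANUFACTURING, "eng-ws01", 443, 3389)
    # (2) Transfer a ControlLogix project file: SFTP to the DMZ file broker,
    #     from which the manufacturing workstation then pulls it.
    + brokered("acd-transfer", ENTERPRISE, "vpn-client-pool", "sftp01",
               MANUFACTURING, "eng-ws01", 22, 22, inside_initiates=True)
    # (3) VantagePoint data for the office: users reach a reverse proxy in
    #     the DMZ over HTTPS; the VantagePoint server pushes its data to that
    #     DMZ host, so the proxy serves a mirror rather than the origin.
    + brokered("vantagepoint", ENTERPRISE, "office-lan", "rproxy01",
               MANUFACTURING, "ftvp01", 443, 443, inside_initiates=True)
)

# Counterexample: opening RDP straight through both firewalls.
SHORTCUT = Flow("rdp-direct", ENTERPRISE, "vpn-client-pool",
                MANUFACTURING, "eng-ws01", "tcp", 3389)


def shortcut_is_rejected() -> bool:
    """True when the zone model refuses the direct Enterprise->Manufacturing RDP."""
    try:
        check_flow(SHORTCUT)
    except DirectTraversal:
        return True
    return False


if __name__ == "__main__":
    for line in build_ruleset(USE_CASES):
        print(line)
    print("direct RDP rejected:", shortcut_is_rejected())
```

    The vendor-neutral permit/deny lines map one-to-one onto access-list entries on the Enterprise, DMZ and Manufacturing interfaces. Keeping the flow inventory as data means a new use case is reviewed as a pair of flows rather than as an ad-hoc rule, and the shortcut of opening RDP straight through both firewalls is rejected before it ever reaches a change ticket.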
    • Agenda: Remote Desktop Protocol (RDP) discussion and demonstrations
    • Remote Desktop Technologies: allow a user to remotely view and control another computer. The user sees the remote computer's screen while sending keystrokes and mouse movements to the remote computer. Two options of remote desktop technology are discussed today: Option 1, host a Remote Desktop session from the Cisco firewall; Option 2, host a Remote Desktop session from a Microsoft Windows Server 2008 R2 computer. (Diagram: in both options a Remote Desktop client establishes a secure RDP session to the Remote Desktop host, via the firewall in Option 1 and via the Windows Server 2008 R2 machine in Option 2.)
    • Remote Desktop Protocol via Cisco Firewall: Remote Desktop Gateway functionality hosted from the Cisco ASA firewall. Same user experience as Microsoft Remote Desktop Gateway. Configure the firewall to host the RDP session. Come to the AF Network & Security Booth to see how well this solution works.
    • Remote Desktop Protocol via Cisco Firewall (slides 26 to 30: screenshots only, no text)
    • Remote Desktop Protocol via Cisco Firewall: connect to the outside interface of the Cisco firewall by opening a web browser (SSL) session, then continue to inside assets via Remote Desktop Protocol.
    • Remote Desktop Gateway: Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway, is a role service in the Remote Desktop Services server role included with Windows Server 2008 R2. It enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client. RD Gateway tunnels the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and internal network resources.
    • Remote Access via Remote Desktop Gateway (HTTPS) (diagram only)
    • Remote Desktop Session Host CALs: anyone who connects to a Remote Desktop Session Host (Terminal Server) must have a Client Access License (CAL). Consult Microsoft to validate your CAL questions.
    • Remote Access Demo: Architecture (diagram only)
    • Remote Desktop Gateway Configuration: add the Remote Desktop role; create Connection Authorization Policies (which users may connect through the gateway); create Resource Authorization Policies (which internal computers they may reach); export / import certificates.
    • Remote Access Demo: Architecture (slides 37 to 39: diagrams only)
    • Remote Access Demo (live demonstration; no slide text)
    • Agenda: Secured file transfer and reverse web proxy demonstrations
    • Secured File Transfer: Architecture (diagram only)
    • Secure Shell (SSH): Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution, and other secure network services between two networked computers, which it connects via a secure channel over an insecure network. This demo runs an OpenSSH server on Linux; you can use an SSH server on Windows as well.
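    An SFTP broker in the DMZ only stays a broker if the remote user cannot get a shell or a port forward on it; otherwise the file server is a pivot into the Manufacturing Zone. The Python below, added here as an example and not part of the presentation or the demo, parses an sshd_config (including Match blocks, which inherit every keyword they do not set from the global section) and reports the settings that fall short of an SFTP-only broker. The three config texts are constructed samples, and the list of required settings is this example's own choice.

```python
import re
from typing import Dict, List, Tuple

Settings = Dict[str, str]


def parse_sshd_config(text: str) -> Tuple[Settings, List[Tuple[str, Settings]]]:
    """Return (global settings, [(Match criteria, settings), ...]).

    Keywords are lower-cased. As in sshd, the first value given for a
    keyword wins; later duplicates in the same section are ignored.
    """
    global_settings: Settings = {}
    matches: List[Tuple[str, Settings]] = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=?\s*(.*?)\s*$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            current = {}
            matches.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, matches


# Settings the broker needs regardless of who connects.
REQUIRED_GLOBAL = {
    "passwordauthentication": "no",   # keys only; no guessable hotel-room passwords
    "permitrootlogin": "no",
}
# Settings the SFTP-only Match block needs so the broker cannot be used as a pivot.
REQUIRED_IN_SFTP_MATCH = {
    "allowtcpforwarding": "no",       # no ssh -L/-R tunnels to port 3389 inside
    "allowagentforwarding": "no",
    "x11forwarding": "no",
    "permittunnel": "no",             # no layer-2/3 tun devices
}


def audit(text: str) -> List[str]:
    """List the ways the config falls short of an SFTP-only DMZ broker (empty = clean)."""
    findings: List[str] = []
    g, matches = parse_sshd_config(text)
    for key, want in REQUIRED_GLOBAL.items():
        got = g.get(key)
        if got is None or got.lower() != want:
            findings.append(f"global {key} should be {want}, is {got}")
    sftp_blocks = [(crit, s) for crit, s in matches
                   if s.get("forcecommand", "").startswith("internal-sftp")]
    if not sftp_blocks:
        findings.append("no Match block forcing internal-sftp: remote users get a shell")
    for crit, s in sftp_blocks:
        if "chrootdirectory" not in s:
            findings.append(f"Match {crit}: no ChrootDirectory, users can browse the broker")
        for key, want in REQUIRED_IN_SFTP_MATCH.items():
            got = s.get(key, g.get(key))  # a Match block inherits what it does not set
            if got is None or got.lower() != want:
                findings.append(f"Match {crit}: {key} should be {want}, is {got}")
    return findings


# Constructed samples, not configs from the presentation.
WEAK = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

HARDENED = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sftponly
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp -l INFO
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
"""

# Looks hardened, but the Match block never sets AllowTcpForwarding, so it
# inherits the global "yes" and an SFTP user can still tunnel into the plant.
PIVOT = """
PermitRootLogin no
PasswordAuthentication no
AllowTcpForwarding yes
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED), ("pivot", PIVOT)):
        print(label, audit(cfg) or ["ok"])
```

    Run it against the real sshd_config before the broker goes into the DMZ. The third sample is the case worth remembering: sshd evaluates a Match block on top of the global section, so a forwarding option left unset in the Match block is not off, it is whatever the global section (or the compiled-in default) says.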
    • Secured File Transfer: Demo (live demonstration; no slide text)
    • Reverse Web Proxy: In the early years of the Internet, website administrators recognized the need to keep their servers from being directly reachable by web users without depriving those users of the services. In the summer of 1996 the Apache HTTP project wrote an add-on module, mod_proxy, for the Apache 1.1 web server that allowed it to act as a reverse proxy server. A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers; these resources are then returned to the client as though they originated from the reverse proxy itself. Reverse proxies can hide the existence and characteristics of the origin server(s).
    • Reverse Web Proxy: Architecture (diagram only)
    • Summary: Remote access involves requirements generation: identifying the users and support systems that require access from the enterprise to the manufacturing zone, and identifying each data flow's source and destination for firewall rule creation. Often a minimal remote access strategy, involving only visibility and file transfer, is what is needed. DMZs for separation of the enterprise and manufacturing zones are recommended. Security must be part of the remote access design.
    • Thank you for participating! Please remember to tidy up your work area for the next session. We want your feedback! Please complete the session survey. Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn. www.rockwellautomation.com
    • Questions?