Redundant and Resilient Networks with Microsegmentation
Overview
- Team Introduction
- Who is Westermo 2021
- Industrial Cybersecurity At the Edge
- Defining Microsegmentation
- Implementing Cyber Secure Concepts
Team Introduction
John Pavlos
Managing Director
john.pavlos@westermo.com
847-453-3898
Benjamin Campbell
Technical Support Engineer
benjamin.campbell@westermo.com
847.453.3896
Dakota Diehl
Technical Director
dakota.diehl@westermo.com
847.453.3896
Who is Westermo 2021
- Founded in 1975
- No. of employees: 250
- 14% R&D
- Extensive IPR portfolio for key technologies
- Recent acquisitions:
  - Neratec Solutions AG – June 2019
  - Virtual Access – November 2019
  - Eltec – April 2021
- Flexible production with state-of-the-art process control
- Sales and support units in 12 countries, distributors in another 36
- Member of the Beijer Electronics Group
www.westermo.us
Industrial Cybersecurity at the Edge
Edge Networks are a Threatened Environment
- The largest number of vulnerabilities affect Industrial Control Systems:
  - Energy Sector (178)
  - Manufacturing (164)
  - Water Supply (97)
  - Transportation (74)
- Employee errors, unintentional actions and disgruntled employees were responsible for 52% of incidents affecting Operational Technology (OT) and Industrial Control Systems (ICS) networks in the past year. Source: KL ICS CERT Report FY2017 H2
Source: computerweekly.com
Cyber Secure Concepts
- Cybersecurity becomes less effective when it is an afterthought.
- Design the strategy as part of the system from the start.
- Understand the threat and the threat level.
- Cybersecurity is a top-down AND a bottom-up process.
- Cybersecurity is not set and forget; it requires maintenance.
- 80% of the protection comes from 20% of the setup.
- Vendor sourcing is an avenue of attack, so trust with partners is imperative.
Defining Microsegmentation
What is Microsegmentation?
- The first rule of cyber security is to assume the attack will happen eventually. Reducing the attack surface will limit the impact.
- Microsegmentation is about reducing the attack surface to the smallest possible zone, so that an attack on one server will not propagate to another server’s functions.
- By applying security policies to individual work zones, it becomes harder for malicious traffic to move laterally within the network, limiting the aforementioned attack surface.
Applying Microsegmentation to a Network
- Starting from a flat, solid network.
- No VLANs or subnets are configured, so every node in the network can see every other node.
- No cybersecurity in place, and no segmentation.
Applying Microsegmentation to a Network
- By dividing the network into VLANs and using subnets, we are adding the first layer of segmentation.
[Diagram: VLAN 10 and VLAN 20; subnets 10.10.0.0/16 and 192.168.2.0/24]
Applying Microsegmentation to a Network
- We can add further VLANs to the network and divide those VLANs with firewalls to limit all communications to strictly necessary traffic.
[Diagram: VLAN 10, VLAN 11, VLAN 12 and VLAN 20; subnets 10.10.0.0/16 and 192.168.2.0/24]
Applying Microsegmentation to a Network
- We can also add data conduits in the form of a VPN to networks, preventing data from being accessed while it is en route to a destination.
[Diagram: VLAN 10, VLAN 11, VLAN 12 and VLAN 20; subnets 10.10.0.0/16 and 192.168.2.0/24, with a VPN conduit added]
IEC-62443: A Note on Data Conduits
- IEC-62443 has introduced the term “Data Conduits” for the links between zones, e.g. a fiber backbone between different processes or buildings.
- Direct connections over a large distance can be prohibitively expensive. In this case, a VPN can be considered a “Data Conduit.”
- VPNs can secure traffic through unsecure media (such as the Internet).
- They can secure traffic over long-distance media links that are susceptible to interception.
- They can connect two remote networks together regardless of distance.
- They allow access to devices behind a NAT interface.
Applying Microsegmentation to a Network
- Adding further VLANs and VPNs brings the network to being completely microsegmented. Traffic cannot travel from one zone to another without going through a firewall.
[Diagram: VLAN 10, VLAN 11, VLAN 12, VLAN 13 and VLAN 20; subnets 10.10.0.0/16 and 192.168.2.0/24]
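The slides above describe the end state in words: every zone is a VLAN with its own subnet, and nothing crosses between zones unless a firewall rule (a conduit) permits it. The following is an added example, not code from the Westermo deck, that models that policy so it can be checked against sample flows. The subnets 10.10.0.0/16 and 192.168.2.0/24 come from the slides; the VLAN 11/12/13 subnets, zone names, conduit rules and sample flows are constructed for illustration.

```python
"""Zone and conduit policy check for a microsegmented network.

Added example; it is not code from the Westermo deck. Each zone is a VLAN
plus an IP subnet, and the firewall between zones is a default-deny table
of explicit conduits. Intra-zone traffic is switched freely; inter-zone
traffic must match a conduit or it is dropped.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Zone:
    name: str
    vlan: int
    subnet: ipaddress.IPv4Network


@dataclass(frozen=True)
class Conduit:
    """One permitted inter-zone flow; anything not listed is denied."""
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or "any"
    dst_port: Optional[int]    # None matches any destination port


# Constructed zone table (the VLAN 11/12/13 subnets are assumptions).
ZONES = (
    Zone("backhaul", 10, ipaddress.IPv4Network("10.10.0.0/16")),
    Zone("plc-cell", 11, ipaddress.IPv4Network("192.168.2.0/24")),
    Zone("hmi", 12, ipaddress.IPv4Network("192.168.12.0/24")),
    Zone("historian", 13, ipaddress.IPv4Network("192.168.13.0/24")),
)

# Constructed conduits: only the traffic each zone strictly needs.
CONDUITS = (
    Conduit("hmi", "plc-cell", "tcp", 502),         # Modbus/TCP polling
    Conduit("plc-cell", "historian", "tcp", 4840),  # OPC UA to the historian
    Conduit("backhaul", "historian", "tcp", 443),   # HTTPS reporting
)


def zone_of(ip: str) -> Optional[Zone]:
    """Return the zone whose subnet contains ip, or None if unassigned."""
    addr = ipaddress.IPv4Address(ip)
    for zone in ZONES:
        if addr in zone.subnet:
            return zone
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[bool, str]:
    """Decide one flow and explain the decision."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False, "address outside every defined zone"
    if src == dst:
        return True, f"intra-zone traffic inside VLAN {src.vlan}"
    for c in CONDUITS:
        if (c.src_zone == src.name and c.dst_zone == dst.name
                and c.proto in ("any", proto)
                and (c.dst_port is None or c.dst_port == dst_port)):
            return True, f"conduit {src.name}->{dst.name} {proto}/{dst_port}"
    return False, f"no conduit {src.name}->{dst.name}: default deny"


def audit(flows: List[Tuple[str, str, str, int]]):
    """Evaluate (src, dst, proto, port) tuples; return (flow, allowed, reason) per flow."""
    return [(f, *is_allowed(*f)) for f in flows]


# Constructed sample flows, one per decision branch.
SAMPLE_FLOWS = [
    ("192.168.12.5", "192.168.2.20", "tcp", 502),    # HMI polls PLC: allowed
    ("192.168.12.5", "192.168.13.7", "tcp", 4840),   # HMI to historian: no conduit
    ("192.168.2.20", "192.168.2.21", "udp", 5000),   # PLC to PLC, same zone
    ("10.10.4.4", "192.168.2.20", "tcp", 502),       # backhaul to PLC: denied
    ("172.16.0.9", "192.168.2.20", "tcp", 502),      # unknown source zone
]

if __name__ == "__main__":
    for flow, ok, why in audit(SAMPLE_FLOWS):
        print("ALLOW" if ok else "DENY ", flow, "-", why)
```

The point of the model is the default branch: a flow that does not match a conduit is denied even when both hosts sit on the same switch, which is what "traffic cannot travel from one zone to another without going through a firewall" requires. Reviewing the conduit table is therefore the same as reviewing the attack surface between zones.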
Applying Cyber Secure Concepts
Beyond Microsegmentation
- Just because a network is completely microsegmented does not make it cyber secure.
- Microsegmentation is about reducing attack surface area and mitigating the damage done.
- Consider other ways to increase cyber security, such as adding redundancy and authentication.
[Diagram: VLAN 10, VLAN 11, VLAN 12 and VLAN 13; subnets 10.10.0.0/16 and 192.168.2.0/24]
Beyond Microsegmentation
- An example of a microsegmented network.
- Each end device is segmented, and firewalls provide Data Conduits.
- Only defined traffic can travel around the ring.
- The backhaul ring offers further redundancy.
[Diagram annotations: Backhaul; L2 ring topology, 20-30 ms re-convergence time; L3 routing and firewall at each node creates a Zone; dynamic routing protocol (OSPF) used to advertise the location of subnets only, not used for re-convergence]
How Do You Add Redundancy? Some Layer 2 and Layer 3 Protocols
Layer 2:
- RSTP is a common Layer 2 protocol to add redundancy.
- You cannot have Layer 2 devices connected in a ring without a redundancy protocol; doing so would cause a data storm.
- Protocols such as RSTP or FRNT detect redundant links and shut them off until they are needed.
- They usually require some additional bandwidth to maintain the “heartbeat”.
Layer 3:
- VRRP stands for Virtual Router Redundancy Protocol, a Layer 3 protocol.
- Two or more routers become one “Virtual” router, and that virtual router is the Default Gateway for one or more hosts.
- If the current Primary/Active router fails or cannot be reached, a secondary router takes over.
- Limited to one virtual router per subnet.
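The VRRP bullets above say a secondary router "takes over" when the primary fails; how the group picks that router and how long the hosts lose their gateway is what matters when pairing VRRP with the 20-30 ms Layer 2 ring. The following is an added example, not code from the deck, that simulates the election and the failover timer as specified in RFC 3768: highest priority wins (ties go to the higher primary address), and a Backup claims the virtual router once Master_Down_Interval = 3 × Advertisement_Interval + Skew_Time elapses without an advertisement, where Skew_Time = (256 − Priority) / 256 seconds. The router names, priorities and addresses are constructed; the 192.168.2.0/24 subnet is from the slides.

```python
"""VRRP master election and failover timing, simulated (RFC 3768 rules).

Added example, not code from the Westermo deck. Router names, priorities
and addresses are constructed values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADVERTISEMENT_INTERVAL = 1.0  # seconds; the RFC 3768 default


@dataclass
class Router:
    name: str
    priority: int      # 1..254 for backups; 255 is reserved for the address owner
    ip: str            # primary address, used to break priority ties
    alive: bool = True

    def skew_time(self) -> float:
        return (256 - self.priority) / 256

    def master_down_interval(self) -> float:
        """How long this router waits for the Master before claiming the role."""
        return 3 * ADVERTISEMENT_INTERVAL + self.skew_time()


def elect_master(routers: List[Router]) -> Optional[Router]:
    """Highest priority among live routers wins; the higher IP breaks ties."""
    live = [r for r in routers if r.alive]
    if not live:
        return None
    return max(live, key=lambda r: (r.priority, int(ipaddress.IPv4Address(r.ip))))


def fail(routers: List[Router], name: str) -> Tuple[Optional[str], float]:
    """Mark `name` dead; return (master afterwards, seconds hosts wait for it).

    Every Backup restarted its Master_Down timer at the last advertisement.
    The highest-priority Backup has the smallest skew, so its timer fires
    first and its own advertisement keeps the others in Backup state.
    """
    before = elect_master(routers)
    for r in routers:
        if r.name == name:
            r.alive = False
    after = elect_master(routers)
    if after is None:
        return None, float("inf")          # no gateway left at all
    if before is not None and before.name != name:
        return after.name, 0.0             # a Backup died; the Master is unaffected
    return after.name, after.master_down_interval()


def recover(routers: List[Router], name: str) -> Optional[str]:
    """Bring a router back. With preemption (the RFC default) a higher-priority
    router reclaims Master as soon as it hears a lower-priority advertisement."""
    for r in routers:
        if r.name == name:
            r.alive = True
    master = elect_master(routers)
    return master.name if master else None


def make_group() -> List[Router]:
    # Constructed VRRP group fronting a virtual gateway on 192.168.2.0/24.
    return [
        Router("rtr-a", priority=200, ip="192.168.2.2"),
        Router("rtr-b", priority=100, ip="192.168.2.3"),
        Router("rtr-c", priority=100, ip="192.168.2.4"),  # ties with rtr-b on priority
    ]


if __name__ == "__main__":
    group = make_group()
    print("master:", elect_master(group).name)
    print("after rtr-a fails:", fail(group, "rtr-a"))
    print("after rtr-a returns:", recover(group, "rtr-a"))
```

With the default one-second advertisement interval the takeover after a Master failure lands between about 3.0 and 3.6 seconds depending on the new Master's priority, roughly two orders of magnitude slower than the ring's Layer 2 re-convergence; shrinking the interval (many implementations allow sub-second timers) is how the two are brought closer together.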
Beyond Microsegmentation
- We can add redundant links within the ring via a VPN.
- The VPN adds security to the connection, and redundant links decrease the chances of communication loss.
- Efficient routing means that all communications only enter and leave the backbone once and are filtered through a firewall.
[Diagram: Backhaul ring; VRRP with Primary and Backup routers; Primary routes via SSL VPN, Backup routes via VPN; one path marked X]
Beyond Microsegmentation
- By adding an authentication server such as RADIUS or TACACS+, one can take control of access to the assets.
- Instead of using default user/pass to access the network, or maintaining a large user database on each device, one central server manages it.
- Password management is key in cybersecurity.
[Diagram: authentication server]
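To make the "one central server manages it" bullet concrete, here is an added example, not code from the deck or from Westermo, that builds and parses a RADIUS Access-Request as RFC 2865 defines it, the message a switch or router sends to the authentication server when someone logs in. The User-Password attribute is hidden by XOR with an MD5 keystream derived from the shared secret and the per-request Authenticator (RFC 2865 section 5.2); that is obfuscation rather than strong encryption, so the strength of the shared secret (and a transport such as RADIUS over TLS) is what protects every password sent through it. The shared secret, user name, password and NAS address are constructed values.

```python
"""Encoding and decoding a RADIUS Access-Request (RFC 2865).

Added example, not code from the Westermo deck. Shared secret, user name,
password and NAS address are constructed values.
"""
import hashlib
import ipaddress
import os
import struct
from typing import Dict, Optional, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
HEADER_LEN = 20  # code(1) identifier(1) length(2) authenticator(16)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, then chain MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS User-Password must be 1..128 octets")
    blocks = -(-len(password) // 16)                # ceiling division
    padded = password.ljust(16 * blocks, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + 16], keystream)    # ciphertext block feeds the next
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: invert the chain; trailing NUL padding is stripped."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty 16-byte multiple")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += _xor(hidden[i:i + 16], keystream)
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier: int, secret: bytes, username: str,
                         password: str, nas_ip: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Assemble code | identifier | length | authenticator | attributes."""
    authenticator = authenticator or os.urandom(16)  # must be unpredictable per request
    attrs = [
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed),
    ]
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)  # type, length, value
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    """Return (code, identifier, authenticator, {attr type: value}).

    Follows the RFC 2865 reception rules: a packet shorter than its Length
    field is discarded, bytes beyond Length are ignored as padding, and an
    attribute whose length runs past the packet is rejected.
    """
    if len(pkt) < HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < HEADER_LEN or length > len(pkt):
        raise ValueError("length field inconsistent with packet size")
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = pkt[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, pkt[4:HEADER_LEN], attrs


SECRET = b"example-shared-secret-change-me"  # constructed; never reuse a sample secret

if __name__ == "__main__":
    pkt = build_access_request(7, SECRET, "operator", "s3cret-pw-longer-than-16-bytes!", "192.168.2.10")
    code, ident, auth, attrs = parse_packet(pkt)
    print(code, ident, attrs[ATTR_USER_NAME], reveal_password(attrs[ATTR_USER_PASSWORD], SECRET, auth))
```

Two details are worth noticing when reading captures from such a server: the Authenticator is random per request, so the same password produces a different User-Password value each time, and a NAS that sends an attribute with a bad length is a malformed client, not something the server should try to repair.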
Beyond Microsegmentation
- Cybersecurity is not a “Fire and Forget” implementation.
- New threats must be evaluated, and the system must be reviewed.
- Patches and updates must be maintained across the network.
- By building a secure network from the outset, much of the later work is already done.
- Microsegmentation is only one tool in a cyber secure network.
Further Learning
- Introduction to IP
- Introduction to WeOS
- Certified Engineer Switching
- Certified Engineer Routing
- Also available: customer-tailored training
https://www.westermo.us/support/academy
Future Webinars
- Accessing The Last Mile
  - Presentation this September
  - Accessing remote networks through remote media such as cellular or VPNs.
  - Zero Touch Deployment and other tools to make remote setup possible.
- We look forward to seeing you there!
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 

Build Redundant and Resilient Networks with Micro-Segmentation

9
What is Microsegmentation?
 The first rule of cyber security is to assume the attack will happen eventually. Reducing the surface area of the attack will limit the impact.
 Micro-segmentation is about reducing the surface area of an attack to the smallest possible zone – so an attack on one server will not propagate to another server’s functions.
 By applying security policies to individual work zones, it becomes harder for malicious traffic to move across the network, limiting the aforementioned surface area.
10
Applying Microsegmentation to a Network
 Starting from a flat, solid network.
 No VLANs or subnets are configured, so everything in the network can see any other node.
 0 cybersecurity in place, and no segmentation.
11
Applying Microsegmentation to a Network
 By dividing the network into VLANs and using subnets, we are adding the first layer of segmentation.
(Diagram labels: VLAN 10, VLAN 20; 10.10.0.0/16, 192.168.2.0/24)
12
Applying Microsegmentation to a Network
 We can add further VLANs to the network and divide those VLANs with firewalls to limit all communications to strictly necessary traffic.
(Diagram labels: VLAN 10, VLAN 20, VLAN 11, VLAN 12; 10.10.0.0/16, 192.168.2.0/24)
13
Applying Microsegmentation to a Network
 We can also add data conduits in the form of a VPN to networks, preventing data from being accessed while it is en route to a destination.
(Diagram labels: VLAN 10, VLAN 20, VLAN 11, VLAN 12; 10.10.0.0/16, 192.168.2.0/24)
14
IEC-62443: A Note on Data Conduits
 IEC-62443 has been updated with the term “Data Conduits”.
 These are links between zones, i.e. a fiber backbone between different processes or buildings.
 Direct connections over a large distance can be prohibitively expensive. In this case, a VPN can be considered a “Data Conduit.”
 VPNs can secure traffic through unsecure media (such as the Internet).
 They can secure traffic over long-distance media links that are susceptible to interception.
 They can connect two remote networks together regardless of distance.
 They allow access to devices behind a NAT interface.
15
Applying Microsegmentation to a Network
 Adding further VLANs and VPNs brings the network to being completely microsegmented. Traffic cannot travel from one zone to another without going through a firewall.
(Diagram labels: VLAN 20, VLAN 10, VLAN 11, VLAN 12, VLAN 13; 10.10.0.0/16, 192.168.2.0/24)
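Added example, not from the webinar or Westermo: a small Python model of the zones in these slides that computes which zones a compromised host can still reach, once with the flat network of slide 10 and once with default-deny firewall conduits between zones. Only VLAN 10 and VLAN 20 have addresses on the slides; the subnets for VLAN 11-13, the services and the conduit rules are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Zones from the webinar diagrams. The /24s for VLAN 11-13 are constructed
# placeholders; the slides only give addresses for VLAN 10 and VLAN 20.
ZONES = {
    "VLAN 10": ipaddress.ip_network("10.10.0.0/16"),
    "VLAN 20": ipaddress.ip_network("192.168.2.0/24"),
    "VLAN 11": ipaddress.ip_network("10.11.0.0/24"),
    "VLAN 12": ipaddress.ip_network("10.12.0.0/24"),
    "VLAN 13": ipaddress.ip_network("10.13.0.0/24"),
}

# Constructed services, one per zone: (host, protocol, port).
SERVICES = [
    ("10.10.1.5", "tcp", 502),      # PLC (Modbus/TCP) in VLAN 10
    ("192.168.2.10", "tcp", 443),   # HMI in VLAN 20
    ("10.11.0.20", "tcp", 5432),    # historian database in VLAN 11
    ("10.12.0.30", "tcp", 22),      # engineering workstation in VLAN 12
    ("10.13.0.40", "udp", 1812),    # RADIUS server in VLAN 13
]

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

# Firewall conduit allow-list (constructed); anything not listed is dropped.
RULES = {
    Rule("VLAN 20", "VLAN 10", "tcp", 502),   # HMI polls the PLC
    Rule("VLAN 11", "VLAN 10", "tcp", 502),   # historian collects from the PLC
    Rule("VLAN 12", "VLAN 10", "tcp", 502),   # engineering station programs the PLC
    *[Rule(z, "VLAN 13", "udp", 1812) for z in ZONES if z != "VLAN 13"],  # RADIUS
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    raise ValueError(f"{ip} is not in any zone")

def allowed(src: str, dst: str, proto: str, dport: int, segmented: bool = True) -> bool:
    """Flat network: every node sees every other node. Segmented: intra-zone
    traffic is switched, inter-zone traffic must match a conduit rule."""
    if not segmented:
        return True
    s, d = zone_of(src), zone_of(dst)
    return s == d or Rule(s, d, proto, dport) in RULES

def blast_radius(compromised: str, segmented: bool = True) -> set:
    """Zones whose services a compromised host can still reach."""
    return {zone_of(h) for h, p, port in SERVICES if allowed(compromised, h, p, port, segmented)}
```

Running `blast_radius("192.168.2.50", segmented=False)` returns every zone, while the segmented call returns only VLAN 20, VLAN 10 and VLAN 13, the zones a conduit rule explicitly permits from the HMI zone.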
17
Beyond Microsegmentation
 Just because a network is completely microsegmented does not make it cyber secure.
 Microsegmentation is about reducing the attack surface area, mitigating the damage done.
 Consider other ways to increase cyber security, such as adding redundancy and authentication.
(Diagram labels: VLAN 10, VLAN 11, VLAN 12, VLAN 13; 10.10.0.0/16, 192.168.2.0/24)
18
Beyond Microsegmentation
 An example of a microsegmented network.
 Each end device is segmented, and firewalls provide Data Conduits.
 Only defined traffic can travel around the ring.
 The backhaul ring offers further redundancy.
(Diagram callouts: Backhaul L2 ring topology, 20-30 ms re-convergence time; L3 routing and FW at each node creates a Zone; Dynamic routing protocol (OSPF) used to advertise the location of subnets only, not used for re-convergence)
19
How Do You Add Redundancy?
Some Layer 2 and Layer 3 Protocols
 RSTP is a common Layer 2 protocol to add redundancy.
 You cannot have Layer 2 devices connected in a ring without a redundancy protocol, as it would cause a data storm.
 Protocols such as RSTP or FRNT detect redundant links and shut them off until they are needed.
 They usually require some additional bandwidth to maintain the “heartbeat”.
 VRRP stands for Virtual Router Redundancy Protocol, a Layer 3 protocol.
 Two or more routers become one “Virtual” router, and that virtual router is the Default Gateway for one or more hosts.
 If the current Primary/Active router fails or cannot be reached, a secondary router takes over.
 Limited to one virtual router per subnet.
20
Beyond Microsegmentation
 We can add redundant links within the ring via a VPN.
 The VPN adds security to the connection, and redundant links decrease the chances of communication loss.
 Efficient routing means that all communications only enter and leave the backbone once and are filtered through a firewall.
(Diagram labels: Backhaul, X, Backup, Primary, VRRP, SSL VPN, Primary routes via VPN, Backup routes via VPN)
21
Beyond Microsegmentation
 By adding an authentication server such as RADIUS or TACACS+, one can get control of the assets.
 Instead of using a default user/pass to access the network, or maintaining a large user database on each device, one central server manages it.
 Password management is key in cybersecurity.
(Diagram label: Authentication server)
22
Beyond Microsegmentation
 Cybersecurity is not a “Fire and Forget” implementation.
 New threats must be evaluated, and the system must be reviewed.
 Patches and updates must be maintained across the network.
 By building a secure network from the outset, much of the later work is already done.
 Microsegmentation is only one tool in a cyber secure network.
24
 Introduction to IP
 Introduction to WeOS
 Certified Engineer Switching
 Certified Engineer Routing
 Also available: customer-tailored training
https://www.westermo.us/support/academy
25
Future Webinars
 Accessing The Last Mile
 Presentation this September
 Accessing remote networks through remote media such as cellular or VPNs.
 Zero Touch Deployment and other tools to make remote setup possible.
 We look forward to seeing you there!