Security @ eWON
Yvan Rudzinski, RSM eWON range, CEE & NE
yri@ewon.biz
Security
#1 PRIORITY @ eWON
• Ensuring secure and reliable remote access to your assets is vital for eWON business continuity
• Security VS Usability
• Needs of PLC technician & automation engineer
• Mandate of IT department
• Secure « by design », based on standards, VS secure « by obscurity » …
Security
Our daily duty and commitment
• Mission of our Security Manager:
• Internal company security
• Services & products security
• Our duty is also to communicate and advise:
• https://ewon.biz/security
• https://ewon.biz/support/news/support
• Newsletters, white papers, …
• Assessment(s) by independent specialists
• Cyber security experts in Industry
What exactly do we secure for you?
Quick overview of eWON remote access concept
Defense-in-depth approach
Layered security model
• Purpose is to protect integrity, availability & confidentiality of data and information systems
• Coordinated use of multiple security countermeasures, with several layers of security controls
• Based on guidelines set forth by leading security standards (ISO 27002, IEC 62443-2-4, NIST Cybersecurity Framework 1.0) in addition to other publications, guidelines and industry best practices
1st layer: eWON device
1st layer: eWON device
eWON authentication
• Credentials different from the Talk2M account login
• Different levels of users
• Several levels of access & security
• R&W, services, etc …
1st layer: eWON device
Network segregation
• Network segregation between the WAN factory network and the LAN machine network.
→ users can only access authorized devices on LAN
• Security settings enable restriction of traffic between WAN & LAN
1st layer: eWON device
Physical switch
• Using eWON DI:
• enabling/disabling the eWON access to Internet
• VPN access can be controlled with an external key switch
• Increases customer acceptance of the whole RA solution
2nd layer: Application
2nd layer: Application
Filtering with Talk2M Free+
• 2 filtering levels
• No filtering in level “Standard”:
• All users access all devices on eWON LAN
• Filtering level “High”:
• Access to restricted list of Ethernet devices connected on eWON LAN
2nd layer: Application
Filtering with Talk2M Pro (1)
• 4 Filtering levels
• User management
• Filtering level “Enforced”:
• Filter on gateways
• Access to restricted list of serial and USB devices
2nd layer: Application
Filtering with Talk2M Pro (2)
• Filtering level “Ultra”:
• Filter on services
• Access to restricted services (ftp, http, …) for a list of devices
3rd layer: Encryption
3rd layer: Encryption
• Used during authentication and on data for secure tunnel transport
• Both are SSL/TLS based:
• the X.509 PKI (public key infrastructure) for session authentication
• TLS protocol for key exchange
• Cipher-independent EVP (DES, 3DES, AES, BF) interface for encrypting tunnel data,
• and the HMAC-SHA1 algorithm for authenticating tunnel data
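Added example (not eWON or Talk2M code): how an HMAC-SHA1 tag authenticates tunnel data as this slide describes, with the encrypted payload treated as opaque bytes. The frame layout (tag, 4-byte packet id, ciphertext), the names seal and open_frame, the replay check and the sample key are assumptions made for illustration, not the Talk2M wire format.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha1().digest_size  # HMAC-SHA1 tag is 20 bytes
HEADER_LEN = 4                        # assumed 32-bit big-endian packet id


class AuthError(Exception):
    """Raised when a frame fails authentication or the replay check."""


def seal(mac_key: bytes, packet_id: int, ciphertext: bytes) -> bytes:
    """Build tag || packet_id || ciphertext.

    The tag covers the packet id and the ciphertext (encrypt-then-MAC),
    so neither can be changed without invalidating it.
    """
    header = struct.pack(">I", packet_id)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha1).digest()
    return tag + header + ciphertext


def open_frame(mac_key: bytes, frame: bytes, last_packet_id: int):
    """Verify a frame and return (packet_id, ciphertext).

    The MAC is checked before any field is interpreted, and the comparison
    is constant-time so timing does not leak how many tag bytes matched.
    """
    if len(frame) < TAG_LEN + HEADER_LEN:
        raise AuthError("frame too short")
    tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        raise AuthError("bad HMAC")
    (packet_id,) = struct.unpack(">I", body[:HEADER_LEN])
    # A valid tag alone does not stop a captured frame being re-sent,
    # so ids must strictly increase (simplified replay check, assumed).
    if packet_id <= last_packet_id:
        raise AuthError("replayed or out-of-order packet")
    return packet_id, body[HEADER_LEN:]


if __name__ == "__main__":
    key = bytes(range(32))                       # constructed sample key
    frame = seal(key, 7, b"opaque-ciphertext")   # constructed payload
    print(open_frame(key, frame, last_packet_id=6))
    tampered = frame[:-1] + bytes([frame[-1] ^ 0x01])
    try:
        open_frame(key, tampered, last_packet_id=6)
    except AuthError as exc:
        print("rejected:", exc)
```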
4th layer: User Management & Accountability
4th layer: User Management & Accountability
User logging in Talk2M
• Password reinforcement policies:
• Minimum length, requiring letter, digit and special char.
• Expiration period
• Old password list
• Two-factor authentication:
• Set up by the Talk2M administrator
• After regular login/password … a second window pops up, requiring SMS key
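Added example (not Talk2M code): a checker for the password rules listed on this slide, showing how an old-password list can be enforced without storing old passwords in clear. The thresholds (10 characters, 90 days, last 5 passwords), the PBKDF2 storage format and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 10                     # assumed value
    max_age: timedelta = timedelta(days=90)  # assumed expiration period
    history_size: int = 5                    # assumed old-password list length
    pbkdf2_rounds: int = 100_000             # example work factor


def hash_password(password: str, policy: PasswordPolicy, salt=None):
    """Return (salt, digest); a fresh random salt is used unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, policy.pbkdf2_rounds
    )
    return salt, digest


def violations(candidate: str, history, policy: PasswordPolicy):
    """List every rule the candidate password breaks (empty list = accepted).

    history is a list of (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if not any(c.isalpha() for c in candidate):
        problems.append("no letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no special character")
    # Each stored entry has its own salt, so the candidate must be
    # re-derived once per entry before it can be compared.
    for salt, digest in history[-policy.history_size:]:
        _, derived = hash_password(candidate, policy, salt)
        if hmac.compare_digest(derived, digest):
            problems.append("reused")
            break
    return problems


def is_expired(set_at: datetime, now: datetime, policy: PasswordPolicy) -> bool:
    """True once the password is older than the expiration period."""
    return now - set_at > policy.max_age


if __name__ == "__main__":
    policy = PasswordPolicy()
    # Constructed sample history of two earlier passwords.
    history = [hash_password(p, policy) for p in ("Winter-2023!x", "Spring-2024!x")]
    for pw in ("short1!", "Spring-2024!x", "Summer-2025!ok"):
        print(pw, "->", violations(pw, history, policy) or "accepted")
```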
4th layer: User Management & Accountability
Device and user Management
• Only for Talk2M Pro account:
• Group of users
• Pool of routers (= devices)
• Assigning different rights to users to allow the access to specific routers
4th layer: User Management & Accountability
Monthly connection report
• For the Administrator of a Talk2M account
• Details which user connects to which router, how long and when
4th layer: User Management & Accountability
eWON logs
• For each eWON unit of a Talk2M account
• Provides more details about eWON registration, connection, disconnection, SMS sent, user messages, etc.
5th layer: Talk2M Network Infrastructure
5th layer: Talk2M Network Infrastructure
Talk2M: facts & figures (1)
• Total devices ever connected: 100 000+
• 28 000+ routers simultaneously connected
• From 150+ countries
• 5 million eCatcher VPN connections
• 10+ million emails
• 55 TB of user traffic
• 25 physical dedicated servers in 11 datacenters across 5 continents
• Dedicated servers in the 4 largest hosting providers worldwide
• Rackspace, OVH, IBM SoftLayer, Amazon
• But also with local players in remote regions
5th layer: Talk2M Network Infrastructure
Talk2M: facts & figures (2)
• All our hosting providers are Tier 1 and compliant with:
• ISO 27001
• SSAE 16/ISAE 3402 (formerly SAS 70)
• Servers are globally redundant:
• On-site load balancing
• Across several providers
• And geographical spread (USA, UK, FR, JP, AUS, CN, ZA, …)
• Service Level Agreement provided to Talk2M Pro customers with:
• 99,6 % availability services on 365 days
• 4 hours max. breakdown
• No congestion on servers with reserved bandwidth
5th layer: Talk2M Network Infrastructure
Talk2M: facts & figures (3)
Worldwide presence
5th layer: Talk2M Network Infrastructure
Talk2M: facts & figures (4)
Talk2M shapes the world!
5th layer: Talk2M Network Infrastructure
Talk2M: infrastructure monitoring (1)
Talk2M support console
5th layer: Talk2M Network Infrastructure
Talk2M: infrastructure monitoring (2)
• Continuous automated health checks
• Server connectivity (ping & TCP tests)
• Processes, heartbeats
• Disk space
• Possible signs of abnormal activity, cyber attacks
• Number of connected eWONs
• Status & health of each VPN connection
• Consistency of DB
• …
5th layer: Talk2M Network Infrastructure
Talk2M: infrastructure monitoring (3)
• Alerts: SMS texts to 5 persons
• 1 dev engineer on duty 24/7/365
• Incident reporting:
• Each incident is reported into our tracking system
• Support, Sales, Marketing & Mgt are automatically notified
• Public notification: http://www.talk2m.com/status
6th layer: Policies & Procedures
6th layer: Policies & Procedures
• Enhanced compatibility with:
• Customer network due to our « Firewall friendly » approach
• Only “outbound” connections
• Use standard ports: 80 (Web access), 1194 (UDP), 443 (HTTPS)
• Compatible with most proxy servers
• Customer's corporate security policies
• No intrusive traffic
• Outgoing traffic can be « whitelisted » towards Talk2M server IPs only
• Talk2M administrator can:
• customize and reinforce the password policy to match corporate compliance
• restrict which user can access which device and service remotely
• monitor accurately all possible usage with monthly connection reports and logs
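Added example (not eWON tooling): an audit of firewall flow records against the egress policy this slide describes, that is outbound only, to allowlisted server addresses, on ports 80, 443 and 1194/UDP. The log line format, the device address and the 203.0.113.0/28 range are constructed placeholders; real Talk2M server addresses are not given on the page, and TCP for ports 80 and 443 is assumed from "Web access" and "HTTPS".

```python
import ipaddress
from typing import NamedTuple, Optional


class Flow(NamedTuple):
    direction: str  # "OUT" = initiated by the device, "IN" = initiated towards it
    proto: str
    src: str
    dst: str
    dport: int


# Ports from the slide; TCP for 80/443 is an assumption (HTTP/HTTPS).
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 1194)}
# Placeholder range (RFC 5737 TEST-NET-3), NOT real Talk2M addresses.
RELAY_NETS = [ipaddress.ip_network("203.0.113.0/28")]


def parse_flow(line: str) -> Flow:
    """Parse the constructed format: DIRECTION PROTO SRC DST DPORT."""
    direction, proto, src, dst, dport = line.split()
    return Flow(direction.upper(), proto.lower(), src, dst, int(dport))


def check_flow(flow: Flow, device_ip: str, relay_nets=RELAY_NETS) -> Optional[str]:
    """Return a reason string if the flow breaks the policy, else None."""
    if flow.direction == "IN" and flow.dst == device_ip:
        # The design relies on outbound connections only.
        return "inbound connection to device"
    if flow.direction != "OUT" or flow.src != device_ip:
        return None  # not traffic initiated by the audited device
    dst = ipaddress.ip_address(flow.dst)
    if not any(dst in net for net in relay_nets):
        return "destination not on allowlist"
    if (flow.proto, flow.dport) not in ALLOWED_SERVICES:
        return "service not allowed"
    return None


def audit(lines, device_ip: str):
    """Return [(line, reason)] for every flow that violates the policy."""
    findings = []
    for line in lines:
        reason = check_flow(parse_flow(line), device_ip)
        if reason:
            findings.append((line, reason))
    return findings


DEVICE_IP = "192.168.10.50"  # constructed device address
SAMPLE_LOG = [               # constructed flow records
    "OUT udp 192.168.10.50 203.0.113.5 1194",
    "OUT tcp 192.168.10.50 203.0.113.6 443",
    "OUT tcp 192.168.10.50 198.51.100.20 443",
    "OUT tcp 192.168.10.50 203.0.113.5 22",
    "IN tcp 198.51.100.77 192.168.10.50 80",
    "OUT tcp 192.168.10.99 198.51.100.20 443",
]

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG, DEVICE_IP):
        print(f"{reason}: {line}")
```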
Thanks for listening!
www.hms-networks.com
