This document discusses how to build a resilient network through various methods like hardware redundancy, microsegmentation, and configuration backups. It introduces Westermo and defines network resiliency. It describes using hardware redundancy through layer 2 protocols like FRNT rings and layer 3 protocols like OSPF. Microsegmentation is achieved through a hybrid L2/L3 network with firewalls separating different network zones. The importance of configuration backups for maintaining control of network assets is also covered.

1. Building Resilient Networks
November

2. Agenda
 Introductions
 Who is Westermo
 Defining Network Resiliency
 Hardware Redundancy
 Microsegmentation
 Configuration Backups

3. 3
Introductions
Dakota Diehl
Network Application Engineer
dakota.diehl@westermo.us
847.453.3899
Benjamin Campbell
Technical Support Engineer
benjamin.campbell@westermo.us
847.453.3896

4. 4
Westermo Group 2020
 Founded in 1975
 Industry leading software and hardware
development force
 Own production in Sweden with
state of the art process control
 Own sales and support units in 12 key countries,
distribution partners in many others

5. How To Build a Resilient
Network

6. 6
 Resilience in computer networks is the “ability to provide and maintain an acceptable
level of service in the face of faults and challenges to normal operation.”
 This is a very wide definition, as it covers everything from packet loss to complete failure
of a node or link.
 Also includes the ability to defend against and respond to cybersecurity attacks, whether
malicious or unintended misconfigurations.
 The more resilient a network is, the more tolerant it is to faults or errors across the
network and can maintain uptime.
 Because of the wide definition, there are also a multitude of ways to improve your
network’s resilience.
Resiliency – What is it?

7. Hardware Redundancy

8. 8
 One of the most straightforward ways to improve resiliency is to add redundancy
 If one node or link suffers a catastrophic failure, redundant connections keep the
network running without impacting performance.
 Unfortunately, not as simple as just dropping in another switch to the network!
 Layer 2 protocols such as FRNT or RSTP manage ring topologies, adding extra paths to
nodes without causing debilitating Broadcast Storms.
 Layer 3 protocols such as OSPF and VRRP can automatically designate a route between
networks and failover in the event of broken links.
Hardware Redundancy

9. 9
 Built in functions to avoid uncontrolled broadcast storms.
 Link integrity control.
 Non-FRNT ports are not allowed to communicate with FRNT ports.
 Default FRNT alarm signaling via SNMP, LED, Digital-Out and Syslog.
 Very fast fail-over of Multicast traffic, no need to wait for IGMP timeouts.
 Supports different medias fiber optic, copper and SHDSL, although fiber optic links allows for best fail-
over performance.
 Extremely fast convergence time of 20ms means little impact to network in the event of a link failure.
This translates to high resilience!
Layer 2 Redundancy
FRNT

10. 10
Layer 2 Redundancy: FRNT Ring Coupling
FRNT
Master
Ring
FRNT
Sub
Ring
FRNT
Sub
Ring
FRNT
Sub
Ring

11. 11
Layer 2 Redundancy: FRNT Ring Coupling
X
X
X
FRNT
Master Ring
FRNT
Sub Ring
FRNT
Sub Ring

12. 12
 Within the Network Layer, there are many options to add resiliency to a network:
 RIP
 OSPF
 VRRP
 RIP and OSPF are what are called “Dynamic Routing Protocols” which can automatically
determine best paths between networks, for automatic convergence in the event of a
network outage.
 VRRP or “Virtual Router Redundancy Protocol” will automatically designate a router as a
default gateway, with multiple routers configured as backups.
Layer 3 Resiliency: Routing Protocols

13. 13
Routing Protocols create resiliency on L3, between L2 Networks
Dynamic Routing Protocols
FRNT
VRRP
VRRP VRRP
FRNT FRNT
OSPF
OSPF
OSPFOSPF

14. 14
Combining Layer 2 and Layer 3 resilience functionality allows for
extremly high availablity.
FRNT Super Ring
FRNT Sub Ring FRNT Sub Ring
RiCo Node
RiCo Node RiCo Node
RiCo Node
CORE-Network
X
X
X
Link Failure
FRNT Ring Failover
Link Failure
Ring Coupling Failover X
X
Link Failure
FRNT Ring Failover
Link Failure
Ring Coupling Failover
FRNT Ring Failover
Distribution Layer,
Rack/Control rooms
Layer 3
Layer 2
XOSPF Failover OSPF Routing Protocol

15. Microsegmentation

16. 16
Hybrid L2/L3 Network
L2 ring topology 20-30ms
re-convergence time
L3 routing and FW at each
node creates a Zone
X Dynamic routing protocol (OSPF) used to advertise
location of subnets only, not used for re-convergence

17. 17
Efficient Routing to Minimize Network Delay
Network backbone
Router firewall Router firewall Router firewall
Messages are only ever routed twice
• Once into the backbone
• Second time when leaving backbone
• Messages pass though the FW when entering and leaving the network backbone

18. 18
Multiple Zones
Backbone Fibre
ZONE 1
10.10.10.0/28
ZONE 2
10.20.20.0/28
Traffic cannot pass
between zones
unless it is allowed
to do so
XObject controller
/smart IO

19. 19
Maintainer’s Sandbox Connection
Backbone Fibre
ZONE 1
10.10.10.0/28
ZONE 2
10.20.20.0/28
Traffic cannot pass
between zones
unless it is allowed
to do so
XObject controller
/smart IO
ZONE 3
192.20.20.0/28
Maintainers sandbox entry point,
access to network is FW, if 802.1x
configured only valid
users/machines can join the
network

20. Configuration Backups

21. 21
Getting Control of the Assets
 Using common UN and PW are an open
door to cyber actors
 Maintainers leave taking the common
credentials with them
 Almost impossible to change UN and PW
across a large user population
 Maintaining a large user DB on each
device is equally difficult
 Solution is to use RADIUS or TACACS+
User Authentication
 Effort required initially, much tighter
control and lower ownership cost long-
term
Authentication
server

22. 22