Robust Industrial Data Communications – Made Easy
Secure your network -
Segmentation & Segregation
Niklas Mörth & Jon-Olov Vatn
If you need instruction on how to connect audio, please visit
https://collaborationhelp.cisco.com/article/en-us/cjr7xq
2
Westermo group 2018
▪ Founded in 1975
▪ Industry leading software and hardware development force
▪ Own production in Sweden with state of the art process control
▪ Own sales and support units in 12 key countries, distribution partners in many others
3
Presenters
▪ Niklas Mörth, Product manager, Cybersecurity
▪ Dr. Jon-Olov Vatn, Network applications expert
Topic: Network segmentation and segregation
Run-time: 45 minutes
A webinar recording will be provided after the session is completed.
4
Questions
▪ Ask questions in the chat window
▪ Ask questions to the ”Host”
▪ Questions will be answered at the end of the presentation
5
Agenda
▪ The Threat Landscape
▪ Your Security Posture
▪ The Why
▪ The What and How
▪ Summary
The Threat Landscape
11
The Threat Landscape
Verizon Data Breach Investigation Report 2018
Your Security Posture
13
What is Cybersecurity?
Wikipedia definition:
“Cybersecurity is the protection of computer systems from theft or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide.”
14
Your Security Posture
[Figure: Security Posture shown as three pillars: Protect, Detect, Respond]
▪ Protect
  ▪ Firewall
  ▪ Anti-virus
  ▪ Authentication & Authorization
  ▪ Cryptography
  ▪ Network Segmentation
  ▪ Etc.
▪ Detect
  ▪ Network Monitoring (NMS)
  ▪ Intrusion Detection (IDS)
  ▪ Security Incidents (SIEM)
  ▪ Threat Hunting
  ▪ Etc.
▪ Respond
  ▪ Incident Response Plan
  ▪ Breach containment
  ▪ Security Incident Response Team
  ▪ Etc.
The Why!
19
The Why!
▪ Avoid single point of failure
▪ Policy of least privilege
▪ Slowing down attackers
▪ Reduce damage of successful breaches
[Figure: build-up over several slides showing CONTROL NETWORK and OFFICE NETWORK as separate zones, with SENSITIVE DATA marked as the asset to protect]
The What and How!
34
Start: A plant network in need of organizing
▪ Mix of units with different purposes and criticality
▪ Single, flat network (switched)
  ▪ Or multiple networks, each with mix of units
▪ Little or no control of traffic patterns within the Intranet
[Figure: Internet (WAN), FW/Router, Intranet: a single switched network carrying Office PCs, Management Clients, PLCs & Process Equipment and Servers]
35
Goal: A network with proper segmentation
▪ Group units based on their purpose
▪ Segment the network accordingly (zones)
▪ Connect via a router/firewall capable of segregating traffic flows
▪ May use multiple firewalls
  ▪ Possibly from different vendors
  ▪ Can have an external FW managed by the IT department (IT FW)
  ▪ The internal FW can be dedicated to operations (OT FW)
[Figure: Internet (WAN), IT FW/Router, Intranet, OT FW/Router, with the zones Office Net, Supervisory Net, Control Net A and Control Net B]
37
Segmentation: Local Area Networks
▪ What is a LAN?
  ▪ LAN – Local Area Network
  ▪ Sometimes it means ”your local network”, i.e., your whole Intranet
  ▪ Here we use LAN when referring to a broadcast network, typically using IEEE 802.3/Ethernet technology.
▪ Form a star topology by using a switch/hub/bridge to connect Ethernet equipment.
▪ Switches can be connected together to extend the LAN (tree topology).
▪ Connecting switches in a ring improves robustness (requires RSTP, FRNT, ...)
[Figure: Connecting units to LAN via a switch (Star Topology)]
[Figure: Using multiple switches to extend the LAN (Tree Topology)]
38
Segmentation: Virtual Local Area Networks
▪ What is a VLAN?
  ▪ VLAN - Virtual LAN
  ▪ Your LAN equipment is split into logical, isolated LANs (isolated broadcast domains)
▪ Sharing a single switch
  ▪ Port based VLAN
  ▪ Split a single switch
▪ Extend VLAN over multiple switches
  ▪ VLAN trunk cables
  ▪ ”VLAN tag” added
  ▪ Holds multiplex info (VLAN ID)
[Figure: VLANs to share switch (Port based VLAN): one switch with ports in VLAN 10 and VLAN 20]
[Figure: VLANs spanning multiple switches (Port based VLAN and VLAN tagging): two switches, each with VLAN 10 and VLAN 20 ports, joined by a VLAN trunk carrying VLAN 10 & 20]
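To make the two figures concrete, here is an added example (not from the Westermo slides and not WeOS code) of a small software model of one switch with port based VLANs and an 802.1Q trunk. The tag layout it parses (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID) is the IEEE 802.1Q format; the port assignments, the sample frames and the policy of dropping tagged frames that arrive on access ports are constructed for the example.

```python
"""Port-based VLAN with 802.1Q tagging on a trunk, modelled in a few functions.

Added example: a tiny software model of one switch. Access ports carry
untagged frames and belong to one VLAN; a trunk port carries tagged frames for
several VLANs. Frames and port assignments are constructed, not captured.
"""
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def parse_frame(frame: bytes):
    """Split an Ethernet frame into (dst, src, vlan_id, ethertype, payload).

    vlan_id is None for an untagged frame. Only the 12-bit VLAN ID is taken
    from the TCI; the priority bits are ignored here.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return dst, src, None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]


def build_frame(dst, src, payload, vlan_id=None, ethertype=0x0800, pcp=0):
    """Build an untagged frame, or a tagged one when vlan_id is given."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    tci = (pcp << 13) | (vlan_id & 0x0FFF)
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


class VlanSwitch:
    """One switch: access ports map to a VLAN ID, trunk ports to a set of IDs."""

    def __init__(self, access_ports, trunk_ports):
        self.access = dict(access_ports)
        self.trunks = {p: set(v) for p, v in trunk_ports.items()}

    def ingress_vlan(self, port, frame):
        """Classify an incoming frame into a VLAN, or None if it must be dropped."""
        vid = parse_frame(frame)[2]
        if port in self.access:
            # Constructed policy: access ports accept untagged frames only.
            return self.access[port] if vid is None else None
        if port in self.trunks:
            # Trunks accept only tagged frames for VLANs they are configured for.
            return vid if vid in self.trunks[port] else None
        return None

    def flood(self, in_port, frame):
        """Return {out_port: frame} for a broadcast within the frame's VLAN.

        Access ports get the frame untagged, trunk ports get it tagged with
        the VLAN ID. Ports in other VLANs never see it: separate broadcast
        domains on shared hardware.
        """
        vid = self.ingress_vlan(in_port, frame)
        if vid is None:
            return {}
        dst, src, _, etype, payload = parse_frame(frame)
        out = {}
        for port, port_vid in self.access.items():
            if port != in_port and port_vid == vid:
                out[port] = build_frame(dst, src, payload, None, etype)
        for port, allowed in self.trunks.items():
            if port != in_port and vid in allowed:
                out[port] = build_frame(dst, src, payload, vid, etype)
        return out


# Constructed layout: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20, port 5 trunk.
SWITCH = VlanSwitch({1: 10, 2: 10, 3: 20, 4: 20}, {5: {10, 20}})
BCAST = b"\xff" * 6
HOST_A = b"\x02\x00\x00\x00\x00\x0a"  # constructed locally administered MAC


def broadcast_from(port, vlan_id=None, payload=b"hello"):
    """Flood a broadcast that enters the given port (tagged if vlan_id is set)."""
    frame = build_frame(BCAST, HOST_A, payload, vlan_id)
    return SWITCH.flood(port, frame)


if __name__ == "__main__":
    for port, out in [(1, broadcast_from(1)), (5, broadcast_from(5, 20))]:
        print(f"in port {port} -> out ports {sorted(out)}")
```

A broadcast entering access port 1 (VLAN 10) reaches port 2 untagged and the trunk tagged with VLAN 10; ports 3 and 4 never see it. A frame tagged VLAN 30 on the trunk is dropped because the trunk is not configured for it, which is the check that keeps an unplanned VLAN from leaking across the link.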
39
Using VLANs to segment our network
▪ Configure VLANs on the (OT) Firewall/Router
▪ Creates one zone for each network
▪ Within each zone there are additional switches (not shown)
[Figure: FW/Router ports 1 to 5 with VLAN 10 Office Net, VLAN 20 Supervisory Net, VLAN 30 Control Net A, VLAN 40 Control Net B, and VLAN 50 towards the Intranet, the upstream FW/Router and the Internet (WAN)]
40
Assigning IP addresses/subnets
▪ IP address: identifies a unit and its location
  ▪ Logically assigned
  ▪ Network part and Host part
▪ Assign one subnet per VLAN, e.g.,
  ▪ 10.0.10.0/24: Office Net
  ▪ 10.0.20.0/24: Supervisory Net
  ▪ 10.0.30.0/24: Control Net A
  ▪ 10.0.40.0/24: Control Net B
  ▪ 10.0.50.0/24: Upstream Net
[Figure: FW/Router with VLAN 10 Office Net 10.0.10.0/24, VLAN 20 Supervisory Net 10.0.20.0/24, VLAN 30 Control Net A 10.0.30.0/24, VLAN 40 Control Net B 10.0.40.0/24 and VLAN 50 10.0.50.0/24 towards the Intranet, the upstream FW/Router and the Internet (WAN); host ID .1 on each firewall VLAN interface, .2 on the upstream link]
Example IP address with ”prefix length” 24 (netmask 255.255.255.0): 10.0.40.1, where 10.0.40 is the Network ID and 1 is the Host ID
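The network/host split and the one-subnet-per-VLAN plan can be checked mechanically. The following is an added example (not WeOS code and not the slide's configuration syntax): it derives the netmask from the prefix length with bit arithmetic, maps an address to its zone, and checks the plan for overlapping subnets and gateways that fall outside their own subnet. The subnets are the ones on the slide; the gateway addresses assume .1 on every VLAN interface of the OT firewall (the drawing shows .1 on the four zone interfaces, and .1 on vlan50 is an assumption).

```python
"""Subnet plan checks for the one-subnet-per-VLAN layout on the slides.

Added example (not WeOS code). It does the network/host split with the
prefix length as bit arithmetic, maps an address to its VLAN zone, and checks
the plan for overlapping subnets and unusable gateway addresses.
"""
import ipaddress

# Subnet plan as given on the slide. Gateways: .1 on each zone interface as in
# the drawing; .1 on vlan50 is an assumption (the drawing shows .1 and .2 there).
PLAN = {
    "vlan10": ("10.0.10.0/24", "Office Net", "10.0.10.1"),
    "vlan20": ("10.0.20.0/24", "Supervisory Net", "10.0.20.1"),
    "vlan30": ("10.0.30.0/24", "Control Net A", "10.0.30.1"),
    "vlan40": ("10.0.40.0/24", "Control Net B", "10.0.40.1"),
    "vlan50": ("10.0.50.0/24", "Upstream Net", "10.0.50.1"),
}


def split_address(cidr):
    """Return (network_id, host_id, netmask) for 'a.b.c.d/len'.

    The prefix length says how many leading bits are the network part; the
    remaining bits are the host part. 10.0.40.1/24 -> ('10.0.40.0', 1,
    '255.255.255.0').
    """
    addr, plen = cidr.split("/")
    plen = int(plen)
    if not 0 <= plen <= 32:
        raise ValueError(f"prefix length out of range: {plen}")
    a = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    network = str(ipaddress.IPv4Address(a & mask))
    host_id = a & (~mask & 0xFFFFFFFF)
    return network, host_id, str(ipaddress.IPv4Address(mask))


def zone_for(address, plan=PLAN):
    """Map an address to (interface, zone name), or None if no subnet holds it."""
    ip = ipaddress.IPv4Address(address)
    for iface, (cidr, name, _gateway) in plan.items():
        if ip in ipaddress.IPv4Network(cidr):
            return iface, name
    return None


def check_plan(plan):
    """Return a list of problems found in the plan (empty list = consistent)."""
    problems = []
    nets = []
    for iface, (cidr, _name, gateway) in plan.items():
        try:
            net = ipaddress.IPv4Network(cidr)  # strict: host bits must be zero
        except ValueError as exc:
            problems.append(f"{iface}: bad subnet {cidr} ({exc})")
            continue
        gw = ipaddress.IPv4Address(gateway)
        if gw not in net or gw in (net.network_address, net.broadcast_address):
            problems.append(f"{iface}: gateway {gateway} is not a usable host in {cidr}")
        nets.append((iface, net))
    # Two zones sharing address space would break routing between them.
    for i, (iface_a, net_a) in enumerate(nets):
        for iface_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{iface_a} {net_a} overlaps {iface_b} {net_b}")
    return problems


if __name__ == "__main__":
    print(split_address("10.0.40.1/24"))
    print(zone_for("10.0.30.33"))
    print(check_plan(PLAN) or "plan OK")
```

Run `check_plan` on the plan before typing addresses into the firewall: an overlapping subnet or a gateway equal to the network or broadcast address shows up as a problem string rather than as unexplained connectivity loss later.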
41
Configuring IP address
▪ Example, configuring IP address for interface ”vlan40” on (OT) Firewall
  ▪ Address: 10.0.40.1/24
[Figure: FW/Router with VLAN 10 Office Net 10.0.10.0/24, VLAN 20 Supervisory Net 10.0.20.0/24, VLAN 30 Control Net A 10.0.30.0/24, VLAN 40 Control Net B 10.0.40.0/24 and VLAN 50 10.0.50.0/24 towards the Intranet, the upstream FW/Router and the Internet (WAN); host ID .1 on each firewall VLAN interface, .2 on the upstream link]
42
Segmentation Done
▪ Segmentation using (V)LANs
  ▪ Units divided into groups based on role
  ▪ Each group in separate segment (zone)
▪ Within segment, communication typically switched
▪ Across segments, routed via Firewall/Router
  ▪ ”Default gateway” setting adds route towards Internet
▪ Firewall not enabled
  ▪ All units can still communicate
  ▪ Security not (yet) enhanced
▪ Next step: Traffic segregation!
[Figure: FW/Router with VLAN 10 Office Net 10.0.10.0/24, VLAN 20 Supervisory Net 10.0.20.0/24, VLAN 30 Control Net A 10.0.30.0/24, VLAN 40 Control Net B 10.0.40.0/24 and VLAN 50 10.0.50.0/24 towards the Intranet, the upstream FW/Router and the Internet (WAN); host ID .1 on each firewall VLAN interface, .2 on the upstream link]
43
Traffic Segregation using Firewall
▪ Block all traffic by default
  ▪ ”Default forward policy”: Deny
  ▪ No traffic will be routed between LANs!
▪ Add ”packet filter allow” rules for legal traffic flows
  ▪ Whitelisting
  ▪ Need to learn your traffic patterns
  ▪ Example:
    ▪ Office network gets access towards Internet (perhaps only HTTPS and DNS)
    ▪ No communication between Control Networks
    ▪ Supervisory Network can access Control Networks
  ▪ Limit to specific sources/destinations and protocols
▪ Complements to Firewall packet filters
  ▪ Stateful Inspection
  ▪ Deep inspection firewall
[Figure: FW/Router with VLAN 10 Office Net 10.0.10.0/24, VLAN 20 Supervisory Net 10.0.20.0/24, VLAN 30 Control Net A 10.0.30.0/24, VLAN 40 Control Net B 10.0.40.0/24 and VLAN 50 10.0.50.0/24 towards the Intranet, the upstream FW/Router and the Internet (WAN); host ID .1 on each firewall VLAN interface, .2 on the upstream link]
44
Firewall filter rules in WeOS
▪ Default ”Forward Policy”: Drop
▪ Add ”Filter allow” rules for whitelisting allowed traffic patterns
▪ Match traffic based on
  ▪ Network Interface (in/out)
  ▪ IP address (src/dst)
  ▪ IP payload protocol (TCP, UDP, ICMP, ...)
  ▪ TCP or UDP Port number
▪ Stop at first match (action: allow or deny/drop)
▪ Input or Forward chain?
  ▪ Input chain: Rules without ”Out Interface” and ”Destination address”
  ▪ Forward chain: Rules with ”Out Interface” and/or ”Destination address”
▪ Stateful firewall
▪ Logging possible
▪ Note: Does not apply to switched traffic
45
Firewall filter configuration example
▪ Add ability for management station in supervision network to control a unit in control network A via SNMP.
▪ Here we limit to specific IP addresses of management station (10.0.20.5) and the controlled unit (10.0.30.33).
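The filter semantics from the two preceding slides (default drop, first match wins, input versus forward chain, no filtering of switched traffic) and this SNMP example can be exercised in a small model. The following is an added example, not WeOS code and not its configuration syntax: rule fields mirror the slide's match criteria, chain selection follows the slide's rule of thumb, and `decide` returns the matching rule index so each verdict can be logged. The interface names, the Office Net HTTPS/DNS rules, the sample packets and the SSH management rule on the input chain are constructed for the example; only the SNMP rule between 10.0.20.5 and 10.0.30.33 comes from the slide.

```python
"""First-match, default-drop packet filter model for the segregation step.

Added example: a stateless model of the filter semantics the WeOS slides
describe. Not WeOS code; rule set, interface names and sample packets are
constructed, and the SSH management rule is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                   # "allow" or "drop"
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    src: Optional[str] = None     # single address or CIDR
    dst: Optional[str] = None
    proto: Optional[str] = None   # "tcp", "udp", "icmp"
    dport: Optional[int] = None

    @property
    def chain(self):
        """Slide rule of thumb: no out-interface and no destination => input chain."""
        return "input" if self.out_iface is None and self.dst is None else "forward"


@dataclass
class Packet:
    in_iface: str
    out_iface: Optional[str]      # None when the firewall itself is the destination
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None


def _ip_match(pattern, address):
    if pattern is None:
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def matches(rule, pkt):
    """Every field set on the rule must match; unset fields are wildcards."""
    return (
        (rule.in_iface is None or rule.in_iface == pkt.in_iface)
        and (rule.out_iface is None or rule.out_iface == pkt.out_iface)
        and _ip_match(rule.src, pkt.src)
        and _ip_match(rule.dst, pkt.dst)
        and (rule.proto is None or rule.proto == pkt.proto)
        and (rule.dport is None or rule.dport == pkt.dport)
    )


def decide(rules, pkt, default="drop"):
    """Return (action, index of the matching rule, or None for the default policy)."""
    # Traffic that stays inside one VLAN is switched, not routed: the filter
    # is never consulted for it (the slide's "does not apply to switched traffic").
    if pkt.out_iface is not None and pkt.out_iface == pkt.in_iface:
        return "switched", None
    chain = "input" if pkt.out_iface is None else "forward"
    for idx, rule in enumerate(rules):
        if rule.chain == chain and matches(rule, pkt):
            return rule.action, idx   # stop at first match
    return default, None


RULES = [
    # Office Net may reach the Internet via the upstream VLAN, HTTPS and DNS only.
    Rule("allow", in_iface="vlan10", out_iface="vlan50", src="10.0.10.0/24", proto="tcp", dport=443),
    Rule("allow", in_iface="vlan10", out_iface="vlan50", src="10.0.10.0/24", proto="udp", dport=53),
    # Slide example: management station 10.0.20.5 -> SNMP (UDP 161) to unit 10.0.30.33.
    Rule("allow", in_iface="vlan20", out_iface="vlan30", src="10.0.20.5", dst="10.0.30.33", proto="udp", dport=161),
    # Assumed input-chain rule: Supervisory Net may manage the firewall over SSH.
    Rule("allow", in_iface="vlan20", src="10.0.20.0/24", proto="tcp", dport=22),
    # Everything else, including Control Net A <-> Control Net B, hits the default drop.
]

# Constructed sample traffic: (description, packet)
SAMPLES = [
    ("office https to internet", Packet("vlan10", "vlan50", "10.0.10.7", "203.0.113.10", "tcp", 443)),
    ("office http to internet", Packet("vlan10", "vlan50", "10.0.10.7", "203.0.113.10", "tcp", 80)),
    ("snmp from mgmt station", Packet("vlan20", "vlan30", "10.0.20.5", "10.0.30.33", "udp", 161)),
    ("snmp from other host", Packet("vlan20", "vlan30", "10.0.20.6", "10.0.30.33", "udp", 161)),
    ("control A to control B", Packet("vlan30", "vlan40", "10.0.30.33", "10.0.40.9", "tcp", 502)),
    ("ssh to firewall", Packet("vlan20", None, "10.0.20.5", "10.0.20.1", "tcp", 22)),
    ("same vlan, switched", Packet("vlan30", "vlan30", "10.0.30.33", "10.0.30.34", "tcp", 502)),
]


def audit(rules=RULES, samples=SAMPLES):
    """Return {description: (action, rule index)}, one log line per sample packet."""
    return {desc: decide(rules, pkt) for desc, pkt in samples}
```

The point to check in any rule set is ordering: because evaluation stops at the first match, a broad drop placed ahead of a narrow allow silently shadows it, and `audit` shows which rule index produced each verdict so such shadowing is visible before the rules go live. Note that the model is stateless; the slide's stateful inspection, which would also admit the SNMP replies, is outside what it shows.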
[Figure: FW/Router with VLAN 10 Office Net 10.0.10.0/24, VLAN 20 Supervisory Net 10.0.20.0/24, VLAN 30 Control Net A 10.0.30.0/24, VLAN 40 Control Net B 10.0.40.0/24 and VLAN 50 10.0.50.0/24 towards the Intranet, the upstream FW/Router and the Internet (WAN); host ID .1 on each firewall VLAN interface, .2 on the upstream link]
46
Segmentation and Segregation Recap
▪ Segmentation using (V)LANs
▪ IP address and subnet assignment and routing for connectivity
▪ Traffic segregation using firewall rules
Done!
[Figure: FW/Router with VLAN 10 Office Net 10.0.10.0/24, VLAN 20 Supervisory Net 10.0.20.0/24, VLAN 30 Control Net A 10.0.30.0/24, VLAN 40 Control Net B 10.0.40.0/24 and VLAN 50 10.0.50.0/24 towards the Intranet, the upstream FW/Router and the Internet (WAN); host ID .1 on each firewall VLAN interface, .2 on the upstream link]
47
More complex networks
▪ Intermediate Communication Network between your zones
  ▪ Internal to plant
  ▪ Remote locations
  ▪ Use of VPNs (Conduits)
▪ Multiple (OT) Firewalls
▪ Redundancy within LANs
  ▪ Within Zones
  ▪ Intermediate Communication Networks
  ▪ Ring Topologies
[Figure: Internet (WAN), Intranet and several FW/Routers, with the zones Office Net, Supervisory Net, Control Net A and Control Net B]
Summary
49
Summary
▪ The threat is real, keep your Security Posture updated!
▪ Why you should segment and segregate your network:
  ▪ Avoid single point of failure
  ▪ Policy of least privilege
  ▪ Slow down the attacker
  ▪ Reduce the damage of a successful breach
▪ How to:
  ▪ Segmentation using (V)LANs
  ▪ Traffic segregation using firewall rules
50
Fundamentals of cybersecurity
▪ Network-to-Network protection
  Recording available at Westermo.com
  ▪ Best practices for using VPNs for easy network-to-network protection
▪ Network segregation
  Recording available at Westermo.com shortly
  ▪ Use WeOS switching routers to create security zones in your network
▪ Perimeter protection and spoofing protection
  April 17th 09.00 and 15.00 CET
  ▪ Protect your industrial network from unsolicited requests
51
Thank you for attending!
▪ An email will be sent to you including
  ▪ Playback link to Webinar recording
  ▪ Contact information to your local Westermo dealer
  ▪ Information on how to register for next webinar
Next webinar: April 17th, 2019
Perimeter protection and spoofing protection
52
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Climate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing DaysClimate Impact of Software Testing at Nordic Testing Days
Climate Impact of Software Testing at Nordic Testing Days
 
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AIEnchancing adoption of Open Source Libraries. A case study on Albumentations.AI
Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 

Secure your network - Segmentation and segregation

  • 1. Robust Industrial Data Communications – Made Easy
    Secure your network - Segmentation & Segregation
    Niklas Mörth & Jon-Olov Vatn
    If you need instruction on how to connect audio, please visit https://collaborationhelp.cisco.com/article/en-us/cjr7xq
  • 2. Westermo group 2018
    ▪ Founded in 1975
    ▪ Industry leading software and hardware development force
    ▪ Own production in Sweden with state of the art process control
    ▪ Own sales and support units in 12 key countries, distribution partners in many others
  • 3. Presenters
    Niklas Mörth, Product manager, Cybersecurity
    Dr. Jon-Olov Vatn, Network applications expert
    Topic: Network segmentation and segregation
    Run-time: 45 minutes
    A webinar recording will be provided after the session is completed.
  • 4. Questions
    ▪ Ask questions in the chat window
    ▪ Address questions to the ”Host”
    ▪ Questions will be answered at the end of the presentation
  • 5. Agenda
    ▪ The Threat Landscape
    ▪ Your Security Posture
    ▪ The Why
    ▪ The What and How
    ▪ Summary
  • 6. Agenda (same items as slide 5)
    [Diagram: Security Posture = Protect, Detect, Respond]
  • 7. Agenda (same items as slide 5; ”The Why” highlighted)
  • 8. Agenda (same items as slide 5; ”The What and How” highlighted)
  • 9. Agenda (same items as slide 5; ”Summary” highlighted)
  • 10. Robust Industrial Data Communications – Made Easy
    The Threat Landscape
  • 11. The Threat Landscape
    [Figure: statistics from the Verizon Data Breach Investigation Report 2018]
  • 12. Robust Industrial Data Communications – Made Easy
    Your Security Posture
  • 13. What is Cybersecurity?
    Wikipedia definition: “Cybersecurity is the protection of computer systems from theft or damage to their hardware, software or electronic data, as well as from disruption or misdirection of the services they provide.”
  • 15. Your Security Posture
    Protect: Firewall, Anti-virus, Authentication & Authorization, Cryptography, Network Segmentation, etc.
    Detect: (filled in on the next slide)
    Respond: (filled in on slide 17)
  • 16. Your Security Posture
    Protect: Firewall, Anti-virus, Authentication & Authorization, Cryptography, Network Segmentation, etc.
    Detect: Network Monitoring (NMS), Intrusion Detection (IDS), Security Incidents (SIEM), Threat Hunting, etc.
    Respond: (filled in on the next slide)
  • 17. Your Security Posture
    Protect: Firewall, Anti-virus, Authentication & Authorization, Cryptography, Network Segmentation, etc.
    Detect: Network Monitoring (NMS), Intrusion Detection (IDS), Security Incidents (SIEM), Threat Hunting, etc.
    Respond: Incident Response Plan, Breach containment, Security Incident Response Team, etc.
  • 18. Robust Industrial Data Communications – Made Easy
    The Why!
  • 22. The Why!
    ▪ Avoid single point of failure
    [Diagram: CONTROL NETWORK and OFFICE NETWORK]
  • 23. The Why!
    ▪ Avoid single point of failure
    [Diagram: CONTROL NETWORK and OFFICE NETWORK]
  • 24. The Why!
    ▪ Avoid single point of failure
    [Diagram: CONTROL NETWORK and OFFICE NETWORK]
  • 25. The Why!
    ▪ Avoid single point of failure
    ▪ Policy of least privilege
    [Diagram: CONTROL NETWORK and OFFICE NETWORK]
  • 26. The Why!
    ▪ Avoid single point of failure
    ▪ Policy of least privilege
    [Diagram: CONTROL NETWORK and OFFICE NETWORK]
  • 27. The Why!
    ▪ Avoid single point of failure
    ▪ Policy of least privilege
    [Diagram: CONTROL NETWORK and OFFICE NETWORK]
  • 28. The Why!
    ▪ Avoid single point of failure
    ▪ Policy of least privilege
    ▪ Slowing down attackers
    [Diagram: CONTROL NETWORK and OFFICE NETWORK]
  • 29. The Why!
    ▪ Avoid single point of failure
    ▪ Policy of least privilege
    ▪ Slowing down attackers
    [Diagram: CONTROL NETWORK, OFFICE NETWORK and SENSITIVE DATA]
  • 30. The Why!
    ▪ Avoid single point of failure
    ▪ Policy of least privilege
    ▪ Slowing down attackers
    [Diagram: CONTROL NETWORK, OFFICE NETWORK and SENSITIVE DATA]
  • 31. The Why!
    ▪ Avoid single point of failure
    ▪ Policy of least privilege
    ▪ Slowing down attackers
    ▪ Reduce damage of successful breaches
    [Diagram: CONTROL NETWORK, OFFICE NETWORK and SENSITIVE DATA]
  • 32. The Why!
    ▪ Avoid single point of failure
    ▪ Policy of least privilege
    ▪ Slowing down attackers
    ▪ Reduce damage of successful breaches
    [Diagram: CONTROL NETWORK and OFFICE NETWORK]
  • 33. Robust Industrial Data Communications – Made Easy
    The What and How!
  • 34. Start: A plant network in need of organizing
    ▪ Mix of units with different purposes and criticality
    ▪ Single, flat network (switched)
    ▪ Or multiple networks, each with a mix of units
    ▪ Little or no control of traffic patterns within the Intranet
    [Diagram: one Switched Network holding Office PCs, Management Clients, PLCs & Process Equipment and Servers, connected via a FW/Router to the Intranet and the Internet (WAN)]
  • 35. Goal: A network with proper segmentation
    ▪ Group units based on their purpose
    ▪ Segment the network accordingly (zones)
    ▪ Connect via a router/firewall capable of segregating traffic flows
    ▪ May use multiple firewalls
      ▪ Possibly from different vendors
      ▪ Can have an external FW managed by the IT department (IT FW)
      ▪ The internal FW can be dedicated to operations (OT FW)
    [Diagram: Office Net, Supervisory Net, Control Net A and Control Net B as separate zones behind an FW/Router, which connects through the Intranet and a second FW/Router to the Internet (WAN)]
  • 36. Goal: A network with proper segmentation (same content as slide 35)
  • 37. Segmentation: Local Area Networks
    ▪ What is a LAN?
      ▪ LAN – Local Area Network
      ▪ Sometimes it means ”your local network”, i.e., your whole Intranet
      ▪ Here we use LAN when referring to a broadcast network, typically using IEEE 802.3/Ethernet technology.
    ▪ Form a star topology by using a switch/hub/bridge to connect Ethernet equipment.
    ▪ Switches can be connected together to extend the LAN (tree topology).
    ▪ Connecting switches in a ring improves robustness (requires RSTP, FRNT, ...)
    [Figures: Connecting units to a LAN via a switch (Star Topology); Using multiple switches to extend the LAN (Tree Topology)]
  • 38. Segmentation: Virtual Local Area Networks
    ▪ What is a VLAN?
      ▪ VLAN - Virtual LAN
      ▪ Your LAN equipment is split into logical, isolated LANs (isolated broadcast domains)
    ▪ Sharing a single switch
      ▪ Port based VLAN
      ▪ Split a single switch
    ▪ Extend a VLAN over multiple switches
      ▪ VLAN trunk cables
      ▪ ”VLAN tag” added
      ▪ Holds multiplex info (VLAN ID)
    [Figures: VLANs sharing a switch (Port based VLAN), ports in VLAN 10 and VLAN 20; VLANs spanning multiple switches (Port based VLAN and VLAN tagging), with a VLAN trunk carrying VLAN 10 & 20]
  • 39. Using VLANs to segment our network
    ▪ Configure VLANs on the (OT) Firewall/Router
    ▪ Creates one zone for each network
    ▪ Within each zone there are additional switches (not shown)
    [Diagram: FW/Router ports 1-5 with VLAN 10 Office Net, VLAN 20 Supervisory Net, VLAN 30 Control Net A, VLAN 40 Control Net B, and VLAN 50 towards the Intranet, IT FW/Router and Internet (WAN)]
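To make the ”isolated broadcast domains” and ”VLAN tag” points of slides 37-39 concrete, here is an added example (not Westermo code and not a description of WeOS internals) that models two port-based VLAN switches joined by an 802.1Q trunk: access ports belong to one VLAN, trunk ports carry several VLANs and mark each frame with a tag holding the VLAN ID, and a broadcast sent into one VLAN never reaches ports of the other. Switch names, port names, the MAC addresses and the frame payload are constructed for the example; the tag layout (TPID 0x8100, 16-bit TCI with a 12-bit VLAN ID) is the standard IEEE 802.1Q one.

```python
"""Port-based VLAN switches joined by an 802.1Q trunk (added example, not WeOS code)."""
from __future__ import annotations
import struct

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the 12-byte destination/source MAC header."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid                     # TCI = PCP(3) | DEI(1) | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def untag_frame(frame: bytes) -> tuple[int | None, bytes]:
    """Return (vid, frame without tag); vid is None when the frame carries no tag."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return None, frame


class VlanSwitch:
    """Minimal port-based VLAN switch: floods within the VLAN, tags on trunks."""

    def __init__(self, name: str):
        self.name = name
        self.access: dict[str, int] = {}        # port -> VLAN the port belongs to (PVID)
        self.trunks: dict[str, set[int]] = {}   # port -> VLAN IDs allowed on the trunk

    def add_access(self, port: str, vid: int) -> None:
        self.access[port] = vid

    def add_trunk(self, port: str, vids) -> None:
        self.trunks[port] = set(vids)

    def ingress(self, port: str, frame: bytes) -> list[tuple[str, str, bytes]]:
        """Classify an arriving frame and return (switch, out_port, frame) deliveries."""
        if port in self.access:
            vid = self.access[port]             # access port: VLAN given by the port
            _, payload = untag_frame(frame)     # any tag from the host is ignored
        elif port in self.trunks:
            vid, payload = untag_frame(frame)   # trunk port: VLAN given by the tag
            if vid is None or vid not in self.trunks[port]:
                return []                       # untagged or not-allowed VLAN: drop
        else:
            return []                           # unknown port: drop
        out = []
        for p, pvid in self.access.items():     # untagged copies to member access ports
            if p != port and pvid == vid:
                out.append((self.name, p, payload))
        for p, vids in self.trunks.items():     # tagged copies onto trunks carrying this VLAN
            if p != port and vid in vids:
                out.append((self.name, p, tag_frame(payload, vid)))
        return out


def broadcast_domain(switches, links, src_switch, src_port, frame):
    """Sorted 'switch:port' list of access ports that receive a frame sent into src_port."""
    received, queue = [], [(src_switch, src_port, frame)]
    while queue:
        sw, port, fr = queue.pop()
        for _, out_port, out_frame in switches[sw].ingress(port, fr):
            if (sw, out_port) in links:         # trunk cable: hand the frame to the peer
                peer_sw, peer_port = links[(sw, out_port)]
                queue.append((peer_sw, peer_port, out_frame))
            else:
                received.append(f"{sw}:{out_port}")
    return sorted(received)


def build_example():
    """Two switches, each with ports p1/p2 in VLAN 10, p3/p4 in VLAN 20, trunk p8 (constructed)."""
    switches = {}
    for name in ("sw1", "sw2"):
        sw = VlanSwitch(name)
        sw.add_access("p1", 10); sw.add_access("p2", 10)
        sw.add_access("p3", 20); sw.add_access("p4", 20)
        sw.add_trunk("p8", [10, 20])
        switches[name] = sw
    links = {("sw1", "p8"): ("sw2", "p8"), ("sw2", "p8"): ("sw1", "p8")}
    return switches, links


# Constructed broadcast frame: dst ff:ff:ff:ff:ff:ff, src 02:00:00:00:00:01, EtherType 0x0800, dummy payload
BROADCAST = b"\xff" * 6 + bytes.fromhex("020000000001") + b"\x08\x00" + b"who-has?"

if __name__ == "__main__":
    switches, links = build_example()
    print("VLAN 10 broadcast from sw1:p1 reaches", broadcast_domain(switches, links, "sw1", "p1", BROADCAST))
    print("VLAN 20 broadcast from sw1:p3 reaches", broadcast_domain(switches, links, "sw1", "p3", BROADCAST))
```

Running it shows the VLAN 10 broadcast reaching only the VLAN 10 ports of both switches (via the tagged copy on the trunk) and never a VLAN 20 port, which is the isolation the slide relies on; a frame tagged with a VLAN that is not configured on the trunk is dropped at the receiving switch, which is why trunk VLAN lists should be kept as narrow as the zones actually need.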
  • 40. Assigning IP addresses/subnets
    ▪ IP addresses: Identify a unit and its location
      ▪ Logically assigned
      ▪ Network part and Host part
    ▪ Assign one subnet per VLAN, e.g.,
      ▪ 10.0.10.0/24: Office Net
      ▪ 10.0.20.0/24: Supervisory Net
      ▪ 10.0.30.0/24: Control Net A
      ▪ 10.0.40.0/24: Control Net B
      ▪ 10.0.50.0/24: Upstream Net
    Example IP address with ”prefix length” 24 (netmask 255.255.255.0): 10.0.40.1, where the first three octets (10.0.40) are the Network ID and the last octet (1) is the Host ID.
    [Diagram: FW/Router with VLAN 10 Office Net 10.0.10.0/24, VLAN 20 Supervisory Net 10.0.20.0/24, VLAN 30 Control Net A 10.0.30.0/24, VLAN 40 Control Net B 10.0.40.0/24 and VLAN 50 10.0.50.0/24 towards the Intranet, IT FW/Router and Internet (WAN); the router addresses (.1 and .2) are shown per subnet]
  • 41. Configuring IP address
    ▪ Example: configuring the IP address for interface ”vlan40” on the (OT) Firewall
      ▪ Address: 10.0.40.1/24
    [Diagram: same network as slide 40]
  • 42. Segmentation Done
    ▪ Segmentation using (V)LANs
      ▪ Units divided into groups based on role
      ▪ Each group in a separate segment (zone)
    ▪ Within a segment, communication is typically switched
    ▪ Across segments, traffic is routed via the Firewall/Router
      ▪ The ”Default gateway” setting adds a route towards the Internet
    ▪ Firewall not enabled
      ▪ All units can still communicate
      ▪ Security not (yet) enhanced
    ▪ Next step: Traffic segregation!
    [Diagram: same network as slide 40]
  • 43. Traffic Segregation using Firewall
    ▪ Block all traffic by default
      ▪ ”Default forward policy”: Deny
      ▪ No traffic will be routed between LANs!
    ▪ Add ”packet filter allow” rules for legal traffic flows
      ▪ Whitelisting
      ▪ Need to learn your traffic patterns
    ▪ Example:
      ▪ Office network gets access towards the Internet (perhaps only HTTPS and DNS)
      ▪ No communication between Control Networks
      ▪ Supervisory Network can access Control Networks
      ▪ Limit to specific sources/destinations and protocols
    ▪ Complements to Firewall packet filters
      ▪ Stateful Inspection
      ▪ Deep inspection firewall
    [Diagram: same network as slide 40]
  • 44. Firewall filter rules in WeOS
    ▪ Default ”Forward Policy”: Drop
    ▪ Add ”Filter allow” rules for whitelisting allowed traffic patterns
    ▪ Match traffic based on
      ▪ Network Interface (in/out)
      ▪ IP address (src/dst)
      ▪ IP payload protocol (TCP, UDP, ICMP, ...)
      ▪ TCP or UDP Port number
    ▪ Stop at first match (action: allow or deny/drop)
    ▪ Input or Forward chain?
      ▪ Input chain: Rules without ”Out Interface” and ”Destination address”
      ▪ Forward chain: Rules with ”Out Interface” and/or ”Destination address”
    ▪ Stateful firewall
    ▪ Logging possible
    ▪ Note: Does not apply to switched traffic
  • 45. Firewall filter configuration example
    ▪ Add the ability for a management station in the supervisory network to control a unit in control network A via SNMP.
    ▪ Here we limit the rule to the specific IP addresses of the management station (10.0.20.5) and the controlled unit (10.0.30.33).
    [Diagram: same network as slide 40]
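The following added example (not WeOS code or configuration syntax; the presenters' product is not modelled) ties slides 40-45 together in Python: it holds the subnet plan of slide 40, splits an address into network ID and host ID, works out which VLAN interface a packet enters and leaves on (unknown destinations leave via the default route on vlan50, as slide 42 describes), and evaluates an ordered rule list with the semantics slide 44 lists: default forward policy drop, first match wins, and a rule belongs to the forward chain only when it names an out interface and/or a destination address. The interface names vlan10..vlan50, the whitelist for the office network (HTTPS and DNS only) and the SNMP rule for 10.0.20.5 to 10.0.30.33 come from the slides; the sample packets and the Internet address are constructed, and connection state tracking (the ”stateful firewall” point) is deliberately left out.

```python
"""Subnet plan and first-match forward-chain evaluation for the zoned network (added example, not WeOS)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import Optional, Tuple

# Slide 40/41: one subnet per VLAN; the OT firewall owns .1 in each (vlan40 = 10.0.40.1/24 on slide 41).
ZONES = {
    "vlan10": ip_interface("10.0.10.1/24"),  # Office Net
    "vlan20": ip_interface("10.0.20.1/24"),  # Supervisory Net
    "vlan30": ip_interface("10.0.30.1/24"),  # Control Net A
    "vlan40": ip_interface("10.0.40.1/24"),  # Control Net B
    "vlan50": ip_interface("10.0.50.1/24"),  # Upstream Net towards IT firewall / Internet
}
DEFAULT_ROUTE_IF = "vlan50"        # slide 42: default gateway adds the route towards the Internet
DEFAULT_FORWARD_POLICY = "drop"    # slide 43/44: everything not explicitly allowed is dropped


def split_address(addr: str) -> dict:
    """Network ID / host ID split for a prefix-length address such as 10.0.40.1/24."""
    iface = ip_interface(addr)
    return {
        "netmask": str(iface.netmask),
        "network_id": str(iface.network.network_address),
        "host_id": int(iface.ip) - int(iface.network.network_address),
    }


def plan_is_consistent() -> bool:
    """No two zone subnets may overlap, otherwise routing between them is ambiguous."""
    nets = [z.network for z in ZONES.values()]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def zone_of(ip: str) -> Optional[str]:
    """VLAN interface whose subnet contains ip, or None for a non-local address."""
    a = ip_address(ip)
    return next((name for name, z in ZONES.items() if a in z.network), None)


def egress_if(ip: str) -> str:
    """Outgoing interface: the zone's own VLAN, else the default route towards the Internet."""
    return zone_of(ip) or DEFAULT_ROUTE_IF


@dataclass
class Rule:
    action: str                     # "allow" or "drop"
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None       # single address or subnet, e.g. "10.0.20.5" or "10.0.10.0/24"
    dst: Optional[str] = None
    proto: Optional[str] = None     # "tcp", "udp", "icmp"
    dport: Optional[int] = None

    @property
    def chain(self) -> str:
        # Slide 44: an out interface and/or destination address puts the rule in the forward chain;
        # a rule without both is an input rule (traffic addressed to the firewall itself).
        return "forward" if (self.out_if or self.dst) else "input"

    def matches(self, pkt: dict) -> bool:
        return all((
            self.in_if is None or self.in_if == pkt["in_if"],
            self.out_if is None or self.out_if == pkt["out_if"],
            self.src is None or ip_address(pkt["src"]) in ip_network(self.src, strict=False),
            self.dst is None or ip_address(pkt["dst"]) in ip_network(self.dst, strict=False),
            self.proto is None or self.proto == pkt["proto"],
            self.dport is None or self.dport == pkt.get("dport"),
        ))


# Whitelist: slide 43's example flows plus the slide 45 SNMP rule. Order matters (first match wins).
RULES = [
    Rule("allow", in_if="vlan10", out_if="vlan50", proto="tcp", dport=443),   # Office -> Internet, HTTPS only
    Rule("allow", in_if="vlan10", out_if="vlan50", proto="udp", dport=53),    # Office -> Internet, DNS only
    Rule("allow", in_if="vlan20", out_if="vlan30", src="10.0.20.5",           # management station ...
         dst="10.0.30.33", proto="udp", dport=161),                            # ... to one unit in Control Net A, SNMP
]


def forward_decision(src: str, dst: str, proto: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Evaluate the forward chain top-down; returns (action, index of the matching rule or None)."""
    pkt = {"in_if": zone_of(src), "out_if": egress_if(dst), "src": src, "dst": dst, "proto": proto, "dport": dport}
    for i, rule in enumerate(RULES):
        if rule.chain == "forward" and rule.matches(pkt):
            return rule.action, i
    return DEFAULT_FORWARD_POLICY, None


if __name__ == "__main__":
    print(split_address("10.0.40.1/24"))
    for flow in [("10.0.20.5", "10.0.30.33", "udp", 161),     # permitted SNMP flow
                 ("10.0.20.6", "10.0.30.33", "udp", 161),     # another supervisory host: dropped
                 ("10.0.30.10", "10.0.40.10", "tcp", 502),    # control net A -> B: dropped
                 ("10.0.10.7", "203.0.113.10", "tcp", 443),   # office -> Internet HTTPS (constructed address)
                 ("10.0.10.7", "203.0.113.10", "tcp", 80)]:   # office -> Internet HTTP: dropped
        print(flow, "->", forward_decision(*flow))
```

The point worth checking against a real rule set is the same one the model exposes: the SNMP rule only passes traffic from the one management station to the one controlled unit, anything else between supervisory and control zones, and everything between Control Net A and B, falls through to the default drop, and an office client reaching the Internet on a port other than 443 or 53 is dropped as well.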
  • 46. Segmentation and Segregation Recap
    ▪ Segmentation using (V)LANs
    ▪ IP address and subnet assignment and routing for connectivity
    ▪ Traffic segregation using firewall rules
    Done!
    [Diagram: same network as slide 40]
  • 47. More complex networks
    ▪ Intermediate Communication Network between your zones
      ▪ Internal to plant
      ▪ Remote locations
      ▪ Use of VPNs (Conduits)
    ▪ Multiple (OT) Firewalls
    ▪ Redundancy within LANs
      ▪ Within Zones
      ▪ Intermediate Communication Networks
      ▪ Ring Topologies
    [Diagram: Office Net, Supervisory Net, Control Net A and Control Net B, each behind its own FW/Router, interconnected via the Intranet and the Internet (WAN)]
  • 48. Robust Industrial Data Communications – Made Easy
    Summary
  • 49. Summary
    ▪ The threat is real, keep your Security Posture updated!
    ▪ Why you should segment and segregate your network:
      ▪ Avoid single point of failure
      ▪ Policy of least privilege
      ▪ Slow down the attacker
      ▪ Reduce the damage of a successful breach
    ▪ How to:
      ▪ Segmentation using (V)LANs
      ▪ Traffic segregation using firewall rules
  • 50. Fundamentals of cybersecurity
    ▪ Network-to-Network protection (Recording available at Westermo.com)
      ▪ Best practices for using VPNs for easy network-to-network protection
    ▪ Network segregation (Recording available at Westermo.com shortly)
      ▪ Use WeOS switching routers to create security zones in your network
    ▪ Perimeter protection and spoofing protection (April 17th 09.00 and 15.00 CET)
      ▪ Protect your industrial network from unsolicited requests
  • 51. Thank you for attending!
    ▪ An email will be sent to you including
      ▪ Playback link to the Webinar recording
      ▪ Contact information for your local Westermo dealer
      ▪ Information on how to register for the next webinar
    Next webinar: April 17th, 2019, Perimeter protection and spoofing protection
  • 52. Robust Industrial Data Communications – Made Easy