Understanding IT Network Security for Wireless and Wired Measurement Applications
Charlie Stiernberg
Product Manager, Remote Data Acquisition
National Instruments
Slide 2: Agenda
• Corporate & engineering networks are converging
• Risks & benefits of convergence trend
• Network security technologies
  - IT networking overview
  - Wired security: Firewall, VLAN, QoS
  - Wireless security: 802.11i, 802.15.4/ZigBee
• Pulling it all together
Slide 3: IT & Engineering Network Convergence
Traditional Model – Separate Networks for IT/Corporate & Measurement/Control
Converged Model – Shared Network for IT/Corporate & Measurement/Control
[Figure: Traditional model: HMI, Sensors, Motors and PLC/PAC on a Control Network, joined through a Network Gateway to Back-End Servers and Business Logic. Converged model: HMI, Sensors, Motors, Wireless DAQ, Ethernet DAQ and PAC on one shared network with the Back-End Servers and Business Logic.]
Slide 4: Benefits of a Merged Network
• A merged network provides better visibility into business processes and better system management
  - Lower Total Cost of Ownership
  - Faster Time to Market
  - Better Asset Optimization
  - Broader Risk Management
  - COTS
  - Widely available skills
[Figure: Manufacturing Plantwide Systems and Business Enterprise Systems linked to Customer Demand, Supply Chain Integration, Flexible Manufacturing and Suppliers.]
Slide 5: Risks of a Merged Network
• The Maroochy Shire sewage treatment plant (Australia)
  - Between January and April 2000 the sewage system experienced 47 unexplainable faults
  - Millions of liters of sewage were spilled
• On October 31, 2001 Vitek Boden was convicted of:
  - 26 counts of willfully using a computer to cause damage
  - 1 count of causing serious environmental harm
Slide 6: Security is Key
• To realize the benefits of COTS technology and a combined Enterprise / Engineering network, proper security is critical
[Figure: the same plantwide/enterprise systems diagram as on slide 4.]
Slide 7: IT 101 for Scientists & Engineers
The OSI Model

Data Unit | Layer           | Function
----------+-----------------+------------------------------------------
Host layers
Data      | 7. Application  | Network process to application
Data      | 6. Presentation | Data representation and encryption
Data      | 5. Session      | Inter-host communication
Segment   | 4. Transport    | End-to-end connections and reliability
Media layers
Packet    | 3. Network      | Path determination and logical addressing
Frame     | 2. Data Link    | Physical addressing
Bit       | 1. Physical     | Media, signal, and binary transmission
Slide 8: IT 101 for Scientists & Engineers
• Hub – repeats incoming traffic to all other ports regardless of addressee
• Switch – sends packets to an appropriate destination based on MAC address
• Router (Layer 3 Switch) – routes packets traveling between LANs in a corporate network or between a LAN and the Internet
• WAP – wireless access point provides a wireless extension to the wired network
Slide 9: Security Technologies for Measurement & Control Networks
Wired Networks
• Firewall
• Virtual Local Area Network (VLAN)
• Quality of Service (QoS)
Wireless Networks
• IEEE 802.11i and IEEE 802.1X
• IEEE 802.15.4 and ZigBee
Slide 10: Firewall
• Blocks unauthorized access while permitting outward communication
• Can also permit, deny, encrypt, decrypt, or proxy all traffic between different security domains
Slide 11: Virtual Local Area Networks (VLANs)
• OSI Layer 2 technology
• Switch ports assigned to a VLAN
• Data is only forwarded to ports within the same VLAN
• Broadcasts and multicasts are restricted to their respective VLANs
• A Layer 3 device (router or Layer 3 switch) can pass messages between different VLANs
[Figure: a switch whose ports 1 to 5 are assigned across VLAN 1, VLAN 2 and VLAN 3.]
Slide 12: VLAN Best Practices
• Logically segment networks (i.e., instrumentation VLAN vs. enterprise VLAN)
• Assign VLANs to devices when traffic patterns are known
• Limit the flow of producer/consumer traffic outside of required devices
• Use a Layer 3 switch or router to exchange data between VLANs
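The forwarding rules of slides 11 and 12 as a small port-based (static) VLAN switch model. This is an added example, not code from the deck or from National Instruments; the port-to-VLAN assignment for the figure and the MAC addresses are constructed for the demonstration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit (low bit of the first octet) set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class VlanSwitch:
    """Port-based VLAN switch: a frame never leaves the VLAN of the port it arrived on."""

    def __init__(self, port_vlan):
        self.port_vlan = dict(port_vlan)   # port number -> VLAN id
        self.mac_table = {}                # (vlan, mac) -> port, learned from source addresses

    def members(self, vlan, exclude=None):
        return sorted(p for p, v in self.port_vlan.items() if v == vlan and p != exclude)

    def forward(self, in_port, src, dst):
        """Return the egress ports for a frame arriving on in_port from src to dst."""
        vlan = self.port_vlan[in_port]
        # Learning is scoped to the VLAN: the same MAC seen in another VLAN is a separate entry
        self.mac_table[(vlan, src)] = in_port
        if is_group_address(dst):
            return self.members(vlan, exclude=in_port)   # broadcast/multicast stays in the VLAN
        out = self.mac_table.get((vlan, dst))
        if out is None:
            return self.members(vlan, exclude=in_port)   # unknown unicast: flood within the VLAN only
        return [] if out == in_port else [out]           # known unicast: a single port, same VLAN


# Constructed assignment for the slide's figure (ports 1-5 across VLAN 1, 2 and 3);
# the slide shows the labels but not which port belongs to which VLAN.
PORT_VLAN = {1: 1, 2: 1, 3: 2, 4: 2, 5: 3}
DAQ = "02:00:00:00:00:01"          # instrumentation VLAN (VLAN 1), port 1
HMI = "02:00:00:00:00:02"          # instrumentation VLAN (VLAN 1), port 2
PLC = "02:00:00:00:00:03"          # VLAN 2, port 3
ENTERPRISE = "02:00:00:00:00:05"   # enterprise VLAN (VLAN 3), port 5


def demo():
    """Walk four frames through the switch and report where each one goes."""
    sw = VlanSwitch(PORT_VLAN)
    results = {}
    results["broadcast from DAQ on port 1"] = sw.forward(1, DAQ, BROADCAST)     # only port 2
    results["HMI reply on port 2 to DAQ"] = sw.forward(2, HMI, DAQ)              # learned: port 1
    results["enterprise host on port 5 to DAQ"] = sw.forward(5, ENTERPRISE, DAQ)  # nowhere: VLAN 3 only
    results["PLC on port 3 to DAQ"] = sw.forward(3, PLC, DAQ)                    # flooded in VLAN 2: port 4
    return results
```

The last two frames show why slide 12 calls for a Layer 3 device: without routing, a host in VLAN 2 or VLAN 3 cannot reach the DAQ in VLAN 1 at all.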
Slide 13: Quality of Service (QoS)
• Intended to overcome traffic congestion for critical applications
• Used heavily in VoIP applications
• Not originally designed for network security
• Combine with VLANs to help mitigate denial of service (DoS) attacks or other network abnormalities
• Packets are “tagged” and routed at the switch level based on priority
[Figure: network bandwidth shared by YouTube, Instrumentation and Oracle traffic, before QoS and after QoS.]
Slide 14: IEEE 802.11 Overview
• “Wireless Ethernet”
• High bandwidth for streaming / waveform measurements
• 10+ years in the IT sector

Version  | Released | Frequency | Max PHY Rate | Max TCP Rate
802.11   | 1997     | 2.4 GHz   | 2 Mb/s       | 1 Mb/s
802.11b  | 1999     | 2.4 GHz   | 11 Mb/s      | 14.4 Mb/s
802.11a  | 1999     | 5 GHz     | 54 Mb/s      | 24.4 Mb/s
802.11g  | 2003     | 2.4 GHz   | 54 Mb/s      | 24.4 Mb/s
802.11n  | 2009?    | 2.4 GHz   | ~540 Mb/s    | ~100 Mb/s
Slide 15: IEEE 802.11 (Wi-Fi) Security
• Three levels of IEEE 802.11 security
  - WEP (weak)
  - WPA (ok)
  - WPA2 (best), IEEE 802.11i
• IEEE 802.11i security has two key components
  - Encryption = data protection
  - Authentication = access control
Slide 16: Encryption
• TKIP = Temporal Key Integrity Protocol (WPA)
• AES = Advanced Encryption Standard (WPA2)
  - NIST-endorsed standard for government agencies
  - FIPS-approved (FIPS 197): http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

Time required for exhaustive key search (brute-force attack)

Key size (bits) | Number of alternative keys | Time required at 1 decryption/µs | Time required at 10^6 decryptions/µs
32              | 2^32 = 4.3 x 10^9          | 35.8 minutes                     | 2.15 milliseconds
56              | 2^56 = 7.2 x 10^16         | 1,142 years                      | 10 hours
128             | 2^128 = 3.4 x 10^38        | 5.4 x 10^24 years                | 5.4 x 10^18 years
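A worked check of the table above: its times correspond to trying half of the 2^n keys on average at the stated rate, converted to the unit the slide uses. This is an added example, not part of the original deck.

```python
import math

US_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def expected_search_seconds(key_bits, decryptions_per_us):
    """Expected brute-force time for an n-bit key: on average half of the 2^n keys are tried."""
    keys_tried = 2 ** (key_bits - 1)
    return keys_tried / decryptions_per_us / US_PER_SECOND


def human_time(seconds):
    """Format the way the slide's table does: milliseconds, minutes, hours or years."""
    if seconds < 1:
        return f"{seconds * 1000:.2f} milliseconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 3600:.0f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1e6:
        return f"{years:,.0f} years"
    exponent = math.floor(math.log10(years))      # scientific notation as "m x 10^e"
    return f"{years / 10 ** exponent:.1f} x 10^{exponent} years"


def key_search_table(key_sizes=(32, 56, 128), rates=(1, 10 ** 6)):
    """Return {key_bits: [formatted time at each rate]}, reproducing the slide's table."""
    return {n: [human_time(expected_search_seconds(n, r)) for r in rates] for n in key_sizes}
```

Each extra key bit doubles the expected time, which is why the jump from 56 to 128 bits moves the result from hours to astronomical figures even at a million decryptions per microsecond.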
Slide 18: Authentication
• Three players in 802.11i authentication
  - Supplicant = client trying to access network (Wi-Fi DAQ)
  - Authenticator = WAP hardwired to secured network
  - Authentication Server = verifies identity of client
[Figure: Supplicant, Authenticator and Authentication Server, left to right.]
Slide 19: IEEE 802.1X Port-Controlled Authentication
[Figure: the authenticator has an Uncontrolled Port and a Controlled Port. Before authentication: 802.1X traffic passes through the uncontrolled port, non-802.1X traffic is blocked at the controlled port. After authentication: 802.1X traffic still uses the uncontrolled port, and non-802.1X traffic is passed through the controlled port for an authenticated supplicant while a denied supplicant remains blocked.]
Slide 20: 802.1X Message Flow
[Figure: message sequence between Supplicant, Authenticator and Authentication Server; the Supplicant–Authenticator leg is 802.1X, the Authenticator–Server leg is the 802.1X Backend EAP Transport.]
• Authenticator → Supplicant: 802.1X (EAP-Request Identity)
• Supplicant → Authenticator: 802.1X (EAP-Response Identity)
• Authenticator → Authentication Server: EAP Transport (EAP-Response Identity)
• Supplicant ↔ Authentication Server: EAP-specific (mutual) authentication
• Supplicant and Authentication Server each derive the Pairwise Master Key (PMK)
• Authentication Server → Authenticator: EAP Transport (EAP-Success, PMK)
• Authenticator → Supplicant: 802.1X (EAP-Success)
Slide 21: EAP = Extensible Authentication Protocol
• EAP is a framework with different implementations
• ~40 different EAP methods
• Some require passwords/user credentials (PEAP)
• Some require client-side and/or server-side certificates (EAP-TLS)
• EAP can provide mutual authentication for the network and the supplicant
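The port-controlled flow of slides 19 through 21 as a runnable model: the authenticator relays EAP over its uncontrolled port, the backend server performs the method-specific mutual authentication, and the controlled port opens only on EAP-Success. This is an added example, not code from the deck; the keyed challenge/response is a constructed stand-in for a real EAP method such as PEAP or EAP-TLS, and the identity, credential and derivation labels are assumptions.

```python
import hashlib
import hmac
import secrets

EAPOL = "802.1X"   # EAP over LAN: the only traffic the uncontrolled port admits
DATA = "data"      # ordinary (non-802.1X) traffic, subject to the controlled port


def mac(key, *parts):
    """Keyed tag over the concatenated parts (HMAC-SHA256)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()


class AuthServer:
    """Backend authentication server holding each supplicant's credential (stand-in for RADIUS)."""

    def __init__(self, credentials):
        self.credentials = credentials      # identity -> shared credential (constructed)

    def start(self, identity):
        # Fresh challenge per session: the supplicant proves it knows the credential without sending it
        self.identity, self.challenge = identity, secrets.token_bytes(16)
        return self.challenge

    def finish(self, response, client_nonce):
        key = self.credentials.get(self.identity)
        if key is None or not hmac.compare_digest(response, mac(key, b"client", self.challenge)):
            return None                                     # EAP-Failure
        proof = mac(key, b"server", client_nonce)           # lets the supplicant authenticate the network
        pmk = mac(key, b"PMK", self.challenge, client_nonce)
        return proof, pmk                                   # EAP-Success + PMK on the backend transport


class Supplicant:
    def __init__(self, identity, key):
        self.identity, self.key, self.pmk = identity, key, None

    def respond(self, challenge):
        self.challenge, self.nonce = challenge, secrets.token_bytes(16)
        return mac(self.key, b"client", challenge), self.nonce

    def verify_server(self, proof):
        if not hmac.compare_digest(proof, mac(self.key, b"server", self.nonce)):
            return False                                    # network failed mutual authentication
        self.pmk = mac(self.key, b"PMK", self.challenge, self.nonce)   # same derivation as the server
        return True


class Authenticator:
    """The access point: relays EAP and authorizes the controlled port only on EAP-Success."""

    def __init__(self, server):
        self.server, self.authorized, self.pmk = server, False, None

    def port_filter(self, frame_type):
        if frame_type == EAPOL:
            return "pass"                                   # uncontrolled port: always open for 802.1X
        return "pass" if self.authorized else "blocked"     # controlled port: gated on authentication

    def authenticate(self, supplicant):
        identity = supplicant.identity                      # EAP-Request/Response Identity over 802.1X
        challenge = self.server.start(identity)             # forwarded on the backend EAP transport
        response, client_nonce = supplicant.respond(challenge)
        result = self.server.finish(response, client_nonce)
        if result is None:
            return False                                    # denied supplicant stays blocked
        proof, self.pmk = result                            # EAP-Success, PMK from the server
        if not supplicant.verify_server(proof):
            return False
        self.authorized = True                              # 802.1X (EAP-Success): controlled port opens
        return True


def run_demo(credential=b"correct-key", presented=b"correct-key"):
    """Return (authenticated, data port before, data port after, both sides hold the same PMK)."""
    ap = Authenticator(AuthServer({"wifi-daq-01": credential}))
    sta = Supplicant("wifi-daq-01", presented)
    before = ap.port_filter(DATA)
    ok = ap.authenticate(sta)
    return ok, before, ap.port_filter(DATA), bool(ok and ap.pmk == sta.pmk)
```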
Slide 22: IEEE 802.15.4 Overview
[Figure: protocol stack, top to bottom, with the body responsible for each layer]
  Application                                  – End User
  ZigBee Application Layer (APL)               – ZigBee Alliance
  ZigBee Network Layer (NWK)                   – ZigBee Alliance
  802.15.4 Medium Access Control Layer (MAC)   – IEEE 802.15.4
  802.15.4 Physical Layer (PHY)                – IEEE 802.15.4
  ZigBee Security Service Provider (alongside the ZigBee APL and NWK layers)
Slide 23: IEEE 802.15.4 Security
• Security services defined in the MAC layer
• Access Control List (ACL) Mode
  - The MAC maintains a list of hardware device addresses with which it will communicate
• Secured Mode adds…
  - AES encryption up to 128 bits
  - Frame integrity with message integrity code (MIC)
  - Sequential freshness appends values to the MAC frame to prevent replay attacks
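The receive-side checks of slide 23 as a model: ACL membership, MIC verification, and sequential freshness via a per-source frame counter. This is an added example, not from the deck; an HMAC-SHA256 tag stands in for the AES-CCM MIC that 802.15.4 actually uses, the payload is left unencrypted, and the key and device addresses are constructed.

```python
import hashlib
import hmac


def frame_mic(key, src, counter, payload):
    """MIC stand-in: keyed hash over source address, frame counter and payload.
    Truncated to 8 bytes, one of the MIC lengths 802.15.4 allows (real MACs use AES-CCM)."""
    data = src.to_bytes(8, "big") + counter.to_bytes(4, "big") + payload
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def build_frame(key, src, counter, payload):
    """Sender side: attach the freshness value (frame counter) and the MIC to the frame."""
    return {"src": src, "counter": counter, "payload": payload,
            "mic": frame_mic(key, src, counter, payload)}


class SecuredMacReceiver:
    """Receiver running ACL mode plus the Secured Mode integrity and freshness checks."""

    def __init__(self, acl, key):
        self.acl = set(acl)            # 64-bit hardware addresses this MAC will talk to
        self.key = key
        self.highest_counter = {}      # per source: highest frame counter accepted so far

    def accept(self, frame):
        src = frame["src"]
        if src not in self.acl:
            return "rejected: source not in ACL"
        expected = frame_mic(self.key, src, frame["counter"], frame["payload"])
        if not hmac.compare_digest(expected, frame["mic"]):
            return "rejected: MIC mismatch (frame modified or wrong key)"
        # Sequential freshness: a counter not above the last accepted one is a replay or stale frame
        if frame["counter"] <= self.highest_counter.get(src, -1):
            return "rejected: replayed or stale frame counter"
        self.highest_counter[src] = frame["counter"]
        return "accepted"


# Constructed key and addresses for the demonstration
KEY = bytes(range(16))             # 128-bit key shared by the sensor node and the receiver
SENSOR = 0x0013A20012345678        # node on the ACL
UNKNOWN = 0x0013A200AABBCCDD       # node that is not on the ACL


def demo():
    """Feed five frames to the receiver and return the verdict on each, in order."""
    rx = SecuredMacReceiver(acl=[SENSOR], key=KEY)
    good = build_frame(KEY, SENSOR, 1, b"temp=21.5")
    verdicts = [rx.accept(good)]                                        # fresh, valid: accepted
    verdicts.append(rx.accept(good))                                    # same counter again: replay
    tampered = dict(good, counter=2, payload=b"temp=99.9")              # edited, MIC not recomputed
    verdicts.append(rx.accept(tampered))                                # MIC mismatch
    verdicts.append(rx.accept(build_frame(KEY, UNKNOWN, 1, b"x")))      # not on the ACL
    verdicts.append(rx.accept(build_frame(KEY, SENSOR, 2, b"temp=21.7")))  # next counter: accepted
    return verdicts
```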
Slide 24: ZigBee Overview
• ZigBee Coordinator – starts and controls the network
• ZigBee Routers – extend network coverage
• ZigBee End Devices – transmit/receive messages
[Figure: Star, Tree and Mesh topologies, each rooted at a ZigBee Coordinator (ZC) with ZigBee Routers (ZR) extending it.]
Slide 25: ZigBee Security
• ZigBee security builds on IEEE 802.15.4
  - Application and Network Layer security
  - Key management for encryption and authentication
• ZigBee Trust Center
  - Authenticates joining devices
  - Manages key distribution in the network
• Standard Security Mode
• High Security Mode
Slide 26: ZigBee Security Keys
Keys are used for encryption & authentication
• Network Keys
  - All devices on a ZigBee network share the same key
• Link Keys
  - Secure unicast messages between two devices
• Master Keys
  - Used as an initial shared secret between two devices to perform SKKE (Symmetric-Key Key Establishment) to generate a link key
Slide 27: ZigBee Commissioning & Security
• Standard security
  - Preconfigured with active network key
  - Preconfigured with a Trust Center link key and address
• High security
  - Preconfigured with a Trust Center master key and address
• Not preconfigured (not recommended)
Slide 28: Pulling it All Together
• Logically segmented network (NIST SP 800-82)
• Firewalls & VLANs
• Demilitarized Zone (DMZ)
• QoS for reliability
• Wireless link encryption & authentication
[Figure: zones from the inside out: Measurement & Control Network, DMZ, Enterprise, Internet.]
Slide 29: Summary
• Common COTS technology shared between IT and engineering departments can realize great cost savings and process efficiency
• Standards-based network security is a key component for the viability of any wired or wireless measurement system
• Proper planning and communication will lead to long-term gains
Slide 30: For More Information
Charlie Stiernberg
charlie.stiernberg@ni.com
ni.com/wifi

Editor's Notes

  • #3 Layer 3 switch vs. a router: the difference is just in the hardware implementation. http://compnetworking.about.com/od/hardwarenetworkgear/f/layer3switches.htm
  • #4 The COTS technology trend has led to the convergence of previously disparate groups.
  • #5 Proven technologies that are simpler to integrate, require widely available skills, and are secure and reliable. Save money by moving away from expensive, closed, factory-floor-optimized networks. In other words, better visibility and better management.
  • #6 On April 23, 2000 Vitek Boden was arrested with stolen radio equipment, controller programming software on a laptop and a fully operational controller. The facts of the case: Vitek worked for the contractor involved in the installation of the Maroochy Shire sewage treatment plant. Vitek left the contractor in December 1999 and approached the shire for employment. He was refused. Between Jan and Apr 2000 the sewage system experienced 47 unexplainable faults, causing millions of liters of sewage to be spilled. http://www.cso.com.au/article/151361/utility_hack_led_security_overhaul
    System downtime = lost $$; loss of critical data; outages; performance degradation; regulated products mean loss of data is critical; loss of customer satisfaction; noncompliance penalties; corporate image.
    Threats: malware (viruses, worms, trojan horses); distributed DoS; eavesdropping; unauthorized access; bandwidth/jitter (the YouTube effect).
  • #9 Hub – collects incoming traffic (TCP/IP packets) from each port and repeats the traffic to all other ports, whether the traffic is addressed to those ports or not. Switch – inspects each incoming TCP/IP packet before sending it to an appropriate destination, based on its media access control (MAC) address. Router (Layer 3 Switch) – serves as an intermediate destination for packets traveling between LANs in a corporate network or between a LAN and the Internet. WAP – wireless access point provides a wireless extension to the wired network.
  • #11 Need to talk about stateful packet inspection, etc. A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting outward communication. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.
  • #12 VLANs divide physical networks into smaller logical networks to increase performance, improve manageability, and simplify network design. VLANs are achieved through configuration of Ethernet switches. Each VLAN consists of a single broadcast domain that isolates traffic from other VLANs. Just as replacing hubs with switches reduces collisions, using VLANs limits the broadcast traffic, as well as allowing logical subnets to span multiple physical locations. There are two categories of VLANs:
    - Static, often referred to as port-based, where switch ports are assigned to a VLAN so that it is transparent to the end user
    - Dynamic, where an end device negotiates VLAN characteristics with the switch or determines the VLAN based on the IP or hardware addresses
    Although more than one IP subnet may coexist on the same VLAN, the general recommendation is to use a one-to-one relationship between subnets and VLANs. This practice requires the use of a router or multi-layer switch to join multiple VLANs. Many routers and firewalls support tagged frames so that a single physical interface can be used to route between multiple logical networks. VLANs are not typically deployed to address host or network vulnerabilities in the way that firewalls or IDSs are. However, when properly configured, VLANs do allow switches to enforce security policies and segregate traffic at the Ethernet layer. Properly segmented networks can also mitigate the risks of broadcast storms that may result from port scanning or worm activity.
    VLAN is a Layer 2/Ethernet concept. Ports on a switch are assigned to a VLAN. Switch interconnections are “trunk” ports that carry multiple VLANs. Data is only forwarded to ports within the same VLAN. Broadcasts and multicasts are restricted to their respective VLANs. A Layer 3 device (router or Layer 3 switch) can pass messages between different VLANs. Router: subnets, IP. Switch: VLAN, MAC.
  • #14 Mostly used (traditionally) for VoIP… why? Because it needs low latency; it’s important, time-critical data. Is this not also true of instrumentation? Points of aggregation: links and buffers, points of substantial speed mismatch. Transmit buffers tend to fill; buffering reduces loss but introduces delay.
  • #16 Speak their language. Caterpillar.
  • #17 1 decryption/µs = ok, today’s machine; 10^6 decryptions/µs = massively parallel organizations of microprocessors. For effective protection of wireless data transmissions, a Wi-Fi network must have a strong encryption algorithm (cipher) and some form of key management. Two encryption standards are widely used today with Wi-Fi networks: TKIP and AES. The IEEE 802.11i task group introduced the Temporal Key Integrity Protocol (TKIP) with WPA as a stop gap for existing WEP networks. Access points and clients can upgrade from WEP to WPA/TKIP with a simple firmware or software change. One advantage of TKIP over WEP is that it uses a 128-bit key versus a 40-bit key, though the encryption algorithm (RC4) is still the same. The more significant difference is that TKIP uses a different key for every message packet, hence the name “temporal.” This key is created dynamically by mixing a known pairwise transient key (PTK) with the MAC address of the client and a serial number for each packet. The PTK is created when a client connects to an access point using a preshared key (a passphrase that is known to all network members) and a random number generator. The serial number is incremented each time a new packet is sent. This means that replay attacks are impossible, because the same key is never used from one packet to the next. An access point can detect when an attacker attempts to replay old packets.
  • #18 As the final security solution, the IEEE 802.11i task group chose the Advanced Encryption Standard (AES) as the preferred encryption algorithm for Wi-Fi networks. Unlike TKIP, AES requires hardware upgrades for most WEP installations, because the cryptographic algorithm is more processor intensive. AES uses a 128-bit cipher that is significantly more difficult to crack than the RC4 algorithm used by TKIP and WEP. In fact, the National Institute of Standards and Technology (NIST) chose AES as the encryption standard required for all US government agencies. (FIPS publication 197 describes these requirements in detail.) Any wireless data acquisition application for the government or military will likely have to use AES to transmit data. http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
    In 1999, the Electronic Frontier Foundation’s “Deep Crack” machine, in combination with distributed.net, successfully solved RSA’s DES Challenge III in 22 hours and 15 minutes. DES challenge: $10,000; 28 January 1997, 9 am PST to 17 June 1997, 10:40 pm PST; 140 days.
    AES: NIST standard; supports 128, 192 and 256-bit key sizes; result of a selection process in which the world’s cryptographic community participated; the Rijndael algorithm was selected as the AES algorithm in 2001; fast implementations in both software and hardware; small memory footprint.
  • #19 When there’s no RADIUS server (WPA2-PSK), the access point serves both roles (simplifies setup).
  • #20 When we speak to someone on the phone, we rely on our recognition of the person’s voice on the other end of the phone. Our conversations are based on trusting our ability to identify the other party. When we speak to someone for the first time, we want to get information from them before we divulge any information. We might ask them their name, why they are calling, and even how they discovered our phone number. The world of WLAN communication is no different. Wireless network administrators needed a means by which to ensure that wireless clients could authenticate themselves to access points.
  • #21 When a supplicant requests access to a network, the authenticator provides access to uncontrolled ports for authentication. The authenticator forwards the access request to the authentication server, which either accepts or denies access to the supplicant. The authenticator forwards the response from the authentication server to the supplicant and either grants access to controlled ports or continues to block a denied supplicant. A successful authentication process results in a pairwise master key (PMK) used to encrypt wireless traffic. The details of this exchange depend on which Extensible Authentication Protocol (EAP) method the network supports.
  • #22 EAP is an authentication framework, not a specific authentication mechanism. There are tradeoffs for each, but ultimately it is the job of the IT department to decide what works best for them… we can handle the most common types. Some require client-side, others are server-side. The standard leaves the upper-layer authentication choice up to the enterprise. Enterprises must make a decision based on many different factors including, but not limited to, interoperability, cost, and administrative overhead. While the Wi-Fi Alliance has made no attempts to hide their recommendation of implementing EAP-TLS for upper-layer authentication, the 802.11i task force has stayed away from making such recommendations.
  • #24 AES-CCM-128. 802.15.4 stops short of defining cryptographic key management….
  • #25 Coordinator: this device starts and controls the network. The coordinator stores information about the network, which includes acting as the Trust Center and being the repository for security keys. Router: these devices extend network area coverage, dynamically route around obstacles, and provide backup routes in case of network congestion or device failure. They can connect to the coordinator and other routers, and also support child devices. End Devices: these devices can transmit or receive a message, but cannot perform any routing operations. They must be connected to either the coordinator or a router, and do not support child devices.
  • #29 ISA SP99