8 network security - klinkmannmedia.klinkmann.fi/pdf/fi/training/8_network_security.pdf


Upload: phamdang

Post on 19-Apr-2018


Network Security

Tampere Seminar

23rd October 2008

Copyright © 2008 Hirschmann Automation and Control GmbH.

Contents

Overview

Switch Security

Firewalls

Conclusion


Information Security

Definition:

“A collection of measures adopted to prevent unauthorized use, malicious use, denial of use, or modification of information, facts, data, or resources....”

The Threats

• Components in a plant environment are more and more interconnected
• Plant environments are increasingly open to external influences
• Attacks are simple to instigate using standard tools, which are always up to date
• Protocols (TCP/IP) and networks (Ethernet) are vulnerable
• Attacks are difficult to trace

Attacks

• Attacks have different purposes:
– System intrusion (hacking)
– Destruction / sabotage / terrorism
– Fraud
– Theft of information
– Web site attack
– Revenge
– Accidental manipulation

Forms of Attack

• Denial of Service (DoS)
– Virus / Trojan Horse / Worms
– Network saturation (TCP SYN, ICMP, …)
– System weaknesses, TCP/IP

• Access Attacks
– Social engineering, physical access
– Password breaking
– Impersonation, spoofing

• Collection of information / probing
– Capturing, Sniffing
– Probing TCP, ICMP

Business Strategy Survey

What percentage of network security attacks do you believe originate from inside or outside of your company?

(Pie chart: answer categories Inside, Outside and Don't know; values shown on the chart: 13%, 4%, 13%, 83%)

Source: AT&T/Economist Intelligence Unit Networking and Business Strategy Survey, March-April 2004

Nessus

Nessus is the world's most popular vulnerability scanner

Used in over 75,000 organizations world-wide.

SCADA Plug-in

CERN SCADA Testing – Switzerland

Results of 51 different TOCSSiC* tests on networked industrial control devices – mainly PLCs – using Netwox and Nessus

(Chart: Netwox – Denial of Service Attack; Nessus – Vulnerability Attack)

Source: The Industrial Ethernet Book, November 2006

* Test stand On Control System Security program in CERN


Physical Access

Physical Access – M12 Connectors

Unused Ports

Unused ports can be switched off

No access possible to network

Port Security

Network access via a port can be limited to a specific device:
– MAC address
– IP address

Access violation:
– Warning message to Management Station
– Port can be automatically switched off
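The port security behaviour described on the two slides above (unused ports switched off; a port bound to one device by MAC and optionally IP; a violation raising a warning to the management station and optionally disabling the port), worked through as a small model. This is an added example, not Hirschmann code or any switch's actual implementation; the port names, MAC addresses, IP addresses and frames are constructed sample data.

```python
"""Added example (not Hirschmann code): a model of switch port security.

Each access port is bound to one permitted device, identified by MAC
address and optionally by IP address. A frame from any other device is an
access violation: the switch sends a warning to the management station
and, if configured to, switches the port off. Unused ports start disabled.
All port names, addresses and frames below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    allowed_mac: Optional[str] = None   # None = no device bound (unused port)
    allowed_ip: Optional[str] = None    # optional second binding
    enabled: bool = True
    shutdown_on_violation: bool = True
    violations: int = 0


@dataclass
class Switch:
    ports: dict = field(default_factory=dict)
    alarms: list = field(default_factory=list)  # warnings for the management station

    def add_port(self, port: Port) -> None:
        self.ports[port.name] = port

    def ingress(self, port_name: str, src_mac: str, src_ip: Optional[str] = None) -> str:
        """Decide what happens to one frame received on a port.

        Returns 'forward', 'drop' (violation, port stays up) or
        'port-disabled' (port is, or has just been, switched off).
        """
        port = self.ports[port_name]
        if not port.enabled:
            return "port-disabled"
        mac_ok = port.allowed_mac is not None and src_mac.lower() == port.allowed_mac.lower()
        ip_ok = port.allowed_ip is None or src_ip == port.allowed_ip
        if mac_ok and ip_ok:
            return "forward"
        # Access violation: alert the management station, then optionally shut the port.
        port.violations += 1
        self.alarms.append(f"{port_name}: access violation, src_mac={src_mac} src_ip={src_ip}")
        if port.shutdown_on_violation:
            port.enabled = False
            self.alarms.append(f"{port_name}: port switched off after violation")
            return "port-disabled"
        return "drop"


def build_demo_switch() -> Switch:
    """Constructed configuration: one PLC port, one HMI port, one unused port."""
    sw = Switch()
    sw.add_port(Port("1/1", allowed_mac="02:00:00:00:00:01", allowed_ip="10.10.10.44"))
    sw.add_port(Port("1/2", allowed_mac="02:00:00:00:00:02", shutdown_on_violation=False))
    sw.add_port(Port("1/3", enabled=False))  # unused port, switched off
    return sw


def run_demo(sw: Switch) -> list:
    """Feed constructed frames through the switch and return the decisions."""
    frames = [
        ("1/1", "02:00:00:00:00:01", "10.10.10.44"),  # bound PLC: forwarded
        ("1/1", "02:00:00:00:00:01", "10.10.10.99"),  # right MAC, wrong IP: violation, port off
        ("1/1", "02:00:00:00:00:01", "10.10.10.44"),  # even the bound device is now blocked
        ("1/2", "02:00:00:00:00:ee", None),           # foreign MAC on HMI port: dropped, port stays up
        ("1/2", "02:00:00:00:00:02", None),           # bound HMI still works
        ("1/3", "02:00:00:00:00:03", None),           # unused port: nothing gets in
    ]
    return [sw.ingress(*f) for f in frames]


if __name__ == "__main__":
    switch = build_demo_switch()
    for decision in run_demo(switch):
        print(decision)
    print("\n".join(switch.alarms))
```

The third frame shows the operational side of automatic shutdown: once a port has been switched off after a violation, the legitimate device behind it is cut off too until someone at the management station re-enables the port, which is why the warning message matters as much as the shutdown.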

802.1X Authentication – RADIUS

(Diagram: client, switch and RADIUS server; the switch acts as the RADIUS client.)

1. User requests authentication
2. Switch requests proof of identity from client
3. Client gives switch proof of identity
4. Switch forwards proof of identity to RADIUS
5. RADIUS requests challenge from client
6. RADIUS request is forwarded from switch to client
7. Client gives challenge to switch
8. Switch forwards challenge to RADIUS
9. RADIUS checks challenge and sends response
10. RADIUS response is forwarded from switch to client, activation of controlled port
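The ten-step exchange above, played out between the three parties as an added example (not Hirschmann code or a real 802.1X stack). The slide does not name the EAP method, so the proof step here is an assumed generic HMAC-SHA256 over a random challenge with a per-user secret; the class names, user identities and secrets are constructed. What the model does show is the role split: the switch only relays messages and keeps the controlled port closed until the server's verdict arrives in step 10.

```python
"""Added example (not Hirschmann code): the ten-step 802.1X/RADIUS flow from
the slide, modelled as a challenge-response between three parties.

The slide does not name the EAP method, so the proof step here is a generic
HMAC-SHA256 over a random challenge with a per-user secret (an assumption);
real deployments carry an EAP method in EAP over LAN and RADIUS.
The switch is the RADIUS client: it relays messages and keeps the controlled
port closed until the server accepts. Users and secrets are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class RadiusServer:
    def __init__(self, users: Dict[str, bytes]):
        self.users = users                     # identity -> shared secret
        self.pending: Dict[str, bytes] = {}    # identity -> outstanding challenge

    def challenge(self, identity: str) -> Optional[bytes]:
        """Step 5: issue a fresh random challenge, or None for an unknown user."""
        if identity not in self.users:
            return None
        self.pending[identity] = secrets.token_bytes(16)
        return self.pending[identity]

    def check(self, identity: str, response: bytes) -> bool:
        """Step 9: verify the client's answer to the outstanding challenge."""
        chal = self.pending.pop(identity, None)
        if chal is None:
            return False
        expected = hmac.new(self.users[identity], chal, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Supplicant:
    """The user's device requesting network access."""
    def __init__(self, identity: str, secret: bytes):
        self.identity, self.secret = identity, secret

    def identity_response(self) -> str:                  # step 3
        return self.identity

    def challenge_response(self, chal: bytes) -> bytes:  # step 7 ("gives challenge to switch")
        return hmac.new(self.secret, chal, hashlib.sha256).digest()


class Authenticator:
    """The switch: RADIUS client and owner of the controlled port."""
    def __init__(self, radius: RadiusServer):
        self.radius = radius
        self.controlled_port_open = False
        self.log: List[str] = []

    def authenticate(self, client: Supplicant) -> bool:
        self.log.append("1 client requests authentication")
        self.log.append("2 switch asks client for proof of identity")
        identity = client.identity_response()
        self.log.append(f"3 client identity: {identity}")
        self.log.append("4 switch forwards identity to RADIUS")
        chal = self.radius.challenge(identity)
        if chal is None:
            self.log.append("5 RADIUS rejects unknown identity")
            self.controlled_port_open = False
            return False
        self.log.append("5/6 RADIUS challenge relayed by switch to client")
        response = client.challenge_response(chal)
        self.log.append("7/8 client response relayed by switch to RADIUS")
        accepted = self.radius.check(identity, response)
        self.log.append("9 RADIUS verdict: " + ("accept" if accepted else "reject"))
        # Step 10: only an accept from the server opens the controlled port.
        self.controlled_port_open = accepted
        self.log.append("10 controlled port " + ("activated" if accepted else "stays closed"))
        return accepted


def demo() -> dict:
    """Constructed users: one correct secret, one wrong secret, one unknown user."""
    server = RadiusServer({"plc-maint": b"correct-secret", "hmi-01": b"hmi-secret"})
    results = {}
    for name, identity, secret in [("good", "plc-maint", b"correct-secret"),
                                   ("bad-secret", "hmi-01", b"guess"),
                                   ("unknown", "nobody", b"x")]:
        sw = Authenticator(server)
        results[name] = (sw.authenticate(Supplicant(identity, secret)), sw.controlled_port_open)
    return results


if __name__ == "__main__":
    for name, (ok, port_open) in demo().items():
        print(f"{name}: accepted={ok} controlled_port_open={port_open}")
```

Because the switch never learns the user's secret, a compromised or misconfigured switch cannot authenticate anyone on its own; the decision stays with the RADIUS server, and the switch's log of the ten steps is what an operator would correlate with the server's accounting records.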

Physical LAN

Virtual LANs

Multiple VLANs per Switch

Management VLAN

Access To Network Devices

• SNMPv1 / SNMPv2 / SNMPv3
• Telnet / SSH
• Web Interface

Acronyms:
SNMP – Simple Network Management Protocol
SSH – Secure Shell


What is a Firewall?

A firewall is a system or group of systems that enforces an access control policy between two networks.

(Diagram: Internet – External Firewall – DMZ – Internal Firewall – Private Network)

Functions

Basic
– Protects against attacks from insecure networks
– Hides the internal network structure

Advanced
– Access control: when and how computers may communicate with each other
– User control: which users can access which services
– Protocol and Services control: which protocols and services can run over which ports
– Data control: which data can be transmitted and received
– Logging, Accounting, and Auditing
– Alarming during attacks and failures

Limitations

A firewall offers limited or no protection against:
– Internal attacks
– Social engineering attacks
– Attacks over permitted connections
– Malware such as Trojans, Viruses, Spyware, Phishing, or damaging active components (ActiveX, Java Applets, JavaScript)
– Passive attacks (Sniffing the LAN, traffic analysis, etc.)
– Improper use of mobile computers
– Removable media

Dual-homed Firewall

Firewall with 2 Ethernet ports:
– one for the secure network
– one for the insecure network

(Diagram: Internet – Firewall – Private Network)

Multi-homed Firewall with DMZ

Firewall with 3 or more ports:
– one for the secure network
– one for the insecure network
– one for the DeMilitarised Zone

(Diagram: Internet, DMZ and Private Network each on their own firewall port)

Screened Subnet

Deployment of two firewalls, one either side of the DMZ

(Diagram: Internet – External Firewall – DMZ – Internal Firewall – Private Network)

High Security Firewall System

Deployment of three firewalls

Recommended by the BSI (German Federal Office for Information Security)

(Diagram: Internet – Packet Filter – Application Filter – Packet Filter – Private Network, with a DMZ)

Firewalls and the OSI Model

Application – Proxies
Presentation
Session
Transport – Stateful Inspection
Network – Packet Filter
Data link
Physical

Stateful Inspection

Communication is analyzed at Layer 4 (Transport)

The firewall maintains a table of which devices are communicating

Data is only allowed through the firewall from the insecure network if it has been requested from the secure network.

Advantages
– The status of the connection is checked
– Cheaper and faster than Application Layer Firewalls

Disadvantage
– The data inside the packet is not checked

Stateful Inspection

(Diagram: Insecure | Firewall | Secure. A request from the secure side passes and its response from the insecure side is let back through; a request originating on the insecure side is blocked (X).)
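The stateful inspection rule on the two slides above (a table of connections opened from the secure side; inbound data allowed only if it answers an entry in that table; payload never examined), worked through as an added example that is not Hirschmann code. The `Packet` and `StatefulFirewall` names, the addresses and the packet sequence are constructed; the FIN handling is an assumption about how an entry leaves the table, not something the slide specifies.

```python
"""Added example (not Hirschmann code): a minimal stateful inspection filter.

The firewall sits between a secure (inside) and an insecure (outside) network
and works on Layer 4 addressing only. It keeps a table of connections opened
from the secure side; a packet arriving from the insecure side is forwarded
only if it answers an entry in that table. Payloads are never looked at,
which is exactly the limitation the slide names. All packets are constructed.
"""
from typing import Dict, List, NamedTuple, Tuple


class Packet(NamedTuple):
    side: str        # "secure" or "insecure": interface the packet arrived on
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False   # TCP teardown marker (assumed way of closing an entry)


Key = Tuple[str, str, int, str, int]   # (proto, inside host, inside port, outside host, outside port)


class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Key, int] = {}    # connection -> packets seen
        self.decisions: List[str] = []

    def _key(self, p: Packet) -> Key:
        # Normalise so that both directions of one connection map to the same key.
        if p.side == "secure":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def handle(self, p: Packet) -> str:
        key = self._key(p)
        if p.side == "secure":
            # Outbound traffic creates (or refreshes) the state entry.
            self.table[key] = self.table.get(key, 0) + 1
            verdict = "allow"
        elif key in self.table:
            self.table[key] += 1
            verdict = "allow"            # a reply to something the inside asked for
        else:
            verdict = "drop"             # unsolicited inbound traffic
        if p.fin and verdict == "allow" and key in self.table:
            del self.table[key]          # connection closed: answers no longer accepted
        self.decisions.append(f"{verdict}: {p.side} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        return verdict


def run_demo() -> List[str]:
    """Constructed packet sequence; returns the verdict for each packet in order."""
    fw = StatefulFirewall()
    packets = [
        Packet("secure",   "tcp", "10.10.10.44", 40001, "81.65.200.5", 80),            # inside opens HTTP
        Packet("insecure", "tcp", "81.65.200.5", 80, "10.10.10.44", 40001),            # matching reply
        Packet("insecure", "tcp", "81.65.200.9", 4444, "10.10.10.44", 23),             # unsolicited telnet
        Packet("insecure", "tcp", "81.65.200.5", 80, "10.10.10.55", 40001),            # reply to wrong host
        Packet("insecure", "tcp", "81.65.200.5", 80, "10.10.10.44", 40001, fin=True),  # server closes
        Packet("insecure", "tcp", "81.65.200.5", 80, "10.10.10.44", 40001),            # late packet after close
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The fourth and sixth packets are the ones a plain packet filter would have no basis to reject: their headers look like ordinary HTTP replies, and only the connection table tells the firewall that nobody on the secure side asked for them.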

Packet Filter

Packets are analyzed and filtered at the Layer 3 (Network) level:
– Source IP address
– Source port
– Destination IP address
– Destination port
– Protocol

Access Rules define which communication is allowed.

Two alternative principles:
– “Deny all” (all traffic which is not explicitly permitted is denied)
– “Laissez faire” (all traffic which is not explicitly denied is allowed)

Packet Filter

Special considerations
– Only the header of the packet is checked – not the enclosed data (payload)
– Each individual packet is checked, but not the data stream itself
– Often implemented in a router (Access Control Lists)

Advantages
– Fast to implement

Disadvantages
– Neither the connection nor the data is checked
– Large number of rules
– Easy to make a mistake
– Maintenance after network changes

Packet Filtering

(Diagram: Insecure | Packet Filter | Secure; HTTP and FTP traffic filtered packet by packet)
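The packet filter from the three slides above as an added example (not Hirschmann code): rules on the five header fields the slide lists, no payload and no connection state, and the same rule set evaluated under both principles, "deny all" and "laissez faire". The `Rule` and `Packet` names, the addresses, ports and the rule set are constructed.

```python
"""Added example (not Hirschmann code): a Layer 3/4 packet filter (ACL).

Rules match on the header fields the slide lists (source/destination address,
source/destination port, protocol); the payload is never inspected and no
connection state is kept. The same rule set is evaluated under both default
principles, "deny all" and "laissez faire", to show what each lets through.
Addresses, ports and rules are constructed sample data.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Rule(NamedTuple):
    action: str                       # "permit" or "deny"
    proto: Optional[str] = None       # None matches any value
    src: Optional[str] = None         # CIDR network
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def in_net(addr: str, net: Optional[str]) -> bool:
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)
        return ((self.proto is None or self.proto == p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


def evaluate(p: Packet, rules: List[Rule], default: str) -> str:
    """First matching rule wins; if none matches, the default principle decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "permit" if default == "laissez faire" else "deny"


# Constructed rule set: only HTTP from the automation cell to one web server
# is explicitly permitted, and Telnet is explicitly denied.
RULES = [
    Rule("permit", proto="tcp", src="10.10.10.0/24", dst="81.65.200.5/32", dport=80),
    Rule("deny", proto="tcp", dport=23),
]

SAMPLE = [
    Packet("tcp", "10.10.10.44", 40001, "81.65.200.5", 80),    # HTTP to the allowed server
    Packet("tcp", "10.10.10.44", 40002, "81.65.200.5", 21),    # FTP: no explicit rule
    Packet("tcp", "81.65.200.9", 4444, "10.10.10.44", 23),     # Telnet: explicitly denied
    Packet("udp", "10.10.10.55", 5000, "81.65.200.7", 161),    # SNMP: no explicit rule
]


def run(default: str) -> List[str]:
    """Verdict for each sample packet under the given default principle."""
    return [evaluate(p, RULES, default) for p in SAMPLE]


if __name__ == "__main__":
    for principle in ("deny all", "laissez faire"):
        print(principle, run(principle))
```

The two runs differ only on the packets no rule mentions (FTP and SNMP here): under "deny all" a forgotten rule costs a working connection, under "laissez faire" it costs an open path, which is the sense in which the slide's "easy to make a mistake" cuts differently for the two principles.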

Application Layer Firewalls (Proxies)

There is no direct communication between a Client on the secure network and a Server on the insecure network.

(Diagram: Private Network – Proxy – Internet)

Application Layer Firewalls (Proxies)

Advantages
– The payload of the packet is examined
– Much more detailed log files
– Extremely high security

Disadvantages
– Slower than Stateful Inspection Firewalls
– More expensive

Fact of life: the more security you want, the worse the performance of your network (and vice versa)

NAT / PAT

Network Address Translation 1 to n / Port Address Translation
– All internal IP addresses are mapped to a single external IP address
– Hides the protected network’s addressing scheme
– Reduces cost by sharing a single valid Internet address

Network Address Translation 1 to 1
– Individual internal addresses are mapped to individual external addresses
– Hides the network addressing while allowing incoming connections

Network Address Translation – 1:n

Maps multiple internal addresses to a single external address

Source 10.10.10.44 → Source 81.65.129.31
Source 10.10.10.55 → Source 81.65.129.31

Network Address Translation – 1:1

Maps internal and external addresses 1 to 1.

Source 10.10.10.44 → Source 81.65.129.44
Source 10.10.10.55 → Source 81.65.129.55

Multiple Identical Cells

(Diagram: two identical Automation Cells, each addressed 10.10.10.0 internally with devices 10.10.10.123 and 10.10.10.234; towards the Core Network they appear as 192.168.23.0 and 192.168.54.0)
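The three translations on the preceding slides, worked through as one added example that is not Hirschmann code: 1:n NAT with port translation, 1:1 NAT, and 1:1 NAT used so that several cells built from the same template (all addressed 10.10.10.0 internally) can sit on one core network. The addresses are the ones on the slides; the class names, the translated port range and the use of a plain network-prefix swap for 1:1 NAT are assumptions.

```python
"""Added example (not Hirschmann code): the three address translations on the
slides, 1:n NAT with port translation (PAT), 1:1 NAT, and 1:1 NAT used to
give identical automation cells distinct addresses on the core network.
Addresses are the ones on the slides; the translated port range and the
prefix-swap implementation of 1:1 NAT are assumptions for this example.
"""
import ipaddress
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (address, port)


class Pat:
    """1:n NAT: every inside host is hidden behind one external address; the
    translated source port tells the returning packets apart."""

    def __init__(self, external_ip: str, first_port: int = 20000) -> None:
        self.external_ip = external_ip
        self.next_port = first_port
        self.out: Dict[Endpoint, Endpoint] = {}   # inside -> translated
        self.back: Dict[Endpoint, Endpoint] = {}  # translated -> inside

    def outbound(self, inside: Endpoint) -> Endpoint:
        if inside not in self.out:
            translated = (self.external_ip, self.next_port)
            self.next_port += 1
            self.out[inside] = translated
            self.back[translated] = inside
        return self.out[inside]

    def inbound(self, external: Endpoint) -> Optional[Endpoint]:
        # Nothing inside is reachable unless an outbound mapping exists for it.
        return self.back.get(external)


class OneToOneNat:
    """1:1 NAT: each inside host gets its own external address, so inbound
    connections to that host remain possible."""

    def __init__(self, inside_net: str, outside_net: str) -> None:
        self.inside = ipaddress.ip_network(inside_net)
        self.outside = ipaddress.ip_network(outside_net)
        if self.inside.prefixlen != self.outside.prefixlen:
            raise ValueError("1:1 NAT needs networks of equal size")

    @staticmethod
    def _shift(addr: str, src: ipaddress.IPv4Network, dst: ipaddress.IPv4Network) -> str:
        ip = ipaddress.ip_address(addr)
        if ip not in src:
            raise ValueError(f"{addr} is not in {src}")
        offset = int(ip) - int(src.network_address)   # keep host part, swap network part
        return str(dst.network_address + offset)

    def outbound(self, inside_addr: str) -> str:
        return self._shift(inside_addr, self.inside, self.outside)

    def inbound(self, outside_addr: str) -> str:
        return self._shift(outside_addr, self.outside, self.inside)


def demo() -> dict:
    """Run the slide's addresses through all three translations."""
    pat = Pat("81.65.129.31")
    a = pat.outbound(("10.10.10.44", 5000))
    b = pat.outbound(("10.10.10.55", 5000))   # same inside port, distinct translated port

    one_to_one = OneToOneNat("10.10.10.0/24", "81.65.129.0/24")

    # Two cells built from the same template, both using 10.10.10.0/24 internally.
    cells = {"cell-A": OneToOneNat("10.10.10.0/24", "192.168.23.0/24"),
             "cell-B": OneToOneNat("10.10.10.0/24", "192.168.54.0/24")}

    return {
        "pat": (a, b, pat.inbound(a), pat.inbound(("81.65.129.31", 22))),
        "one_to_one": (one_to_one.outbound("10.10.10.44"), one_to_one.inbound("81.65.129.55")),
        "cells": {name: nat.outbound("10.10.10.123") for name, nat in cells.items()},
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The last entry of the `pat` tuple is the property the 1:n slide sells as hiding the addressing scheme: an inbound packet to the shared address with no matching outbound mapping has no inside destination at all. The `cells` entry is the 1:1 case from the last slide: the same device address 10.10.10.123 in two identical cells becomes 192.168.23.123 in one and 192.168.54.123 in the other, so the core network can address both without the cells being re-addressed.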

Firewall Techniques

Hard Perimeter

(Diagram: Office Network | Hard Perimeter | Network)

Firewall Techniques

Defence in Depth

(Diagram: Office Network | Defence in Depth | Network)

Adding Security

In a perfect world, you design the network security when you design the network.

What if you want to add security to an existing network?

Most firewalls are routers.

Transparent (Bridging) Firewalls

Symbols Used In Presentation Diagrams

– Industrial firewall and/or VPN Client/Server (HIRSCHMANN device icon)
– Corporate firewall and/or VPN Client/Server
– Corporate Network
– Industrial network
– Internet

Basic Industrial Firewalling

(Diagram: Office Network, Corporate Network and Automation Network, with firewalls between them)

Access for Specific Devices

(Diagram: Management Station in the Corporate Network, firewalls, Automation Network)

Access for Specific Devices

(Diagram: Maintenance access from the Corporate Network, firewalls, Automation Network)

Employee from an External Company

(Diagram: Service Engineer, DHCP, Corporate Network, firewalls, Automation Network)


Conclusion

Security should be designed into a network right from the start

Managed switches provide a range of security features

A control network should only be connected to another network via a firewall

Successful protection requires a range of techniques


Comments or Questions?
