Network and Information Technology (IT) Considerations


Technical Bulletin
Issue Date: March 31, 2003
Johnson Controls, Inc. Code No. LIT Software Release 1.0

Contents

Network and Information Technology (IT) Considerations
Introduction
Key Concepts
    Dynamic Host Configuration Protocol (DHCP)
    Demilitarized Zone (DMZ)
    Domain Name System (DNS)
    Firewall
    Network Address Translation (NAT)
    Flash Memory
    Microsoft Internet Explorer (IE) Browser Recommendations
    Internet Service Provider (ISP)
    Internet Protocol (IP)
    Internet Protocol for the Metasys System
    IP Address
    Local Area Network (LAN)
    Point-to-Point Protocol (PPP)
    Java Plug-in Software
    The Metasys Applet
    Proxy Considerations
    Remote Access Service (RAS)
    Simple Mail Transfer Protocol (SMTP)
    Simple Network Management Protocol (SNMP)
    Simple Network Time Protocol (SNTP)
    Virtual Private Network (VPN)
    Security Considerations
Detailed Procedures
    Verifying Java Proxy Settings
    Verifying Microsoft Internet Explorer Options

Introduction

The purpose of this document is to highlight information, including security risks, that you should consider when connecting your Metasys system to the Internet. Review this document with the appropriate personnel from your customer's Information Technology (IT) department.

This document is not designed to teach networking principles. It assumes a basic understanding of the Dynamic Host Configuration Protocol (DHCP) and Transfer Control Protocol/Internet Protocol (TCP/IP), which is necessary to configure the Metasys system extended architecture and associated devices on a customer's network. Microsoft Press publishes several helpful resources: Microsoft Windows XP Networking Inside Out, Deluxe Edition and Microsoft Windows XP Professional Resource Kit Documentation.

This document also assumes a basic understanding of the Metasys devices used to configure the extended architecture. This information includes, but is not limited to, the Network Automation Engine (NAE), the Network Integration Engine (NIE), the Site Director, and the Application and Data Server (ADS).

IMPORTANT: Engage appropriate network security professionals to ensure the Personal Computer (PC) hosting the Site Director is a secure host for Internet access.

Network security is an important issue. Your customer's IT department must approve configurations that expose customer networks to the Internet.

Refer to the Configuring the NAE Network Screen section of the Configuring the Network Automation Engine (NAE) Technical Bulletin (LIT ) for configuration information.

Key Concepts

Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP) is an application layer protocol that the NAE, ADS, and Application and Data Extended Server (ADX) can use to obtain an Internet Protocol (IP) address and other network information. DHCP is a communications protocol that lets network administrators centrally manage and automate the assignment of IP addresses in an organization's network.

Each NAE that can connect to the network needs a unique IP address. When a network is set up to allow NAEs to connect to the Internet, an IP address must be assigned to each machine. Without DHCP, the IP address must be entered manually at each computer, and if computers are moved to another subnet on the network, a new IP address must be entered. DHCP lets a network administrator supervise and distribute IP addresses from a central point and automatically sends a new IP address when a computer is plugged into a different place in the network. DHCP can also automatically assign dial-up users an IP address when they connect to the network.

DHCP servers support static addresses for computers containing Web servers that need a permanent IP address. Each Site Director must have a non-changing IP address. A DHCP server can be configured to assign the same IP address to a particular Media Access Control (MAC) address.

DHCP is an alternative to another network IP management protocol, Bootstrap Protocol (BOOTP). DHCP is a more advanced protocol, but both configuration management protocols are commonly used. Some organizations use both protocols, but understanding how and when to use them in the same organization is important. Some operating systems, including Windows NT and Windows 2000 operating systems, come with DHCP servers. A DHCP or BOOTP client is a program that is located in (and perhaps downloaded to) each computer so that it can be configured.

The NAE, NIE, ADS, and ADX can each be configured to use its internal DHCP client.

Demilitarized Zone (DMZ)

A Demilitarized Zone (DMZ) is a portion of the network located between the Internet and the intranet. It is a buffered area that is usually protected by one or more firewalls. If the Site Director is placed in the DMZ, only the Site Director is accessible from the Internet. All devices on the site are exposed through the Site Director.

Domain Name System (DNS)

The Domain Name System (DNS) is the method by which host domain names are located and translated into IP addresses. A domain name is a meaningful and easy-to-remember handle for an Internet address. DNS is the Internet standard for naming and locating host devices and mapping host names to IP addresses. An example of a DNS handle is

A DHCP server can assign a customer's DNS server to each NAE/NIE DHCP client. A customer's DNS server address can be configured into each NAE/NIE and ADS/ADX. When a customer does not have an internal DNS server, NAE/NIE and ADS/ADX devices can be configured to exchange host names and update their local host file. Either DNS or local host file updates are necessary for communication between a Site Director and all devices on the Metasys system site. If the customer is not using DNS, use the customer's existing mechanism to exchange hostnames and update the local host file with the identification of our devices.

All devices that are part of the Metasys system extended architecture use only Simple Mail Transfer Protocol (SMTP) to communicate with the customer's mail server.

Post Office Protocol 3 (POP3) is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mailbox on the server and download any mail. POP3 is built into the Netscape Navigator and Microsoft Internet Explorer browsers.

An alternative protocol is Internet Message Access Protocol (IMAP). With IMAP, you view your e-mail at the server as though it were on your client computer. An e-mail message deleted locally is still on the server. E-mail can be kept on and searched at the server.

POP can be thought of as a store-and-forward service. IMAP can be thought of as a remote file server.

POP and IMAP deal with the receiving of e-mail and are not to be confused with the Simple Mail Transfer Protocol (SMTP), a protocol for transferring e-mail across the Internet. You send e-mail with SMTP and a mail handler receives it on your recipient's behalf. The mail is then read using POP or IMAP.

Firewall

A firewall is a combination of hardware and software that provides a security system to prevent unauthorized access from the Internet to the intranet. (The term also implies the security policy that is used with the programs.) When NAEs have access to the Internet, the customer typically installs a firewall to prevent outsiders from accessing private data resources and to control which outside resources its own users can access.

The Site Director provides access to all the devices on the site using only one public IP address (the address of the Site Director). Only the Site Director requires access through the firewall to the intranet.

Note: Only HTTP traffic needs to go through a firewall in order for clients to communicate with all Metasys devices. Upgrades using remote desktop over the Internet require additional ports to be open to the intranet.

Internet Access to the Metasys System Using a Firewall

You can connect to the Metasys system behind a firewall from the Internet.

[Figure 1: Metasys System Internet Communication via Firewall. Elements shown: Web Browser, Internet, Firewall, Site Server (ADS/ADX), Firewall, NAE, NAE.]

Network Address Translation (NAT)

NAT enables a local area network to use one set of IP addresses for internal traffic and a second set of addresses for external traffic. If you are using NAT to communicate to or from the Internet, the Site Director must have static internal and external IP addresses. Dynamic NAT will not work.

Flash Memory

Flash memory is a type of constantly-powered nonvolatile memory that can be erased and reprogrammed. In the NAE, flash is used like a hard disk for storing limited information. Use an ADS on a site when you need to store large amounts of historical data.

Microsoft Internet Explorer (IE) Browser Recommendations

Always open a new browser window to access the Metasys user interface. Do not use the Metasys user interface browser window to navigate to any other Web site. If you access a Web site that requires a Java plug-in, configuration and runtime problems may arise.

Launching Microsoft IE from a shortcut on the desktop, or typing a Universal Resource Locator (URL) in the address field of the task bar, may replace the Metasys system application if Microsoft IE is configured to reuse windows when launching shortcuts. Refer to the Verifying Microsoft IE Settings procedure in this document.

Internet Service Provider (ISP)

A commercial organization that provides its customers with the ability to connect to the Internet.

Internet Protocol (IP)

IP is the method used to send data from one computer to another on the Internet. All devices on a Metasys network have an IP address. This address is used to communicate with other devices on the network.

Internet Protocol for the Metasys System

Table 1 describes the various IP protocols and how they relate to the Metasys system. This table is a guide for you and IT personnel assisting with the setup of the Metasys system. In determining which protocol is best for your system, note that implementing a firewall is one way to provide security between your company and its Internet access.

Table 1: Protocols and Ports

Protocol | Port Number** | Supervisory Controller | Description
Dynamic Host Configuration Protocol (DHCP) | | NAE/NIE N30 | Assigns and keeps track of dynamic IP addresses and other network configuration parameters. Alternate Method: Use static IP addresses.
Domain Name Service (DNS) | 53 | NAE/NIE | Translates domain names into IP addresses.
HyperText Transfer Protocol (HTTP) | 80 | NAE/NIE | Provides communication between peer controllers, PCs, and other Internet systems.
Post Office Protocol 3 (POP3) | 110 | NAE/NIE | Receives and holds e-mail for downloading from your Internet server. Note: Access is not necessary in most cases because this server should be behind the firewall.
Secure HyperText Transfer Protocol (HTTPS) | 443 | NAE/NIE | Available in a future release of the Metasys System.
Simple Mail Transfer Protocol (SMTP) | 25 | NAE/NIE N | E-mails alarms. Note: Access is not necessary in most cases because this server should be behind the firewall.
Simple Network Management Protocol (SNMP) | | NAE/NIE M-Series Workstation Ethernet IP | Provides network monitoring and maintenance.
Simple Object Access Protocol (SOAP) | 80 | NAE/NIE | Provides upload and download capabilities to the NAE/NIE and invokes Web services.
SNMP Trap | 162 | NAE/NIE M-Series Workstation (M-Alarm messages) | Receives alarms (alarm destination) in large networks to direct alarms to its IT department so they can notify facility personnel. The site must use network SNMP Trap software for implementation. Note: M-Alarm uses this protocol regardless of the size of the network. Alternate Method: Use pager or e-mail destinations for remote alarm notification instead of IT personnel.
Simple Network Time Protocol (SNTP) | 123 | NAE/NIE | Used to synchronize computer clocks over a network.
User Datagram Protocol (UDP) | * | NIE Network Control Module (NCM) | Provides message transmission (proprietary packet encoded in UDP). If you are connecting to multiple N1 networks, the port is unique for each N1 network. The default port number is Choose additional UDP ports that do not conflict with a port that is in use.
BACnet Protocol | | NAE N30 | Refer to the BACnet System Integration with NAE Technical Bulletin (LIT ).

* This port number is registered to Johnson Controls.
** Generally recorded and registered by the Internet Assigned Number Authority (IANA).

Metasys System Architecture

Figure 2 shows the architectural design of the Metasys system.

[Figure 2: Metasys System Architecture. Elements shown: Web Browser, Internet, Firewall, Demilitarized Zone (DMZ) containing the Site Director (NAE) or Site Director (ADS/ADX), Firewall, NAE, NAE.]

Connectivity and Protocol Models

The following figures are examples of the various types of connectivity and protocols for the Metasys system. Figure 3 is an example of the connectivity and protocols for a Metasys system using multiple NAE or NIE controllers and an ADS.

Note: Figure 3 does not show the interaction between the N1 network and the NIE. See the N1 Migration with NIE Technical Bulletin (LIT ) for details.

[Figure 3: Metasys System with Multiple NAE/NIEs and an ADS Server. Elements shown: Web Browser, Printer, ADS Server (User Interface, System Configuration Tool and data archive), Firewall, Internet, NAE/NIE controllers with Field Bus connections, IP Network, Customer Server, Network Services (Network Management Workstation, Mail/DNS/DHCP Server).]

Table 2: Metasys System with Multiple NAE/NIEs and an ADS Server

Interaction Between Callouts | Protocol
1 and 2 | HTTP, HTTPS, SOAP
1 and 3 | HTTP*, HTTPS*, SOAP*
1 and 4 | Customer standard configuration
2 and 3 | HTTP, SNTP**, SOAP
2 and 4 | DHCP, DNS, SMTP, SNMP, SNMP Trap, SNTP
3 and 3 | HTTP, SOAP
4 and 3 | DHCP, DNS, SMTP, SNMP, SNMP Trap, SNTP

* Used for local Web browsers only.
** To ensure proper performance, a PC browser should never use an NAE/NIE for its SNTP server.

Figure 4 is an example of the connectivity and protocols for a Metasys system using the M3 Workstation and N30 controllers. For more information refer to the BACnet System Integration with NAE Technical Bulletin (LIT ).

[Figure 4: Metasys System with N30 Controllers Using BACnet Protocol. Elements shown: Printer, M3 Workstation, Web Browser - User Interface, ADS Server, IP Ethernet, N30 (BACnet Protocol), NIE, NAE, Customer Server, Field Bus (N2), Network Services (Network Management Workstation, Mail/DNS/DHCP Server).]

Table 3: Metasys System with N30 Controllers Using BACnet Protocol

Interaction Between Callouts | Protocol
1 and 2 | UDP*
1 and 3 | POP3, SMTP, SNMP, SNMP Trap
2 and 2 | UDP*
3 and 2 | DHCP

* When using BACnet protocol with N30s, you must specify UDP port 0xBAC0 as being used. For multiple BACnet networks, you must use a different port number for each network.

Figure 5 is an example of the connectivity and protocols used in a Metasys system using the Operator Workstation (OWS) or M5 Workstation and NCMs.

[Figure 5: Metasys System with NCMs. Elements shown: Printer, M5 Workstation, OWS, Web Browser - User Interface, ADS Server, IP Ethernet, NCM, N1, NIE, NAE, Customer Server, Field Bus (N2), Network Services (Network Management Workstation, Mail/DNS/DHCP Server).]

Table 4: Metasys System with NCMs

Interaction Between Callouts | Protocol
1 and 2 | UDP*
1 and 3 | SNMP, SNMP Trap
2 and 2 | UDP*
2 and 4** | UDP*

* When using UDP protocol with NCMs, you must specify port as being used. For multiple N1 networks, you must use a different port number for each network.
** You can configure multiple N1 networks on the NIE. See the N1 Migration with NIE Technical Bulletin (LIT ) for details.
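The exposure model in the Firewall section and Table 1 (only HTTP, and only to the Site Director, needs to pass the Internet-facing firewall) and the one-port-per-network rule in the Table 3 and Table 4 footnotes can be checked mechanically against an exported rule list. The following is an added example, not code from the bulletin or from Johnson Controls. The rule fields, zone labels, finding codes, addresses and network names are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Port numbers exactly as printed in Table 1 of the bulletin.
TABLE1 = {25: "SMTP", 53: "DNS", 80: "HTTP/SOAP", 110: "POP3",
          123: "SNTP", 162: "SNMP Trap", 443: "HTTPS"}
MAIL_PORTS = {25, 110}   # Table 1 notes: mail servers should be behind the firewall
HTTPS_PORT = 443         # Table 1: "available in a future release"
HTTP_PORT = 80           # Firewall section: only HTTP must pass the firewall


@dataclass(frozen=True)
class Rule:
    """One firewall rule; field names and zone labels are assumptions."""
    name: str
    src_zone: str   # "internet" or "intranet"
    dst_ip: str
    dst_port: int
    action: str     # "allow" or "deny"


def audit(rules, site_director_ip):
    """Return (rule name, finding code) for every Internet-facing allow rule
    that goes beyond 'HTTP to the Site Director only'."""
    site_director = ip_address(site_director_ip)
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.src_zone != "internet":
            continue
        if ip_address(rule.dst_ip) != site_director:
            # Site devices are meant to be reached through the Site Director.
            findings.append((rule.name, "NOT_SITE_DIRECTOR"))
        if rule.dst_port in MAIL_PORTS:
            findings.append((rule.name, "MAIL_PORT_EXPOSED"))
        elif rule.dst_port == HTTPS_PORT:
            findings.append((rule.name, "HTTPS_NOT_IN_THIS_RELEASE"))
        elif rule.dst_port != HTTP_PORT:
            code = "PORT_NOT_REQUIRED" if rule.dst_port in TABLE1 else "PORT_NOT_IN_TABLE1"
            findings.append((rule.name, code))
    return findings


def shared_udp_ports(networks):
    """Map each UDP port used by more than one BACnet or N1 network to the
    networks sharing it (Tables 3 and 4 require a different port per network)."""
    by_port = {}
    for name, port in networks.items():
        by_port.setdefault(port, []).append(name)
    return {port: sorted(names) for port, names in by_port.items() if len(names) > 1}


# Constructed sample data: RFC 5737 documentation addresses, invented names.
SITE_DIRECTOR = "192.0.2.10"
SAMPLE_RULES = [
    Rule("web-to-site-director", "internet", "192.0.2.10", 80, "allow"),
    Rule("web-to-nae", "internet", "192.0.2.21", 80, "allow"),
    Rule("pop3-inbound", "internet", "192.0.2.10", 110, "allow"),
    Rule("snmp-trap-inbound", "internet", "192.0.2.10", 162, "allow"),
    Rule("https-inbound", "internet", "192.0.2.10", 443, "allow"),
    Rule("alt-web-to-nae", "internet", "192.0.2.21", 8080, "allow"),
    Rule("intranet-dns", "intranet", "192.0.2.53", 53, "allow"),
    Rule("block-nae-direct", "internet", "192.0.2.22", 80, "deny"),
]
SAMPLE_NETWORKS = {"bacnet-a": 0xBAC0, "bacnet-b": 0xBAC0, "bacnet-c": 0xBAC1}

if __name__ == "__main__":
    for rule_name, code in audit(SAMPLE_RULES, SITE_DIRECTOR):
        print(f"{rule_name}: {code}")
    for port, names in shared_udp_ports(SAMPLE_NETWORKS).items():
        print(f"UDP port {port:#06x} shared by {', '.join(names)}")
```

A site that opens remote desktop for upgrades, as the Firewall note allows, will see those rules reported as PORT_NOT_IN_TABLE1 and should record them as approved exceptions.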

IP Address

All Metasys devices communicate using TCP/IP and must follow Internet standard IP address constraints. Configure each device with a static name and IP address that matches one in the customer's name lookup service, or configure the device to obtain the IP address from a DHCP server that communicates the name and address to the name lookup server.

The Site Director allows access to the entire Metasys system using only one public IP address. This allows access to all devices on the site without having a public IP address for each device.

Local Area Network (LAN)

A Local Area Network (LAN) is a high-speed communications system designed to link computers and other data processing devices together within a small geographic area such as a workgroup, department, or a single floor of a multi-story building.

Point-to-Point Protocol (PPP)

Point-to-Point Protocol (PPP) is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server. For example, your Internet service provider may provide you with a PPP connection so that the provider's server can respond to your requests, pass them on to the Internet, and forward your requested Internet responses back to you.

PPP uses the IP (and is designed to handle others). It is sometimes considered a member of the TCP/IP suite of protocols. Relative to the Open Systems Interconnection (OSI) reference model, PPP provides layer 2 (data-link layer) service. Essentially, it packages your computer's TCP/IP packets and forwards them to the server where they can actually be put on the Internet. PPP is used for all Metasys dial-up communication.

Java Plug-in Software

Java Plug-in software extends the functionality of a Web browser, allowing applets to be run using the Sun Microsystems Java 2 Runtime Environment (JRE) rather than the Java Runtime Environment that comes with the Web browser.

The Java Plug-in software installation provides a drop-down selection list for the desired locale, which allows the user to install the international version. The default locale is U.S. English. If you are using an international version of the Metasys system extended architecture, you must install the international version of the Java Plug-in software. If the U.S. English version is already installed, you must uninstall the Java Plug-in software, then re-install the Java Plug-in software and select the international locale.

Note: If the Java Plug-in software is not installed, the user is prompted to install the Java Plug-in software upon accessing the Metasys user interface.

The Metasys Applet

The Metasys user interface is comprised of a Java applet, which runs in the Java Plug-in within your browser. The Java security model allows only trusted applets to perform certain activities such as printing, connecting to the network, retrieving system information, and accessing your computer's local file system. Trusted applets must be digitally signed, and must be granted permissions by the end-user.

The Metasys applet is digitally signed with a certificate provided by the VeriSign Certificate Authority (CA). The certificate verifies that the Metasys applet is distributed by Johnson Controls, Inc., and has not been tampered with. In order for the Metasys applet to be trusted, you must grant the applet permission to run each Web browser prompted by the Java Plug-In security system.

Expired Certificate

Digital certificates expire one year after they are issued. When a certificate expires, it can no longer be used to digitally sign new applets, but any existing applets signed with the certificate are still valid. The certificate used to sign the Metasys applet at Release 1.0 expires on September 16,

When the certificate expires, it is important to note the following. The expired certificate does not affect:

- the integrity of the Metasys applet
- the performance of the Metasys applet

All Metasys system functions will continue to work normally, and you can continue to use the Metasys system safely.

If you access the Metasys applet on or after the certificate expiration date, and you have not yet granted permissions to the applet, the Java Plug-in warns you that the certificate has expired and asks if you want to ignore the warning and proceed. Select Yes to continue accessing the Metasys system. Figure 6 shows an example of the expired certificate warning.

[Figure 6: Java Plug-in Security Warning Window]

Granting Permissions

Each time you access the Metasys user interface, the Java Plug-in security system checks to verify that you have granted permissions for the Metasys applet to run before it displays the login screen. If the security system does not find the permissions, the Java Plug-in Security Warning (Figure 7) appears.

[Figure 7: Java Plug-in Security Warning]

If you select:

- Grant this session, you are giving a one-time permission to run the applet. In this case, you will be prompted to grant permission again the next time you access the Metasys user interface.
- Deny, the Metasys applet cannot run.
- Grant always, the certificate information is stored on your computer, and is available for the next time you access the Metasys user interface (from the same computer). When you grant permissions for the Metasys applet, it applies to all Metasys applets signed with the same digital certificate (for example, all Release 1.0 Metasys applets). This means that you are not prompted again for permission to run the applet even if you connect to a different device or platform (NAE/NIE, ADS/ADX, SCT).
  Note: Since the certificate information is stored on your computer, you will have to grant permissions for the applet to run on each computer that you use.
- More Info, the certificate properties display, including the effective date, expiration date, issuer (CA), and other technical information related to the certificate that was used to sign the applet.

Proxy Considerations

If a customer site has its proxy server set up with a cache for intranet traffic, the customer may need to adjust the proxy rules to allow direct communication from the browser to the intranet devices (NAEs, ADSs, ADXs). The embedded Web servers in every NAE/NIE and ADS/ADX require direct communication with a connected client Web browser.

If the client does not communicate properly, you can test the proxy settings. Set the browser to direct communication and reconnect to the device. If client browser communication is now correct, the proxy must be adjusted.

If the proxy settings are explicitly set in the browser (for example, Internet Explorer), you must verify that the proxy settings are available to the Java applet. If the browser's proxy settings are not explicitly set in the browser, either there are no settings or the browser is using an automatic configuration script and you must verify that the proxy settings are available to the Java applet. Refer to the Verifying Java Proxy Settings procedure in this document.

Remote Access Service (RAS)

Remote Access Service (RAS) allows dial-up connections between computers and networks. RAS is delivered in Windows NT Version 4.0, Windows 2000 and Windows XP operating systems. It is also found in Routing and Remote Access Server (RRAS) for Windows NT 4.0 operating systems.

Simple Mail Transfer Protocol (SMTP)

Simple Mail Transfer Protocol (SMTP) is a protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another; the messages can then be retrieved with an e-mail client using either POP or IMAP.

All devices in the Metasys system extended architecture use only SMTP to communicate with a customer's mail server.

Simple Network Management Protocol (SNMP)

Simple Network Management Protocol (SNMP) is the primary protocol governing IP network management and the monitoring of IP network devices and their functions. It is not necessarily limited to TCP/IP networks.

The NAE includes an SNMP client to allow an SNMP manager to monitor network activity. Alarms can be configured to send SNMP traps. The Metasys devices (NAE, ADS, ADX) do not include an SNMP manager. Refer to the Configuring SNMP for Network Monitoring section of the Configuring the Network Automation Engine (NAE) Technical Bulletin (LIT ) for configuration information.

Simple Network Time Protocol (SNTP)

Simple Network Time Protocol (SNTP) is a simplified version of Network Time Protocol (NTP). These protocols allow one computer to ask another computer what time it is across a TCP/IP network, then set its own clock accordingly. SNTP is used to synchronize an NAE network's time to ensure that schedules, calendars, alarms, and events occur or are reported at the correct time.

An ADS or an NAE acting as Site Director may be configured as a time server. All other NAEs are configured as clients. The client for SNTP is included in the NAE operating system (Windows XP embedded operating system). Due to performance problems, an ADS/ADX is the only Metasys device that should be used as an SNTP server by Web browser PCs. More commonly, configure Metasys devices to use a customer's existing time server.
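An SNTP reply is an unauthenticated UDP datagram, so a client that sets its clock from one should sanity-check the reply first. The following added example (not from the bulletin or from Johnson Controls) parses the 48-byte SNTP header, applies the basic reply checks, and computes the clock offset; the packets are constructed in the code and all function names are this example's own.

```python
import struct

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 to 1970-01-01
PACKET = struct.Struct("!BBbb11I")   # 48-byte SNTP header, no authenticator
# Unpacked indexes: 0 LI/VN/Mode, 1 stratum, 9-10 originate, 11-12 receive,
# 13-14 transmit timestamp (each timestamp is seconds + 32-bit fraction).


def to_ntp(unix_time):
    """Unix time (float) -> NTP timestamp as (seconds, fraction)."""
    secs = int(unix_time)
    return secs + NTP_UNIX_DELTA, int((unix_time - secs) * 2**32)


def from_ntp(secs, frac):
    """NTP timestamp (seconds, fraction) -> Unix time (float)."""
    return secs - NTP_UNIX_DELTA + frac / 2**32


def build_request(t1):
    """Client request: LI=0, VN=4, Mode=3, transmit timestamp = send time t1."""
    return PACKET.pack((4 << 3) | 3, 0, 0, 0, *([0] * 9), *to_ntp(t1))


def build_reply(request, li, stratum, t2, t3):
    """Constructed server reply (Mode=4) that echoes the request's timestamp."""
    originate = PACKET.unpack(request)[13:15]
    return PACKET.pack((li << 6) | (4 << 3) | 4, stratum, 0, 0,
                       *([0] * 5), *originate, *to_ntp(t2), *to_ntp(t3))


def check_reply(reply, request, t4):
    """Validate a reply received at local time t4 and return the clock offset
    in seconds. Raises ValueError if the reply must not be used."""
    if len(reply) < PACKET.size:
        raise ValueError("short packet")
    f = PACKET.unpack(reply[:PACKET.size])
    li, mode, stratum = f[0] >> 6, f[0] & 0x7, f[1]
    if mode != 4:
        raise ValueError("not a server reply")
    if li == 3:
        raise ValueError("server clock not synchronized")
    if not 1 <= stratum <= 15:
        raise ValueError("invalid stratum")
    if f[13:15] == (0, 0):
        raise ValueError("zero transmit timestamp")
    sent = PACKET.unpack(request)[13:15]
    if f[9:11] != sent:
        # A reply that does not echo our timestamp was not made for this request.
        raise ValueError("originate timestamp does not match request")
    t1, t2, t3 = from_ntp(*sent), from_ntp(*f[11:13]), from_ntp(*f[13:15])
    return ((t2 - t1) + (t3 - t4)) / 2


if __name__ == "__main__":
    request = build_request(1000000000.0)
    reply = build_reply(request, li=0, stratum=2, t2=1000000005.0, t3=1000000005.0)
    print("offset:", check_reply(reply, request, t4=1000000000.0))
```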

There are a number of public servers that keep track of time with a very high degree of accuracy that can be used to ensure that the network is synced to real time. Lists of public time servers can be found on the Internet by searching any of the popular search engines such as Google search engine.

Only the SNTP server synchronizes its time over the Internet. The other devices on the Metasys network synchronize with the ADS or NAE device you have configured as your server. Refer to the Setting the Time, Date, Time Zone, and Time Synchronization section of the Configuring the Network Automation Engine (NAE) Technical Bulletin (LIT ) for configuration information.

Virtual Private Network (VPN)

A Virtual Private Network (VPN) is a private data network that uses the public telecommunication infrastructure and the Internet, maintaining privacy through the use of tunneling protocol and security procedures (encrypting data before sending it through the public network and decrypting it at the receiving end).

Internet Access to the Metasys System Using a VPN

The simplest method of connecting to the Metasys system is to use a customer's existing VPN. If a VPN already exists, the risks and security concerns have already been established. The system acts as though remote users are on the company intranet. The Metasys system has no specific ability to configure or use a VPN.

[Figure 8: Metasys System Internet Communication via VPN. Elements shown: Web Browser with VPN client, Internet, VPN Tunnel, VPN Router, intranet, BAS Network, Site Server (ADS/ADX).]

Security Considerations

This section discusses appropriate recommendations based on Microsoft TechNet, Best Practices for Enterprise Security. For more information refer to Microsoft TechNet on Microsoft's Web site.

Risk Assessment

It is important to recognize the types of assets within your organization. Risk assessment provides a baseline for implementing security plans to protect assets against various threats. To improve a system's security, ask three basic questions:

- What assets within the organization need protection?
- What are the risks to each of these assets?
- How much time, effort, and money is the organization willing to expend to upgrade or obtain new adequate protection against these threats?

You cannot protect your assets until you know what you need to protect the assets against. Risks can come from three sources: natural disaster risks, intentional risks, and unintentional risks.

Network Security Risks

Building Automation Systems (BASs) are an integral part of any organization; therefore they must be protected from security threats. When the Metasys system extended architecture has Internet connectivity it is even more important to guard against malicious attacks because the attacks may originate from inside (intranet) as well as outside (Internet) the company.

While no system should be considered hacker-proof, it is extremely important to plan for possible threats and define policies that limit the existing vulnerabilities. This can be done through the combination of system design (for example, Authorization, Authentication, IP Security, Digital Signatures, Architecture), network infrastructure (firewalls, routers), and security policies (who has access to the system, when passwords must be changed, how/when accounts are revoked).

The system design, network infrastructure, and security policies must be set up and maintained by your customer's facility. The client must engage appropriate network security professionals to ensure the PC hosting the Site Director is a secure host for Internet access. Several examples of security concerns follow. Please keep in mind this is not a comprehensive list.

Note: Customers must have the appropriate infrastructure and security policies in place to prevent Domain Name System (DNS) and Denial of Service (DoS) attacks and authentication cracking. Johnson Controls, Inc. is not responsible for all aspects of security planning and implementation for the customer's infrastructure. For more information on security planning, refer to Best Practices of Enterprise Security on the Microsoft Web site.

Domain Name System (DNS) Attacks

Domain Name System (DNS) attacks occur when a hacker programmatically intercepts Web page requests for an intended Uniform Resource Locator (URL), then displays fake HyperText Markup Language (HTML). For example, a hacker could intercept and display a spoofed Metasys system login page. At this point, the hacker is able to intercept the user's Metasys system account name and password after the user submits the information. The hacker can attempt to access the real Metasys Web site with the user's stolen account name and password. If the appropriate infrastructure is in place, Web page spoofing cannot occur.

The Metasys system security design thwarts possible DNS attacks using:

- Public/Private Key Encryption: The hacker may have the user account information, but in order to decrypt data the hacker also needs a valid private key. The hacker has no way to access the valid private key.

Denial of Service (DoS) Attacks

Denial of Service (DoS) attacks exploit the company's need to have a system available. They are a growing trend on the Internet because Web sites, theoretically, are open doors. People can easily flood the Web server with communication in order to keep it busy. DoS attacks are difficult to trace and they subdue other types of attacks. Therefore, companies with Internet access should prepare for detecting and halting DoS attacks.

Authentication Cracking

Authentication attacks occur when user IDs and passwords are intercepted over a network and are used by unauthorized individuals. The Metasys system security design addresses authentication attacks using IP security (IP Sec).

Data traveling by way of IP has no inherent security. It is fairly simple to intercept IP traffic, forge IP addresses, and perform any number of other unscrupulous acts. There are no assurances that a claimed sender is actually sending packets or that the data has remained unaltered in transit.

IP Sec provides authentication, integrity, and optionally, confidentiality. The sending computer secures the data prior to transmission and the receiving computer decodes the data. Based on cryptographic keys, IP Sec can be used to secure computers, sites, domains, application communication, dial-up users, and extranet communication. All Metasys system user authentication messages are sent using IP Sec, encrypting both the ID and password.

Passwords

Intra-computer accounts are used to perform authentication and authorization between devices within the Metasys system. An intra-computer account is a Metasys system site account, which means the account resides in a proprietary Metasys database of users and not within the Microsoft database of users. When a new NAE registers with the Site Director, the new NAE's Metasys system intra-computer account password is synchronized with the rest of the Site. This account is not displayed in the Security Administrator UI, and cannot be administered.

Password cracking is a technique attackers use to gain unauthorized system access through another user's account. Password cracking is possible because users often select weak passwords. The two major problems with passwords exist when they are easy to guess based on knowledge of the user (for example, wife's maiden name) and when they are susceptible to dictionary attacks (using a dictionary as a source of guesses). Reasons for gaining unauthorized access to a system include: gaining access to secured data and disrupting the normal operation of the system (a form of DoS attack).

The Metasys system security design addresses Password Cracking attacks in the following ways:

- Metasys System Site Account Policies: Account Policies define how passwords are used by the user account (blank passwords, how often the password must change), account lockout policy, and the inactive session policy.

- Intra-computer accounts, which cannot be renamed, have passwords that automatically change every 24 hours. Intra-computer accounts are not disabled during failed login attempts, since the account is required to keep the Metasys system operational. However, to thwart any possible attacks on the system through login trial and error, failed login attempts with this account generate an alarm within the Metasys system.

- The Metasys Administrator Account (which cannot be renamed) does not use the account name Admin or Administrator because it would be easy for a hacker to guess.

- The user controls the passwords.

Note: We strongly recommend changing the default Administrator Account password upon installation of the system. Once this password is changed, Johnson Controls, Inc. personnel have no knowledge of the password and do not have the ability to change the password.

Passwords are:

- stored encrypted
- transmitted encrypted through the use of public and private keys

Note: Customers must have appropriate security policies in place to prevent password cracking attacks. Johnson Controls, Inc. is not responsible for all aspects of security planning and implementation for the customer's infrastructure. For more information on security planning, refer to Best Practices of Enterprise Security on the Microsoft Web site.
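The two password weaknesses named in the Passwords section (guessable from knowledge of the user, and open to dictionary attack) can be screened for at the moment a password is set. The following Python code is an added example, not Metasys or Johnson Controls code; the wordlist, the user facts, the 12-character minimum, and all function names are constructed assumptions.

```python
import re

# Constructed sample wordlist (assumption). A real check would load a large
# dictionary plus a list of passwords known from breaches.
SAMPLE_DICTIONARY = frozenset(
    {"password", "welcome", "building", "chiller", "summer", "letmein", "admin"}
)

# Constructed facts an attacker could learn about one user (assumption):
# login name, full name, and a family name.
SAMPLE_USER_FACTS = ["jsmith", "John Smith", "Kowalski"]

# Common character substitutions, undone before comparison. "1" is read as
# "i" here; it can also stand for "l", which this example does not expand.
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
     "@": "a", "$": "s", "!": "i"}
)

MIN_LENGTH = 12       # assumed policy value, not taken from the bulletin
MIN_TOKEN_LENGTH = 3  # ignore very short fragments such as initials


def candidate_forms(password):
    """Return the normalized forms of a password that a guessing tool covers.

    Lower-casing, dropping a trailing run of digits or punctuation, and
    undoing character substitutions are the cheap transformations that turn
    "P@ssw0rd1" back into the dictionary word it was built from.
    """
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    forms = {lowered, stripped}
    forms |= {form.translate(LEET_MAP) for form in forms}
    forms.discard("")
    return forms


def user_tokens(user_facts):
    """Split known facts about the user into lower-case tokens worth checking."""
    tokens = set()
    for fact in user_facts:
        for token in re.findall(r"[a-z0-9]+", fact.lower()):
            if len(token) >= MIN_TOKEN_LENGTH:
                tokens.add(token)
    return tokens


def screen_password(password, user_facts, dictionary=SAMPLE_DICTIONARY):
    """Return the reasons a proposed password is rejected (empty list = accept)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        # Also covers the blank-password case.
        reasons.append("too_short")

    forms = candidate_forms(password)

    # Weakness 1: guessable from knowledge of the user.
    for token in sorted(user_tokens(user_facts)):
        if any(token in form for form in forms):
            reasons.append("user_derived:" + token)

    # Weakness 2: a dictionary word, possibly disguised.
    for word in sorted(dictionary):
        if word in forms:
            reasons.append("dictionary:" + word)

    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1", "Kowalski#1987", "J0hnSm1th2003!!",
                      "Summer2003!", "quiet-river-owl-lantern-42"):
        print(candidate, "->", screen_password(candidate, SAMPLE_USER_FACTS) or "accepted")
```
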

Detailed Procedures

Verifying Java Proxy Settings

To verify the Java Proxy Settings:

1. From Windows Explorer, select Control Panel.
2. Open the Java Plug-In control panel.
3. Select the Proxies tab.
4. Verify that a check mark appears in the Use Browser Settings check box.

Verifying Microsoft Internet Explorer Options

To verify the Microsoft Internet Explorer Options:

1. From the Microsoft Internet Explorer task bar, select Tools > Internet Options.
2. Select the Advanced tab.
3. Uncheck the Reuse windows for Launching Shortcuts option.

Controls Group 507 E. Michigan Street P.O. Box 423 Milwaukee, WI Published in U.S.A.


More information

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide

Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Grandstream Networks, Inc. GWN7000 Multi-WAN Gigabit VPN Router VPN Configuration Guide Table of Contents SUPPORTED DEVICES... 5 INTRODUCTION... 6 GWN7000 VPN FEATURE... 7 OPENVPN CONFIGURATION... 8 OpenVPN

More information

SonicWALL TZ 150 Getting Started Guide

SonicWALL TZ 150 Getting Started Guide SonicWALL TZ 150 Getting Started Guide SonicWALL TZ 150 Security Appliance Getting Started Guide The SonicWALL TZ 150 is a total security platform delivering true layered security by integrating gateway

More information

Managing the VPN Client

Managing the VPN Client Managing the VPN Client This chapter explains the tasks you can perform to manage connection entries, view and manage event reporting, and upgrade or uninstall the VPN Client software. The management features

More information

LevelOne. User's Guide. Broadband Router FBR-1402TX FBR-1403TX

LevelOne. User's Guide. Broadband Router FBR-1402TX FBR-1403TX LevelOne Broadband Router FBR-1402TX FBR-1403TX User's Guide Table of Contents CHAPTER 1 INTRODUCTION... 1 LevelOne Broadband Router Features... 1 Package Contents... 3 Physical Details...4 CHAPTER 2 INSTALLATION...

More information

Data Communication. Chapter # 5: Networking Threats. By: William Stalling

Data Communication. Chapter # 5: Networking Threats. By: William Stalling Data Communication Chapter # 5: By: Networking Threats William Stalling Risk of Network Intrusion Whether wired or wireless, computer networks are quickly becoming essential to everyday activities. Individuals

More information

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks A Security Whitepaper January, 2004 Photo courtesy of NASA Image exchange. Image use in no way implies endorsement by NASA of any of the

More information

Securing Wireless Networks by By Joe Klemencic Mon. Apr

Securing Wireless Networks by By Joe Klemencic Mon. Apr http://www.cymru.com/ Securing Wireless Networks by By Joe Klemencic (faz@home.com) Mon. Apr 30 2001 Many companies make attempts to embrace new technologies, but unfortunately, many of these new technologies

More information

LevelOne FBR-1405TX. User s Manual. 1-PORT BROADBAND ROUTER W/4 LAN Port

LevelOne FBR-1405TX. User s Manual. 1-PORT BROADBAND ROUTER W/4 LAN Port LevelOne FBR-1405TX 1-PORT BROADBAND ROUTER W/4 LAN Port User s Manual 1 Introduction... 4 Features... 4 Minimum Requirements...4 Package Content... 4 Note...4 Get to know the Broadband Router... 5 Back

More information

Metasys Web Access. Provides full access to M-Alarm for monitoring and acknowledging alarm messages and generating alarm reports

Metasys Web Access. Provides full access to M-Alarm for monitoring and acknowledging alarm messages and generating alarm reports Product Bulletin Issue Date March 17, 2003 Metasys Web Access Comprehensive information access at anytime and from any location: that is how the Metasys Web Access (MWA) software assists you in managing

More information

Network Security Platform 8.1

Network Security Platform 8.1 8.1.7.5-8.1.3.43 M-series Release Notes Network Security Platform 8.1 Revision A Contents About this release New features Enhancements Resolved issues Installation instructions Known issues Product documentation

More information

Multi-Function Wireless Router. User's Guide. Wireless Access Point Broadband Internet Access. 4-Port Switching Hub

Multi-Function Wireless Router. User's Guide. Wireless Access Point Broadband Internet Access. 4-Port Switching Hub Multi-Function Wireless Router Wireless Access Point Broadband Internet Access 4-Port Switching Hub User's Guide Table of Contents CHAPTER 1 INTRODUCTION... 1 Wireless Router Features... 1 Package Contents...

More information

Cisco Unified Serviceability

Cisco Unified Serviceability Cisco Unified Serviceability Introduction, page 1 Installation, page 5 Introduction This document uses the following abbreviations to identify administration differences for these Cisco products: Unified

More information

A Division of Cisco Systems, Inc. 10/100/ Port. VPN Router. User Guide WIRED RV0041. Model No.

A Division of Cisco Systems, Inc. 10/100/ Port. VPN Router. User Guide WIRED RV0041. Model No. A Division of Cisco Systems, Inc. WIRED 10/100/1000 4-Port VPN Router User Guide Model No. RV0041 Copyright and Trademarks Specifications are subject to change without notice. Linksys is a registered trademark

More information