Welcome to PHOENIX CONTACT Routing

Transcription

1 Welcome to PHOENIX CONTACT Routing Kevin Speed Phoenix Contact

2 Need for Cyber Security in the Industrial World Hacks, attacks, broadcast storms, etc. happen every day. Not just an IT problem anymore Inter-connectedness has a lot of plusses, but security must be addressed. Level of expertise needed to pull of an attack is dropping Sophistication of attacks are rising October 2009 May 2010

3 Non-Windows devices can be affected too ANY networked device can be affected or brought down by a Denial of Service (DoS), Spoof or Flooding attack

4 What can you do to help secure your network??? Take control of the situation Everyone has a role to play in Security Work with IT when possible No help from them? It s on you. Whose got skin in the game?

5 What is Routing A way to get from one network/subnet to another Can be Accounting subnet to HR subnet Can be from PxC-USA network to PxC-Germany Can be from Home network to Google.com HR subnet Accounting subnet PxC-USA PC Blomberg Intranet Server Internet

6 Devices in the Same/Other Network R PC 1: PC2: PC1 IP = PC2 IP = Mask = Mask = Network = Network =

7 Simple Enough with mask of Network portion is , host is.4.6 He is on same logical network as all s, i.e. no router with mask of Network is , host is 5 If he wants to talk to he needs to go through a router

8 YES Send the packet to the Destination IP and Destination MAC Send it to the Multi/Broadcast IP and MAC Address Do I have the Destination s MAC address in my ARP cache? NO Broadcast an ARP packet to discover the MAC of your destination IP. YES Get an ARP reply from your destination? Multi/Broadcast YES NO ARP REPLY Unicast or Multi/ Broadcast? Unicast Calculate whether the destination IP address is on my subnet (binary math) Is the Destination on my local subnet? NO Gateway Defined PACKET IS NOT SENT I want to send a packet NO Do I have a Default Gateway defined? NO ARP REPLY Is the Gateway MAC in my ARP Cache? NO Broadcast an ARP packet to discover the MAC of your destination IP. Get an ARP reply from your destination? YES YES Send the packet to the DESTINATION IP and GATEWAY MAC

9 Default Gateway Is the router your PC / network device connects to Should always be on the same subnet as your device Device needs this to talk to other networks No Gateway defined & he won t even try to talk My mguard s IP Address

10 NATing Network Address Translation (NAT) is the translation of an IP address used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses that a company needs and it lets the company use a single IP address in its communication with the world. Neither inside or outside end devices know the traffic has been NAT d

11 NAT IP Masquerading example Internet Routers should always IP Masquerade! Allows those private IPs to be routed on the Internet Corporate Network /24 Internet mguard NAT Web Server SRC IP: SRC Port: 2305 DST IP: DST Port: 80 SRC IP: SRC Port: 80 DST IP: DST Port: 2305 NAT Connection Tracking Table NAT SRC IP: SRC Port: DST IP: DST Port: 80 SRC IP: SRC Port: 80 DST IP: DST Port: 60132

12 1:1 NAT 1:1 NAT is used to connect several subnets to the corporate network, which use the same network IP. Great for situations with multiple identical lines simplifying programming Troubleshooting Maintenance No spreadsheet needed PLC 1 is always Corporate Network /16 mguard 1 mguard 2 mguard 3 mguard 4 Production Site /24 Production Site /24 Production Site /24 Production Site /24

13 1:1 NAT example Production Site /24 Corporate Network / Production Site / ping ping

14 Port Forwarding The headers of data packets incoming from the external network, which are addressed to the mguards external IP address and to one of the ports on the mguard, will be rewritten to forward them to a specific port on a specific system in the internal network. Note: Port forwarding rules have a higher priority than the incoming firewall rules. Therefore they overrule the defined incoming firewall rules! Can access multiple devices through only 1 external IP Can hide a device behind router but still access via specific port

15 Port Forward - Continued Access 2 devices through 1 IP, depending on port you go to

16 Description of Firewalls and how they can help A hardware appliance or software application that will filter traffic based on user-defined or pre-configured rules. Hardware has superior performance, no resource drain on the PC, can protect multiple devices (including non- Windows devices), and will stop traffic BEFORE getting to your device. Local Network

17 Port Forwarding hiding a device Internet http request mguard

18 Firewalling Primary means of defending networks/end devices A hardware appliance or software application that will filter traffic based on user-defined or pre-configured rules. Traffic can be passed through or dropped Can look at different packet attributes MAC, IP, TCP/UDP headers; even some data 18 PHC 0399 Dan Schaffer Marketing Feb 2010

19 Description of Firewalls Hardware has superior performance, no resource drain on the PC, can protect multiple devices (including non- Windows devices), and will stop traffic BEFORE getting to your device. Local Network 19 PHC 0399 Dan Schaffer Marketing Feb 2010

20 Firewalls 3 Main Types ACL list, Stateful Firewall, Deep Packet Inspection/App Proxy Gateway ACL list very basic but also limited; low latency What IP are you coming from, what IP are you going to? Need to setup rules for both halves of the conversation. Stateless (i.e. no protection against Spoofing) Fair amount of manual configuration Is there a rule allowing to talk to ? OK Is there another rule allowing to talk to ? OK I/O s Response Get Data from I/O IP address ACL List style Firewall IP address PHC 0399 Dan Schaffer Marketing Feb 2010

21 Stateful Firewall Stateful Firewall more advanced protection; also low latency Can filter on IP addresses (source and/or destination) Also on protocol (TCP, UDP, Ping, etc.) AND application port Stateful means it keeps track of connection status if you request a web page from Server X, its response is allowed back through. Protects against Spoofing, HiJacking and other attacks Less configuration and more flexibility, still low latency! Is allowed to talk Modbus to ? OK I know this conversation. Response is OK. I/O s Response Get Data from I/O IP address Stateful Firewall IP address PHC 0399 Dan Schaffer Marketing Feb 2010

22 Deep Packet Inspection Firewalls Deep Packet Inspection Checks data of each packet, big latency. More costly, greater processor needs, delays packets Not very suitable for Industrial world, more for IT world where a few hundred ms of latency is tolerable. 10, 50, 100+ ms extra delay in getting response Is allowed to talk Modbus to ? What s in this packet? Reading data? Set Config? Is this OK? What s in this Response? Is this consistent with the baseline? I/O s Response IP address Get Data from I/O Deep Packet Inspection Firewall IP address PHC 0399 Dan Schaffer Marketing Feb 2010

23 1963A Questions?