Machine Remote Access and Network Security Utilizing ewon

by Mike Wojda, mwojda@vcail.com
Vision Control and Automation, division of Standard Electric

1. Overview of ewon Technology

Today, most modern production equipment utilizes programmable devices (PLCs, HMIs, VFDs, etc.) to efficiently control a machine or process. When trouble occurs or minor changes need to be made, remote access to the machine can significantly improve response time and minimize the cost of resolving the issues that occur. Your equipment supplier or equipment support team can utilize an ewon, which provides a very easy way to create an encrypted network connection that allows direct communication exclusively with the designated machine LAN subnet. This connection provides secure control and appropriate firewalls against unauthorized access. Local site concerns about allowing access to a machine at any time can be placed under the direct control of the end user.

[System diagram: DIRECT Encrypted Access to ONLY Machine LAN]

ewon Security 3_2014 rev. e Page 1

2. Secure Tunneling over the Internet

When utilizing an ewon, many current security and industrial networking design principles are embraced, including:

- Encrypted connections
- Network layer zoning or tunneling to a unique machine layer LAN or zone
- Firewall protection for both local and public access
- Required authentication (name and password) with Group Access control
- Activity access logging and reporting

The ewon utilizes cloud-based server(s) (Talk2M) that maintain and manage all ewon remote connections. One of the unique features of the ewon unit is that implementation is both easy and secure. The ewon does not require any special ports or firewall modifications to be made by the user site. If internet access is available via a DHCP server, the ewon is typically plug and go. The ewon utilizes port 80 (general Internet access) and either UDP port 1194 or TCP port 443 for establishing an SSL layer connection (https:) to the Talk2M server. The encryption method utilized is the OpenVPN protocol. Because SSL (OpenVPN) operates at the application layer, it is possible to provide controlled access to specific devices instead of access to the entire corporate LAN, while still utilizing a common network path. The connection is initiated and maintained by the ewon unit itself from inside the remote site.

Each ewon is identified by a unique 36-digit encryption key and serial number and is accessed by ONLY one Talk2M account. While the Talk2M server itself has a public IP address, access to it is only allowed with the ecatcher management software from a Windows-based PC and with proper authentication. Each account is identified by a defined ACCOUNT NAME, and logging in requires a valid USER NAME and PASSWORD for authentication. An unlimited number of USER NAMEs and PASSWORDs is supported. Each USER NAME login is logged and locked to the specific MAC address that was last used at login. This prevents immediate USER NAME and PASSWORD sharing among several users to access the Talk2M server. Group Access Control designates which ewon(s) are accessible by each user.

In the representation of the ewon layout (page 1), the local network (Factory LAN) is used for internet access only, and the encrypted connection data path is shown in green from the remote programming PC to the ewon's designated machine LAN or ZONE. No access to other IP zones at the site is allowed. Access to the ewon itself (for configuration changes) is controlled with a separate, unique USER NAME and PASSWORD with access level control. An ewon unit will ONLY respond to the Talk2M server.

For ewon systems that utilize an optional cellular (GSM) connection, there is no direct path to anything other than the machine LAN zone. Protection is provided by the same topology, in that an ewon will ONLY respond to the Talk2M server. Direct access from a cellular network IP is disabled by default and NOT ALLOWED.

3. Local Control and Access Tracking

When using an ewon for remote access, local site concerns about allowing access to a machine at any time can be placed under the direct control of the end user. Several ways to control access are:

1. Key-switch control (digital input enable)
2. Tag value control from PLC or HMI
3. Physical removal of the internet connection (user unplugs the WAN port)
4. Static IP address control (user site IT managed)
5. VLAN internet access (user site IT managed)
6. Proxy server (user site IT managed)

Additional site security features of the ewon are:

- ewon units are not pingable and will ONLY respond to Talk2M server requests.
- The ewon does not require a static IP address. In fact, knowing the ewon's assigned address has no value for remote access.
- Local access to the Machine LAN zone from the Factory LAN zone is NOT ALLOWED by default.
- Access to IP addresses or other zones (such as the Factory LAN) through the remote connection is NOT ALLOWED.
- ewon devices require a valid user NAME and PASSWORD to make any configuration changes.
- Optional requesting-IP-address security can be implemented on the ewon (login must come from a specific machine IP) for greater security, in addition to the USER NAME and PASSWORD required for configuration changes.

Unlike many other VPN schemes, all connections are monitored, and reports can be generated by the Talk2M account manager that show who made a connection to each device, for how long, and how much data was transferred. Individual ewon access is controlled by the Talk2M account administrator(s). Below is a sample report initiated by the Talk2M account administrator.

[Figure: SAMPLE REPORT of ewon Access]
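The sample report itself is not reproduced on this page, so the following is an added example (not ewon or Talk2M code) that reviews a constructed, CSV-shaped report of the kind the section describes (who connected to which ewon, for how long, how much data) and flags the sessions an account administrator would want to look at first. The column names, sample rows and review thresholds are assumptions for this example.

```python
from datetime import datetime, timedelta

# Constructed sample of a Talk2M-style connection report. The column layout is
# an assumption for this example, not the real ecatcher/Talk2M export format.
SAMPLE_REPORT = """\
user,ewon,start,end,bytes
alice,press-line-3,2014-03-10 09:02:11,2014-03-10 09:40:05,18423111
bob,press-line-3,2014-03-10 22:15:40,2014-03-11 01:02:13,920134
alice,packaging-1,2014-03-11 10:00:00,2014-03-11 10:05:30,2211000000
carol,press-line-3,2014-03-12 13:12:00,2014-03-12 13:30:00,1500000
"""

WINDOW_HOURS = (8, 18)         # assumed support hours; sessions expected to start 08:00-18:00
MAX_DURATION = timedelta(hours=2)
MAX_BYTES = 500 * 1024 * 1024  # 500 MiB; assumed threshold, tune per site

def parse_report(text):
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        for key in ("start", "end"):
            rec[key] = datetime.strptime(rec[key], "%Y-%m-%d %H:%M:%S")
        rec["bytes"] = int(rec["bytes"])
        rows.append(rec)
    return rows

def review_sessions(rows):
    """Return (user, ewon, reason) findings the account administrator should look at."""
    findings = []
    for r in rows:
        if not WINDOW_HOURS[0] <= r["start"].hour < WINDOW_HOURS[1]:
            findings.append((r["user"], r["ewon"], "started outside support hours"))
        if r["end"] - r["start"] > MAX_DURATION:
            findings.append((r["user"], r["ewon"], "session longer than 2 hours"))
        if r["bytes"] > MAX_BYTES:
            findings.append((r["user"], r["ewon"], "unusually large transfer"))
    return findings

def totals_by_user(rows):
    """Per-user session count, connected seconds and bytes, as the report summarises."""
    totals = {}
    for r in rows:
        u = totals.setdefault(r["user"], {"sessions": 0, "seconds": 0, "bytes": 0})
        u["sessions"] += 1
        u["seconds"] += int((r["end"] - r["start"]).total_seconds())
        u["bytes"] += r["bytes"]
    return totals
```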

4. Industrial Networking Design

Early adopters of Ethernet implementation in industrial control and smaller factory systems may have started with, and continue to use, a single IP subnet address range that all equipment was or is tied to (referred to as a "Flat Network"). While this made it easy to access any device within the facility from a single connection, severe security and virus-spreading concerns are now a reality, as anyone or any device with access to this network (including an outside breach of the network, or other remote access schemes such as PC remote viewers) may have unintended access to everything in the facility.

Current industrial Ethernet design refers to industry standards such as ANSI/ISA-99.02.01 and IEC-63443. These standards recommend zone-based network segmentation and secure conduits. The ewon by design REQUIRES that the Machine LAN or zone (the local ewon LAN IP range) and the Factory LAN (the LAN used to access the internet) be different IP subnet ranges. This requires even facilities with a Flat Network to start the process of limiting access and zoning the Machine LAN.

The ewon creates an encrypted and secure conduit from the Talk2M server directly to the designated Machine LAN or zone. Access to other devices or networks within the facility from the ewon remote connection is NOT ALLOWED. (Refer to the system diagram on page 1.) If secured local Factory LAN access to the Machine LAN is required (short-haul or southbound traffic), the ewon's local firewall can be disabled, and several routing options exist to use the ewon as a host or as a local gateway. Access to other devices on the Factory LAN remains blocked from the ewon's remote connection.

More complex networking layouts work with the ewon as well. Creating special encrypted tunnels or conduits from the public zone directly to the designated zone level using VLANs, while not necessary, can optionally be utilized for additional segmentation of network access.

5. Additional Access Control and Security

With the ewon for remote access and the release of ecatcher 4 (the Talk2M client software), many additional features have been added related to the security of, and access to, remote devices.

Extended Password Syntax. In ecatcher 4, password character length, special character requirements and expiration time (number of days before a password expires) can optionally be set by the Talk2M account administrator(s). This gives the flexibility to comply with specific password policies that may be required.

Enhanced Firewall Capabilities. Prior to ecatcher 4, ALL devices connected to the ewon LAN (machine subnet) were reachable by a connected Talk2M user. Now it is possible to allow connections only to specific LAN devices (IP addresses) and on specific ports. In addition, each LAN device can be restricted to a specific protocol. Security levels can also be assigned on each ewon LAN, ranging from firewall access to all devices on the LAN down to declared LAN devices only. Specific protocols (HTTP, FTP, SNMP, etc.) can be declared per device as well.

LAN Devices Display. For easier linking to specific devices (defined with the firewall), each LAN device can be named and displayed on the ecatcher access page, and optionally on the M2Web page, for directed access to specific devices.
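As an added example (not ewon or Talk2M code), the following Python models the rules stated in the sections above: the outbound-only port requirement from section 2, the separate-subnet requirement from section 4, and the ecatcher 4 per-device firewall from section 5 contrasted with the earlier whole-LAN model. The site configuration, the device list, the field names and the sample port assignments are constructed for this example.

```python
import ipaddress

# Constructed sample site configuration (assumed field names, not an ewon export).
SITE = {
    "factory_lan": "192.168.1.0/24",   # only used by the ewon to reach Talk2M
    "machine_lan": "10.10.3.0/24",     # the zone a remote user may enter
    "ewon_lan_ip": "10.10.3.1",
}

# ecatcher-4-style declared LAN devices: (device ip, port, protocol label).
# Sample values are constructed; 502/modbus and 80/http are ordinary port uses.
DEVICE_RULES = [
    ("10.10.3.10", 502, "modbus"),   # PLC: protocol port only
    ("10.10.3.20", 80, "http"),      # HMI: web page only
]

def check_zoning(site):
    """Section 4 rule: the Machine LAN and the Factory LAN must be different,
    non-overlapping subnets, and the ewon's LAN address must sit in the Machine LAN."""
    factory = ipaddress.ip_network(site["factory_lan"])
    machine = ipaddress.ip_network(site["machine_lan"])
    problems = []
    if factory.overlaps(machine):
        problems.append("machine LAN overlaps factory LAN (flat network)")
    if ipaddress.ip_address(site["ewon_lan_ip"]) not in machine:
        problems.append("ewon LAN address is outside the machine LAN")
    return problems

def check_egress(outbound_allowed):
    """Section 2: the ewon only needs outbound TCP/80 plus UDP/1194 or TCP/443;
    returns what a site egress policy is missing (no inbound rule is ever needed)."""
    missing = []
    if ("tcp", 80) not in outbound_allowed:
        missing.append("tcp/80")
    if ("udp", 1194) not in outbound_allowed and ("tcp", 443) not in outbound_allowed:
        missing.append("udp/1194 or tcp/443")
    return missing

def legacy_allowed(dst_ip, site=SITE):
    """Pre-ecatcher-4 model: every address in the Machine LAN reachable, nothing else."""
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(site["machine_lan"])

def remote_access_allowed(dst_ip, dst_port, proto, rules=DEVICE_RULES, site=SITE):
    """ecatcher-4 model: still never outside the Machine LAN, and inside it only
    the declared device/port/protocol triples."""
    if not legacy_allowed(dst_ip, site):
        return False
    return (dst_ip, dst_port, proto) in rules
```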

6. Summary and Review

In summary, when an ewon is utilized for remote access, many of the principles of both modern industrial Ethernet design and remote access security are implemented. It is easy to implement and secure, and access is directed to ONLY the Machine LAN. Some of the highlights are:

- Special software required for Talk2M server access (ecatcher)
- Encrypted (OpenVPN) connection
- Authentication required; each user has a unique USER NAME and PASSWORD
- Site-side implementation REQUIRES a separate Machine LAN or zone
- ewon setup or configuration changes require an additional device user NAME and PASSWORD
- ewon only responds to requests from the Talk2M server (not pingable)
- Talk2M utilization reports for ALL activity

If we were to review what would be required to breach an ewon implementation at a site, several layers of protection exist, such as:

- Access to Talk2M by unauthorized personnel: DENIED. Requires both the ecatcher software and a valid USER NAME, PASSWORD and ACCOUNT NAME for Talk2M access.
- Access to the ewon from another valid Talk2M account login: DENIED. Only the Talk2M account that the ewon is registered to has access.
- Access to the ewon directly from OUTSIDE the site: DENIED. In addition to local firewalls, the ewon is NOT pingable and will not respond to anything but the Talk2M server.
- Access to the ewon directly from INSIDE the site: DENIED. The ewon is NOT pingable and will not respond to anything but the Talk2M server.
- Unauthorized changes to the ewon device: DENIED. A proper user NAME and PASSWORD and ACCESS level permissions (the ewon has 10 levels of ACCESS) are required to make changes.
- Access to ALL devices on the ewon LAN: DENIED if the optional device firewall(s) and access levels are set by the Talk2M administrator.

Additional questions and comments about the ewon can be directed to our engineering support team at www.standardelectricsupply.com/support or by calling 1-800-318-4618.