Building a secure Ethernet environment

The trend toward using Ethernet as the sole communications network for business and industry has raised concerns about security. While proprietary networks for building or factory automation have major drawbacks in terms of limiting information flow and higher cost, the separation of these networks from other systems provides a measure of protection against unauthorized access.

By Frank Prendergast, Schneider Electric, North Andover, MA February 15, 2003
Key Concepts
  • Enclosing devices in a lockable cabinet and limiting access to authorized persons can prevent tampering or accidental decoupling of a device link

  • A firewall provides security from potential intruders.

  • •Physical security and password protection are essential to any security program.

    Sections:
    Logical and physical security
    Routing and switching security
    Virtual LANs
    Firewall technologies
    Authentication technologies
    Secure remote access

    The trend toward using Ethernet as the sole communications network for business and industry has raised concerns about security. While proprietary networks for building or factory automation have major drawbacks in terms of limiting information flow and higher cost, the separation of these networks from other systems provides a measure of protection against unauthorized access. So how do you take advantage of the benefits of Ethernet connectivity within a secure environment?

    A comprehensive security plan must protect against unauthorized access from both internal and external sources. Methods of security can range from technologies based within the infrastructure itself, such as physical connection paths and virtual local area networks (VLANs), to hardware and software-based devices, such as firewalls and security management servers.

    Logical and physical security

    The most secure network, of course, is one that has no connections to other systems. But that defeats the major advantage of Ethernet in the plant — its easy connectivity to other Ethernet networks or the internet for information sharing.

    A frequently overlooked security measure is physically securing switches and wiring closets. Enclosing devices in a lockable cabinet or closet and limiting access to authorized persons can prevent tampering or accidental decoupling of a device link. It also makes sense to secure a backup copy of switch configurations using trivial file transfer protocol (TFTP), a feature found in many switches, each time a change is made. This is not only a security measure, but also a recovery method in case a device fails and requires replacement.

    Another method of easily securing infrastructure devices, such as switches, is password protection. Out of the box, most switches can be accessed using a serial DB-9 console connection. This management interface is used to assign an IP address for remote TCP/IP-based telnet management.

    Default passwords for switches may be standardized across a manufacturer’s entire product line and are published in product documentation and on the web. Many users, including IT organizations, fail to change the default passwords and permissions. If an unauthorized user reaches an unsecured switch, he or she could be in complete command of the switch, with the ability to change configurations or disable ports. Therefore, it is essential that even without an Ethernet connection to the corporate LAN or internet connection that physical security and password protection be part of any security program.

    Web-enabled devices such as switches and modules for programmable logic controllers (PLCs) have extended functionality with graphical interfaces, web hosting, and Java/ActiveX controls (Fig. 1). Once installed on a network, the default password on each device should be changed and additional user IDs created as necessary to restrict services to authorized users only.

    PLC programming tools and SCADA programs can also be configured to have varying levels of access to user logic and other components. CPUs in many PLCs are equipped with keys to allow the CPU to be started or stopped and to protect the internal memory. These keys should be removed and distributed to authorized personnel.

    Particularly in large environments, documenting code changes, device and infrastructure changes, and cabling identification is the key to maintaining the security of devices and programs that may be serviced infrequently.

    Routing and switching security

    As the sophistication of an Ethernet network for building or factory automation grows, features once found only in enterprise-class devices are finding their way into daily use at the workgroup level. Access control features can be configured in some switches and routers to allow only specific workstations to access a device or pass through to a target. These features include “virtual LAN” implementation, port security, password implementation, and access control list filtering on supported switches and routers.

    These special features may not be available on some manufacturers’ products or models, so it is important to check each vendor’s capabilities before specifying or purchasing a particular product. These features may also require specialized skills to configure, administer, and maintain.

    Physical security

    Physical security is crucial to a secure operating environment. Switches and routers must be held in place in a secure and sturdy fashion, preferably installed in a rack or enclosure in a secure area. Network equipment is usually equipped to be restored to factory defaults in case a password is forgotten. For this reason, all ports, including console and auxiliary ports, should be secured by a lock or located in a locked enclosure to prevent unauthorized access.

    Port-based security

    Port security on a switch can prevent unauthorized users from plugging in devices, such as workstations or printers. Devices like these could disrupt network operations by introducing excessive amounts of traffic and errors. Administratively disabling unused ports prevents traffic from entering the network if an unauthorized device is plugged in.

    Port-based hardware address (MAC address) management may be used on a switch in order to deny access to a nonauthorized device. Service is not provided if a nonconfigured MAC address is sensed. This can also be used as a precaution against connecting more than the allotted number of workstations or devices to a port. If a device is replaced with one having a different MAC address, the port assignment must be appropriately reassigned by the network administrator.

    Access lists can also be used on supported switches and routers to permit or deny users from gaining access to specific network devices or specific resources on network devices. This is known as packet and service filtering and is placed on certain interfaces. Using access lists ties up processor resources and must be locally administered on each interface within each routing device. As a result, access lists are not always the most optimal way to secure resources. Proper setup by a professional is crucial when using these filtering devices, since improper setup could render the network inoperable.

    Access control lists

    An example of access control list implementation is to allow a programmer to program a device but to restrict the programmer from accessing the device from a web browser. An access control list is used to accomplish this. The list would allow the programmer to access the device via his workstation, but would prevent the destination port from being port 80, the port a web browser would use to connect to any http host.

    Virtual LANs

    A virtual LAN (VLAN) is a grouping of Ethernet ports on an IEEE 802.1Q-compliant switch or a grouping of switches. A VLAN may be used to help isolate packet and broadcast traffic on a factory automation network, for example, from the IT network. Measures like this are generally reserved for isolating extraneous traffic, such as broadcasts, that may interfere with control communications, but can also be implemented as security tools.

    Switches can be divided into VLANs that could render devices on separate VLANs unreachable. The downside to switch port-based VLANs as a security strategy is management, since a port can belong to multiple VLANs extending across multiple switches.

    Multilayered VLANs can be challenging to administer. For multiple VLANs to span multiple switches, the spanning tree protocol (STP) may have to be disabled as well. For example, if two VLANs exist on each of two switches, each VLAN needs a connection to the corresponding VLAN on the other switch, requiring two links between each switch. STP will disallow multiple links between devices to prevent loops.

    VLANs can also be used to segment broadcast domains within a network. Since VLANs are logically segmented LANs, physical areas do not restrict them. Using VLANs reclaims network bandwidth by breaking down broadcast domains and segments one network of devices from another within the same switch.

    VLAN segmentation is accomplished by assigning the ports of a device into separate VLAN memberships. For example, ports 1 and 2 may be assigned to VLAN1. Ports 3 and 4 may be assigned to VLAN2. Ports 1 and 2 will not see broadcasts or traffic from ports 3 and 4, and vice versa. This separation is accomplished at OSI layer 2. If a third VLAN were created using ports 1, 2, 3, 4, and 5, then a device on port 5 would see all broadcast traffic from ports 1, 2, 3, and 4.

    An example of this type of implementation is when the network administrator separates office computer traffic from PLC or SCADA devices. As these devices may not normally communicate with each other, separating them with a VLAN would allow the two networks to coexist on the same switch.

    Other configurations can be implemented in order to conserve bandwidth for automation or other control devices. These settings include whether or not to pass or block multicasts and rate-limit broadcasts. Other technologies, such as quality of service (QoS) IEEE 802.3p, can prioritize packets on seven levels by setting three bits in the packet header. This allows traffic types or port assignments to have a higher priority if a bottleneck occurs, and can be very useful to prioritize automation traffic. Though not specifically a security measure, it does preserve the integrity of an automation network.

    Firewall technologies

    A firewall is a device that is implemented on a network to provide security from potential intruders. It has more granular control over what can and cannot be accessed from outside the secure network than an access list can provide. A firewall can be a network appliance; a piece of software on a stand-alone server; or router equipped with multiple network adapters or interfaces. A firewall provides this granular control by using its own protocol stack and, depending on the firewall, checks each level of the stack for erroneous information.

    A network appliance firewall is a bundled, ready-to-run, single-purpose computer that provides an operating system and firewall application. The device is tuned for service as a firewall and is managed from a secure workstation “inside” the firewall. A network appliance firewall may be helpful to enterprises as a self-contained solution.

    Other firewall manufacturers provide software that installs onto an existing PC or UNIX workstation with multiple network adapters dedicated to this task. In both cases, some providers offer add-on software and hardware modules for remote authentication and encryption/decryption accelerators for improved performance. These configurations may be helpful to enterprises that require scalability, more interfaces, or other features.

    A firewall works by examining each packet that passes between the two adapters and comparing access rules at several different levels before allowing that packet to pass (Fig. 2). Once a packet has been validated by all of the requirements to pass through, the firewall applies network address translation (NAT). NAT is used to hide the internal network IP addresses by substituting the actual source address with the outside address of the firewall. This acts to hide the original internal addresses of the senders inside the firewall.

    Firewalls allow filtering on MAC and IP addresses, port numbers, or even certain commands and services. Each firewall offers a different level of security depending on the vendor, features, and costs. Selecting and implementing a firewall into any infrastructure requires research, planning and feature/cost comparison.

    Every vendor offers a different set of features, such as authentication support, logging, additional memory, and performance classes. The more security checks performed, for example, the slower transactions will take place. Some firewall management suites also allow rules to be downloaded and applied to other network devices such as routers that may be internal or external.

    Authentication technologies

    Password management for devices can also be an issue. Server platforms are available to centrally administer passwords. These services include remote authentication dial-in user service (RADIUS) and terminal access controller/access controller system (TACACS/TACACS+). These services allow the secure centralized maintenance of logins and passwords. Access to a device, network, or resource such as a server can be centrally administered on such a server. When users request access to a device, the user’s credentials are checked against a database on the server for permission.

    Authentication is the process where a network user establishes an identity. Verifying the identity of a user requires at least one of three authentication factors: a password, a smart card or token with hardware or software, and biometrics. Each of these approaches has different advantages and drawbacks.

    Passwords can be forgotten or shared, compromising the original goal of security. In addition, passwords can be stolen by monitoring keyboard keystrokes or network traffic, by tricking individuals into revealing their password, or with brute force methods such as dictionary attack utilities.

    Smart cards or tokens work in conjunction with hardware or software on the host, so each generated response is unique for every login. While providing strong security measures, smart cards and tokens can be lost or stolen or forgotten, and must be issued and tracked, so they are more expensive than passwords to implement and manage.

    The strongest single approach is biometric authorization, such as fingerprint, retinal or iris scans, voice, or facial recognition. Although it achieves a higher level of security, users also face more inconvenience as a consequence.

    Secure remote access

    As more employees find themselves on assignment outside the office, the need for remote access continues to increase. Remote access servers (RAS) and virtual private network (VPN) are two technologies that offer remote access service.

    With RAS, a remote access client uses the telecommunications infrastructure to create a temporary physical circuit with a port on a remote access server. With VPN, a VPN client uses the internet to create a virtual point-to-point connection with a remote VPN server.

    Although RAS has proven popular, many businesses are looking at low-cost VPN to perform the same functions and reduce telecommunications costs. A VPN can be defined as a means for using the public network infrastructure, such as the internet, to provide private, secure access to applications and corporate network resources for remote employees, business partners, and customers. With a VPN deployed across the internet, virtual private connections can be established from almost anywhere in the world, providing secure access to a central network without having to dial directly into the corporate network.

    VPNs reduce telecommunications costs since the remote user need only connect to a local internet access point rather than dial long distance. A VPN uses a secure tunneled connection, allowing only authenticated users access to the corporate intranet (Fig. 3). With tunneling, each message packet is encapsulated or “wrapped” within an IP packet for transmission across the public network via an encrypted “tunnel.” Encapsulation is presented at the security server or firewall. Upon authentication, the packet is then decoded and unwrapped for forwarding to the destination host.

    There are a number of widely used VPN protocols, including L2TP, IPSec, and SOCKS5. These protocols are the building blocks used to create VPN links. Some of the protocols overlap in functionality and offer similar but complementary capabilities.

    Virtual private networking solutions may be a combination of many different technologies such as encryption, user, and data authentication and access control techniques working together to deliver a VPN solution that protects data privacy and ensures appropriate access control. The technologies that comprise the security component of a VPN are authentication, data encryption, user access control, and event logging.

    The most important differences between VPN and RAS are the client/server software and the communications access. VPN is a much less costly approach in terms of telecommunications, equipment, and personnel costs. Administration can easily be handled by midlevel IT personnel. It is also a more secure approach since user and data authentication and encryption capabilities are inherent in the software.

    More Info: The author is available to answer questions about this article. He can be reached at 978-975-9122, or at frank.prendergast@modicon.com . For more information on this topic, visit our website at plantengineering.com. Article edited by Jack Smith, Senior Editor, 630-288-8783, jsmith@reedbusiness.com