Scalable Secure Remote Access Solutions


Copyright © 2012 Rockwell Automation, Inc. All rights reserved.

Rev 5058-CO900C

Jeffrey A. Shearer, CISSP, PMP, Principal Security Consultant, jashearer@ra.rockwell.com
Jason Dely, CISSP, Principal Security Consultant, jdely@ra.rockwell.com
Scott Friberg

Agenda and Topic List

• What is Remote Access? What are the requirements?
• Secured Remote Access Architectures
• DMZ Architectures
• Remote Desktop Protocol (RDP) Discussion & Demonstrations
• Secured File Transfer & Reverse Web Proxy Demonstrations

Reference Material

• Buy and read operating system reference materials

What is remote access?

• In order to answer this question you need to define the requirements
• What problems are you trying to solve, and who has the problem?
• Requirements generation makes the designer consider:
  – Users / User Personas
  – Problem Statements (i.e. what problem are we trying to solve?)
  – Use Cases

Use Case: Remote Access from Hotel Room. An OEM or SI engineer is in a hotel and must help the customer troubleshoot a PLC or HMI program. The engineer uses the hotel internet connection, connects securely to the machine at the customer site, and is able to view the PLC or HMI code.

Remote Access Requirements (1)

• Required to view a machine’s ControlLogix processor from a hotel room to help troubleshoot the system

(Diagram: OEM, SI, Engineer connecting remotely to the Factory)

Remote Access Requirements (2)

• Required to transfer a file containing ControlLogix code from a laptop to a manufacturing workstation

(Diagram: OEM, SI, Engineer transferring a file to the Factory)

Remote Access Requirements (3)

• Make manufacturing data from FactoryTalk VantagePoint viewable by decision makers who are located in the enterprise (office) zone

(Diagram: FactoryTalk data from the Processing, Filling and Material Handling areas flowing to the Data Center)

Remote Access Challenges

• Industrial Automation and Control System (IACS) applications are often managed by plant personnel, while enterprise-level remote access solutions such as VPNs are the responsibility of the IT organization
• Remote access can expose critical IACS applications to viruses, malware and other risks that may be present on remote or partner computers, potentially impacting manufacturing
• Limiting accessibility to only the functions that are appropriate for remote users


Controlling Access to the Manufacturing Zone

No Direct Traffic Flow from Enterprise to Manufacturing Zone

(Diagram: zone and level model. Levels 5 and 4, Enterprise Zone: Enterprise Network; Site Business Planning and Logistics Network (E-Mail, Intranet, etc.); router. DMZ, between two firewalls: Terminal Services, Patch Management, AV Server, Historian Mirror, Web Services Operations, Application Server; the labels Web, E-Mail and CIP appear at the firewalls. Level 3, Manufacturing Zone, Site Manufacturing Operations and Control: FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller. Level 2, Cell/Area Zone, Area Supervisory Control: FactoryTalk Client, Operator Interface, Engineering Workstation. Level 1, Basic Control: Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control. Level 0: Sensors, Drives, Actuators, Robots.)

High Level Architecture Review

• Remote access involves cooperation between:
  – Enterprise Zone
  – Information Technologies (IT) and infrastructure of the facility
  – Automation Demilitarized Zone (Automation DMZ)
  – Manufacturing Zone
• To design it requires knowledge of the data that must move from the plant to enterprise systems

Enterprise Zone

• “Levels” 4 & 5 owned by Information Technologies (IT)
• Traditionally some VLANs in place
• Campus to Campus communications
• IT knowledgeable with routing and firewalls
• IT will provide VPN services for remote access
• You need to work with IT

Automation DMZ

• Shared ownership by IT and Manufacturing professionals
• Designed to replicate services and data
• Remote Access Services (Terminal Services) located here
• “Typically”:
  – IT owns firewalls
  – IT configures the switches on behalf of Manufacturing professionals
  – Manufacturing professionals own DMZ terminal servers, application servers, patch management

Manufacturing Zone

• Divide plant into functional areas for secured access
• ISA-SP99 “Zones and Conduits” model
• OEM / System Integrator / Engineering participation required
  – IP addresses
  – VLAN IDs
• Access layer to Distribution layer cooperation
• System design requires full


Demilitarized Zone (DMZ)

• Sometimes referred to as a perimeter network that exposes an organization’s external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.

DMZ Topology

• Firewall(s) with three interfaces:
  – Enterprise Interface
  – DMZ Interface
  – Manufacturing Interface
• Firewalls are used to block or allow access to devices on these interfaces based on a set of rules
• There will be assets like switches and servers that are part of the DMZ
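The “no direct traffic flow” rule from the zone diagram and the interface-based rule set described here can be checked mechanically. The Python script below is an added example, not code from Rockwell Automation or from the slides; its subnets, port numbers and rules are constructed for illustration. It evaluates a packet’s source and destination zones against first-match rules with an implicit deny, and lints the rule set for any allow rule that would let the Enterprise and Manufacturing zones talk without passing through the DMZ.

```python
"""Zone-to-zone traffic policy check for a three-interface DMZ firewall.

Added illustration, not Rockwell Automation's code. The zones, ports and
rules are constructed for the example; the design rule they encode is the
one the slides state: no direct traffic between the Enterprise Zone and
the Manufacturing Zone, everything crosses the DMZ.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan, one subnet per firewall interface.
ZONES = {
    "enterprise":    ip_network("10.1.0.0/16"),
    "dmz":           ip_network("10.2.0.0/24"),
    "manufacturing": ip_network("10.3.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str      # "tcp", "udp" or "any"
    dport: int      # 0 = any port
    action: str     # "allow" or "deny"


# Constructed rule set: enterprise users reach the DMZ terminal server over
# HTTPS; only the DMZ server may open RDP into the manufacturing zone; the
# manufacturing zone may pull from DMZ services (patch/AV mirror) over HTTPS;
# a final explicit deny documents the "no direct flow" policy.
RULES = [
    Rule("enterprise", "dmz", "tcp", 443, "allow"),
    Rule("dmz", "manufacturing", "tcp", 3389, "allow"),
    Rule("manufacturing", "dmz", "tcp", 443, "allow"),
    Rule("enterprise", "manufacturing", "any", 0, "deny"),
]


def zone_of(addr: str) -> str:
    """Map an address to the firewall interface (zone) it sits behind."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    raise ValueError(f"{addr} is not in any known zone")


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """First-match evaluation with an implicit deny, like a typical firewall."""
    s, d = zone_of(src), zone_of(dst)
    for r in RULES:
        if (r.src_zone == s and r.dst_zone == d
                and r.proto in ("any", proto) and r.dport in (0, dport)):
            return r.action
    return "deny"


def policy_violations(rules) -> list:
    """Lint: any allow rule joining enterprise and manufacturing directly,
    in either direction, contradicts the DMZ design and is reported."""
    return [r for r in rules
            if r.action == "allow"
            and {r.src_zone, r.dst_zone} == {"enterprise", "manufacturing"}]


if __name__ == "__main__":
    print(evaluate("10.1.5.20", "10.2.0.10", "tcp", 443))    # allow
    print(evaluate("10.1.5.20", "10.3.0.50", "tcp", 3389))   # deny
    print(policy_violations(RULES))                          # []
```

Run the lint over the exported rule base whenever a rule is added; the explicit deny at the end is not what protects the plant, the absence of any matching allow is, which is exactly what the lint checks.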


Remote Desktop Technologies

Remote desktop allows a user to remotely view and control another computer. The user sees the remote computer’s screen while sending keystrokes and mouse movements to the remote computer.

• Two options of Remote Desktop Technologies are discussed today:
  – Option 1 – Host a Remote Desktop Session from the Cisco Firewall
  – Option 2 – Host a Remote Desktop Session from a Microsoft Windows Server 2008 R2 Computer

Remote Desktop Protocol via Cisco Firewall

• Remote Desktop Gateway functionality hosted from the Cisco ASA Firewall
• Same user experience as Microsoft Remote Desktop Gateway
• Configure the firewall to host the RDP session

• Connect to the outside of the Cisco firewall via a web browser (SSL) session
• Continue to inside assets via Remote Desktop Protocol

Remote Desktop Gateway

• Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway, is a role service in the Remote Desktop Services server role included with Windows Server® 2008 R2.
• Enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.
• RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and internal

Remote Desktop Session Host CALs

• Anyone who wants to connect to a Remote Desktop Session Host (Terminal Server) must have a Client Access License (CAL)

Remote Desktop Gateway Configuration

• Add Remote Desktop Role
• Connection Authorization Policies (Users)
• Resource Authorization Policies (Computers)
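RD Gateway decides a connection in two independent steps that correspond to the two policy types listed above: a Connection Authorization Policy (CAP) says who may connect through the gateway, optionally only from member client computers or with a smart card, and a Resource Authorization Policy (RAP) says which internal computers and ports those users may then reach. The Python model below is an added example, not code from Rockwell Automation or Microsoft; the group names, host names and policies are constructed. It shows why a user who passes a CAP is still refused a host that no RAP grants them.

```python
"""Model of RD Gateway authorization: a connection must satisfy a
Connection Authorization Policy (who may reach the gateway) AND a
Resource Authorization Policy (which internal computers they may reach).

Added illustration in Python, not code from Rockwell Automation or
Microsoft; it mirrors the CAP/RAP split the slides list. Group and host
names are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectionAuthPolicy:          # RD CAP: users (and optionally devices)
    name: str
    user_groups: frozenset
    require_smartcard: bool = False
    allowed_client_groups: frozenset = frozenset()   # empty = any client PC


@dataclass(frozen=True)
class ResourceAuthPolicy:            # RD RAP: users -> computer group / ports
    name: str
    user_groups: frozenset
    computer_group: frozenset        # internal hosts the policy covers
    allowed_ports: frozenset = frozenset({3389})


@dataclass
class Session:
    user: str
    user_groups: frozenset
    client_computer: str
    client_groups: frozenset
    target_host: str
    target_port: int = 3389
    smartcard: bool = False


def cap_allows(cap: ConnectionAuthPolicy, s: Session) -> bool:
    if not (cap.user_groups & s.user_groups):
        return False
    if cap.require_smartcard and not s.smartcard:
        return False
    if cap.allowed_client_groups and not (cap.allowed_client_groups & s.client_groups):
        return False
    return True


def rap_allows(rap: ResourceAuthPolicy, s: Session) -> bool:
    return (bool(rap.user_groups & s.user_groups)
            and s.target_host in rap.computer_group
            and s.target_port in rap.allowed_ports)


def authorize(caps, raps, s: Session):
    """Return (allowed, reason). Both a CAP and a RAP must match; the gateway
    evaluates them independently, so a valid user can still be refused a host."""
    if not any(cap_allows(c, s) for c in caps):
        return False, "no CAP permits this user/device"
    if not any(rap_allows(r, s) for r in raps):
        return False, "no RAP permits this target"
    return True, "allowed"


# Constructed policy set: OEM engineers may reach the DMZ terminal server
# only; plant engineers (smart card required) may also reach an engineering
# workstation.
CAPS = [
    ConnectionAuthPolicy("OEM-CAP", frozenset({"OEM-Engineers"})),
    ConnectionAuthPolicy("Plant-CAP", frozenset({"Plant-Engineers"}), require_smartcard=True),
]
RAPS = [
    ResourceAuthPolicy("OEM-RAP", frozenset({"OEM-Engineers"}), frozenset({"DMZ-TS01"})),
    ResourceAuthPolicy("Plant-RAP", frozenset({"Plant-Engineers"}), frozenset({"DMZ-TS01", "ENG-WS01"})),
]


def demo():
    oem = Session("oem.user", frozenset({"OEM-Engineers"}), "LAPTOP1", frozenset(), "DMZ-TS01")
    oem_deep = Session("oem.user", frozenset({"OEM-Engineers"}), "LAPTOP1", frozenset(), "ENG-WS01")
    plant_nocard = Session("plant.user", frozenset({"Plant-Engineers"}), "LAPTOP2", frozenset(), "ENG-WS01")
    return [authorize(CAPS, RAPS, s) for s in (oem, oem_deep, plant_nocard)]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The practical consequence for the DMZ design: the RAP computer group for external parties should list only the DMZ terminal server, so that even a compromised but valid OEM account cannot be pointed at a manufacturing-zone workstation through the gateway.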


Secure Shell (SSH)

• Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution, and other secure network services between two networked computers, which it connects via a secure channel over an insecure network
• This demo is running OpenSSH server on Linux
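For the OpenSSH server used in the demo, the configuration a DMZ-hosted SSH server carries matters more than the protocol itself. The Python auditor below is an added example, not part of the slides; the sshd_config content is constructed, the directive names are real OpenSSH keywords, and the parser follows two sshd_config rules that often surprise administrators: the first value given for a keyword wins, and anything after a Match line applies only conditionally.

```python
"""Audit an OpenSSH sshd_config for settings a remote-access DMZ host should
not carry. Added illustration, not part of the Rockwell Automation slides;
the sample configuration is constructed, the directive names are real
OpenSSH sshd_config keywords.
"""
import re

# Directive -> (acceptable values, reason). Keywords are case-insensitive,
# as sshd treats them. Directives that are absent are reported too: a
# hardened host pins these explicitly instead of relying on defaults.
EXPECTATIONS = {
    "permitrootlogin":        ({"no"}, "root should never log in directly over SSH"),
    "passwordauthentication": ({"no"}, "use key-based authentication only"),
    "permitemptypasswords":   ({"no"}, "empty passwords must be refused"),
    "x11forwarding":          ({"no"}, "not needed for file transfer / shell access"),
    "protocol":               ({"2"},  "SSH protocol 1 is obsolete"),
}

# Matches "Keyword value" or "Keyword=value" (both forms are accepted by sshd).
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_global_section(text: str) -> dict:
    """Return {keyword_lower: first_value} for the global section of sshd_config.

    sshd uses the first value it sees for a keyword, and directives after a
    'Match' line only apply to matching users/hosts, so parsing stops there.
    Comments are stripped at '#' (values containing '#' are not handled)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)     # first occurrence wins
    return settings


def audit(text: str) -> list:
    """Return (directive, actual, expected, reason) tuples for each deviation."""
    settings = parse_global_section(text)
    findings = []
    for key, (expected, reason) in EXPECTATIONS.items():
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "<not set>", sorted(expected)[0], reason))
        elif actual.lower() not in expected:
            findings.append((key, actual, sorted(expected)[0], reason))
    return findings


# Constructed sample: the second PermitRootLogin line is a common mistake,
# it never takes effect because the first one wins.
SAMPLE = """\
# constructed sample sshd_config for the example
Port 22
Protocol 2
PermitRootLogin yes        # first value wins in sshd
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%-24s actual=%-10s expected=%-4s %s" % finding)
```

Run it against the live file (for example by reading /etc/ssh/sshd_config) after every change; the output for the sample lists PermitRootLogin and PasswordAuthentication as still enabled and PermitEmptyPasswords as never pinned.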

Reverse Web Proxy Evolution

(Diagram: Pre-1996 – Web Server behind a Router; Post-1996 – Web Server behind a Reverse Proxy)

• Website servers required protection from web users without depriving them of those services
• In the summer of 1996, the Apache HTTP project wrote an add-on module for the Apache 1.1 web server
• Retrieves resources on behalf of a client from one or more servers
• Hides the existence and characteristics of the origin server(s)

Reverse Web Proxy

• During the early years of the Internet, website administrators recognized the need to prevent their servers from being accessible to web users without depriving them of those services. In the summer of 1996, the Apache HTTP project wrote an add-on module called mod_proxy for the Apache 1.1 web server that allowed it to act as a reverse proxy server.
• A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the reverse proxy itself.
• Reverse proxies can hide the existence and characteristics of the origin
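The two properties above, serving resources as though they came from the proxy and hiding the origin server, come down to what the proxy does with the request path and with the origin’s response headers. The Python functions below are an added example, not Rockwell Automation’s or Apache’s code; they mimic the effect of Apache’s ProxyPass and ProxyPassReverse directives on a constructed redirect from a made-up internal host name, and strip headers that name the origin software.

```python
"""What a reverse proxy does on the way in and out: forward only the
published path prefix to the origin, rewrite origin URLs in redirect headers
back to the public name, and drop headers that reveal the origin.

Added illustration, not Rockwell Automation's or Apache's code; it mimics
the effect of Apache's ProxyPass / ProxyPassReverse directives. All host
names and the origin response are constructed.
"""
from typing import Optional
from urllib.parse import urlsplit

PUBLIC_BASE = "https://portal.example.com/reports"    # what clients see (constructed)
ORIGIN_BASE = "http://vantagepoint.plant.local:8080"  # internal server (constructed)

# Response headers that describe the origin host rather than the content.
ORIGIN_REVEALING = {"server", "x-powered-by", "x-aspnet-version"}


def map_to_origin(public_path: str) -> Optional[str]:
    """Client request path -> origin URL, or None when the path is outside
    the published prefix (the proxy forwards only what is published)."""
    prefix = urlsplit(PUBLIC_BASE).path.rstrip("/")
    if public_path != prefix and not public_path.startswith(prefix + "/"):
        return None
    return ORIGIN_BASE + public_path[len(prefix):]


def rewrite_location(value: str) -> str:
    """ProxyPassReverse-style rewrite: an absolute origin URL becomes public,
    so the client never learns the internal name or port."""
    if value.startswith(ORIGIN_BASE):
        return PUBLIC_BASE + value[len(ORIGIN_BASE):]
    return value


def rewrite_response_headers(headers: list) -> list:
    """Apply the hiding rules to (name, value) pairs from the origin."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname in ORIGIN_REVEALING:
            continue                           # hide origin characteristics
        if lname in ("location", "content-location"):
            value = rewrite_location(value)
        out.append((name, value))
    out.append(("Server", "portal"))           # generic banner from the proxy
    return out


# Constructed origin response: a redirect that would leak the internal name.
ORIGIN_RESPONSE = [
    ("Location", "http://vantagepoint.plant.local:8080/dashboard/login"),
    ("Server", "Microsoft-IIS/7.5"),
    ("X-Powered-By", "ASP.NET"),
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    print(map_to_origin("/reports/dashboard"))
    print(map_to_origin("/admin"))
    for h in rewrite_response_headers(ORIGIN_RESPONSE):
        print("%s: %s" % h)
```

The prefix check in map_to_origin is the part most often forgotten: a proxy that forwards every path, not just the published one, turns the DMZ host into an open door to whatever else the origin serves.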

Summary

• Remote Access involves requirements generation
  – Identifying users and support systems that require access from the enterprise to the manufacturing zone
  – Identifying data flow, source and destination for firewall rule creation
• Often, minimal remote access strategies involve just visibility and file transfer
• DMZs for separation of enterprise and manufacturing zones are recommended

www.rockwellautomation.com
