Copyright © 2012 Rockwell Automation, Inc. All rights reserved.
Rev 5058-CO900C
Scalable Secure Remote Access Solutions
Jeffrey A. Shearer, CISSP, PMP, Principal Security Consultant, jashearer@ra.rockwell.com
Jason Dely, CISSP, Principal Security Consultant, jdely@ra.rockwell.com
Scott Friberg
Agenda and Topic List
• What is Remote Access? What are the requirements?
• Secured Remote Access Architectures
• DMZ Architectures
• Remote Desktop Protocol (RDP) Discussion & Demonstrations
• Secured File Transfer & Reverse Web Proxy Demonstrations
Reference Material
Buy and read operating system reference materials.
What is remote access?
To answer this question you first need to define the requirements: what problems are you trying to solve, and who has the problem?
Requirements generation makes the designer consider:
• Users / user personas
• Problem statements (i.e. what problem are we trying to solve?)
• Use cases
[Diagram: an OEM / System Integrator / Engineering persona mapped to its problem statement and use case]
Use Case: Remote Access from Hotel Room. An OEM or SI engineer is in a hotel and must help the customer troubleshoot a PLC or HMI program. The engineer uses the hotel internet connection, connects securely to the machine at the customer site and is able to view the PLC or HMI code.
Remote Access Requirements (1)
Required to view a machine's ControlLogix processor from a hotel room to help troubleshoot the system.
[Diagram: OEM, SI, Engineer connecting remotely to the Factory]
Remote Access Requirements (2)
Required to transfer a file containing ControlLogix code from a laptop to a manufacturing workstation.
[Diagram: OEM, SI, Engineer transferring a file to the Factory]
Remote Access Requirements (3)
View manufacturing data from FactoryTalk VantagePoint to decision makers who are located in the enterprise (office) zone.
[Diagram: Data Center; Processing, Filling and Material Handling areas; FactoryTalk]
Remote Access Challenges
• Industrial Automation and Control System (IACS) applications are often managed by plant personnel, while enterprise-level remote access solutions such as VPNs are the responsibility of the IT organization.
• Remote access can expose critical IACS applications to viruses, malware and other risks that may be present when using remote or partner computers, potentially impacting manufacturing.
• Access must be limited to only the functions that are appropriate for remote users.
Controlling Access to the Manufacturing Zone
No direct traffic flow from the Enterprise Zone to the Manufacturing Zone.
[Diagram: logical zone model. Enterprise Zone, Level 5 Enterprise Network (Router) and Level 4 Site Business Planning and Logistics Network (E-Mail, Intranet, etc.); Firewall; DMZ with Terminal Services, Patch Management, AV Server, Historian Mirror, Web Services Operations, Application Server (Web, E-Mail, CIP); Firewall; Manufacturing Zone, Level 3 Site Manufacturing Operations and Control (FactoryTalk Application Server, FactoryTalk Directory, Engineering Workstation, Domain Controller); Cell/Area Zone, Level 2 Area Supervisory Control (FactoryTalk Client, Operator Interface, Engineering Workstation), Level 1 Basic Control (Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control), Level 0 (Sensors, Drives, Actuators, Robots)]
High Level Architecture Review
Remote access involves cooperation between Information Technologies (IT) and the infrastructure of the facility. Designing it requires knowledge of the data that must move from the plant to enterprise systems.
[Diagram: Enterprise Zone, Automation Demilitarized Zone (Automation DMZ), Manufacturing Zone]
Enterprise Zone
• "Levels" 4 & 5 owned by Information Technologies (IT)
• Traditionally some VLANs in place
• Campus-to-campus communications
• IT knowledgeable with routing and firewalls
• IT will provide VPN services for remote access
• You need to work with IT
Automation DMZ
• Shared ownership by IT and manufacturing professionals
• Designed to replicate services and data
• Remote Access Services (Terminal Services) located here
"Typically":
• IT owns firewalls
• IT configures the switches on behalf of manufacturing professionals
• Manufacturing professionals own DMZ terminal servers, application servers, patch management
Manufacturing Zone
• Divide plant into functional areas for secured access
• ISA-SP99 "Zones and Conduit" model
• OEM's / System Integrator / Engineering participation required
• IP address, VLAN IDs
• Access layer to distribution layer cooperation
• System design requires full
Demilitarized Zone (DMZ)
Sometimes referred to as a perimeter network, a DMZ exposes an organization's external services to an untrusted network. The purpose of the DMZ is to add an additional layer of security to the trusted network.
DMZ Topology
[Diagram: firewall(s) with an Enterprise interface, a DMZ interface and a Manufacturing interface]
Firewalls are used to block or allow access to devices on these interfaces based on a set of rules.
There will be assets like switches and servers that are part of the DMZ.
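An added example, not from the presentation, that models the three-interface firewall policy just described in Python: first-match rule evaluation plus a check that no rule lets Enterprise Zone traffic reach the Manufacturing Zone directly. The zone names, ports and both rule sets are constructed assumptions.

```python
# Added example (not from the presentation): first-match model of the
# three-interface DMZ firewall. Zones, ports and rules are constructed.
from dataclasses import dataclass
from typing import List

ZONES = ("enterprise", "dmz", "manufacturing")   # the three firewall interfaces


@dataclass(frozen=True)
class Rule:
    src: str       # source interface / zone
    dst: str       # destination interface / zone
    port: int      # TCP destination port, 0 = any port
    action: str    # "allow" or "deny"


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; traffic matching no rule is implicitly denied."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError("unknown zone")
    for r in rules:
        if r.src == src and r.dst == dst and r.port in (0, port):
            return r.action
    return "deny"


def direct_paths(rules: List[Rule]) -> List[Rule]:
    """Rules violating the design invariant: Enterprise Zone traffic must
    terminate in the DMZ and never reach the Manufacturing Zone directly."""
    return [r for r in rules
            if r.action == "allow" and r.src == "enterprise" and r.dst == "manufacturing"]


# Constructed rule set matching the deck's design: remote users reach the
# RD Gateway in the DMZ over HTTPS; only the DMZ host opens RDP inward.
GOOD_RULES = [
    Rule("enterprise", "dmz", 443, "allow"),         # RDP over HTTPS to RD Gateway
    Rule("dmz", "manufacturing", 3389, "allow"),     # RDP from gateway to inside
    Rule("enterprise", "manufacturing", 0, "deny"),  # explicit: no direct path
]

# Same design after a "temporary" shortcut was added at the top of the list.
BAD_RULES = [Rule("enterprise", "manufacturing", 3389, "allow")] + GOOD_RULES
```

Running `direct_paths` over a rule set before it is deployed catches the shortcut even when rule ordering would otherwise hide it.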
Remote Desktop Technologies
Two options for Remote Desktop technologies are discussed today:
• Option 1: Host a Remote Desktop session from the Cisco firewall
• Option 2: Host a Remote Desktop session from a Microsoft Windows Server 2008 R2 computer
Remote Desktop allows a user to remotely view and control another computer. The user sees the remote computer's screen while sending keystrokes and mouse movements to the remote computer.
Remote Desktop Protocol via Cisco Firewall
• Remote Desktop Gateway functionality hosted from the Cisco ASA firewall
• Same user experience as Microsoft Remote Desktop Gateway
• Configure the firewall to host the RDP session
• Connect to the outside of the Cisco firewall by opening a web browser (SSL) session.
• Continue to inside assets via Remote Desktop Protocol.
Remote Desktop Gateway
Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway, is a role service in the Remote Desktop Services server role included with Windows Server® 2008 R2.
It enables authorized remote users to connect to resources on an internal corporate or private network from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.
RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and internal
Remote Desktop Session Host CALs
Anyone who wants to connect to a Remote Desktop Session Host (Terminal Server) must have a Client Access License (CAL).
Remote Desktop Gateway Configuration
• Add the Remote Desktop role
• Connection Authorization Policies (users)
• Resource Authorization Policies (computers)
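An added illustration, not Microsoft's RD Gateway code, of how the two policy types work together: the Connection Authorization Policy decides whether the user may connect to the gateway at all, and a Resource Authorization Policy decides which computers and ports that user may then reach. The group names, host names and policies below are constructed for the example.

```python
# Added illustration (not Microsoft's implementation): RD Gateway authorizes a
# session only when a Connection Authorization Policy (CAP) admits the user
# and a Resource Authorization Policy (RAP) admits the target computer/port.
# Group names, hosts and policies below are constructed for the example.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class ConnectionAuthPolicy:          # CAP: who may connect to the gateway
    name: str
    user_groups: FrozenSet[str]


@dataclass(frozen=True)
class ResourceAuthPolicy:            # RAP: which computers they may reach
    name: str
    user_groups: FrozenSet[str]
    computers: FrozenSet[str]
    ports: FrozenSet[int]


def authorize(user_groups: Iterable[str], target: str, port: int,
              caps: List[ConnectionAuthPolicy],
              raps: List[ResourceAuthPolicy]) -> Tuple[bool, str]:
    """Both stages must pass; the reason names the stage that failed."""
    groups = frozenset(user_groups)
    cap = next((c for c in caps if groups & c.user_groups), None)
    if cap is None:
        return False, "no CAP matched the user"
    for rap in raps:
        if groups & rap.user_groups and target in rap.computers and port in rap.ports:
            return True, f"CAP {cap.name} + RAP {rap.name}"
    return False, f"CAP {cap.name} matched but no RAP allows {target}:{port}"


# Constructed policies: remote OEM/SI engineers may connect, but only to the
# DMZ terminal server, not straight to an engineering workstation.
CAPS = [ConnectionAuthPolicy("Remote-Engineers", frozenset({"RA-RemoteEngineers"}))]
RAPS = [ResourceAuthPolicy("DMZ-TerminalServers",
                           user_groups=frozenset({"RA-RemoteEngineers"}),
                           computers=frozenset({"dmz-ts01.example.local"}),
                           ports=frozenset({3389}))]
```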
Secure Shell (SSH)
• Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution, and other secure network services between two networked computers that it connects via a secure channel over an insecure network.
• This demo is running the OpenSSH server on Linux.
Reverse Web Proxy Evolution
[Diagram: pre-1996, a web server behind a router; post-1996, a web server behind a reverse proxy]
• Website servers required protection from web users without depriving them of those services.
• In the summer of 1996, the Apache HTTP project wrote an add-on module for the Apache 1.1 web server.
• A reverse proxy retrieves resources on behalf of a client from one or more servers.
• It hides the existence and characteristics of the origin server(s).
Reverse Web Proxy
• During the early years of the Internet, website administrators recognized the need to prevent their servers from being directly accessible to web users without depriving them of those services. In the summer of 1996, the Apache HTTP project wrote an add-on module called mod_proxy for the Apache 1.1 web server that allowed it to act as a reverse proxy server.
• A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though they originated from the reverse proxy itself.
• Reverse proxies can hide the existence and characteristics of the origin
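An added example, not from the presentation or the Apache project, of the response rewriting that lets a reverse proxy hide the origin server: it drops headers that identify the origin's software and rewrites redirects that point at the origin's internal name. The host names and the sample origin response are constructed.

```python
# Added example (not from the presentation or Apache): the header rewriting a
# reverse proxy does so clients see only the proxy, never the origin server.
# Host names and the sample origin response are constructed.
from typing import Dict
from urllib.parse import urlsplit, urlunsplit

ORIGIN = "http://web01.plant.internal:8080"   # constructed internal origin server
PUBLIC = "https://reports.example.com"       # constructed public name of the proxy

# Response headers that reveal the origin's software or topology.
REVEALING = {"server", "x-powered-by", "x-aspnet-version", "via"}


def rewrite_response(headers: Dict[str, str], origin: str = ORIGIN,
                     public: str = PUBLIC) -> Dict[str, str]:
    """Return the origin's response headers as the proxy should emit them."""
    o, p = urlsplit(origin), urlsplit(public)
    out: Dict[str, str] = {}
    for name, value in headers.items():
        key = name.lower()
        if key in REVEALING:
            continue                                 # hide origin characteristics
        if key in ("location", "content-location"):
            u = urlsplit(value)
            if u.netloc == o.netloc:                 # redirect points at the origin
                value = urlunsplit((p.scheme, p.netloc, u.path, u.query, u.fragment))
        out[name] = value
    out["Server"] = "reverse-proxy"                  # generic identity only
    return out


# Constructed origin reply: a redirect that leaks the internal host and port.
ORIGIN_RESPONSE = {
    "Server": "Apache/1.1",
    "X-Powered-By": "PHP/4.0",
    "Location": "http://web01.plant.internal:8080/login?next=/dash",
    "Content-Type": "text/html",
}
```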
Summary
• Remote access involves requirements generation
– Identifying users and support systems that require access from the enterprise to the manufacturing zone
– Identifying data flow, source and destination for firewall rule creation
• Often, a minimal remote access strategy involves visibility and file transfer
• DMZs are recommended for separation of the enterprise and manufacturing zones
www.rockwellautomation.com
Follow ROKAutomation on Facebook & Twitter. Connect with us on LinkedIn.