Academic year: 2021


(1)

Copyright © 2012 Rockwell Automation, Inc. All rights reserved.

Securing the Connected Enterprise

Abid Ali

(2)

Why Infrastructure Matters

Rapidly Growing Markets

Global Network Infrastructure and Security Markets

• 13.7% CAGR over the next five years
• 2012 $1.7B market for Industrial Security
• NIST 800 cyber security framework
• Internet of Things – over $3T in Manufacturing
• 12.1% CAGR over the next five years
• 2012 $8.3B market ($900M industrial switches)
• Shift to Ethernet, Virtualization and COTS

(3)


Basic Network Parameters

• Basic business requirements:
  • Confidentiality
  • Integrity
  • Availability
• Secure usability and manageability requirements:
  • Low end-user or end-device impact and high end-user transparency
  • Manageability
  • Low performance impact
  • Authentication, authorization, and auditing
  • Support integration with enterprise applications and remote users

(4)

Assets to Protect

• Endpoints
• Infrastructure
  • Network infrastructure
  • Systems infrastructure
• Applications

(5)


Threats

• Malicious code (malware)
• Distributed denial-of-service (DDoS) attack
• Eavesdropping attacks
• Collateral damage
• Unauthorized access attacks

(6)

Security Approach

• Assess the network
• Security policy
• Security enforcement techniques
• Identification
• Mitigation

(7)


Assess the Network

• Network devices and topology:
  • Switches, routers, firewalls
• End-points:
  • Servers, PCs, HMIs, Programmable Controllers
• Protocols:
  • CIP, PROFINET, SCADA, MODBUS, PTP, HTTPS, SSH, SNMP
• Applications:
  • Studio 5000, TIA Portal, FactoryTalk
• Organization structure:

(8)

Security Policy

• Organizations should have a security policy.
• The security policy enables an organization to follow a consistent program for maintaining an acceptable level of security.
• The security policy defines and constrains behaviors by both personnel and components within the system.
• The security policy identifies vulnerability mitigation.
• The security policy components are as follows:

(9)


Network Device Threats

• Remote access threats:
  • Unauthorized remote access
• Local access and physical threats:
  • Damage to equipment
  • Password recovery
  • Device theft

(10)

Network Device Security Components

• Access control lists (ACLs) to control remote access to a switch
• Switch-based authentication to manage network security
• VLANs for Layer 2 segmentation in the network
• Secure management and monitoring:
  • Secure Shell (SSH) and HTTPS switch access
  • SNMPv3 support for encryption of the protocol used to manage and monitor the network infrastructure
• Port-based security to prevent access from unauthorized devices, including the following:
  • Limited number of allowed MAC addresses on a physical port
  • Limited allowance of MAC address range on a switch port
  • MAC address notification

(11)


Software Updates

• Network devices:
  • The Cisco Product Security Incident Response Team (PSIRT) addresses security issues in Cisco products.
  • http://www.cisco.com/go/psirt
  • The Cisco PSIRT publishes:
    • Cisco Security Advisories
    • Cisco Security Responses
    • Cisco Security Notices
    • Cisco Notification Service
  • Cisco IOS upgrade to fix security issues

Caution: The Cisco IOS upgrade requires downtime. Schedule a maintenance window to perform upgrades.

• HMI, servers, and computers OS:
  • Patch OS to fix security issues
  • Disable automatic updates

(12)

Device-Based Authentication

• Password protection:
  • Enable secret password
  • Line password
• Username and password:

(13)


Switch-Based Authentication (Cont.)

Configuring the Enable Secret Password

IE2K-1(config)# enable secret <password>
IE2K-1(config)# service password-encryption

(14)

Switch-Based Authentication (Cont.)

Configuring the Username and Password Pairs

IE2K-1(config)# username STUDENT password 0 cisco123

IE2K-1(config)# aaa new-model

IE2K-1(config)# aaa authentication login default local


(15)


Remote Device Management

• Remote access to CLI:
  • Telnet
  • SSH
• Remote access to GUI:

(16)

Remote Device Management (Cont.)

Configuring the SSH Server

switch(config)# hostname IE2K-1
IE2K-1(config)# ip domain-name cisco.com
IE2K-1(config)# crypto key generate rsa
The name for the keys will be: IE2K-1.cisco.com
Choose the size of the key modulus in the range of 360 to 4096 for your General Purpose Keys. Choosing a key modulus greater than 512 may take a few minutes.
How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable... [OK] (elapsed time was 5 seconds)
IE2K-1(config)# ip ssh version 2
IE2K-1(config)# line vty 0 15
IE2K-1(config-line)# transport input ssh

IE2K-1# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):

(17)


Remote Device Management (Cont.)

PuTTY Terminal Emulator Settings – SSH connection


(18)

Remote Device Management (Cont.)

(19)


Remote Device Management (Cont.)

(20)

Remote Device Management (Cont.)

Simple Network Management Protocol

• SNMP provides a message format for communication between network devices and network management.
• SNMP versions:
  • SNMPv1
  • SNMPv2C
  • SNMPv3
    • Most secure
    • Username authentication
    • Encrypted communication

(21)


Port Security

Port security allows you to configure interfaces to allow inbound traffic only from a restricted set of MAC addresses.

IE2K-1(config)# interface FastEthernet1/4
IE2K-1(config-if)# switchport mode access
IE2K-1(config-if)# switchport access vlan 21
IE2K-1(config-if)# switchport port-security
IE2K-1(config-if)# switchport port-security mac-address 0000.0200.0004

IE2K-1(config)# interface FastEthernet1/5
IE2K-1(config-if)# switchport mode access
IE2K-1(config-if)# switchport access vlan 21
IE2K-1(config-if)# switchport port-security
IE2K-1(config-if)# switchport port-security mac-address 0000.0200.0005

Figure: secure MAC address 0000.0200.0005 admitted on FastEthernet1/5; nonsecure MAC address 0000.1111.5555 blocked.
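The two interface blocks above pin one secure MAC address to each port and leave the violation mode at its default. The following Python script is an added example, not code from the slides, Rockwell Automation or Cisco: it models that port-security behaviour so the effect of each violation mode can be seen without a switch. The addresses follow the slide's figure (0000.0200.0004, 0000.0200.0005 and the nonsecure 0000.1111.5555); using "restrict" on FastEthernet1/5 is an assumption added to show the alternative to the default "shutdown" mode.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Cisco dotted-hex notation: three groups of exactly four hex digits.
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def normalize_mac(mac: str) -> str:
    """Validate and lower-case a dotted-hex MAC. A malformed entry (for example
    a group with five digits) raises instead of becoming a silently wrong
    allow-list entry that would never match a real frame."""
    m = mac.strip().lower()
    if not MAC_RE.match(m):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return m


def is_valid_mac(mac: str) -> bool:
    """Convenience wrapper for checks that want a boolean rather than an exception."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


@dataclass
class SecurePort:
    """Model of one access port with 'switchport port-security' enabled."""
    name: str
    maximum: int = 1              # IOS default: one secure address per port
    violation: str = "shutdown"   # IOS default mode; 'restrict' and 'protect' are the others
    secure: Set[str] = field(default_factory=set)
    err_disabled: bool = False
    violation_count: int = 0
    log: List[str] = field(default_factory=list)

    def add_static(self, mac: str) -> None:
        """'switchport port-security mac-address <mac>'."""
        m = normalize_mac(mac)
        if m not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError(f"{self.name}: secure address limit {self.maximum} reached")
        self.secure.add(m)

    def ingress(self, src_mac: str) -> str:
        """Process one inbound frame; returns 'forward', 'drop' or 'err-disabled'."""
        if self.err_disabled:
            return "err-disabled"
        m = normalize_mac(src_mac)
        if m in self.secure:
            return "forward"
        if len(self.secure) < self.maximum:
            self.secure.add(m)        # dynamic learning up to the maximum
            return "forward"
        # Unknown source address while the table is full: a security violation
        self.violation_count += 1
        if self.violation == "shutdown":
            self.err_disabled = True
            self.log.append(f"{self.name}: err-disabled after violation from {m}")
            return "err-disabled"
        if self.violation == "restrict":
            self.log.append(f"{self.name}: dropped frame from {m} (violation #{self.violation_count})")
        return "drop"                 # 'protect' drops silently, without a log entry


def demo() -> dict:
    """Replay the slide's scenario: Fa1/4 and Fa1/5 each pinned to one MAC,
    then a frame from the nonsecure address 0000.1111.5555 arrives on each."""
    fa1_4 = SecurePort("FastEthernet1/4")                       # default: shutdown
    fa1_4.add_static("0000.0200.0004")
    fa1_5 = SecurePort("FastEthernet1/5", violation="restrict")  # assumed for contrast
    fa1_5.add_static("0000.0200.0005")
    return {
        "fa1_4": [fa1_4.ingress("0000.0200.0004"),
                  fa1_4.ingress("0000.1111.5555"),
                  fa1_4.ingress("0000.0200.0004")],   # port stays err-disabled
        "fa1_5": [fa1_5.ingress("0000.1111.5555"),
                  fa1_5.ingress("0000.0200.0005")],   # restrict keeps the port up
        "fa1_5_violations": fa1_5.violation_count,
        "log": fa1_4.log + fa1_5.log,
    }


if __name__ == "__main__":
    print(demo())
```

The default "shutdown" mode takes the port err-disabled on the first violation, so the legitimate device behind it is also cut off until an operator clears the port; "restrict" keeps forwarding the secure address and leaves a counter and log entry for the SIEM, which is usually the better fit for a cell where an unplanned outage matters. The strict MAC validation is there because a mistyped address on the allow-list never matches any frame and would only show up as an unexplained violation.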

(22)

VLAN Design Considerations

• Always use a dedicated native VLAN ID for all trunk ports.
• Disable all unused ports and put them in an unused VLAN.
• Do not use VLAN 1 for anything.
• Configure all end device-facing ports as nontrunking (DTP off).
• Explicitly configure trunking on infrastructure ports.
• Set the default port status to nontrunking.

Figure: Cisco Catalyst 3750 switch stack with end-device ports configured as nontrunking.
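The password, SSH, SNMP and VLAN rules on the preceding slides are all things that can be verified against a saved running-config rather than by logging in to each switch. The following Python script is an added example, not part of the slides and not a Cisco or Rockwell Automation tool: it parses IOS-style configuration text into top-level lines and interface/line sections, then reports each rule from the slides that the configuration violates. The configuration text is constructed for the example, and the hostname, interface names, VLAN 999 and the placeholder secret hash are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed running-config excerpt (not from the slides). It deliberately
# mixes hardened and weak settings so every check below has something to do.
SAMPLE_CONFIG = """\
hostname IE2K-1
enable secret 5 $1$abcd$PLACEHOLDER_HASH
service password-encryption
aaa new-model
aaa authentication login default local
ip domain-name example.com
ip ssh version 2
snmp-server community public RO
snmp-server group NETMGMT v3 priv
!
interface GigabitEthernet1/1
 switchport mode trunk
 switchport trunk native vlan 999
!
interface FastEthernet1/4
 switchport mode access
 switchport access vlan 21
 switchport nonegotiate
 switchport port-security
!
interface FastEthernet1/5
 switchport mode access
 switchport access vlan 1
!
interface FastEthernet1/6
 shutdown
 switchport access vlan 999
!
line vty 0 15
 transport input telnet ssh
!
"""


def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split IOS-style config text into top-level lines and a mapping of
    'interface ...' / 'line ...' section headers to their indented children."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            current = None           # '!' ends a section in IOS output
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(stripped)
            continue
        top.append(stripped)
        if stripped.startswith(("interface ", "line ")):
            current = stripped
            sections.setdefault(current, [])
        else:
            current = None
    return top, sections


def audit(text: str) -> List[str]:
    """Return one finding per rule from the slides that the config violates;
    an empty list means every check passed."""
    top, sections = parse_config(text)
    findings: List[str] = []

    def has(prefix: str) -> bool:
        return any(line.startswith(prefix) for line in top)

    # Device-based authentication
    if not has("enable secret"):
        findings.append("no 'enable secret' configured")
    if not has("service password-encryption"):
        findings.append("'service password-encryption' missing")
    if not has("aaa new-model"):
        findings.append("'aaa new-model' missing; login authentication is not enforced")

    # Remote management: SSH version 2 only, no Telnet on the vty lines
    if not has("ip ssh version 2"):
        findings.append("'ip ssh version 2' not set")
    for name, body in sections.items():
        if name.startswith("line vty"):
            transports = [l for l in body if l.startswith("transport input")]
            if not transports or any("telnet" in l or l.endswith(" all") for l in transports):
                findings.append(f"{name}: Telnet accepted; use 'transport input ssh'")

    # SNMP: v1/v2c community strings travel in cleartext; only v3 should remain
    for line in top:
        if line.startswith("snmp-server community"):
            findings.append(f"cleartext SNMP community present: '{line}'")

    # VLAN design considerations
    for name, body in sections.items():
        if not name.startswith("interface "):
            continue
        mode = next((l.split()[-1] for l in body if l.startswith("switchport mode ")), None)
        shut = "shutdown" in body
        if mode == "trunk":
            native = next((l.split()[-1] for l in body
                           if l.startswith("switchport trunk native vlan ")), "1")
            if native == "1":
                findings.append(f"{name}: trunk uses native VLAN 1; dedicate an unused native VLAN")
        elif mode == "access" and "switchport nonegotiate" not in body:
            findings.append(f"{name}: DTP still enabled on an end-device port; add 'switchport nonegotiate'")
        if not shut and "switchport access vlan 1" in body:
            findings.append(f"{name}: assigned to VLAN 1")
        if mode is None and not shut:
            findings.append(f"{name}: no explicit mode and not shut down; park unused ports in an unused VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the sample, the script flags the Telnet transport on the vty lines, the v2c community string, and FastEthernet1/5 twice (DTP left on, VLAN 1 in use); the other interfaces pass. Feeding it the output of "show running-config" collected by a backup job turns the slide's checklist into a repeatable audit across every switch in the cell.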

(23)


Traffic Filtering with ACLs

• An ACL is a list of permit and deny statements.
• An ACL identifies traffic based on the information within the packet.
• After traffic is identified, different actions can be taken.
• ACLs can be used on routers, switches, firewalls, and other network devices.
• Traffic filtering with ACLs:
  • Inbound
  • Outbound

IE2K-1(config)# ip access-list extended REMOTE_MGMT
IE2K-1(config-ext-nacl)# permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
IE2K-1(config-ext-nacl)# exit
IE2K-1(config)# interface GigabitEthernet1/1
IE2K-1(config-if)# ip access-group REMOTE_MGMT in
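The ACL above is evaluated top-down, first match wins, and anything that matches no entry hits the implicit deny at the end. The following Python script is an added example, not code from the slides or from Cisco: it parses extended ACL entries in the same syntax (wildcard masks, "host", "any", an optional "eq" port) and evaluates packets against them, including the implicit deny. REMOTE_MGMT is the slide's ACL verbatim; REMOTE_MGMT_STRICT, the host 10.2.2.10 and the use of TCP port 22 are constructed to show the tighter variant.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

AddrSpec = Tuple[int, int]   # (address, wildcard mask) as 32-bit ints


@dataclass
class Ace:
    """One access control entry of an IOS extended ACL."""
    action: str              # 'permit' or 'deny'
    proto: str               # 'ip', 'tcp', 'udp', 'icmp'
    src: AddrSpec
    dst: AddrSpec
    dport: Optional[int] = None


def _parse_addr(tok: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse the body of an 'ip access-list extended' block into ACEs."""
    aces: List[Ace] = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue          # skips the 'ip access-list extended NAME' header and remarks
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        aces.append(Ace(tok[0], tok[1], src, dst, dport))
    return aces


def _matches(addr: str, spec: AddrSpec) -> bool:
    """Wildcard-mask compare: a 1 bit in the mask means 'don't care'."""
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(aces: List[Ace], src: str, dst: str, proto: str = "ip",
             dport: Optional[int] = None) -> str:
    """Top-down, first-match evaluation; falls through to the implicit deny."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not (_matches(src, ace.src) and _matches(dst, ace.dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # every IOS ACL ends with an implicit 'deny ip any any'


# The slide's ACL, verbatim.
REMOTE_MGMT = """\
ip access-list extended REMOTE_MGMT
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

# Constructed tighter variant: only SSH from one management host is allowed
# into the management subnet; the explicit deny makes the intent visible
# in the config and gives 'show access-lists' a hit counter for blocked traffic.
REMOTE_MGMT_STRICT = """\
ip access-list extended REMOTE_MGMT
 permit tcp host 10.2.2.10 10.1.1.0 0.0.0.255 eq 22
 deny ip any any
"""


if __name__ == "__main__":
    acl = parse_acl(REMOTE_MGMT)
    print(evaluate(acl, "10.2.2.7", "10.1.1.1"))                # permit
    print(evaluate(acl, "192.0.2.5", "10.1.1.1"))               # deny (implicit)
    strict = parse_acl(REMOTE_MGMT_STRICT)
    print(evaluate(strict, "10.2.2.10", "10.1.1.1", "tcp", 22))  # permit
    print(evaluate(strict, "10.2.2.10", "10.1.1.1", "tcp", 23))  # deny
```

Because the ACL is applied with "ip access-group REMOTE_MGMT in", the packets evaluated here are the ones arriving on GigabitEthernet1/1; the source and destination roles swap for return traffic, which is why an outbound ACL needs its own entries.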

(24)

Firewalls

• Firewalls control traffic flow:
  • Isolate interfaces from each other
  • Control connections with security and translation policies
• Firewalls provide:
  • Inter-zone traffic segmentation
  • Access Control Lists (ACLs)

(25)


Intrusion Prevention System

• The IPS prevents attacks against devices:
  • Standalone or integrated in Cisco ASA
  • Inline versus promiscuous mode

Figure: IPS placement between the Enterprise Network DMZ and the Site Manufacturing Operations and Control zone.

(26)

VPNs and Benefits

• VPN usage:
  • Connecting headquarters, plant, and business partners
• VPN characteristics:
  • Virtual – information within a private network is transported over a public network.
  • Private – traffic is

(27)


IPsec

• IPsec acts at the network layer, protecting and authenticating IP packets.
• IPsec is a framework of open standards that is algorithm-independent.
• IPsec services provide four critical functions:

(28)

Cisco SSL VPN Solutions

Figure: SSL VPN topology – remote users over the Internet to a Cisco Catalyst 3750 switch stack.

(29)


Identify Security Incidents

• Port mirroring on routers and switches that feed IPS
• Cisco IOS NetFlow from routers to flow collectors
• Network Management System
• Selected security event types to log:

Event Type       Source          Events
Attribution      DHCP server     IP assignments to machine, MAC address
Attribution      VPN server      IP assignments to user, WAN address
Attribution      NAT gateway     IP assignment translation to RFC 1918
Attribution      802.1x auth     IP assignment to user, MAC address
System activity  Server syslog   • Authentication and authorization
                                 • Services starting and stopping
                                 • Configuration changes
                                 • Security events
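The "Attribution" rows of the table exist so that an IP address seen in a NetFlow record or an IPS alert can be tied back to a machine and a user at the time of the event, which is only possible when the DHCP and 802.1x sources are logged with timestamps. The following Python script is an added example, not from the slides: it parses constructed DHCP and RADIUS/802.1x syslog lines and answers "who had this IP at this time?" by joining the newest lease for the address to the newest authentication result for that MAC. The log lines, host names, user name, year and message formats are all constructed for the example and do not correspond to any particular product's exact output.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed syslog excerpt (not from the slides). The same IP is leased to
# two different machines during the day, so "who had 10.1.1.50?" depends on when.
SAMPLE_LOG = """\
Mar 10 08:00:01 dhcp1 dhcpd: DHCPACK on 10.1.1.50 to 00:00:02:00:00:04 via eth0
Mar 10 08:00:05 nac1 radius: Access-Accept user=jsmith mac=00:00:02:00:00:04 port=Fa1/4
Mar 10 09:30:00 dhcp1 dhcpd: DHCPACK on 10.1.1.50 to 00:00:11:11:55:55 via eth0
Mar 10 09:30:02 nac1 radius: Access-Reject user=unknown mac=00:00:11:11:55:55 port=Fa1/5
"""

DHCP_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on (\S+) to (\S+) via")
AUTH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ radius: Access-(Accept|Reject) "
                     r"user=(\S+) mac=(\S+) port=(\S+)")

YEAR = 2021   # assumed: classic syslog timestamps carry no year


def ts(stamp: str) -> datetime:
    """Turn 'Mar 10 08:00:01' into a datetime using the assumed year."""
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def parse_events(text: str) -> List[Dict]:
    """Extract lease and authentication events; unknown lines are ignored."""
    events: List[Dict] = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            events.append({"ts": ts(m[1]), "kind": "dhcp", "ip": m[2], "mac": m[3].lower()})
            continue
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": ts(m[1]), "kind": "auth", "result": m[2],
                           "user": m[3], "mac": m[4].lower(), "port": m[5]})
    return sorted(events, key=lambda e: e["ts"])


def attribute(events: List[Dict], ip: str, when: datetime) -> Optional[Dict]:
    """Who held `ip` at `when`? Newest lease for the address at or before `when`,
    joined to the newest 802.1x result for that MAC. A rejected authentication
    yields the MAC and port but no user, which is itself a useful signal."""
    lease = max((e for e in events if e["kind"] == "dhcp" and e["ip"] == ip and e["ts"] <= when),
                key=lambda e: e["ts"], default=None)
    if lease is None:
        return None
    auth = max((e for e in events if e["kind"] == "auth" and e["mac"] == lease["mac"]
                and e["ts"] <= when), key=lambda e: e["ts"], default=None)
    return {
        "ip": ip,
        "mac": lease["mac"],
        "lease_at": lease["ts"],
        "user": auth["user"] if auth and auth["result"] == "Accept" else None,
        "port": auth["port"] if auth else None,
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(attribute(evs, "10.1.1.50", ts("Mar 10 08:30:00")))   # jsmith on Fa1/4
    print(attribute(evs, "10.1.1.50", ts("Mar 10 10:00:00")))   # unauthenticated MAC on Fa1/5
```

The point of the "at or before" comparison is that an alert at 10:00 must not be blamed on jsmith, whose lease was superseded at 09:30; without timestamps on the attribution sources, the table on the slide cannot answer that question reliably.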

(30)

Identify Security Incidents (Cont.)

• You can use port mirroring to identify security incidents.
• The SPAN feature allows traffic to be copied from one or more source ports or source VLANs to one or more destination ports on the same switch for capture and analysis.
• SPAN sources:
  • Fast Ethernet
  • Gigabit Ethernet
  • EtherChannel
  • VLANs

Figure: Switched Port Analyzer – the switch copies source-port traffic to the SPAN destination port, where the copies are received.

(31)


Identify Security Incidents (Cont.)

• Configure SPAN to identify security incidents – CLI example:
  • You suspect an attempted DoS attack.
  • The attack comes from outside.

IE2K-1(config)# monitor session 1 source interface GigabitEthernet 1/1
IE2K-1(config)# monitor session 1 filter vlan 105
IE2K-1(config)# monitor session 1 destination interface FastEthernet 1/3

IE2K-1# show monitor session 1
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi1/1
Destination Ports      : Fa1/3
    Encapsulation      : Native
          Ingress      : Disabled
Filter VLANs           : 105

(32)

Identify Security Incidents (Cont.)

 Configure SPAN to identify security incidents – Device Manager:

 Configure > Smartports


(33)


Identify Security Incidents (Cont.)

(34)

Document Security Incidents

Figure: incident record fields – Who? (IP address, host group, country) for both parties; When? (active duration 3 minutes 30 seconds; total duration 2 days 5 hours 56 minutes).

(35)


Summary

• As industrial applications become connected to enterprise systems, industrial applications are exposed to the same types of threats as traditional IT networks.
• Maintaining up-to-date IOS and firmware revisions increases device security.
• Usernames and passwords are used to prevent unauthorized access to switches and routers.
• SSH and HTTPS provide secure remote management.
• VLAN security measures prevent unauthorized access to the network.
• ACLs are used to control traffic to the network.
• Firewalls and IPS are used to protect the control network from threats that could come from the enterprise network.
• VPNs are used to protect sensitive data sent over public networks.
• Traffic monitoring can provide information about attacks.
• Certain information, such as the source IP addresses and target applications,

(36)

Network Security Service Offerings

Converged Plant-wide Ethernet (CPwE) Reference Architectures

• Structured and Hardened IACS Network Infrastructure
• Industrial security policy
• Pervasive security, not a bolt-on component
• Security framework utilizing defense-in-depth approach
• Industrial DMZ implementation
• Remote partner access policy, with robust & secure implementation

Figure: CPwE reference architecture – Enterprise Zone (Levels 4-5) and Enterprise WAN; Industrial Demilitarized Zone (IDMZ) with Cisco ASA 5500 firewalls (active/standby), Catalyst 3750 StackWise switch stack and physical or virtualized servers (patch management, remote gateway services, application mirror, AV server); Level 3 – Site Operations and Level 2 – Area Supervisory Control with Catalyst 6500/4500, HMI, controllers, I/O and drives. Callouts: network device resiliency; VLANs, segmenting domains of trust; standard DMZ design best practices; network infrastructure access control and hardening; physical port security; plant firewall (inter-zone traffic segmentation, ACLs, IPS and IDS, VPN services, portal and terminal server proxy); AAA – application authentication server, Active Directory (AD), remote access server; client hardening; network status and monitoring.

(37)


Global Solutions

Bringing you a world of experience


• Consistent methodology deployed in all locations
• The right team for your project from our worldwide talent
• All major industries
• Any production environment
• Combining technology & application knowledge
• Based on PMI® PMBOK®
• Certified project managers
• Repeatable, measurable, auditable
• Risk management

Domain Expertise: Information | Process | Discrete Automation | Power Motion | Sustainable Production | Technology Migration | Hardware Integration
Global Execution: 80 Countries | 20 Languages | 2500+ Employees | Average 13+ Years Experience | Single point of contact
Project Management

(38)

Follow ROKAutomation on Facebook & Twitter.

Thank you for participating!

Your feedback is valuable!

Please complete the session survey.
