Practical Solutions & Connected Enterprise - Kendall … Solutions & Connected Enterprise ... •...

PUBLIC

Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved. 1

Practical Solutions & Connected Enterprise(N) Network & Information Systems - SALON C

John Gajor, Rockwell AutomationRob Rodriguez-Pelizzari, Kendall Electric

PUBLIC Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved. 2

Practical Solutions & Connected Enterprise

• SWITCH SELECTION – Managed vs. UnManaged

• PHYSICAL LAYER – Structured Cabling and CPwE Best Practices

• INDUSTRIAL NETWORK SECURITY – Protocols, Open Port Strategies, ACLs, Firewalls and VPNs

• LOGICAL LAYER – VLANs, NAT & ROUTING

• TOOLS & RESOURCES


SWITCH SELECTION – Managed vs. UnManaged


Network Switch Product Overview

Stratix 8000/8300

Stratix 5400

Stratix 5410

§ Layer 2 firmware§ 6–20 ports§ IP30 and IP67

On-Machine™ platform

§ Integrated DLR§ Integrated NAT§ IEEE1588 PTP§ PoE/PoE+

§ Layer 2 or layer 3 routing firmware

§ 6–26 ports§ Modular platform

for maximum flexibility

§ IEEE1588 PTP§ PoE/PoE+

§ Layer 2 or Layer 3 routing firmware

§ 8–20 ports§ 4 port or all gig port

versions§ IEEE1588 PTP§ Integrated NAT§ Up to 8 PoE/PoE+ ports§ PRP (RedBox)

Feat

ures

AccessAccess

DistributionDistribution

Stratix 2000

§ 5-16 ports§ Fiber port options§ Gig port option§ Plug & play

Unmanaged

Stratix 6000

§ 5–9 port§ Lightly managed§ Gig Fiber option

§ 19 in Rack Mount§ Layer 2 or Layer 3 routing

firmware§ 28 ports§ All gig ports plus four 10

gig ports§ IEEE1588 PTP§ Up to 8 separate integrated

NAT ports§ Up to 12 PoE/PoE+ ports§ PRP (RedBox)§ DC and AC power input

options

Stratix 5700/ ArmorStratix

Stratix 2500

§ 5-port model§ 8-port model§ Basic § Traffic management§ Diagnostics§ Security

100M/1G 1G/10G100M/1G 100M

Lightly Managed

ManagedManaged


SWITCH SELECTION – Stratix 2500 Lightly Managed Switch

Two Installation Methods • Out of the box” installation that prioritizes traffic, or• Configured for specific applications to support security, resiliency and bandwidth optimization features

• Premier Integration to the Rockwell Automation Integrated Architecture ® system

• Minimized downtime by monitoring traffic flow• Improved network resiliency to help uncover errors before the network stops

• Increased network security with port security to control connections to the network when needed

• Reduced overall TCO with logical segmentation

FLEXIBLE & SCALABLE

Features & BenefitsCOMPACT DESIGN

Offered in 5 and 8 10/100 Mbps fast

EtherNet/IP copper


SWITCH SELECTION – ComparisonStratix 2000 Unmanaged

SwitchStratix 2500 Lightly

Managed SwitchStratix 5700 Managed Switch Lite Firmware

Stratix 5700 Managed Switch Full Firmware

REP ü ü

STP, RSTP, MSTP Resiliency Protocols ü ü ü

Basic QoS Macro ü ü

Motion Prioritized QoS Macro ü

Flexlinks ü

EtherChannel (Link Aggregation) ü ü

Access Control Lists, IEEE 802.1X Security ü

MAC ID Port Security ü ü

Crypto (SSH, SNMP), HTTPS Access ü ü ü

Port Thresholds (Storm Control) ü ü

Port Mirroring ü ü ü

Integrated Device Level Ring (DLR) ü* ü

Network Address Translation (NAT) ü*Static and InterVLAN Routing ü


Why Choose a Full Managed switch over a Lightly Managed Switch?§ The Stratix 5700 differentiates itself from the Stratix 2500 through enhanced failure annunciation capabilities, security,

resiliency protocol support, and flexibility.

§ Higher port density (represented by 6, 10, 18 and 20-port catalogs numbers in Lite Firmware and Full Firmware category), support for up to 4 SFP slots for fiber connectivity, up to 2 Gig ports, up to 4 power over Ethernet (PoE) ports

§ DHCP per port (which simplifies Automatic Device Configuration) for automatic end device IP address assignment

§ Internal Flash and SD card for backup and restore capability

§ Support of REP resiliency protocol

§ Select Stratix 5700 catalog numbers offer integrated DLR, NAT, and support of PTP

§ It is built on Cisco IOS, which provides a command line interface (CLI) as a flexible configuration tool that is familiar to IT professionals

§ Stratix 5700 extends on Stratix 2500 security capabilities through – Access Control Lists, IEEE 802.1x Security, Centralized Authentication capability (RADIUS, TACACS+)


SWITCH SELECTION – ArmorStratix 5700

8

ü IP67-rated for dust and washdown protection

8-port 16-port

24-portBasic Offering


8-port 16-port

24-port

SWITCH SELECTION – ArmorStratix 5700ü IP67-rated for dust and

washdown protectionü8,16 and 24 port versions with

rugged M12 (D-coded) Ethernet Connectors

Basic Offering


8-port 16-port

24-port

SWITCH SELECTION – ArmorStratix 5700ü IP67-rated for dust and

washdown protectionü8,16 and 24 port versions

with rugged M12 (D-coded) Ethernet ConnectorsüPanel/machine mount design for

on-machine connectivity outside of the cabinet

Basic Offering


8-port 16-port

24-port

SWITCH SELECTION – ArmorStratix 5700ü IP67-rated for dust and washdown

protectionü8,16 and 24 port versions with

rugged M12 (D-coded) Ethernet ConnectorsüPanel/machine mount design for

on-machine connectivity outside of the cabinetüDual Power Input

Basic Offering


8-port 16-port

24-port

SWITCH SELECTION – ArmorStratix 5700ü IP67-rated for dust and washdown

protectionü8,16 and 24 port versions with

rugged M12 (D-coded) Ethernet ConnectorsüPanel/machine mount design for

on-machine connectivity outside of the cabinetüDual Power InputüConsole port

Basic Offering


SWITCH SELECTION – ArmorStratix 5700

10-port

18-port

You get all of the features of the base offering in a 10 and 18 port version:ü IP67-rated for dust and washdown

protectionüRugged M12 (D-coded) Ethernet

ConnectorsüPanel/machine mount design for on-

machine connectivity outside of the cabinetüDual Power InputüConsole portüSD card for simplified device

replacementBasic Offering


Stratix 5700 Industrial Managed Switch

The Stratix 5700™ is a compact, scalable Layer 2 managed switch for use in applications from small isolated, to complex networks. The switch combines advanced Cisco technology and premier integration into the Integrated Architecture® to provide solutions for both Information Technology (IT) and Operations Technology (OT) professionals


Stratix 5700 Managed Switch Benefits

Simplified Setup & Maintenance§ SD card for easy device replacement§ Default configurations§ Common Smartports§ DHCP per port IP addressing§ Diagnostics and tools

Optimized Integration§ Embedded Cisco technology provides

integration with enterprise network§ FactoryTalk® View Faceplates for

status monitoring and alarming § Predefined Logix tags help diagnostics

retrieval§ Studio 5000® add-on profiles for

configuration and monitoring

Advanced Features§ Power over Ethernet (PoE and PoE+)

delivers power over a single Ethernet cable§ Network Address Translation (NAT)

reduces commissioning time§ Integrated Device Level Ring (DLR)

connectivity helps optimize the network architecture and provide consolidated network diagnostics

Enhanced Security Options§ Application/project based port access for machine protection§ Encrypted administrative traffic and advanced security features such

as centralized authentication for plant protection


Optimized IntegrationIntegrated Architecture System

Studio 5000® Add-on Profile (AOP) for easy

configuration and monitoring

Pre-designed FactoryTalk® View

faceplates for monitoring and alarming

Pre-defined Logix tags for monitoring and port

control


Simplified Setup and Maintenance Common Configuration and Support Tools

Configure, Manage and Diagnose your network with familiar tools§ Automation Operations Technology (OT)

Professionals§ FactoryTalk Services tightly integrate

into the Integrated Architecture system§ Information Technology (IT) Professionals

§ Cisco CNA, CLI, Cisco Prime tightly integrate into joint Cisco and Rockwell Automation® Converged Plant-wide Ethernet (CPwE) Reference Architectures


Simplified Setup and MaintenanceDefault Configurations and Smartports

Easy Switch configuration without being a network expert§ Express Setup

§ Automatically sets switch configuration for typical automation applications§ Smartports

§ Pre-defined port settings for common automation and network devices like Logix Controllers, Desktop devices and Routers§ Optimizes traffic through the port

and network§ Minimizes latency


Stratix Switch PortfolioIndustrial Control Switches (OT)


PHYSICAL LAYER – CPwE & The Connected Enterprise


Converged Plant-wide Ethernet (CPwE)Collaboration that Bridges the Gap Between IT and OT


Converged Plant-wide Ethernet (CPwE)

ZONE LEVEL 0-2

ZONE LEVEL 3ZONE LEVEL 3

ZONE LEVEL 0-2


Telecommunications Standards

• ANSI/TIA-1005 is explicitly supported by the 568-C cabling standard

• TIA/EIA-568-C Defines cabling types, distances, connectors, cable system architectures, cable termination standards and performance characteristics, cable installation requirements and methods of testing installed cable

• C.0 defines the overall premises infrastructure for copper and fiber cabling

• C.2 addresses components of the copper cabling system

• C.3 addresses components of fiber optic cable systems

ANSI/TIA-568-C.0

(Generic)

TIA-569-B(Pathways and

spaces)

ANSI/TIA-606-A(Administrative)

earthing)

ANSI/TIA-607-B(Bonding and grounding / earthing)

ANSI/TIA-758-A(Outside plant)

systems)

ANSI/TIA-862(Building

automation systems)

ANSI/TIA-568-C.1

(Commercial)

ANSI/TIA-570-B(Residential)

ANSI/TIA-942(Data centers)

ANSI/TIA-1005(Industrial)

ANSI/TIA-1179(Healthcare)

-pair)

ANSI/TIA-568-C.2

(Balanced twisted-pair)ANSI/TIA-568-

C.3(Optical fiber)

ANSI/TIA-568-C.4

(Coaxial)

Common Standards Premises Standards Component Standards

Component Standards

Converged Plant-wide Ethernet (CPwE)


The Connected EnterpriseIN-ROOM™

Connecting Enterprise and the Plant Floor

IN-ROUTE™

Distributing Ethernet Machine-to-Machine

IN-PANEL™

Delivering Ethernet to Machine

IN-FIELD™

Deploying Ethernet on Machine

IN-FRASTRUCTURE™

Supporting the Network from the Ground Up


The Connected Enterprise

Level 3: Site Operations IN-ROOM™

Connecting Enterprise and the Plant Floor

MDC- MICRODATA

CENTERS

Cell Zone AreaIN-ROUTE™

Distributing EthernetMachine-to-Machine

IDF - INDUSTRIAL DISTRIBUTIONFRAMES

Cell Zone AreaIN-PANEL™

Delivering Ethernet to Machine

ZONE – CELLAREA ZONE

CONTROL PANEL

Cell Zone AreaIN-FIELD™

Deploying Ethernet on Machine

HARDENED CABLINGFIBER

AND COPPER

Throughout the ArchitectureIN-FRASTRUCTURE™

Supporting the Network from the Ground Up

GROUNDING AND BONDING, SECURITY, SAFETY

Panduit’s Structured Approach to the Industrial Physical Network


The Connected EnterpriseThe Industrial DMZ - MDC – Micro Data Center

The Physical Separation Between IT & OT


Cell Zone AreaIN-ROUTETM

Distributing EthernetMachine-to-Machine

IDF - INDUSTRIAL DISTRIBUTION FRAMES

The Connected Enterprise - IDF

Distribute Ethernet beyond “IN-ROOM” throughout the plant floor, from machine-to-machine with fiber backbone solutions

An architecture that provides a methodology for deploying a high performing, appropriately segmented network, localizing network traffic, reducing traffic overloads

§ Pre-Configured IDF – deploys and protects rack mount Ethernet switches in industrial applications

§ Network Zone System – deploys plant-wide EtherNet/IP™ networks, incorporating all active and passive equipment


Point to Point Cabling

Single cable terminated to plugsMost often stranded conductors for

flexibility § Solid cable prone to break§ De-rated length

Testing can be inaccuratePlugs can be hard to terminate reliably for

the long term, especially for higher bandwidth cable

Cannot plan for the future§ Extra cables are not secure

28The Connected Enterprise


The Connected EnterpriseFlat vs Zone Architecture

IDF

Traditional IT Cable Deployment: IDF to Device “home runs”


The Connected EnterpriseThe Reality of most networks…


So, What can we do to ensure your network doesn’t end up like this?

The Connected Enterprise


The Connected EnterpriseFlat vs Zone Architecture

IDF IDF

Traditional Cable Deployment Node to network room “home runs”

Zone Architecture Reduced installation time Simplified diagnostics


The Connected EnterpriseZONE Layout / The Panduit ZONE Enclosure


The Connected EnterpriseOther Issues You Have to Address


INDUSTRIAL NETWORK SECURITY –Protocols, Open Port Strategies, ACLs, Firewalls & VPNs


SECURITY & PRODUCTSSince the dawn of the internet we have been populating our networks with all kinds of neat equipment.


SECURITY & PRODUCTSWhat do all of these neat things have in common?

They can ALL be exploited if they aren’t secured.


SECURITY & PRODUCTSWhy secure them? To secure them from what?

Some devices like PLCs were created from an open platform. They send and receive clear text data. Often times, usernames and passwords are included.


SECURITY & PRODUCTSWhy you need to think about the security of your devices on the factory floor.

Devices are added to company networks without strong controls from the use of routers and deep packet inspection.

Some devices have remote access, in many cases, it makes them accessible by anyone, anywhere.


SECURITY – OPEN PORTS

The Open Port Search Engine, Shodan, was launched in 2009 by a computer programmer, John Matherly, who in 2003,[4] conceived of the idea to search for devices linked to the Internet. It started as his pet project based on the fact that large numbers of devices and computer systems are connected to the Internet.

Shodan users are able to find systems including traffic lights, security cameras, home heating systems as well as control systems for water parks, gas stations, water plants, power grids, nuclear power plants and particle-accelerating cyclotrons.


OPEN PORTS - MODBUS


OPEN PORTS - ETHERNET/IP - WORLD


OPEN PORTS - ETHERNET/IP - US


OPEN PORTS - ETHERNET/IP – MICHIGAN


SECURITY & PRODUCTS

Why is it such a big deal if you have a few open ports?


SECURITY & PRODUCTSHaving an open port on any device makes you vulnerable to attacks.


LOGICAL LAYER – VLANs, NAT & ROUTING

Operator Interface

Camera

ControllerCamera Drive


LOGICAL LAYER – Today’s OT NetworkLinear network example


LOGICAL LAYER – Layers 2 & 3

• NAT: Network Address Translation (NAT) provides, • Remote support capabilities of control systems • Flexibility to allow the placement of identical machines on a Ethernet network without network setting changes • Ability to apply consistent configurations to control systems on a network, allowing for exact duplications of

machines / processes• Reduces the need for “public” IP addresses

• Routing/VLAN Routing Provides,• Ability to converge two or more distinct IP scheme into the same network• Ability to converge two or more distinct VLANs into the same network

• Access Control Lists Provide• Grant or restrict access to any of the 65535 destination ports of a TCP/IP Address

• Firewalls Provide• DeMilitarized Zone (DMZ) between the internet and controls network• DeMilitarized Zone (DMZ) between the IT and OT network


LOGICAL LAYER – NAT SOLUTION4 Networks same IP Scheme


LOGICAL LAYER – Routing Solution


LOGICAL LAYER - ACL

Cell/Area Zone - Levels 0–2Star Topology

(Lines, Machines, Skids, Equipment)

Operator Interface

Camera

Controller

Stratix 5410 Distribution Switch

Camera Drive

• Filtering can be done by examining such things as:

- Source IP, MAC ID, or port- Destination IP, MAC ID, or port - Upper layer protocol

• ACLs are implemented the same way in all Stratix™ switches with ACL capabilities

• Only applies to inbound traffic on an interface


LOGICAL LAYER – Firewalls

Firewalls keep track of “legitimate” connections (syn, syn ack, ack)Firewalls reject attempted connections from sources without a syn, syn ack, ack connection historyIf a packet crafting tool is used in an attempt to gain access through the firewall, the firewall will reject packets who’s

sequence numbers are out of range

Firewall10.10.30.10 192.168.10.100

SYN

SYN ACK

ACK

10.10.30.06 Destination 192.168.10.100 Seq # 123456

InsideInterface

OutsideInterface


LOGICAL LAYER – Firewalls

IFW

InlineTransparent Mode

Traffic Traffic

IFW

InlineRouted Mode

Traffic Traffic

IFW

Packet

Packet

Copy of the Packet

Network A Network A

Same Network Addresses on Ingress and Egress Interfaces Different Network Addresses on Ingress and Egress Interfaces(Think “router”)

Network A Network B

Passive Monitor Mode


LOGICAL LAYER – Rockwell NAT Options

9300-ENALayer 3 / VPN

1783-BMS10CGNLayer 2

1783-5950Layer 2/3

1783-BMS20CGNLayer 2

STRATIX 5700 STRATIX 5950ENANATR

1783-NATRLayer 3


LOGICAL LAYER – Rockwell Options

5700

ENA

NATR

5950

WHEN?


LOGICAL LAYER – NAT SOLUTION• How many work cells are involved?

ANSWER: 1 to 4

• How many devices (nodes) do you have in the work cell?

1 to 32 = 1783-NATR

32 to 128 = 9300-ENA 9300-ENA /w VPN

ENANATR1783-NATR


LOGICAL LAYER – Configuration Questions

58

• How many work cells are involved? ANSWER: 4 or more

• Do all of the work cells have unique private IP addresses? ANSWER: 2 or more similar or dissimilar IP’s

• How many devices (nodes) are in the work cell?ANSWER: The 5700 configuration can support an almost limitless amount of nodes. It’s true limit is the switch processor utilization and the amount of data the needs to flow between the private and public networks.

• Are you planning on using a single appliance?ANSWER: If YES, The 5700 configuration can support multiple NAT Tables, meaning it is able to bring multiple work cells together into one public address .

57001783-BMS10CGN1783-BMS20CGN


LOGICAL LAYER – Stratix 5950

• Do all of the work cells have unique private IP addresses?

• With which public network are you converging?

• Are you creating a DMZ between the OT and IT networks?

• Are you creating a firewall between a work cell and the rest of the network?

5950


LOGICAL LAYER – Stratix 5950


SECURITY & PRODUCTS

The following products are available to mitigate the security threats using NAT, ACL & Firewall on an OT network.


LOGICAL LAYER – Summary

1783-NATR = NAT SOLUTION(1 – 4) work cells, (1 – 32) NAT translations, 1 NAT TABLE

9300-ENA = NAT SOLUTION & VPN(1 – 4) work cells, (1 – 128) NAT translations, 1 NAT TABLE

1783-BMS10CGN1783-BMS20CGN = NAT & ACL SOLUTION(4 or more) work cells, 2 or more NAT tables

1783-SAD2T2SPK9 = NAT, ACL, FIREWALL SOLUTION & VPNRouter (DMZ control), Firewall (DMZ control), NAT


TOOLS & RESOURCES

Join www.industrial-ip.org for the latest trends, developments, and implementation advice on the use of IP in industrial applications, don’t leave without registering.

Join www.bicsi.org for the latest ANSI/TIA Standards

Other definitions:TCP Transmission Control ProtocolUDP User Datagram Protocol

Other resourcesSubscribe to www.shodan.io for an open port search engine

http://www.industrial-ip.org

http://www.bicsi.org

http://www.shodan.io

Practical Solutions & Connected Enterprise - Kendall … Solutions & Connected Enterprise ... •...

Documents

Transcript of Practical Solutions & Connected Enterprise - Kendall … Solutions & Connected Enterprise ... •...