Industrial Ethernet Security Design

Analysis of Industrial Ethernet application security issues

(1) In traditional industrial networks, the upper and lower segments use different protocols and cannot interoperate, so a single firewall is enough to prevent unauthorized access from outside. In industrial Ethernet, however, the control layer and the management layer that connect the upper and lower segments use the same protocol and interoperate, so two firewalls are used: the second-stage firewall applies a different authorization policy, shielding the internal network from unauthorized access and assigning different permissions to legitimate users. Logins can also be filtered, and logging adjusted according to policy.

Permissions must be managed strictly, assigned per department and according to each user's operating authority. Because factory applications are highly specialized, rights management effectively prevents unauthorized operation. Access to the operating systems of critical workstations should likewise be restricted, and the built-in device management system must provide a record review function: the database automatically records every device parameter modification event, including who made the change, the reason for it, and the parameter values before and after, so that changes are well documented.
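As an added illustration (not code from the original article) of the two controls just described, the following Python model checks a user's operating authority before a parameter change is applied and records every attempt, allowed or denied, with who, why, before and after. User names, departments and the parameter policy are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample users with their department and operating authority.
USERS = {
    "alice": {"department": "process", "authority": "operator"},
    "bob": {"department": "maintenance", "authority": "engineer"},
    "carol": {"department": "office", "authority": "viewer"},
}
# Constructed policy: which authority levels may modify which parameter.
PARAMETER_POLICY = {
    "setpoint": {"operator", "engineer"},
    "pid_tuning": {"engineer"},
}


@dataclass
class ParameterDevice:
    name: str
    params: dict
    audit: list = field(default_factory=list)  # the record review database

    def modify(self, user, param, new_value, reason):
        """Apply the change only if the user's authority covers this parameter.
        Every attempt is recorded with who, reason, before and after values."""
        before = self.params.get(param)
        info = USERS.get(user, {})
        allowed = info.get("authority") in PARAMETER_POLICY.get(param, set())
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "device": self.name,
            "user": user,
            "department": info.get("department"),
            "parameter": param,
            "reason": reason,
            "before": before,
            "after": new_value if allowed else before,  # denied: value unchanged
            "allowed": allowed,
        })
        if allowed:
            self.params[param] = new_value
        return allowed


def changes_to(device, param):
    """Record review: the modification history of one parameter."""
    return [r for r in device.audit if r["parameter"] == param]
```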

(2) Industrial Ethernet applications can use encryption as the key means of preventing information theft. There are currently two main kinds of cryptography: symmetric and asymmetric. In symmetric cryptography, encryption and decryption use the same secret key, so the key must be distributed before communication can take place, and this part of the system is unsafe. Asymmetric cryptography is therefore used; since industrial Ethernet traffic consists mostly of short cyclic messages, this encryption method is quite fast in that setting and is feasible for industrial Ethernet. Access by external nodes must also be prevented.

(3) The real-time behaviour of industrial Ethernet is currently guaranteed by the following: limiting the communication load, using 100M Fast Ethernet technology to increase bandwidth, and using switched Ethernet with full-duplex communication, which inherently avoids the CSMA/CD mechanism. With the large-scale introduction of IT technology, network interconnection and open automation systems, together with the openness of the TCP/IP protocol itself and emerging viruses and network attacks, network security has become a prominent issue that can affect the real-time performance of industrial Ethernet.

1) Virus attacks. The Internet is full of worms such as Slammer and "Blaster" and other viruses and network attacks. Taking worms as an example: although the direct targets of these attacks are generally the PCs and servers of the information layer, the attack is carried out over the network, so when a large-scale worm outbreak occurs, switches and routers are the first to be affected. Users can only eliminate the worm's effects on the network equipment by restarting the switching and routing equipment and reconfiguring the access control lists. Worm attacks can cause routing instability across the entire network, which can push part of the upper information-layer traffic into the industrial Ethernet, increasing its traffic load and affecting it in practice. In the control layer, many computer terminals are also connected to the industrial Ethernet switches; once a terminal is infected, even if the outbreak does not paralyze the network, it may still consume bandwidth and switch resources.

2) MAC attacks. Industrial Ethernet switches are usually Layer 2 switches, and the MAC address is the basis of the switch's work; the network depends on MAC addresses to ensure normal data forwarding. The dynamic MAC address table is updated after a certain time (the aging time): if a port receives no packets with a given source MAC address within that time, the mapping between that MAC address and the port expires. When the switch then receives packets destined for that MAC address, it floods them, which affects the overall performance of the switch and slows its lookups. Moreover, if an attacker generates a large number of packets, each with a different source MAC address, the switch's MAC address table space fills up, and genuine data streams reaching the switch are flooded out. There are many recent examples of this sophisticated attack and of intrusion by spoofing the switch. Once the table mapping MAC addresses to network segments is broken, the switch is forced to dump its own MAC address table and start failover; it stops filtering network transmissions and behaves like a shared-media device or hub, the CSMA/CD mechanism comes back into play, and the real-time performance of the industrial Ethernet is affected.

The network security technologies currently adopted at the switch layer include the following. Flow control: abnormal traffic flowing through a port is limited to a certain range. Access Control List (ACL) technology: ACLs control access to network resources at the input and output, ensuring that unauthorized access cannot use the network device as an attack target or a springboard. Secure Sockets Layer (SSL): encrypts all HTTP traffic, allowing access to the switch's browser-based management GUI. 802.1x and RADIUS network login: port-based access control with clear authentication and accountability. Source port filtering: allows only specified ports to communicate with each other. Secure Shell (SSHv1/SSHv2): encrypts all data transmitted over IP networks to ensure secure remote CLI access. Secure FTP: allows secure file transfer between switches, avoiding unwanted file downloads or unauthorized copying of switch configuration files. However, applying these security features still raises many practical issues. For example, a switch's flow control can only apply simple rate limiting to the various types of traffic flowing through its ports, limiting abnormal broadcast and multicast traffic to a certain range, but it cannot distinguish normal traffic from abnormal traffic; at the same time, setting an appropriate threshold value is also difficult. Some switches have ACLs, but if the ASIC's support for ACLs is limited, they are still of little use. Switches usually cannot yet give special handling to illegal ARP (source or destination MAC equal to the broadcast address). Routing spoofing, spanning-tree spoofing attacks, 802.1x DoS attacks, and DoS attacks on the switch's network management system are all potential threats the switch faces.
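As an added example (not code from the original article) covering both the MAC table aging and exhaustion described under 2) and the per-port threshold discussed above, the following Python model of a learning switch shows when frames are flooded and how a per-port learning limit flags a port that is learning too many new source addresses. Port numbers, MAC labels, timestamps and the capacity and limit values are constructed.

```python
from collections import OrderedDict


class LearningSwitch:
    """Simplified Layer 2 switch: source-MAC learning, aging, a bounded
    MAC table, and a per-port learning limit that records an alert instead
    of learning (a port-security style threshold)."""

    def __init__(self, ports, capacity=8, age_time=300, max_new_per_port=4):
        self.ports = ports
        self.capacity = capacity            # MAC table size (constructed)
        self.age_time = age_time            # aging time in seconds
        self.max_new_per_port = max_new_per_port
        self.table = OrderedDict()          # mac -> (port, last_seen)
        self.alerts = []                    # (time, port, mac) rejected by limit

    def _age(self, now):
        """Expire entries whose source has been silent longer than age_time."""
        expired = [m for m, (_, seen) in self.table.items()
                   if now - seen > self.age_time]
        for mac in expired:
            del self.table[mac]

    def forward(self, in_port, src, dst, now):
        """Return the set of egress ports for one frame.
        Unknown or aged-out destination -> flood to all other ports.
        Destination on the ingress port -> filtered (empty set)."""
        self._age(now)
        if src in self.table:
            self.table[src] = (in_port, now)   # refresh (or follow a move)
        else:
            learned_here = sum(1 for p, _ in self.table.values() if p == in_port)
            if learned_here >= self.max_new_per_port:
                self.alerts.append((now, in_port, src))   # detect, do not learn
            elif len(self.table) < self.capacity:
                self.table[src] = (in_port, now)
            # else: table exhausted, the source is simply not learned
        entry = self.table.get(dst)
        if entry is None:
            return {p for p in self.ports if p != in_port}  # flood
        if entry[0] == in_port:
            return set()                                    # filter
        return {entry[0]}
```

With a small capacity the model shows a full table turning genuine unicast into flooding; with a small per-port limit it shows the same burst of new addresses being reported instead.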

At the control layer, industrial Ethernet switches can borrow these security technologies, but one must also be aware that an industrial Ethernet switch is mainly used for fast packet forwarding, with forwarding performance emphasized to improve real-time behaviour. Applying these security technologies therefore faces difficult real-time and cost constraints. Current industrial Ethernet applications and designs are based mainly on engineering practice and experience: the network operating system and the main control station, the optimization of the workstation system, and the data transmission between the advanced control station, the database servers and other equipment give a stable network load with a certain periodicity. However, with the need for system integration and expansion, the strong application of IT technology in automation system components, the spread of B/S mode monitoring and so on, studying the network security factors that affect availability has become very necessary, for example buffer capacity under bursty industrial Ethernet traffic and the effect on existing network performance when switches shift from full-duplex switching mode to shared mode. So, on the other hand, industrial Ethernet architecture must start from its own characteristics to deal with these issues.