Understanding IT Network Security for Wireless and Wired Measurement Applications

1. Understanding IT Network Security for Wireless and Wired Measurement Applications Charlie Stiernberg Product Manager, Remote Data Acquisition National Instruments

2. 2 Agenda • Corporate & engineering networks are converging • Risks & benefits of convergence trend • Network security technologies  IT networking overview  Wired security: Firewall, VLAN, QoS  Wireless security: 802.11i, 802.15.4/ZigBee • Pulling it altogether

3. 3 IT & Engineering Network Convergence Traditional Model – Separate Networks for IT/Corporate & Measurement/Control Converged Model – Shared Network for IT/Corporate & Measurement/Control HMI Sensors Motors PLCPAC Control Network Gateway Back-End Servers Business Logic HMI Sensors Motors Wireless DAQ Ethernet DAQ PAC Back-End Servers Business Logic

4. 4 Benefits of a Merged Network • A merged network provides better visibility into business processes and better system management  Lower Total Cost of Ownership  Faster Time to Market  Better Asset Optimization  Broader Risk Management  COTS  Widely available skills Manufacturing Plantwide Systems Business Enterprise Systems Customer Demand Supply Chain Integration Flexible Manufacturing Suppliers

5. 5 Risks of a Merged Network • The Maroochy Shire sewage treatment plant (Australia)  Between January and April 2000 the sewage system experienced 47 unexplainable faults  Millions of liters of sewage were spilled • On October 31, 2001 Vitek Boden was convicted of:  26 counts of willfully using a computer to cause damage  1 count of causing serious environment harm

6. 6 Security is Key • To realize the benefits of COTS technology and a combined Enterprise / Engineering network, proper security is critical Manufacturing Plantwide Systems Business Enterprise Systems Customer Demand Supply Chain Integration Flexible Manufacturing Suppliers

7. 7 IT 101 for Scientists & Engineers The OSI Model Data Unit Layer Function Host Layers Data 7. Application Network process to application 6. Presentation Data representation and encryption 5. Session Inter-host communication Segment 4. Transport End-to-end connections and reliability Media Layers Packet 3. Network Path determination and logical addressing Frame 2. Data Link Physical addressing Bit 1. Physical Media, signal, and binary transmission

8. 8 IT 101 for Scientists & Engineers • Hub – repeats incoming traffic to all other ports regardless of addressee • Switch – sends packets to an appropriate destination based on MAC address. • Router (Layer 3 Switch) – routes packets traveling between LANs in a corporate network or between a LAN and the Internet • WAP – wireless access point provides a wireless extension to the wired network

9. 9 Security Technologies for Measurement & Control Networks Wired Networks • Firewall • Virtual Local Area Network (VLAN) • Quality of Service (QoS) Wireless Networks • IEEE 802.11i and IEEE 802.1X • IEEE 802.15.4 and ZigBee

10. 10 Firewall • Blocks unauthorized access while permitting outward communication • Can also permit, deny, encrypt, decrypt, or proxy all traffic between different security domains

11. 11 Virtual Local Area Networks (VLANs) • OSI Layer 2 technology • Switch ports assigned to a VLAN • Data is only forwarded to ports within the same VLAN • Broadcasts and multicasts are restricted to their respective VLANs • A Layer 3 device (router or Layer 3 switch) can pass messages between different VLANs 1 2 3 4 5 VLAN 1 VLAN 2 VLAN 3

12. 12 VLAN Best Practices • Logically segment networks (ie, instrumentation VLAN vs enterprise VLAN) • Assign VLANs to devices when traffic patterns are known • Limit the flow of producer/consumer traffic outside of required devices • Use Layer 3 switch or router to exchange data between VLANs

13. 13 Quality of Service (QoS) • Intended to overcome traffic congestion for critical applications • Used heavily in VOIP applications • Not originally designed for network security • Combine with VLANs to help mitigate denial of service (DoS) attacks or other network abnormalities • Packets are “tagged” and routed at the switch level based on priority YouTube Instrumentation Oracle YouTube Instrumentation Oracle Before QoS After QoS Network Bandwidth

14. 14 IEEE 802.11 Overview • “Wireless Ethernet” • High bandwidth for streaming / waveform measurements • 10+ years in the IT sector Version Released Frequency Max PHY Rate Max TCP Rate 802.11 1997 2.4 GHz 2 Mb/s 1 Mbps 802.11b 1999 2.4 GHz 11 Mb/s 14.4 Mbps 802.11a 1999 5 GHz 54 Mb/s 24.4 Mbps 802.11g 2003 2.4 GHz 54 Mb/s 24.4 Mbps 802.11n 2009? 2.4 GHz ~540 Mb/s ~100 Mbps

15. 15 IEEE 802.11 (Wi-Fi) Security • Three levels of IEEE 802.11 security  WEP (weak)  WPA (ok)  WPA2 (best) <IEEE 802.11i> • IEEE 802.11i security has two key components  Encryption = data protection  Authentication = access control

16. 16 Encryption • TKIP = Temporal Key Integrity Protocol (WPA) • AES = Advanced Encryption Standard (WPA2)  NIST-endorsed standard for government agencies  FIPS-approved (FIPS 197) Key size (bits) Number of alternative keys Time required at 1 decryption/us Time required at 106 decryptions/us 32 232 = 4.3 x 109 35.8 minutes 2.15 milliseconds 56 256 = 7.2 x 1016 1,142 years 10 hours 128 2128 = 3.4 x 1038 5.4 x 1024 years 5.4 x 1018 years Time required for exhaustive key search (brute force attack) http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

17. 18 Authentication • Three players in 802.11i authentication  Supplicant = client trying to access network (Wi-Fi DAQ)  Authenticator = WAP hardwired to secured network  Authentication Server = verifies identity of client Supplicant Authenticator Authentication Sever

18. 19 IEEE 802.1X Port-Controlled Authentication Uncontrolled Port Controlled Port 802.1X Traffic Non-802.1X Traffic (Blocked) Before Authentication After Authentication 802.1X Traffic Non-802.1X Traffic (Blocked)

19. 20 802.1X (EAP-Request Identity) 802.1X (EAP-Response Identity) EAP Transport (EAP-Response Identity) EAP-specific (mutual) authentication EAP Transport (EAP-Success, PMK) 802.1X (EAP-Success) Derive Pairwise Master Key (PMK) Derive Pairwise Master Key (PMK) 802.1X Backend EAP Transport 802.1X Message Flow

20. 21 EAP = Extensible Authentication Protocol • EAP is a framework with different implementations • ~40 different EAP methods • Some require passwords/user credentials (PEAP) • Some require client-side and/or server-side certificates (EAP-TLS) • EAP can provide mutual authentication for the network and the supplicant

21. 22 IEEE 802.15.4 Overview Application ZigBee Application Layer (APL) ZigBee Network Layer (NWK) 802.15.4 Medium Access Control Layer (MAC) 802.15.4 Physical Layer (PHY) ZigBee Security Service Provider End User ZigBee Alliance IEEE 802.15.4

22. 23 IEEE 802.15.4 Security • Security services defined in the MAC layer • Access Control List (ACL) Mode  The MAC maintains a list of hardware devices addresses with which it will communicate • Secured Mode adds…  AES encryption up to 128 bits  Frame integrity with message integrity code (MIC)  Sequential freshness appends values to MAC frame to prevent replay attacks

23. 24 ZigBee Overview • ZigBee Coordinator – starts and controls the network • ZigBee Routers – extend network coverage • ZigBee End Devices – transmit/receive messages Star Tree Mesh ZC ZC ZC ZR ZR ZR ZRZRZR ZR

24. 25 ZigBee Security • ZigBee security builds on IEEE 802.15.4  Application and Network Layer security  Key management for encryption and authentication • ZigBee Trust Center  Authenticates joining devices  Manages key distribution in the network • Standard Security Mode • High Security Mode

25. 26 ZigBee Security Keys Keys are used for encryption & authentication • Network Keys  All devices on a ZigBee network share the same key • Link Keys  Secure unicast messages between two devices • Master Keys  Used as an initial shared secret between two devices to perform SKKE to generate link key

26. 27 ZigBee Commissioning & Security • Standard security  Preconfigured with active network key  Preconfigured with a Trust Center link key and address • High security  Preconfigured with a Trust Center master key and address • Not preconfigured (not recommended)

27. 28 Pulling it All Together • Logically segmented network (NIST SP 800-82) • Firewalls & VLANs • Demilitarized Zone (DMZ) • QoS for reliability • Wireless link encryption & authentication Measurement & Control Network DMZ Enterprise Internet

28. 29 Summary • Common COTS technology shared between IT and engineering departments can realize great cost savings and process efficiency • Standards-based network security is a key component for the viability of any wired or wireless measurement system • Proper planning and communication will lead to long- term gains

29. 30 For More Information Charlie Stiernberg charlie.stiernberg@ni.com ni.com/wifi

Understanding IT Network Security for Wireless and Wired Measurement Applications

Understanding IT Network Security for Wireless and Wired Measurement Applications

Recommandé

Contenu connexe

Tendances

Tendances(20)

En vedette

En vedette(6)

Similaire à Understanding IT Network Security for Wireless and Wired Measurement Applications

Similaire à Understanding IT Network Security for Wireless and Wired Measurement Applications(20)

Dernier

Dernier(20)

Understanding IT Network Security for Wireless and Wired Measurement Applications

Notes de l'éditeur