practical solutions & connected enterprise - kendall … solutions & connected enterprise...

Post on 06-May-2018


PUBLIC

Copyright © 2017 Rockwell Automation, Inc. All Rights Reserved. 1

Practical Solutions & Connected Enterprise
(N) Network & Information Systems - SALON C

John Gajor, Rockwell Automation
Rob Rodriguez-Pelizzari, Kendall Electric


Practical Solutions & Connected Enterprise

• SWITCH SELECTION – Managed vs. UnManaged

• PHYSICAL LAYER – Structured Cabling and CPwE Best Practices

• INDUSTRIAL NETWORK SECURITY – Protocols, Open Port Strategies, ACLs, Firewalls and VPNs

• LOGICAL LAYER – VLANs, NAT & ROUTING

• TOOLS & RESOURCES


SWITCH SELECTION – Managed vs. UnManaged


Network Switch Product Overview

Stratix 8000/8300

Stratix 5400

Stratix 5410

§ Layer 2 firmware
§ 6–20 ports
§ IP30 and IP67 On-Machine™ platform
§ Integrated DLR
§ Integrated NAT
§ IEEE1588 PTP
§ PoE/PoE+

§ Layer 2 or Layer 3 routing firmware
§ 6–26 ports
§ Modular platform for maximum flexibility
§ IEEE1588 PTP
§ PoE/PoE+

§ Layer 2 or Layer 3 routing firmware
§ 8–20 ports
§ 4 port or all gig port versions
§ IEEE1588 PTP
§ Integrated NAT
§ Up to 8 PoE/PoE+ ports
§ PRP (RedBox)

Features

Access | Distribution

Stratix 2000

§ 5-16 ports
§ Fiber port options
§ Gig port option
§ Plug & play

Unmanaged

Stratix 6000

§ 5–9 port
§ Lightly managed
§ Gig Fiber option

§ 19 in Rack Mount
§ Layer 2 or Layer 3 routing firmware
§ 28 ports
§ All gig ports plus four 10 gig ports
§ IEEE1588 PTP
§ Up to 8 separate integrated NAT ports
§ Up to 12 PoE/PoE+ ports
§ PRP (RedBox)
§ DC and AC power input options

Stratix 5700/ ArmorStratix

Stratix 2500

§ 5-port model
§ 8-port model
§ Basic
§ Traffic management
§ Diagnostics
§ Security

100M/1G | 1G/10G | 100M/1G | 100M

Lightly Managed | Managed


SWITCH SELECTION – Stratix 2500 Lightly Managed Switch

Two Installation Methods
• “Out of the box” installation that prioritizes traffic, or
• Configured for specific applications to support security, resiliency and bandwidth optimization features

• Premier Integration to the Rockwell Automation Integrated Architecture® system

• Minimized downtime by monitoring traffic flow

• Improved network resiliency to help uncover errors before the network stops

• Increased network security with port security to control connections to the network when needed

• Reduced overall TCO with logical segmentation

FLEXIBLE & SCALABLE

Features & Benefits

COMPACT DESIGN

Offered in 5 and 8 10/100 Mbps fast EtherNet/IP copper


SWITCH SELECTION – Comparison

Stratix 2000 Unmanaged Switch | Stratix 2500 Lightly Managed Switch | Stratix 5700 Managed Switch Lite Firmware | Stratix 5700 Managed Switch Full Firmware

REP ✓ ✓

STP, RSTP, MSTP Resiliency Protocols ✓ ✓ ✓

Basic QoS Macro ✓ ✓

Motion Prioritized QoS Macro ✓

Flexlinks ✓

EtherChannel (Link Aggregation) ✓ ✓

Access Control Lists, IEEE 802.1X Security ✓

MAC ID Port Security ✓ ✓

Crypto (SSH, SNMP), HTTPS Access ✓ ✓ ✓

Port Thresholds (Storm Control) ✓ ✓

Port Mirroring ✓ ✓ ✓

Integrated Device Level Ring (DLR) ✓* ✓

Network Address Translation (NAT) ✓*

Static and InterVLAN Routing ✓


Why Choose a Full Managed switch over a Lightly Managed Switch?

§ The Stratix 5700 differentiates itself from the Stratix 2500 through enhanced failure annunciation capabilities, security, resiliency protocol support, and flexibility.

§ Higher port density (represented by 6, 10, 18 and 20-port catalog numbers in Lite Firmware and Full Firmware category), support for up to 4 SFP slots for fiber connectivity, up to 2 Gig ports, up to 4 power over Ethernet (PoE) ports

§ DHCP per port (which simplifies Automatic Device Configuration) for automatic end device IP address assignment

§ Internal Flash and SD card for backup and restore capability

§ Support of REP resiliency protocol

§ Select Stratix 5700 catalog numbers offer integrated DLR, NAT, and support of PTP

§ It is built on Cisco IOS, which provides a command line interface (CLI) as a flexible configuration tool that is familiar to IT professionals

§ Stratix 5700 extends on Stratix 2500 security capabilities through – Access Control Lists, IEEE 802.1x Security, Centralized Authentication capability (RADIUS, TACACS+)


SWITCH SELECTION – ArmorStratix 5700

Basic Offering

8-port, 16-port, 24-port

✓ IP67-rated for dust and washdown protection
✓ 8, 16 and 24 port versions with rugged M12 (D-coded) Ethernet Connectors
✓ Panel/machine mount design for on-machine connectivity outside of the cabinet
✓ Dual Power Input
✓ Console port


SWITCH SELECTION – ArmorStratix 5700

10-port, 18-port

You get all of the features of the base offering in a 10 and 18 port version:
✓ IP67-rated for dust and washdown protection
✓ Rugged M12 (D-coded) Ethernet Connectors
✓ Panel/machine mount design for on-machine connectivity outside of the cabinet
✓ Dual Power Input
✓ Console port
✓ SD card for simplified device replacement

Basic Offering


Stratix 5700 Industrial Managed Switch

The Stratix 5700™ is a compact, scalable Layer 2 managed switch for use in applications ranging from small isolated networks to complex networks. The switch combines advanced Cisco technology and premier integration into the Integrated Architecture® to provide solutions for both Information Technology (IT) and Operations Technology (OT) professionals.


Stratix 5700 Managed Switch Benefits

Simplified Setup & Maintenance
§ SD card for easy device replacement
§ Default configurations
§ Common Smartports
§ DHCP per port IP addressing
§ Diagnostics and tools

Optimized Integration
§ Embedded Cisco technology provides integration with enterprise network
§ FactoryTalk® View Faceplates for status monitoring and alarming
§ Predefined Logix tags help diagnostics retrieval
§ Studio 5000® add-on profiles for configuration and monitoring

Advanced Features
§ Power over Ethernet (PoE and PoE+) delivers power over a single Ethernet cable
§ Network Address Translation (NAT) reduces commissioning time
§ Integrated Device Level Ring (DLR) connectivity helps optimize the network architecture and provide consolidated network diagnostics

Enhanced Security Options
§ Application/project based port access for machine protection
§ Encrypted administrative traffic and advanced security features such as centralized authentication for plant protection


Optimized Integration
Integrated Architecture System

Studio 5000® Add-on Profile (AOP) for easy configuration and monitoring

Pre-designed FactoryTalk® View faceplates for monitoring and alarming

Pre-defined Logix tags for monitoring and port control


Simplified Setup and Maintenance
Common Configuration and Support Tools

Configure, Manage and Diagnose your network with familiar tools
§ Automation Operations Technology (OT) Professionals
  § FactoryTalk Services tightly integrate into the Integrated Architecture system
§ Information Technology (IT) Professionals
  § Cisco CNA, CLI, Cisco Prime tightly integrate into joint Cisco and Rockwell Automation® Converged Plant-wide Ethernet (CPwE) Reference Architectures


Simplified Setup and Maintenance
Default Configurations and Smartports

Easy Switch configuration without being a network expert
§ Express Setup
  § Automatically sets switch configuration for typical automation applications
§ Smartports
  § Pre-defined port settings for common automation and network devices like Logix Controllers, Desktop devices and Routers
  § Optimizes traffic through the port and network
  § Minimizes latency


Stratix Switch Portfolio
Industrial Control Switches (OT)


PHYSICAL LAYER – CPwE & The Connected Enterprise


Converged Plant-wide Ethernet (CPwE)
Collaboration that Bridges the Gap Between IT and OT


Converged Plant-wide Ethernet (CPwE)

ZONE LEVEL 0-2

ZONE LEVEL 3


Telecommunications Standards

• ANSI/TIA-1005 is explicitly supported by the 568-C cabling standard

• TIA/EIA-568-C Defines cabling types, distances, connectors, cable system architectures, cable termination standards and performance characteristics, cable installation requirements and methods of testing installed cable

• C.0 defines the overall premises infrastructure for copper and fiber cabling

• C.2 addresses components of the copper cabling system

• C.3 addresses components of fiber optic cable systems

Common Standards
• ANSI/TIA-568-C.0 (Generic)
• TIA-569-B (Pathways and spaces)
• ANSI/TIA-606-A (Administrative)
• ANSI/TIA-607-B (Bonding and grounding / earthing)
• ANSI/TIA-758-A (Outside plant)
• ANSI/TIA-862 (Building automation systems)

Premises Standards
• ANSI/TIA-568-C.1 (Commercial)
• ANSI/TIA-570-B (Residential)
• ANSI/TIA-942 (Data centers)
• ANSI/TIA-1005 (Industrial)
• ANSI/TIA-1179 (Healthcare)

Component Standards
• ANSI/TIA-568-C.2 (Balanced twisted-pair)
• ANSI/TIA-568-C.3 (Optical fiber)
• ANSI/TIA-568-C.4 (Coaxial)

Converged Plant-wide Ethernet (CPwE)


The Connected Enterprise

IN-ROOM™

Connecting Enterprise and the Plant Floor

IN-ROUTE™

Distributing Ethernet Machine-to-Machine

IN-PANEL™

Delivering Ethernet to Machine

IN-FIELD™

Deploying Ethernet on Machine

IN-FRASTRUCTURE™

Supporting the Network from the Ground Up


The Connected Enterprise

Level 3: Site Operations
IN-ROOM™
Connecting Enterprise and the Plant Floor
MDC - MICRO DATA CENTERS

Cell Zone Area
IN-ROUTE™
Distributing Ethernet Machine-to-Machine
IDF - INDUSTRIAL DISTRIBUTION FRAMES

Cell Zone Area
IN-PANEL™
Delivering Ethernet to Machine
ZONE – CELL AREA ZONE CONTROL PANEL

Cell Zone Area
IN-FIELD™
Deploying Ethernet on Machine
HARDENED CABLING FIBER AND COPPER

Throughout the Architecture
IN-FRASTRUCTURE™
Supporting the Network from the Ground Up
GROUNDING AND BONDING, SECURITY, SAFETY

Panduit’s Structured Approach to the Industrial Physical Network


The Connected Enterprise
The Industrial DMZ - MDC – Micro Data Center

The Physical Separation Between IT & OT


Cell Zone Area
IN-ROUTE™

Distributing Ethernet Machine-to-Machine

IDF - INDUSTRIAL DISTRIBUTION FRAMES

The Connected Enterprise - IDF

Distribute Ethernet beyond “IN-ROOM” throughout the plant floor, from machine-to-machine with fiber backbone solutions

An architecture that provides a methodology for deploying a high performing, appropriately segmented network, localizing network traffic, reducing traffic overloads

§ Pre-Configured IDF – deploys and protects rack mount Ethernet switches in industrial applications

§ Network Zone System – deploys plant-wide EtherNet/IP™ networks, incorporating all active and passive equipment


Point to Point Cabling

Single cable terminated to plugs

Most often stranded conductors for flexibility
§ Solid cable prone to break
§ De-rated length

Testing can be inaccurate

Plugs can be hard to terminate reliably for the long term, especially for higher bandwidth cable

Cannot plan for the future
§ Extra cables are not secure

The Connected Enterprise


The Connected Enterprise
Flat vs Zone Architecture

IDF

Traditional IT Cable Deployment: IDF to Device “home runs”


The Connected Enterprise
The Reality of most networks…


So, what can we do to ensure your network doesn’t end up like this?

The Connected Enterprise


The Connected Enterprise
Flat vs Zone Architecture

IDF IDF

Traditional Cable Deployment: Node to network room “home runs”

Zone Architecture: Reduced installation time, Simplified diagnostics


The Connected Enterprise
ZONE Layout / The Panduit ZONE Enclosure


The Connected Enterprise
Other Issues You Have to Address


INDUSTRIAL NETWORK SECURITY – Protocols, Open Port Strategies, ACLs, Firewalls & VPNs


SECURITY & PRODUCTS
Since the dawn of the internet we have been populating our networks with all kinds of neat equipment.


SECURITY & PRODUCTS
What do all of these neat things have in common?

They can ALL be exploited if they aren’t secured.


SECURITY & PRODUCTS
Why secure them? To secure them from what?

Some devices like PLCs were created from an open platform. They send and receive clear text data. Oftentimes, usernames and passwords are included.


SECURITY & PRODUCTS
Why you need to think about the security of your devices on the factory floor.

Devices are added to company networks without the strong controls that routers and deep packet inspection provide.

Some devices have remote access, which in many cases makes them accessible by anyone, anywhere.


SECURITY – OPEN PORTS

The Open Port Search Engine, Shodan, was launched in 2009 by a computer programmer, John Matherly, who in 2003 conceived of the idea to search for devices linked to the Internet. It started as his pet project based on the fact that large numbers of devices and computer systems are connected to the Internet.

Shodan users are able to find systems including traffic lights, security cameras, home heating systems as well as control systems for water parks, gas stations, water plants, power grids, nuclear power plants and particle-accelerating cyclotrons.


OPEN PORTS - MODBUS


OPEN PORTS - ETHERNET/IP - WORLD


OPEN PORTS - ETHERNET/IP - US


OPEN PORTS - ETHERNET/IP – MICHIGAN


SECURITY & PRODUCTS

Why is it such a big deal if you have a few open ports?


SECURITY & PRODUCTS
Having an open port on any device makes you vulnerable to attacks.


LOGICAL LAYER – VLANs, NAT & ROUTING

Operator Interface

Camera

Controller

Camera

Drive


LOGICAL LAYER – Today’s OT Network
Linear network example


LOGICAL LAYER – Layers 2 & 3

• NAT: Network Address Translation (NAT) provides:
  • Remote support capabilities of control systems
  • Flexibility to allow the placement of identical machines on an Ethernet network without network setting changes
  • Ability to apply consistent configurations to control systems on a network, allowing for exact duplications of machines / processes
  • Reduces the need for “public” IP addresses

• Routing/VLAN Routing provides:
  • Ability to converge two or more distinct IP schemes into the same network
  • Ability to converge two or more distinct VLANs into the same network

• Access Control Lists provide:
  • Grant or restrict access to any of the 65535 destination ports of a TCP/IP address

• Firewalls provide:
  • DeMilitarized Zone (DMZ) between the internet and controls network
  • DeMilitarized Zone (DMZ) between the IT and OT network


LOGICAL LAYER – NAT SOLUTION
4 Networks same IP Scheme


LOGICAL LAYER – Routing Solution


LOGICAL LAYER - ACL

Cell/Area Zone - Levels 0–2
Star Topology

(Lines, Machines, Skids, Equipment)

Operator Interface

Camera

Controller

Stratix 5410 Distribution Switch

Camera Drive

• Filtering can be done by examining such things as:
  - Source IP, MAC ID, or port
  - Destination IP, MAC ID, or port
  - Upper layer protocol

• ACLs are implemented the same way in all Stratix™ switches with ACL capabilities

• Only applies to inbound traffic on an interface
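
An added example, not from the original slides or from Rockwell Automation: a small model of how an inbound ACL filters on the fields listed above, plus a check for rules that can never match because of ordering. It assumes first-match evaluation with an implicit final deny (the Cisco IOS convention); the rule set, addresses and function names are constructed for illustration, with TCP 44818 (EtherNet/IP) and TCP 502 (Modbus/TCP) as destination ports.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", or "ip" for any upper-layer protocol
    src: str                     # source network, CIDR notation
    dst: str                     # destination network, CIDR notation
    dport: Optional[int] = None  # destination port; None matches any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule, pkt):
    """True when every field of the rule matches the inbound packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl, pkt):
    """First match wins; returns (action, rule index), or ("deny", None)
    when nothing matches (assumed implicit deny at the end of the list)."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, index
    return "deny", None


def covers(a, b):
    """True when rule a matches every packet that rule b matches."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport))


def shadowed(acl):
    """Indices of rules that never fire because an earlier rule covers them."""
    return [j for j, later in enumerate(acl)
            if any(covers(earlier, later) for earlier in acl[:j])]


# Constructed ACL for traffic arriving on a cell/area zone uplink.
CELL_ACL = [
    Rule("permit", "tcp", "10.10.30.10/32", "192.168.10.0/24", 44818),
    Rule("deny", "tcp", "0.0.0.0/0", "192.168.10.0/24", 44818),
    Rule("deny", "tcp", "0.0.0.0/0", "192.168.10.0/24", 502),
    Rule("permit", "tcp", "10.10.30.0/24", "192.168.10.100/32", 443),
]

# Constructed ordering mistake: the broad deny makes the permit unreachable.
MISORDERED_ACL = [
    Rule("deny", "ip", "0.0.0.0/0", "192.168.10.0/24"),
    Rule("permit", "tcp", "10.10.30.10/32", "192.168.10.0/24", 44818),
]
```

Running `shadowed()` over a rule list before it is applied to a switch catches permits that were added below a broader deny and silently never take effect.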


LOGICAL LAYER – Firewalls

Firewalls keep track of “legitimate” connections (syn, syn ack, ack)

Firewalls reject attempted connections from sources without a syn, syn ack, ack connection history

If a packet crafting tool is used in an attempt to gain access through the firewall, the firewall will reject packets whose sequence numbers are out of range

Firewall

10.10.30.10 192.168.10.100

SYN

SYN ACK

ACK

10.10.30.06 Destination 192.168.10.100 Seq # 123456

Inside Interface

Outside Interface
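
An added example, not part of the original slides: a minimal connection tracker showing the two checks described above, handshake history and sequence-number range. The class, the `allowed_initiators` policy, the port numbers and the 65535-byte acceptance window are assumptions; the addresses and Seq # 123456 reuse the values in the slide's figure.

```python
from dataclasses import dataclass

MOD = 2 ** 32    # TCP sequence numbers wrap at 32 bits
WINDOW = 65535   # assumed acceptance window for the in-range check


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    seq: int
    ack: int = 0
    length: int = 0  # payload bytes


def seg(src, sport, dst, dport, flags, seq, ack=0, length=0):
    """Build a segment; flags are written like "SYN+ACK"."""
    return Segment(src, sport, dst, dport, frozenset(flags.split("+")), seq, ack, length)


class StatefulFirewall:
    def __init__(self, allowed_initiators):
        self.allowed = set(allowed_initiators)  # hosts permitted to open connections
        self.conns = {}  # (client, cport, server, sport) -> tracking state

    def inspect(self, s):
        fwd = (s.src, s.sport, s.dst, s.dport)
        rev = (s.dst, s.dport, s.src, s.sport)
        if s.flags == {"SYN"}:
            if s.src not in self.allowed or fwd in self.conns or rev in self.conns:
                return "drop: SYN not permitted"
            # Remember the next sequence number expected from each side.
            self.conns[fwd] = {"state": "SYN_SENT", "client": (s.seq + 1) % MOD, "server": None}
            return "allow"
        if fwd in self.conns:
            conn, side = self.conns[fwd], "client"
        elif rev in self.conns:
            conn, side = self.conns[rev], "server"
        else:
            return "drop: no connection history"
        if conn["state"] == "SYN_SENT":
            if side == "server" and s.flags == {"SYN", "ACK"} and s.ack == conn["client"]:
                conn["server"] = (s.seq + 1) % MOD
                conn["state"] = "SYN_RCVD"
                return "allow"
            return "drop: handshake violation"
        if conn["state"] == "SYN_RCVD":
            if (side == "client" and s.flags == {"ACK"}
                    and s.seq == conn["client"] and s.ack == conn["server"]):
                conn["state"] = "ESTABLISHED"
                return "allow"
            return "drop: handshake violation"
        # ESTABLISHED: the sequence number must fall inside the expected window.
        if (s.seq - conn[side]) % MOD >= WINDOW:
            return "drop: sequence number out of range"
        if s.seq == conn[side]:
            conn[side] = (s.seq + s.length) % MOD
        return "allow"


def demo():
    """Constructed trace: a normal handshake, then two crafted segments."""
    fw = StatefulFirewall(allowed_initiators={"10.10.30.10"})
    c, srv = ("10.10.30.10", 49152), ("192.168.10.100", 44818)
    trace = [
        seg(*c, *srv, "SYN", 1000),
        seg(*srv, *c, "SYN+ACK", 5000, ack=1001),
        seg(*c, *srv, "ACK", 1001, ack=5001),
        seg(*c, *srv, "ACK", 1001, ack=5001, length=24),           # in-window data
        seg("10.10.30.6", 49152, *srv, "ACK", 123456, ack=5001),   # no handshake history
        seg(*c, *srv, "ACK", 123456, ack=5001),                    # tracked flow, bad sequence
    ]
    return [fw.inspect(s) for s in trace]
```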


LOGICAL LAYER – Firewalls

Inline Transparent Mode
Traffic, IFW, Traffic
Network A, Network A
Same Network Addresses on Ingress and Egress Interfaces

Inline Routed Mode
Traffic, IFW, Traffic
Network A, Network B
Different Network Addresses on Ingress and Egress Interfaces (Think “router”)

Passive Monitor Mode
Packet, Packet, IFW
Copy of the Packet


LOGICAL LAYER – Rockwell NAT Options

9300-ENA: Layer 3 / VPN

1783-BMS10CGN: Layer 2

1783-5950: Layer 2/3

1783-BMS20CGN: Layer 2

1783-NATR: Layer 3

STRATIX 5700, STRATIX 5950, ENA, NATR


LOGICAL LAYER – Rockwell Options

5700

ENA

NATR

5950

WHEN?


LOGICAL LAYER – NAT SOLUTION

• How many work cells are involved?

ANSWER: 1 to 4

• How many devices (nodes) do you have in the work cell?

1 to 32 = 1783-NATR

32 to 128 = 9300-ENA, 9300-ENA /w VPN

ENA, NATR, 1783-NATR


LOGICAL LAYER – Configuration Questions

• How many work cells are involved?
ANSWER: 4 or more

• Do all of the work cells have unique private IP addresses?
ANSWER: 2 or more similar or dissimilar IPs

• How many devices (nodes) are in the work cell?
ANSWER: The 5700 configuration can support an almost limitless number of nodes. Its true limit is the switch processor utilization and the amount of data that needs to flow between the private and public networks.

• Are you planning on using a single appliance?
ANSWER: If YES, the 5700 configuration can support multiple NAT Tables, meaning it is able to bring multiple work cells together into one public address.

5700

1783-BMS10CGN

1783-BMS20CGN


LOGICAL LAYER – Stratix 5950

• Do all of the work cells have unique private IP addresses?

• With which public network are you converging?

• Are you creating a DMZ between the OT and IT networks?

• Are you creating a firewall between a work cell and the rest of the network?

5950


LOGICAL LAYER – Stratix 5950


SECURITY & PRODUCTS

The following products are available to mitigate the security threats using NAT, ACL & Firewall on an OT network.


LOGICAL LAYER – Summary

1783-NATR = NAT SOLUTION
(1 – 4) work cells, (1 – 32) NAT translations, 1 NAT TABLE

9300-ENA = NAT SOLUTION & VPN
(1 – 4) work cells, (1 – 128) NAT translations, 1 NAT TABLE

1783-BMS10CGN, 1783-BMS20CGN = NAT & ACL SOLUTION
(4 or more) work cells, 2 or more NAT tables

1783-SAD2T2SPK9 = NAT, ACL, FIREWALL SOLUTION & VPN
Router (DMZ control), Firewall (DMZ control), NAT


TOOLS & RESOURCES

Join www.industrial-ip.org for the latest trends, developments, and implementation advice on the use of IP in industrial applications. Don’t leave without registering.

Join www.bicsi.org for the latest ANSI/TIA Standards

Other definitions:
TCP: Transmission Control Protocol
UDP: User Datagram Protocol

Other resources
Subscribe to www.shodan.io for an open port search engine

www.rockwellautomation.com


Thank you
