Protect Plant Systems from network-aware spyware/viruses

Posted on 2009-04-17
Last Modified: 2012-05-06
Presently I have two network segments, (office) 192.168.1.x and (plant) 192.168.3.x. Both networks use the same network switches to "talk" to other workstations in their network segment. This was done to protect plant systems from network-aware spyware/viruses. The plant systems do not have internet access. We do not want to put AV on the plant computers because of conflicts with some of the software we run and the performance hit. However, we now have a problem. We have installed wireless in the plant area. This was done so we could collect job data on the plant floor. Now, the supervisor wants to utilize the wireless on the plant network also (some type of portable scales they want to collect data from).
The simple solution is to place all systems, office and plant, in the same network segment. However, to do so increases the risk that some network-aware spyware/virus will infect the plant systems. In some cases this could be costly as it could alter a production cycle and product could be underprocessed. How can I effectively combine these networks and provide virus/spyware protection?
Question by:rodneygray
7 Comments
 
LVL 10

Expert Comment

by:atlas_shuddered
ID: 24170948
Depends on how robust you want the boundary to be. You could go with something as simple as placing VLAN ACLs in the mix to introducing an application layer firewall/proxy with content filtering. Of course the simplest way to resolve the issue is to make the case for not implementing what the supervisor desires due to the risks you've noted above. I've worked in a plant environment and I noticed that plant managers/supervisors had a lot of juice until you tell the owner that his idea could lead to the damage of a $500,000 piece of equipment or a few $1000 in processing errors and the headache of a POed customer.
 
LVL 1

Expert Comment

by:mwatwe01
ID: 24174778
"We have installed wireless in the plant area. This was done so we could collect job data on the plant floor. Now, the supervisor wants to utilize the wireless on the plant network also (some type of portable scales they want to collect data from)"

I don't understand the problem here. If the supervisor wants to use the plant floor wireless system to access a plant floor system (his scales), how does that compromise security?
 
LVL 10

Expert Comment

by:atlas_shuddered
ID: 24176003
According to this -

"The simple solution is to place all systems, office and plant, in the same network segment. However, to do so increases the risk that some network-aware spyware/virus will infect the plant systems. In some cases this could be costly as it could alter a production cycle and product could be underprocessed. How can I effectively combine these networks and provide virus/spyware protection?"

You already have come to the conclusion of a potential for compromise.

Like I said in my original post. It all depends on how robust you want the solution to be and what degree of risk you are willing to live with. Anything from simply using VLAN ACLs to an actual boundary control, whether by firewall, proxy, content filtering or some combination thereof.
 
LVL 1

Author Comment

by:rodneygray
ID: 24217946
Sorry for my delay in responding. I had to think about and research possible solutions offered by atlas. After completing my research, it appears there is no way to accomplish what I need to do. Presently, both network segments (192.168.1.x and 192.168.3.x) exist on the same network infrastructure (cable/switches). Even though packets from both are traveling across the same cables/switches, one does not know the other exists. From what I read, a VLAN would allow restructuring the network. Certain ports would be assigned to 192.168.1.x and other ports would be assigned to 192.168.3.x. This would stop the two segments from "hearing" the other's broadcasts. While this would reduce chatter across the segments, it does not address my problems.

Problem 1: My wireless network is composed of Symbol AP5131s. They are on the 192.168.1.x network. Only devices in that segment will be able to communicate across the wireless network. This includes office systems such as time clocks. The scale and barcoding system is on segment 192.168.3.x. They will not be able to establish a session with the wireless access points. Is there a wireless access point that will support two segments? i.e., 192.168.1.x and 192.168.2.x will be able to establish sessions.
Problem 2: I need to be able to print to printers located on the 192.168.1.x segment from computers on the 192.168.3.x segment.
Problem 3: I need to be able to use vnc to open sessions from the 192.168.1.x segment on the 192.168.3.x segment.
Problem 4: I want to be able to transfer data from the 192.168.3.x segment to the 192.168.1.x segment.

I don't see any way to accomplish these goals without either placing all devices on the same segment or using a router to join the two segments. But the first and foremost goal is to protect the 192.168.3.x (plant) segment from potential virus/spyware risks posed by the 192.168.1.x (office) segment.

I am trying to find out how other plants have overcome the obstacle of gaining access to plant systems while protecting them at the same time.

 
LVL 10

Expert Comment

by:atlas_shuddered
ID: 24219862
Problem 1: Most APs today support multiple SSID/VLAN capability. This would give you the ability for two different segments to connect to the same AP.

Problem 2: Establish your remote printing ports by IP rather than using a setup disk. This will give you the ability to establish the print port with associated drivers. PCs don't care about what segment your printers sit on as long as they can send the data and receive a confirmation of receipt/print start.

Regarding Problems 3 and 4, as well as how to get your data around in Problems 1 and 2, you are correct: you will need a router or at least a layer 3 switch. To do what you want to do you are trying to shuffle traffic from one broadcast domain to another.

Given the information you have provided and your desire for malware protection without deploying to the actual plant hosts, you will need to implement either an inline content filter or a proxy. Either will be a challenge to configure but are doable. As a point of note, it may be easier to utilize Microsoft's ISA Server (now Forefront), installing it as your router, your proxy and your content filter between the two segments.
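As an added illustration of the VLAN/ACL approach discussed above (not configuration from the thread or from any participant), this is a Cisco IOS style layer-3 switch fragment that keeps office and plant as separate broadcast domains, trunks both VLANs to a multi-SSID access point, and only routes the four flows the author listed. The VLAN numbers, interface names, the print server 192.168.1.20 and the file-drop host 192.168.1.10 are assumptions.

```cisco
! Assumed: Cisco IOS layer-3 switch; VLAN 10 = office, VLAN 30 = plant
vlan 10
 name OFFICE
vlan 30
 name PLANT
!
! Trunk both VLANs to the access point so it can map one SSID to each VLAN
interface GigabitEthernet1/0/24
 description Multi-SSID access point (assumed port)
 switchport mode trunk
 switchport trunk allowed vlan 10,30
!
! Routed interfaces; "in" ACLs filter traffic arriving from each VLAN
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip access-group OFFICE-TO-PLANT in
!
interface Vlan30
 ip address 192.168.3.1 255.255.255.0
 ip access-group PLANT-TO-OFFICE in
!
! Office -> plant: only VNC sessions into the plant (Problem 3) and the
! return halves of plant-initiated print and file-transfer sessions;
! everything else bound for the plant is dropped and logged
ip access-list extended OFFICE-TO-PLANT
 permit tcp 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255 eq 5900
 permit tcp host 192.168.1.20 eq 9100 192.168.3.0 0.0.0.255 established
 permit tcp host 192.168.1.10 eq 445 192.168.3.0 0.0.0.255 established
 deny   ip any 192.168.3.0 0.0.0.255 log
 permit ip any any
!
! Plant -> office: raw printing to the print server (Problem 2), file drops
! to one share host (Problem 4), and VNC replies to office clients; nothing
! else leaves the plant segment
ip access-list extended PLANT-TO-OFFICE
 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.20 eq 9100
 permit tcp 192.168.3.0 0.0.0.255 host 192.168.1.10 eq 445
 permit tcp 192.168.3.0 0.0.0.255 eq 5900 192.168.1.0 0.0.0.255 established
 deny   ip any any log
```

The `established` entries are stateless (they match on TCP ACK/RST flags), so this is the "VLAN ACL" end of the spectrum atlas describes; the logged denies give you a first view of what is trying to cross, and a stateful firewall or proxy in the same position tightens the boundary further.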
 
LVL 1

Author Comment

by:rodneygray
ID: 24224020
Atlas,
On the Siemens website I found a device, Scalance. This device sits between the office network and the plant network. You can then enable communications either one-way or two-way between the devices. I talked to their tech support and they explained that this device was created for the very scenario I am working on. I am sure the solution will not be inexpensive. However, not protecting the plant systems will be much more expensive. As I research this, I will update this question. Thanks for your expert help. I will award you the points. However, to keep others who might be researching the same situation, I am going to wait to close the question until I have a working solution.
 
LVL 10

Accepted Solution

by:
atlas_shuddered earned 2000 total points
ID: 24226256
No worries, appreciate the input.

Before you go in for the money, I would suggest that you get in touch with SonicWall or WatchGuard and see if they have a device that would meet the need. It'd be a sure bet they are going to be cheaper than Siemens.