Thanks for joining!

We will begin in just a few minutes as more people come on line.

IoT Security Talks –Industrial FirewallDeployment Models2016 August 25

Robert Albach – Product Line Manager IoT Security

Sunil Maryala – Technical Marketing Engineer IoT Security

Agenda

:00

Welcome to Tech Talks

:03

Industrial FW

Deployments

@ :45

Question and Answer

Mechanics of Tech TalksStandards & Verticals

Review

Industrial FW Attributes

Configuration

Considerations

Deployment Scenarios

Tech Talk MechanicsHow these events will operate

• With many people on-line we will mute all but the presenters

• We will try to answer questions at the end

• Please use the “Question and Answer” feature for questions

• If we don’t get to your question, we will try to answer them off-line

• The presentation and recording will be placed on the Community support site:

https://supportforums.cisco.com/

Who This Presentation is For:

• Cisco customers, partners, employees

• Assumption:

• Your background is primarily in classic IT environments

• OR

• You are an OT practitioner with security responsibility

• You have SOME amount of firewall basic understanding

• You are likely to have some responsibility in OT in the future or do so already.

Standards / Regulations / Guidelines

ISA 95 / 99

Evolve to Security: Phased Security ArchitectureFirst Phase –

Secured Connectivity

Second Phase –

Secured Visibility &

Control

Third Phase –

Converged Security &

Depth

Level 5

Level 4

Level 3

Level 2

Level 1

Enterprise Network

Site Business Planning & Logistics Network

Enterprise Zone

DMZ

Manufacturing Zone

Cell/Area Zone

Site Manufacturing Operationsand Control

Area Supervisory Control

Basic Control

ProcessSensors Drives Actuators Robots

FactoryTalk

ClientHMI Magelis

HMI

Engineering

Workstation

Operator

Interface

Batch

Control

Discrete

Control

Drive

Control

Continuous

Process

Control

Safety

Control

FactoryTalk

App Server

FactoryTalk

Directory

Engineering

Workstation

Domain

Controller

Terminal Server RDP Server App Server Patch Mgmt.

E-Mail, Intranet, etc.

Zone Segmentation

Controlled Conduits

ISA – 95,99 / IEC 62443

NERC / NIST /

Application Control

Threat Control

ISA – 95,99 / IEC 62443

NERC / NIST /

Policy Driven Response

Deeper Vision / Control

ISO / IEC 27001:2013

Level 0

v v

Use Case Themes

• Secure Connectivity

• Threat Control

• Safe Environment

• Secure Remote Access

• What can connect

• What can talk to what

• What is vulnerable

• Protect the vulnerable

• Network protection

• Device protections

• How to secure access

• What are the controls for access

Cisco / Rockwell Validated Designs

Utilities – Sub-Station Deployment• In-Line

• Between Sub-Station router and “cell” switch boundary

• Transparent or Routed Operation

• Normally an HA pair

• Cisco Validated Designs

• OT operation configurations

• Multi-Function Role

• Operation Control

• Threat Control

• VPN Access

Cisco ValidatedDesigns:SubstationSecurity

Cisco IoT System Security in ActionProtect Critical Infrastructure – Through Network Segmentation

Cisco Connected PipelinesCisco combines its own expertise in oil and gas systems with entities such as Schneider Electric for deployment services.

• An end-to-end smart connected solution based on industry best practices for pipeline infrastructures and network architectures.

• Flexible, modular, approach from assessment, design, and test to deploy install and support.

• Collaborative expertise and service from the leaders in SCADA, network connectivity, and security resulting in cost savings and optimized operations.

Commonality: Segmentation

• Zones / Conduits

• Sub-Nets

• Cells

• Stations

• Distinct Functionality

Registration - Survey Results• Just Below PLC

• 6%

• Between PLC and Zone Switch

• 21%

• On Span Zone Switch

• 7%

• Between Zone and Agg Switch

• 36%

• On Span at Aggregation Switch

• 6%

• Upstream of Aggregation Switch

• 23%

Industrial FireWall Options

ISA 3000

ASA 5506H

ASA 5525X

Configured for OT Configured for IT

ISA 3000 – Hardware Features

RJ Console

Power Input A,

5.0 mm Centers

Reset

Front Serial

Label

Mini USB

Console with

Hazloc Covers

Dual USB-A

With Hazloc

Covers

Power Input B,

5.0 mm Centers

Alarm Connector,

3.81 mm Centers

Chassis Ground

Connection

RJ Management Port

Dual Ethernet Ports

Dual Ethernet Ports

(Copper Bypass)

SD Card Slot

Industrial

Security

Appliance

Features that drive deployment considerations

• Hardware Bypass

• Software Bypass

• Rule Options

• Latency Controls

• Hitless Updates*

• High Availability

• NAT

• VPN

• RDP Access

ISA 3000 – SW Architecture

Industrial

Security

Appliance

ASA Firewall

Access Control – Device / User

VPN

Quality of Service

NAT

FirePower Services

Application FW

Threat Control

Device ID

Behavior Control

ASDM – OnBox Managment

• Interface configurationISA-3000 Default Config (Cont’d)

interface GigabitEthernet1/1

bridge-group 1

nameif outside1

no shutdown

!

interface GigabitEthernet1/2

bridge-group 1

nameif inside1

security-level 100

no shutdown

!

interface GigabitEthernet1/3

bridge-group 1

nameif outside2

no shutdown

!

interface GigabitEthernet1/4

bridge-group 1

nameif inside2

security-level 100

no shutdown

interface BVI 1

no ip address

Management

Computer

ASA Mgmt IP=192.168.1.1/24

FirePOWER Mgmt IP=192.168.1.45/24

Interface Management 1/1

Connecting ISA3000

Interface Gigabit 1/1

Interface Gigabit 1/2

Interface Gigabit 1/3

Interface Gigabit 1/4

Public 1/Outside 1 NetworkPrivate 1/Inside 1 Network

Public 2/Outside 2 Network

Private 2/Inside 2 Network

• By default provide bridge mode transparency with “connectivity over security” paradigm.

ISA-3000 Default Configuration

Firewall Operation Mode

firewall transparent

Traffic flow between Firewall & IPS

Inline

Mode

Passive (monitor-only) Mode

ISA3000 Default

ISA-3000 Default Config – Firewall - ACL

access-list allowAll extended permit ip any any

access-list sfrAccessList extended permit ip any any

!

access-group allowAll in interface outside1

access-group allowAll in interface outside2

!

same-security-traffic permit inter-interface

• FirePower (SFR) Traffic re-direct

ISA-3000 Default Config – Firewall

class-map sfrclass

match access-list sfrAccessList

!

policy-map global_policy

class sfrclass

sfr fail-open monitor-only

!

service-policy global_policy global

ASA Modular Policy Frameworkclass-map sfr

match access-list sfr-access-list

Policy-map sfrpolicy

class sfr

sfr fail-close monitor-only

ciscoasa(config)# show service-policy sfr

Global policy:

Service-policy: global_policy

Class-map: match_all

SFR: card status Up, mode fail-open

packet input 71505, packet output 71563, drop

56, reset-drop 0

• Historically these terms have been used conversely and thus caused confusion

• For Firewall use:

• “Open” means – like an electric switch – no signal

• “Closed” means – electric switch / signal can go through

• For IPS use:

• “Open” means – like a door– signal / packets goes through

• “Closed” means – door is closed – no signal / packets

Fail Open / Fail Close Firewall vs. IPS

Firewalls – deny all unless it matches a rule

IPS – ignore all unless it matches a rule

More OT Centric

• Hardware bypass is useful to maintain connectivity when system loses power. It is available on copper interfaces, and only in transparent mode

Hardware Bypass Overview

Regular data path

(PHY/ MAC/CPU)

Interface

G1/1Interface

G1/2

HW

bypass

enabled

HW

bypass

disabled

Bypass works at layer 1, supported by hardware relay devices

Bypass works on interface pairs

On ISA3000-2C2F, G1/1 and G1/2

On ISA3000-4C, G1/1 and G1/2, G1/3 and G1/4

• Hardware bypass

ISA-3000 Default Config (Cont’d)

no hardware-bypass boot-delay module-up sfr

!

hardware-bypass Gigabit Ethernet 1/1-1/2

hardware-bypass Gigabit Ethernet 1/3-1/4

• Enable bypass at next powerdown

• ciscoasa(config)# hardware-bypass gigabitEthernet 1/1-1/2

• Enable bypass at next powerdown AND powerup

• ciscoasa(config)# hardware-bypass gigabitEthernet 1/1-1/2 sticky

• Disable bypass at next powerdown AND powerup

• ciscoasa(config)# no hardware-bypass gigabitEthernet 1/1-1/2

• Disable bypass only after module sfr is ready

• ciscoasa(config)# hardware-bypass boot-delay module-up sfr

• Manually enable/disable bypass

• ciscoasa# hardware-bypass manual gigabitEthernet 1/1-1/2

• ciscoasa# no hardware-bypass manual gigabitEthernet 1/1-1/2

HW Bypass Configuration Commands

HA (Active / Passive) Configuration Requirements

Be in the same firewall mode

(routed or transparent).

Have the same major and

minor software version. .

Visibility Options: Packet Capture / NetFlow

• Available broad visibility options:

• NetFlow capture

• Packet capture

• (separate from rule driven packet capture)

Know Your Rules – Impact of Inspection Process

Modbus IPS rule options Writing a Modbus rule

Operations Control for UptimeOT Pre-processors – command inspection -Modbus

Latency Controls OptionsPacket and Rule Handling

Deployment Scenarios

Span

• Span off switch

• No “touch” of traffic

• Only see copies

• TCP reset possible

• Visibility only / no traffic control

• Some possible diffs from on-port traffic

• Use Cases:

• Passive ID of devices

• Passive ID of applications

• Passive ID of activity

• Good for transient visibility

• Impossible to detect

• Testing of Rules

Machine #2Machine #1

Catalyst 2960

HMIServer

Catalyst3750-X

Stratix5700

Stratix5900

Stratix5900

Line Controller

ISA3000

Single Up-Stream / Down-Stream Path

Direct in-line Deployment

Can be passive or in-line mode

Bypass should work normally

Can be an HA pair

Possible termination point for VPN (secured comms)

NAT

Remote Desktop Jump Point

Higher potential to impact traffic

Zone / Cell Firewall:Boundary Protection Above Switch

AggegationLayer Firewall

Machine #2Machine #1

Catalyst 2960

HMIServer

Catalyst3750-X

Stratix5700

Stratix5900

Stratix5900

Line Controller

ISA3000 ISA3000

ISA3000Firewall above Aggregation level.

Direct in-line Deployment

Can be passive or in-line mode

High Availability

Broader Visibility

Broader potential impact.

Less Detailed view

VPN termination point

secured comms less close to

equipment

Zone / Cell Firewall:Control Within the Zone

Machine #2Machine #1

Catalyst 2960

HMIServer

Catalyst3750-X

Stratix5700

Stratix5900

Stratix5900

Line Controller

IP enabled devices connect directly to the Firewall and then up to switch

Direct in-line Deployment

Can be passive or in-line mode

Possibly limited bypass capabilities due to port pairings

Highest visibility

NAT capable

VPN termination point (secured comms very close to equipment)

Highest potential for impact.

ISA3000

Zone / Cell Firewall:Control Within the Zone

Firewall participates in ring.

Direct in-line Deployment

Can be passive or in-line mode

Possibly limited bypass capabilities due to port pairings

Highest visibility

NAT capable

VPN termination point (secured comms very close to equipment)

Highest potential for impact.

ISA3000

Phased Deployments of Industrial Firewalls

FirstIT / OT DMZ:

Immediate Control and Visibility

SecondBroad Visibility – Span at Aggregation Levels

NetFlow

Some application level identification

ThirdDetailed Visibility – Span at Cell / Zone Levels

NetFlow / Packet Captures

Application ID / Command levels

Test Rules

FourthIn-Line Passive Visibility – Cell / Zone + Aggregation Levels

FifthIn-Line Control – Cell / Zone + Aggregation Levels

Before the Q&A Session

• Thanks for attending.

• Let us know:

• Was this session worth while to you?

• What future topics would you like to see?

• How might we improve these events?

• Send an email to:

• Sunil Maryala

• smaryala@cisco.com

• Robert Albach

• ralbach@cisco.com

Q&APlease use the Question and Answer section of WebEx

THANKS!