Microwall Gigabit protects vital data
Written by Jens Brogaard
Isolation of vital data
If you and your company work with:
- Machine tools
- X-ray machines
- Lift control
this example may be interesting to you.
Microwall Gigabit from Wiesemann & Theis separates systems such as machine tools, X-ray machines and lift controls from the surrounding network. It controls and logs all communication that passes through the Microwall Gigabit unit, so that the protected area, called the island, is shielded from unwanted guests.
A Microwall cannot make a system 100% secure (the traffic it is configured to allow still flows), but it removes the machine's exposed services from the network and thereby greatly reduces the risk of intrusion and of theft of vital data, which in the worst case can mean large financial losses for the company. At around 3000 DKK, the Microwall can be a very good investment for protecting the company's vital equipment.
Application Example: Isolation Of A CNC Router In The Network
This application example shows how to isolate a CNC milling machine with 24 open ports behind a Microwall so that none of those ports are visible in the surrounding network. With a single firewall rule the machine can still reach the production data server, so its function is not restricted.
Protection Of A CNC Milling Machine
For the production of prototypes and small series, a CNC milling machine is used in our company. Its control computer, which is integrated into our production network, runs Windows 7 Embedded Standard at the current patch level. Since Microsoft ends extended support for this operating system in 2020, the machine will be particularly exposed from then on. The "Microwall Gigabit" firewall router places it in a dedicated network segment and, through its filter rules, strictly limits communication with that segment.
Greater Network Security Through Isolation
In 2017 the WannaCry worm ate through networks and news media around the world. The crypto-trojan exploited a vulnerability in Windows file and printer sharing (SMBv1, fixed in MS17-010). Its impact was so massive that Microsoft not only patched the current operating systems but also issued security updates for products whose extended support had already expired.
WannaCry impressively demonstrated the danger of network services that are running but not needed.
The obvious answer is simply to disable superfluous services. However, it is not always easy to know which services are needed by the many active sub-components. And changes to a certified system can void its certification and thereby shift liability to the operator.
W&T has therefore developed the Microwall Gigabit firewall device as a purpose-built alternative for protecting production systems. It is a simple 2-port firewall that works on the whitelist principle: every permitted connection must be explicitly defined, and anything not defined is blocked.
The milling machine has a Windows control computer that runs the CNC software. The computer has two network interfaces: one connects it to the machine itself, the other to the production network. As long as the operating system is supported, a security flaw in its software can be expected to receive a timely update from Microsoft. Once Microsoft stops supporting an operating system, as with Windows 7 when extended support ends in 2020, security updates are usually no longer delivered. An attacker can then try to compromise the control computer and, if successful, threaten both the machine and the surrounding network.
For this reason the milling machine's control computer must be protected in another way. With the help of the Microwall Gigabit, the machine is moved into a separate network segment, and the permitted communication with that segment is strictly limited by firewall rules.
An analysis of the current situation with the port scanner nmap [ Tutorial: Find open ports in the network ] reveals the exposure: a default scan shows twelve open ports on the control computer reachable over the network, including a web server.
A more intensive scan finds a total of 24 open TCP ports. The web server is an unconfigured Internet Information Services 7.5 with known vulnerabilities that can lead to data theft and allow an attacker to execute arbitrary programs over the network. Telling detail: the web server serves nothing more than a single information page and is presumably as superfluous as most of the other open ports. We are glad we took the time for the intensive scan, and we start on the protection right away.
Step 1: Determine The Operating Method And The Required Firewall Rules
To keep the configuration as simple as possible, we operate the Microwall in NAT mode. The control computer on the milling machine does not even notice that the Microwall has slipped into its former role in the network.
In fact there is only one case in which the machine must communicate over the network: to access production data it must be able to open a connection to the central Windows file server. All other connections are blocked.
Since the control computer does not itself provide any resources to the network, inbound connections can be blocked completely. Furthermore, the file server whose shares the CNC software accesses is known and unique. Since the file server's IP address is also known, there is no need for name resolution (the share must therefore be addressed by IP address rather than by host name). Convenience features such as browsing for computers and shares on the network are equally unnecessary, as are the NetBIOS transport protocols; ports 137, 138 and 139 can therefore be blocked. UDP port 123 could be opened for automatic time synchronization and UDP port 53 for name resolution via DNS, but since neither function is required for milling, they too remain closed.
Patch management is handled by our IT department, so the ports for automatic updates also remain closed. Otherwise we would have to allow TCP connections to the WSUS server here.
The control computer only needs to be able to establish an SMB connection to the file server at its known IP address. This uses destination port 445. Since the communication runs over TCP, the return channel belongs to the same connection and is tracked automatically; no separate inbound rule is required. With this single rule the control computer is durably secured, and its function is guaranteed at the same time.
Step 2: Device Configuration
As a router, the Microwall connects the surrounding network with the isolated segment and therefore needs an IP configuration for its interface in each of the two networks.
1: Assigning a network name makes it easier for the administrator to assign rules.
2: The public interface is given the control computer's original IP configuration (i.e. 10.10.10.20). Apart from the hardware (MAC) address, nothing changes from the perspective of the surrounding network; neighbouring hosts simply relearn the address via ARP.
3: On the island side we choose the classic 192.168.1.0/24 network for simplicity. For this network the Microwall acts as the default gateway and gets the address 192.168.1.1.
IP Configuration Of The Control Computer
The control computer receives the IP address 192.168.1.10. Its default gateway is the Microwall Gigabit at 192.168.1.1.
Firewall Rule For Access To File Server
In the last step we create the one firewall rule needed: the control computer with IP address 192.168.1.10 must be able to establish a TCP connection to port 445 on the production data server with IP address 10.10.10.10.
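As an added illustration (not W&T's firmware and not the Microwall's configuration syntax), the following Python model applies the policy from Steps 1 and 2 to sample traffic: NAT from the island to the Microwall's public address 10.10.10.20, the single SMB rule, connection tracking so the TCP return channel needs no inbound rule, and the dropped NetBIOS, DNS, NTP and inbound probes. The addresses are the ones used above; the NAT port range starting at 40000 and the sample packets are constructed for this example.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Addresses from the article.
ISLAND = ip_network("192.168.1.0/24")        # isolated segment behind the Microwall
PUBLIC_IP = ip_address("10.10.10.20")        # Microwall's public side: the mill's former address
CONTROL_PC = ip_address("192.168.1.10")      # CNC control computer inside the island
FILE_SERVER = ip_address("10.10.10.10")      # production data server


@dataclass(frozen=True)
class Rule:
    src: IPv4Address
    dst: IPv4Address
    proto: str   # "tcp" or "udp"
    dport: int


# The whole whitelist: one rule, SMB from the control computer to the file server.
RULES = [Rule(CONTROL_PC, FILE_SERVER, "tcp", 445)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = True   # TCP only: True = new connection attempt, False = inside an existing flow


class Microwall:
    """Simplified model of a 2-port whitelist firewall in NAT mode (assumption, not W&T's code)."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = {}          # (proto, nat_port, public_dst, dport) -> (island_src, sport)
        self.next_nat_port = 40000   # constructed NAT port range for the example
        self.log = []            # the Microwall logs every decision, allowed or dropped

    def _log(self, direction, pkt, verdict):
        self.log.append(f"{direction} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {verdict}")

    def _matches_rule(self, src, dst, pkt):
        return any(r.src == src and r.dst == dst and r.proto == pkt.proto and r.dport == pkt.dport
                   for r in self.rules)

    def island_to_public(self, pkt: Packet) -> Optional[Packet]:
        """Packet leaving the island; returns the NATed packet, or None if dropped."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if src not in ISLAND:
            self._log("OUT", pkt, "DROP (source not in island)")
            return None
        # Part of a flow we already admitted: translate and forward.
        for (proto, nat_port, fdst, fdport), (fsrc, fsport) in self.flows.items():
            if (proto, fdst, fdport, fsrc, fsport) == (pkt.proto, dst, pkt.dport, src, pkt.sport):
                self._log("OUT", pkt, "ALLOW (established)")
                return replace(pkt, src=str(PUBLIC_IP), sport=nat_port)
        # New flow: only if a rule explicitly permits it (whitelist principle).
        if not self._matches_rule(src, dst, pkt) or (pkt.proto == "tcp" and not pkt.syn):
            self._log("OUT", pkt, "DROP (no rule)")
            return None
        nat_port, self.next_nat_port = self.next_nat_port, self.next_nat_port + 1
        self.flows[(pkt.proto, nat_port, dst, pkt.dport)] = (src, pkt.sport)
        self._log("OUT", pkt, "ALLOW (rule)")
        return replace(pkt, src=str(PUBLIC_IP), sport=nat_port)

    def public_to_island(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving from the production network; only replies to tracked flows pass."""
        key = (pkt.proto, pkt.dport, ip_address(pkt.src), pkt.sport)
        if ip_address(pkt.dst) == PUBLIC_IP and key in self.flows:
            isrc, isport = self.flows[key]
            self._log("IN", pkt, "ALLOW (reply to tracked flow)")
            return replace(pkt, dst=str(isrc), dport=isport)
        self._log("IN", pkt, "DROP (no inbound rule)")
        return None


def demo():
    """Run the traffic cases from the article through the model; every value should be True."""
    fw = Microwall(RULES)
    out = fw.island_to_public(Packet("192.168.1.10", "10.10.10.10", "tcp", 49152, 445))
    reply = Packet("10.10.10.10", "10.10.10.20", "tcp", 445, out.sport, syn=False)
    back = fw.public_to_island(reply)
    return {
        "smb_to_file_server": out is not None and out.src == "10.10.10.20",
        "smb_reply_returns": back is not None and back.dst == "192.168.1.10" and back.dport == 49152,
        "netbios_blocked": fw.island_to_public(Packet("192.168.1.10", "10.10.10.255", "udp", 137, 137)) is None,
        "dns_blocked": fw.island_to_public(Packet("192.168.1.10", "10.10.10.1", "udp", 50000, 53)) is None,
        "ntp_blocked": fw.island_to_public(Packet("192.168.1.10", "10.10.10.1", "udp", 123, 123)) is None,
        "smb_to_other_host_blocked": fw.island_to_public(Packet("192.168.1.10", "10.10.10.50", "tcp", 49153, 445)) is None,
        "inbound_http_blocked": fw.public_to_island(Packet("10.10.10.50", "10.10.10.20", "tcp", 51000, 80)) is None,
        "inbound_smb_blocked": fw.public_to_island(Packet("10.10.10.50", "10.10.10.20", "tcp", 51001, 445)) is None,
    }
```

The point of the model is the shape of the rule set, not the firewall internals: one outbound rule plus connection tracking is enough for the SMB session, while the 24 services on the control computer, including the IIS web server on port 80 and SMB on port 445, are unreachable from the production network because no inbound rule exists.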
Step 3: Test Run
Several weeks of test operation show that the milling machine works as normal.
With the Microwall, the CNC milling machine was secured in its own network segment within a few minutes. A single firewall rule was enough to preserve its function. In addition, the NetBIOS protocols for file and printer sharing are suppressed, and the details of the machine are hidden behind the Microwall router.
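The nmap scans from the analysis above (twelve, then 24 open TCP ports) are worth repeating as part of the test run. Below is an added example of a minimal TCP connect port check in Python; it is not part of the original article and not a replacement for nmap. Run it from the production network against 10.10.10.20 before and after the change: before, it lists the machine's open ports; after, that address belongs to the Microwall and the list should be empty. The port range 1-1024 and the loopback self-test are assumptions made for the example, and a TCP connect probe says nothing about the UDP ports (137/138, 53, 123) discussed above.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """TCP connect() probe for one port.
    'open'     - handshake completed, a service is listening
    'closed'   - host answered with RST: reachable, but nothing listening
    'filtered' - no answer within the timeout or unreachable: typically a firewall dropped the SYN
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, TimeoutError, OSError):
            return "filtered"


def scan(host: str, ports, timeout: float = 1.0, workers: int = 64) -> dict:
    """Probe all ports concurrently; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p, timeout), ports)
        return dict(zip(ports, states))


def exposed_ports(result: dict) -> list:
    """The ports an attacker in the surrounding network can actually reach."""
    return sorted(port for port, state in result.items() if state == "open")


def self_test() -> tuple:
    """Offline check against loopback (constructed for the example): one live listener must
    read 'open', a port with nothing behind it 'closed'. Returns (listener_state, closed_state)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                            # freed again: connects to it are now refused
    try:
        result = scan("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return result[open_port], result[closed_port]


if __name__ == "__main__":
    # Run from the production network. Before the Microwall: the mill's 24 open ports.
    # After: 10.10.10.20 is the Microwall's public side and should show no open port at all.
    target = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.20"
    found = exposed_ports(scan(target, range(1, 1025)))
    print(f"{target}: open TCP ports {found if found else 'none'}")
```

A 'filtered' result after the change is the expected one: the Microwall drops unsolicited SYNs rather than answering them, so from the outside the 24 services simply disappear. If a port still shows 'open', a rule permits it and the rule set should be reviewed.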