How to build resilient industrial networks
Download as PPTX, PDF0 likes436 views
This document discusses how to build a resilient network through various methods like hardware redundancy, microsegmentation, and configuration backups. It introduces Westermo and defines network resiliency. It describes using hardware redundancy through layer 2 protocols like FRNT rings and layer 3 protocols like OSPF. Microsegmentation is achieved through a hybrid L2/L3 network with firewalls separating different network zones. The importance of configuration backups for maintaining control of network assets is also covered.
How to build resilient industrial networks
- 2. Agenda Introductions Who is Westermo Defining Network Resiliency Hardware Redundancy Microsegmentation Configuration Backups
- 3. 3 Introductions Dakota Diehl Network Application Engineer dakota.diehl@westermo.us 847.453.3899 Benjamin Campbell Technical Support Engineer benjamin.campbell@westermo.us 847.453.3896
- 4. 4 Westermo Group 2020 Founded in 1975 Industry leading software and hardware development force Own production in Sweden with state of the art process control Own sales and support units in 12 key countries, distribution partners in many others
- 5. How To Build a Resilient Network
- 6. 6 Resilience in computer networks is the “ability to provide and maintain an acceptable level of service in the face of faults and challenges to normal operation.” This is a very wide definition, as it covers everything from packet loss to complete failure of a node or link. Also includes the ability to defend against and respond to cybersecurity attacks, whether malicious or unintended misconfigurations. The more resilient a network is, the more tolerant it is to faults or errors across the network and can maintain uptime. Because of the wide definition, there are also a multitude of ways to improve your network’s resilience. Resiliency – What is it?
- 8. 8 One of the most straightforward ways to improve resiliency is to add redundancy If one node or link suffers a catastrophic failure, redundant connections keep the network running without impacting performance. Unfortunately, not as simple as just dropping in another switch to the network! Layer 2 protocols such as FRNT or RSTP manage ring topologies, adding extra paths to nodes without causing debilitating Broadcast Storms. Layer 3 protocols such as OSPF and VRRP can automatically designate a route between networks and failover in the event of broken links. Hardware Redundancy
- 9. 9 Built in functions to avoid uncontrolled broadcast storms. Link integrity control. Non-FRNT ports are not allowed to communicate with FRNT ports. Default FRNT alarm signaling via SNMP, LED, Digital-Out and Syslog. Very fast fail-over of Multicast traffic, no need to wait for IGMP timeouts. Supports different medias fiber optic, copper and SHDSL, although fiber optic links allows for best fail- over performance. Extremely fast convergence time of 20ms means little impact to network in the event of a link failure. This translates to high resilience! Layer 2 Redundancy FRNT
- 10. 10 Layer 2 Redundancy: FRNT Ring Coupling FRNT Master Ring FRNT Sub Ring FRNT Sub Ring FRNT Sub Ring
- 11. 11 Layer 2 Redundancy: FRNT Ring Coupling X X X FRNT Master Ring FRNT Sub Ring FRNT Sub Ring
- 12. 12 Within the Network Layer, there are many options to add resiliency to a network: RIP OSPF VRRP RIP and OSPF are what are called “Dynamic Routing Protocols” which can automatically determine best paths between networks, for automatic convergence in the event of a network outage. VRRP or “Virtual Router Redundancy Protocol” will automatically designate a router as a default gateway, with multiple routers configured as backups. Layer 3 Resiliency: Routing Protocols
- 13. 13 Routing Protocols create resiliency on L3, between L2 Networks Dynamic Routing Protocols FRNT VRRP VRRP VRRP FRNT FRNT OSPF OSPF OSPFOSPF
- 14. 14 Combining Layer 2 and Layer 3 resilience functionality allows for extremly high availablity. FRNT Super Ring FRNT Sub Ring FRNT Sub Ring RiCo Node RiCo Node RiCo Node RiCo Node CORE-Network X X X Link Failure FRNT Ring Failover Link Failure Ring Coupling Failover X X Link Failure FRNT Ring Failover Link Failure Ring Coupling Failover FRNT Ring Failover Distribution Layer, Rack/Control rooms Layer 3 Layer 2 XOSPF Failover OSPF Routing Protocol
- 16. 16 Hybrid L2/L3 Network L2 ring topology 20-30ms re-convergence time L3 routing and FW at each node creates a Zone X Dynamic routing protocol (OSPF) used to advertise location of subnets only, not used for re-convergence
- 17. 17 Efficient Routing to Minimize Network Delay Network backbone Router firewall Router firewall Router firewall Messages are only ever routed twice • Once into the backbone • Second time when leaving backbone • Messages pass though the FW when entering and leaving the network backbone
- 18. 18 Multiple Zones Backbone Fibre ZONE 1 10.10.10.0/28 ZONE 2 10.20.20.0/28 Traffic cannot pass between zones unless it is allowed to do so XObject controller /smart IO
- 19. 19 Maintainer’s Sandbox Connection Backbone Fibre ZONE 1 10.10.10.0/28 ZONE 2 10.20.20.0/28 Traffic cannot pass between zones unless it is allowed to do so XObject controller /smart IO ZONE 3 192.20.20.0/28 Maintainers sandbox entry point, access to network is FW, if 802.1x configured only valid users/machines can join the network
- 21. 21 Getting Control of the Assets Using common UN and PW are an open door to cyber actors Maintainers leave taking the common credentials with them Almost impossible to change UN and PW across a large user population Maintaining a large user DB on each device is equally difficult Solution is to use RADIUS or TACACS+ User Authentication Effort required initially, much tighter control and lower ownership cost long- term Authentication server
- 22. 22