  • Nick

Pro-tips: Switch and router configuration

Pro-tips are posts dedicated to helping you stand out in your automation career.


Networking is an ever more important part of automation. When I say "networking," I do not mean cocktail hour at the country club. I mean switches, routers and firewalls. There are a whole lot of Ethernet-enabled devices on the plant floor, and the number seems to grow every day. IoT is here, consultants are trying to get everything onto "the Cloud" (with or without those pesky firewalls), and corporate wants to try remote operation of the plants.

Compare this to a few years ago, when DeviceNet and Profibus were everywhere and networks were naturally segmented. Go back further, and remote access was automatically limited by the speed of a telephone line. Things were simple, and systems integrators did not need to configure complex networks.


To meet this "crisis" in automation, vendors have come up with the brilliant idea of adding web servers to configure your switches. It is a way to configure a network, but it does not look professional. Why? Because there is far more inside the switch than the web page exposes. Stratix switches have a lot of options inside. They are exceptionally close to normal Cisco switches (they run Cisco IOS underneath); the biggest difference I have found is in some trunking behaviors.


Worse, the web-based configuration will open you up to adversaries through misconfiguration. The web pages set up a bunch of settings that may (or may not) play well with your other gear. For instance, check the native VLAN on a switch that was configured through the web page. Or try Rockwell's NAT option to set up routing without a router, then call up your local white hat for a pentest. (Hint: it will not go well. Rockwell's NAT is one-to-one address translation, not a firewall; as the documentation says, it is designed for deploying canned systems that all ship with the same IP addresses.)


If you are looking to do a professional install...

  1. Read a CCNA or Network+ book. Local community colleges often have affordable CCNA courses with hands-on labs. Even if you do not pass the exam, you should still sign up.

  2. Configure only from the command line (PuTTY over a console or SSH session). Never, never the web browser.

  3. SSH all the way! Disable Telnet.

  4. Encrypt your passwords, and prefer hashed secrets over the reversible "type 7" encoding that IOS uses by default; type 7 strings can be decoded in seconds.

  5. Put a login banner on each switch. The legal defense of many hackers is "I didn't know this was an industrial switch! I was just clicking around and happened to break in!" A banner takes that excuse away.

  6. Back up your switch configurations. At a minimum, log the PuTTY session while you display the running configuration; better, copy the running configuration off the switch to a server you control.

  7. Encrypt your passwords (yes, again). If someone does get hold of your switch configuration, make them work for it.
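As an added example, not from the original post: a Cisco IOS configuration fragment that applies steps 3 through 7 of the checklist and also performs the native VLAN check mentioned earlier. The hostname, domain name, VLAN numbers, interface names, user name, banner text, secrets and the TFTP address are placeholders I made up. The commands are standard Cisco IOS and apply to IOS-based Stratix models; the one caveat is that the scrypt (type 9) secrets need IOS 15.3(3)M or later, and on older images a plain "enable secret" (type 5) is still far better than a type 7 password.

```cisco
! Added example (not the original post's configuration). Assumptions:
! Cisco IOS 15.x on a Stratix/Catalyst access switch; all names,
! VLAN numbers, addresses and secrets below are placeholders.
hostname PLC-SW01
ip domain-name plant.example      ! required before the RSA key can be generated
!
! --- Native VLAN check (the web tool may leave trunks on VLAN 1) ---
! Exec-mode checks to run first:
!   show interfaces trunk
!   show running-config | include native
! Then move the native VLAN to a dedicated, otherwise-unused VLAN so
! untagged frames cannot ride the same VLAN as your hosts.
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet1/1
 description Uplink to plant core
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
!
! --- Step 3: SSH only, Telnet off ---
crypto key generate rsa modulus 2048
ip ssh version 2
line vty 0 15
 transport input ssh              ! "transport input telnet ssh" would leave Telnet on
 login local
 exec-timeout 10 0
!
! --- Step 2, enforced: no web management ---
! This also turns off the browser-based Device Manager; do it only
! once you are managing the switch from the CLI.
no ip http server
no ip http secure-server
!
! --- Steps 4 and 7: hashed secrets, not reversible type 7 ---
! Weak (what "service password-encryption" alone gives you):
!   username admin password 7 094F471A1A0A
! Good: store a hash. scrypt needs IOS 15.3(3)M+; otherwise drop
! "algorithm-type scrypt" and you still get a type 5 (MD5) hash.
enable algorithm-type scrypt secret ChangeMe-Enable-Secret
username netadmin privilege 15 algorithm-type scrypt secret ChangeMe-User-Secret
! Keep this set too, so any leftover plaintext lines are at least obscured:
service password-encryption
!
! --- Step 5: login banner ---
banner login ^C
WARNING: Industrial control system equipment.
Unauthorized access is prohibited. All activity is monitored and logged.
^C
!
end
!
! --- Step 6: save, then back up (exec mode) ---
! copy running-config startup-config
! copy running-config tftp://192.0.2.10/PLC-SW01.cfg
```

After applying it, log back in over SSH and confirm with "show ip ssh" (should report version 2), "show running-config | include password 7" (should return nothing for your admin accounts) and "show interfaces trunk" (native VLAN should be 999 on the uplink, and it must match on the far end or CDP will report a native VLAN mismatch).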

I have seen advertisements for data diodes and similar installations. I do not trust them. If I had one, I would still use a DMZ. Remember, networks are nothing like relationships: you work on little or no trust.


Keep up the good work!
