flinana

Firewall Between SCADA

12 posts in this topic

Hi, I was wondering if anyone can tell me how to place a firewall between 2 different SCADAs, i.e. 2 different private networks. The idea is that only certain data is read from one SCADA to the other. Currently the firewall is connected behind the switch from one of the LANs and not in between. Basically a LAN B cable is connected to the WAN port of the FW, another cable runs from the LAN B switch to the FW, and finally another cable joins both switches from LAN A and LAN B. Attached is a diagram showing the connections. Thanks in advance.
Edited by flinana

I don't know what SCADA you use, but when you say certain data, do you mean part of all the data that is available on this SCADA link? Is the link a proprietary driver? If possible you could set up a second driver using a specific TCP port for the data that is allowed to go from A to B, and set up a switch/router in between to forward this traffic. By the way, what use does the FW at LAN B have in your picture when the Internet connection is direct to LAN A?

Thanks for the prompt response. Both SCADAs are InTouch systems. LAN B is a SCADA from Wartsila (Finnish engine supplier), so they set it up so that we could only read certain variables from their engines into another SCADA. I also cannot understand why the FW is not between both LANs. The data is being passed through; however, the communication cuts out very often. Not only that, but the other day someone connected another ethernet cable between the FW and the switch and all PLCs in the plant went into stop mode. It caused an illegal loop, but even Siemens (they are S7 PLCs) can't work out why this cable caused this havoc.

To me it just looks weird. Why does the FW have two ties to the switch? I assume all these switches have configuration options with access rules etc. If I remember correctly, Wartsila is using Citect. If you know the TCP port no. of the comms between InTouch and Citect, this could be set to allow in a firewall. Who is required to have the firewall? If Wartsila is afraid their system is compromised, they should set their firewall to only allow your traffic. [OT] What type of vessel are you on? [/OT]

Wartsila also uses InTouch, and it is no vessel; it's a 32 MW cogeneration plant in Madrid's new airport terminal. Wartsila is afraid of having their system compromised; that's the reason for their. I am no expert in comms, but as far as I know they have configured in the FW an IP from our LAN IP range to allow us access to the InTouch variables. Not sure if it makes sense. Thanks

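The two replies above converge on the same rule: one permitted source address, one permitted TCP port, and everything else denied, with the filter sitting on the only path between the two LANs. The model below is an added example written for this thread; it is not code from any poster, from Wonderware or from Wartsila. The addresses, the TCP port number and the interface names are assumptions chosen for the example. It evaluates packets against that policy, tracks which connections were opened under the allow rule so the server's replies get back, and emits the equivalent Linux FORWARD-chain rules for a box with one interface in each LAN.

```python
"""Model of a default-deny firewall between two SCADA LANs (added example).

Illustrative code for the thread above, not from the original posts or from
either vendor. All addresses, the port and interface names are assumed.
"""
import ipaddress
from dataclasses import dataclass

# The single flow LAN B's owner agreed to: one plant node (LAN A) reading
# from one server in LAN B on one TCP port. All three values are assumptions.
ALLOWED_CLIENT = ipaddress.ip_address("192.168.10.50")   # assumed LAN A node
ALLOWED_SERVER = ipaddress.ip_address("192.168.20.10")   # assumed LAN B server
ALLOWED_PORT = 5413                                       # assumed TCP port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True for the first segment of a new TCP connection


class ScadaFirewall:
    """Stateful filter on the only path between LAN A and LAN B."""

    def __init__(self):
        # Connection table: (client, cport, server, sport) tuples opened by a
        # packet that matched the allow rule.
        self._conntrack = set()

    def decide(self, pkt: Packet) -> str:
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)

        # Rule 1: a new connection from the one permitted client to the one
        # permitted server and port, in the A -> B direction only.
        if (pkt.syn and src == ALLOWED_CLIENT and dst == ALLOWED_SERVER
                and pkt.dport == ALLOWED_PORT):
            self._conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"

        # Rule 2: traffic belonging to a connection opened under rule 1, in
        # either direction, so the server's replies reach LAN A.
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.syn and (forward in self._conntrack
                            or reverse in self._conntrack):
            return "ACCEPT"

        # Rule 3: default deny. Covers every other LAN A host, every other
        # port on the server, and any connection LAN B tries to open into A.
        return "DROP"


def iptables_rules() -> list:
    """Equivalent Linux FORWARD-chain rules for a box with eth0 in LAN A and
    eth1 in LAN B (interface names assumed). Returned as strings, not run."""
    return [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED "
        "-j ACCEPT",
        f"iptables -A FORWARD -i eth0 -o eth1 -p tcp -s {ALLOWED_CLIENT} "
        f"-d {ALLOWED_SERVER} --dport {ALLOWED_PORT} "
        "-m conntrack --ctstate NEW -j ACCEPT",
    ]


if __name__ == "__main__":
    fw = ScadaFirewall()
    # Constructed sample packets: the agreed read, its reply, and three
    # things the policy must refuse.
    samples = [
        Packet("192.168.10.50", "192.168.20.10", 40000, 5413, syn=True),
        Packet("192.168.20.10", "192.168.10.50", 5413, 40000),
        Packet("192.168.10.50", "192.168.20.10", 40001, 445, syn=True),
        Packet("192.168.10.77", "192.168.20.10", 40002, 5413, syn=True),
        Packet("192.168.20.10", "192.168.10.50", 50000, 5413, syn=True),
    ]
    for p in samples:
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} syn={p.syn}: "
              f"{fw.decide(p)}")
    print("\n".join(iptables_rules()))
```

The point the model makes about the thread's topology is the third rule: it only holds if the firewall is the sole link between the two switches. With a cable joining LAN A's switch directly to LAN B's switch, as described in the first post, traffic never reaches the filter and the policy is irrelevant.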
OK, so if Wartsila have configured their FW to allow your IP, what's the exact problem then? The connection failing sometimes? I forgot Wartsila also provides power installations onshore.

Exactly, the connection is failing a fair bit and I have the feeling it's the way the physical connections are made. I am sure the FW is in the wrong place, because if I was to find out their local IP addresses I would be able to get all the data I want, since the FW is behind their switch. Do you know people from Wartsila?

I think you should try to discuss this in detail with Wartsila, as we don't have enough details and info on the networks to make a diagnosis of the problem. I don't know people at Wartsila; I have worked with them once, on the rare occasion their engines were installed on a yacht.

I am trying to get them off their booty and have a look at it. Just one question, since you seem to know quite a bit more than myself about networks: how would you go about installing/configuring so that Wartsila is protected from, let's say, LAN A? FW? Router? Thanks

Well, I know enough on networks to say a router is your best firewall. Read some more on routers here. The advantage is that no party has to rely on software running on a machine. But still I think Wartsila is the party that needs to host the router.

Thanks. The problem is that Wartsila is paranoid with protection. Do you know if the WAN port in a FW can be used to connect another LAN? i.e. is the WAN port just another ethernet port, or is it special and only a DSL line can be connected to it?

I think if it was just another ethernet port they wouldn't call it a WAN port. The WAN port is meant for the DSL line. All settings in the router configuration for the DSL line apply to the WAN port. In the easiest configuration the LAN ports are just like a switch, but they can be configured (depending on the router type). All these details should be described in the router manual. If you can catch the name/type of the router, you can Google the manual.
