Industrial Internet Security Framework v 1.0 | Page 94

Security Framework
9: Protecting Communications and Connectivity
A device requesting access to the network must implement a supplicant. A switch, router or wireless access point implements the authenticating counterpart, the authenticator. In some cases, network equipment may implement both the authenticator and the supplicant feature.
A supplicant requests access from an authenticator that forwards the access request to an authentication server for review. After authentication, the switch or the wireless access point enables the port or the wireless connection for traffic other than just the IEEE 802.1X authentication frames. The authentication server can be integrated into the device itself.
Authentication servers can also be made available as a centralized resource to the whole network, implemented through a Remote Authentication Dial-In User Service (RADIUS) server. Access credentials such as user names and passwords can then be administered centrally and accessed by all network devices acting as authenticators. User-specific configuration information, such as membership in a specific VLAN, can also be rolled out via RADIUS and assigned via IEEE 802.1X.
9.2.8 USING SECURITY GATEWAYS TO PROTECT LEGACY ENDPOINTS, COMMUNICATION AND CONNECTIVITY
The ‘Industrial Internet Reference Architecture’¹ suggests using gateways to integrate multiple connectivity technologies, for example to protect legacy endpoints and communication links while enabling interoperability of brownfield and greenfield deployments in IIoT systems, with a secured gateway acting as a mediator, as shown in Figure 9-7. A similar approach should be used to integrate legacy endpoints with limited support for security functions into modern IIoT systems.
An IIoT gateway acts as a proxy for one or more legacy endpoints and translates between the legacy protocol expected by each legacy endpoint and the modern interoperability protocols used by new endpoints. It prevents exposure of the legacy endpoints' attack surfaces to the network. It can also mediate between IIoT systems that support per-user authentication and role-based authorization and legacy systems with no such support. In addition, the IIoT gateway can normalize the information into a few selected interoperability protocols so that applications can interoperate without having to support all of them, which can reduce the attack surface.
The link between the IIoT gateway and each legacy endpoint may also be protected using technologies that are transparent to the legacy protocols. For example, on a LAN, VLANs may be used to separate devices on a legacy network segment when those devices need to communicate only with the IIoT gateway and not with each other. Over a WAN, vulnerable legacy communication protocols may be tunneled transparently through VPNs implemented in firewalls deployed at the IIoT/WAN network boundaries.
¹ See [IIC-IIRA2016].