Industrial Internet Security Framework v1.0 | Page 94

Security Framework
9: Protecting Communications and Connectivity
A device requesting access to the network must implement a supplicant. A switch, router or wireless access point implements the authenticating counterpart, the authenticator. In some cases, network equipment may implement both the authenticator and the supplicant function.
A supplicant requests access from an authenticator, which forwards the access request to an authentication server for review. After successful authentication, the switch or the wireless access point enables the port or the wireless connection for traffic other than just the IEEE 802.1X authentication frames. The authentication server can be integrated into the network device itself.
Authentication servers can also be made available as a centralized resource to the whole network, implemented through a Remote Authentication Dial-In User Service (RADIUS) server. Access credentials such as user names and passwords can then be administered centrally and accessed by all network devices that act as authenticators. User-specific configuration information, such as membership of a specific VLAN, can also be rolled out via RADIUS and assigned via IEEE 802.1X.
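The exchange described above (a supplicant on an unauthorized port, an authenticator that relays credentials to a central RADIUS-style server, and a VLAN assignment returned with the accept decision), as an added Python model that is not part of the IISF document. The class names, user names, passwords, MAC addresses and VLAN numbers are constructed for the example, and the EAP method is abstracted to a salted password check; a real deployment negotiates an EAP method over EAPOL and speaks RADIUS to the server.

```python
"""Minimal model of IEEE 802.1X port-based access control with a
central RADIUS-style authentication server that also hands back a
VLAN assignment. Added illustration, not code from the IISF document;
the class names, credential table and VLAN numbers are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# EtherType 0x888E carries EAPOL (802.1X) frames: the only traffic an
# unauthorized port forwards.
EAPOL_ETHERTYPE = 0x888E
IPV4_ETHERTYPE = 0x0800


@dataclass
class Frame:
    src_mac: str
    ethertype: int
    payload: bytes = b""


@dataclass
class Port:
    authorized: bool = False
    vlan: Optional[int] = None
    supplicant_mac: Optional[str] = None


class AuthenticationServer:
    """Central RADIUS-like server: validates credentials and returns
    per-user attributes (here the VLAN to assign to the port)."""

    ROUNDS = 10_000

    def __init__(self, users):
        # users: {name: (password, vlan)}; only salted hashes are kept.
        self._db = {name: (self._hash(name, pw), vlan) for name, (pw, vlan) in users.items()}

    @staticmethod
    def _hash(name, password):
        salt = b"iisf-example-" + name.encode()   # constructed per-user salt
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, AuthenticationServer.ROUNDS)

    def access_request(self, user, password):
        """Return ("Access-Accept", vlan) or ("Access-Reject", None)."""
        entry = self._db.get(user)
        if entry is None:
            return ("Access-Reject", None)
        digest, vlan = entry
        if hmac.compare_digest(self._hash(user, password), digest):
            return ("Access-Accept", vlan)
        return ("Access-Reject", None)


class Authenticator:
    """Switch / access-point side: holds per-port state and relays the
    supplicant's credentials to the authentication server."""

    def __init__(self, server, port_count=4):
        self.server = server
        self.ports = {i: Port() for i in range(port_count)}

    def forward(self, port_id, frame):
        """Forwarding decision for a frame arriving on port_id: (forwarded, vlan)."""
        port = self.ports[port_id]
        if frame.ethertype == EAPOL_ETHERTYPE:
            return True, None      # EAPOL always reaches the authenticator
        if not port.authorized or frame.src_mac != port.supplicant_mac:
            return False, None     # everything else is dropped until authorized
        return True, port.vlan

    def authenticate(self, port_id, mac, user, password):
        """Supplicant presents credentials on a port; the authenticator
        relays them and applies the server's decision to that port."""
        result, vlan = self.server.access_request(user, password)
        port = self.ports[port_id]
        if result == "Access-Accept":
            port.authorized, port.vlan, port.supplicant_mac = True, vlan, mac
        else:
            port.authorized, port.vlan, port.supplicant_mac = False, None, None
        return result

    def link_down(self, port_id):
        """Link loss returns the port to the unauthorized state."""
        self.ports[port_id] = Port()


def demo():
    """Walk one port through the unauthorized -> authorized transition."""
    server = AuthenticationServer({"plc-17": ("s3cret-plc", 20)})   # constructed
    switch = Authenticator(server)
    mac = "aa:bb:cc:00:00:17"
    data = Frame(mac, IPV4_ETHERTYPE, b"process data")
    before = switch.forward(0, data)                       # dropped
    eapol_ok = switch.forward(0, Frame(mac, EAPOL_ETHERTYPE))[0]
    rejected = switch.authenticate(0, mac, "plc-17", "wrong")
    accepted = switch.authenticate(0, mac, "plc-17", "s3cret-plc")
    after = switch.forward(0, data)                        # forwarded on VLAN 20
    return before, eapol_ok, rejected, accepted, after


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is the port state machine: until the server answers Access-Accept, only EAPOL frames leave the port, and a frame from a different source MAC on an authorized port is still dropped. Per-user attributes such as the VLAN live on the central server, so moving a device to another VLAN is a server-side change rather than a per-switch one.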
9.2.8 USING SECURITY GATEWAYS TO PROTECT LEGACY ENDPOINTS, COMMUNICATION AND CONNECTIVITY
The ‘Industrial Internet Reference Architecture’¹ suggests using gateways to integrate multiple connectivity technologies, for example to protect legacy endpoints and communication links while enabling interoperability of brownfield and greenfield deployments in IIoT systems, with a secured gateway acting as a mediator, as shown in Figure 9-7. A similar approach should be used to integrate legacy endpoints with limited support for security functions into modern IIoT systems.
An IIoT gateway acts as a proxy for one or more legacy endpoints and translates the legacy protocol expected by each legacy endpoint into the modern interoperability protocols used by new endpoints. It prevents exposure of the legacy endpoints' attack surfaces to the network. It can also mediate between IIoT systems that support per-user authentication and role-based authorization and legacy systems with no such support. In addition, the IIoT gateway can normalize the information into a few selected interoperability protocols so that applications can interoperate without having to support all of them, which also reduces the attack surface.
The link between the IIoT gateway and each of the legacy endpoints may also be protected using technologies that are transparent to the legacy protocols. For example, in a LAN, VLAN technology may be used to separate devices on a legacy network segment when those devices need to communicate with the IIoT gateway but have no need to communicate with each other. In a WAN, vulnerable legacy communication protocols may be tunneled transparently through VPNs implemented in firewalls deployed at IIoT/WAN network boundaries.
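The mediation role described in this section, as an added Python model that is not part of the IISF document or of any IIRA gateway implementation: a legacy endpoint that executes any well-formed command from any sender sits behind a gateway that authenticates each user, enforces role-based authorization, validates parameters before they are rendered into the legacy command line, and normalizes the reply into a dict-based format. The legacy command syntax, register numbers, user names, API keys and role names are constructed for the example.

```python
"""Model of an IIoT security gateway fronting a legacy endpoint that has
no authentication or authorization of its own. Added illustration, not
code from the IISF document; the legacy command syntax, users, roles,
API keys and register numbers are constructed for the example."""
import hmac
from typing import Dict, Tuple


class LegacyEndpoint:
    """Stand-in for a brownfield device: a line-oriented protocol that
    executes any well-formed command from any sender (constructed)."""

    def __init__(self):
        self.registers = {40001: 0, 40002: 1500}

    def execute(self, line: str) -> str:
        parts = line.split()
        if len(parts) == 2 and parts[0] == "READ":
            return f"OK {self.registers.get(int(parts[1]), 0)}"
        if len(parts) == 3 and parts[0] == "WRITE":
            self.registers[int(parts[1])] = int(parts[2])
            return "OK"
        return "ERR"


# Role-based authorization: the normalized operations each role may invoke.
PERMISSIONS = {
    "viewer": {"read_register"},
    "engineer": {"read_register", "write_register"},
}


class IIoTGateway:
    """Proxies the legacy endpoint, adds per-user authentication and
    role-based authorization, validates parameters before they reach the
    legacy protocol, and normalizes replies into a dict-based format."""

    def __init__(self, legacy: LegacyEndpoint, users: Dict[str, Tuple[str, str]]):
        self._legacy = legacy          # never exposed directly to the network
        self._users = users            # name -> (api_key, role); constructed

    def _authenticate(self, user: str, api_key: str) -> str:
        """Return the user's role, or "" if the credentials do not match."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(rec[0], api_key):
            return ""
        return rec[1]

    def request(self, user, api_key, op, **params):
        """Normalized request -> legacy command -> normalized reply."""
        role = self._authenticate(user, api_key)
        if not role:
            return {"status": "unauthenticated"}
        if op not in PERMISSIONS.get(role, set()):
            return {"status": "forbidden", "user": user, "op": op}
        try:   # strict typing keeps arbitrary text out of the legacy command line
            address = int(params["address"])
            value = int(params["value"]) if op == "write_register" else None
        except (KeyError, ValueError, TypeError):
            return {"status": "bad_request"}
        if op == "read_register":
            reply = self._legacy.execute(f"READ {address}")
            if reply.startswith("OK "):
                return {"status": "ok", "address": address, "value": int(reply[3:])}
            return {"status": "error"}
        reply = self._legacy.execute(f"WRITE {address} {value}")
        return {"status": "ok"} if reply == "OK" else {"status": "error"}


if __name__ == "__main__":
    gw = IIoTGateway(LegacyEndpoint(), {"eng1": ("key-eng-1", "engineer")})
    print(gw.request("eng1", "key-eng-1", "read_register", address=40002))
```

Two design choices carry the security value. The legacy endpoint is held as a private attribute of the gateway and is never addressable from the network, so its attack surface is not exposed; and every parameter is converted to an integer before being formatted into the legacy command, so the only commands the endpoint ever sees are the two the gateway itself composes.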
¹ See [IIC-IIRA2016].

IIC:PUB:G4:V1.0:PB:20160926 - 94 -