October 26, 2009 by Jeremy Pollard
Cyber security and rogue plant floor applications are made for each other. One tries to get to places while the other tries to stop them. Sounds like parents with teenagers.
But I assure you it is more than that.
A proxy server is a software application that resides on a computer in your network. Previous proxy “servers” — a word that can be misinterpreted because it can mean hardware or software — needed to be run on a server-based operating system platform. In this case, the FreeProxy software can run on any Windows-based operating system, although it hasn’t been tested on Vista — but then, I ask, why would you want to?
A proxy service gives the computers on a network a supervised path to the resources they need, rather than a direct one. Its main use is to connect networked computers to the Internet so that no individual computer is directly connected to the Internet as such. Without a proxy, even though there is typically a router on both the Internet side and the network side, browsers and e-mail clients reach those resources directly, which can cause all sorts of security and access-control issues. In this column, I will focus on concerns surrounding access control.
Typically when a computer is on a network, it has access to shared resources, access to “ports” and, therefore, access to digital assets. Ports allocate connections to resources over the TCP/IP communication protocol through an interface called Sockets (Winsock on Windows). This interface lets two computers communicate in much the same way a phone operator connected calls in the “early days.”
So why might this be important? It has long been argued that the control network should be separate from the “office” network. FreeProxy can run on any operating system, which means that any computer on the network can host this server software.
Having said that, you would need to pick a computer on which to install the software. For me, the installation went very smoothly, and I must say the help file is very complete. The software has not been updated since 2006, and version 4.0 is still in beta, so its future support may be in question, but it is still a great product for use right now.
Configuring the server is easy, provided you understand TCP/IP and the related network protocols.
The purpose of the software is to serve up Web pages and to allow access to resources such as HMI or programming nodes.
The software also allows the administrator to assign users, groups and access options. When you create a user (the administrator sets up the client as well), that user logs into the server and a policy is retrieved that tells the user which assets are available to them. If several users need the same access, you can apply the restrictions to a group instead. Setting this up is pretty easy.
You shouldn’t have multiple machines logging in with the same user name and password. This may be a move away from your current norm, but it allows for the restrictions to be better defined.
For example, you can set up the software to allow Joe_1 to access the PLC on the calendar (a paper-machine section) but not allow access to the PLC on the winder. Betty, however, could access the complete paper machine.
Rockwell Ethernet PLCs that reside on a network should use TCP Port 2222 for packet initiation from a client application, such as RSLogix programming software, and TCP Port 2223 for the reply. You can set the server up to block the PLC’s IP address, or simply the port, for a user or a group. This means that any software that uses that port (such as RSLogix5) would be blocked if that user tried to access a Rockwell PLC. This would also work for Modbus devices, assuming the default ports are used; if the ports have been changed, the changed port numbers would need to be identified instead. This resource definition takes place within the proxy server, so that only authorized people can access the assets the administrator deems proper.
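To make the per-user and per-group port and address restrictions concrete, here is an added example of a small deny-by-default policy evaluator in Python; it is not FreeProxy’s own code or configuration format, and the PLC addresses, the 10.20.1.0/24 segment, the group names and the Modbus port 502 check are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of proxy access rules; not FreeProxy's configuration format.
@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    network: Optional[str] = None      # host or CIDR the rule applies to; None = any
    ports: Optional[frozenset] = None  # destination ports; None = any port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if self.network is not None:
            if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.network, strict=False):
                return False
        if self.ports is not None and dst_port not in self.ports:
            return False
        return True

# Constructed lab addressing for the paper machine; the column names no addresses.
PLC_CALENDAR = "10.20.1.11"
PLC_WINDER = "10.20.1.12"
ROCKWELL_PORTS = frozenset({2222, 2223})   # the programming ports named in the column
MODBUS_PORT = 502                          # default Modbus/TCP port, for comparison

GROUPS = {"operators": {"joe_1"}, "engineers": {"betty"}}
USER_RULES = {
    "joe_1": [Rule("deny", PLC_WINDER)],   # Joe_1 may never reach the winder PLC
}
GROUP_RULES = {
    # operators get only the Rockwell programming ports on the paper-machine segment
    "operators": [Rule("allow", "10.20.1.0/24", ROCKWELL_PORTS)],
    # engineers (Betty) get the complete paper machine on any port
    "engineers": [Rule("allow", "10.20.1.0/24")],
}

def groups_of(user: str):
    return [g for g, members in GROUPS.items() if user in members]

def decide(user: str, dst_ip: str, dst_port: int) -> str:
    """First matching rule wins; user rules are checked before group rules.
    Unknown users, or traffic no rule mentions, are denied."""
    chain = list(USER_RULES.get(user, []))
    for g in groups_of(user):
        chain.extend(GROUP_RULES.get(g, []))
    for rule in chain:
        if rule.matches(dst_ip, dst_port):
            return rule.action
    return "deny"
```

Rules like these only hold if every workstation is forced through the proxy; a client that can route to the PLC segment directly is not governed by them.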
The server can be set up as a Web server, as well, so if you have applications or applets that can serve up HTTP information, this server can manage that domain for you. Other options can include FTP file transfer, Web-based e-mail and instant messaging.
This proxy is the network management tool you’ve been looking for — and the cost is perfect.
While this review acted more as a primer for proxy software than as a full-blown review of the software itself, FreeProxy is a program that can make our lives much easier by acting as a network traffic cop, and it can be easily implemented by control guys like us.
Jeremy Pollard is a 25-year veteran of the industrial automation industry. He has worked as a systems integrator, consultant and educator in the field. You can reach Jeremy at firstname.lastname@example.org.