Networking Production Appliance Boards

  1. #1
    Registered User
    Join Date
    Jun 2000
    Location
    Winfield, Alabama
    Posts
    507

    Networking Production Appliance Boards

    We now have eleven {11} Vorne Production Appliances {Model XL600-4R} at our Winfield facility as well as two more of the same model at our Salyersville, KY facility. My goal has been to network the eleven boards here in Winfield so they may be accessed on the plant floor by supervision as well as in our offices by me and management. We have encountered resistance to connecting these boards wirelessly to the existing wireless network on our shop floor with the main concern being security and the alternate solution offered by our corporate networking department as wired fiber optic. These boards connect to the equipment via PLC and I connect to them now via the only communication port on the board by attaching a CAT5 cable run from my laptop.
    We have 11 boards separated by distances ranging from 100’ to 400’ with the 2 boards farthest apart being 1200’ from each other. These 11 boards are scattered between our 3 connected buildings. Each of the 3 buildings has desktop PCs connecting to our network wirelessly. These PCs are all contained within locked work stations. At one time, we did have routers/switches both in the shop and offices which were easily accessible but these have either been moved above the ceilings or removed due to security concerns.
    The main issue our networking department has is with security. We have recommended connecting a wireless bridge to the boards and connecting any boards within the 300’ limitation of CAT5 cable to the same bridge. This bridge would then communicate with our existing wireless network. The problem is that our networking department feels this is not secure in that someone could possibly plug a CAT5 cable into the wireless bridge and gain access. Other than the simplest solution of placing these bridges next to the boards, which are 15-20 feet above the floor, what other secure methods could be used to satisfy these concerns? The manufacturer has said that MAC address filtering could be used on the wired ports of the wireless bridge. Intrusion to our wireless network is not a concern – just the fact that a switch/bridge would be out on the shop floor {even if it was 20’ in the air OR in a lock-box} where someone could gain physical access.
    Any ideas would be helpful as I will be scheduling a phone conference for all concerned parties and I’d like to have some “ammo”, so to speak, to support my point. I was an MCSE {Microsoft Certified Systems Engineer} back in 2001 {albeit the OS then was NT 4.0} at one time but now have just enough knowledge to look silly in a discussion.

    Thanks!
    “If nothing changes, Nothing changes!”

  2. #2
    Registered User CeeBee's Avatar
    Join Date
    Nov 2002
    Location
    USA
    Posts
    2,494
    If you have a decent switch you can set per-port MAC filtering and only allow specific MACs to talk on that port.
    Not that MACs cannot be cloned...
    Protected by Glock. Don't mess with me!

  3. #3
    Registered User
    Join Date
    Jun 2000
    Location
    Winfield, Alabama
    Posts
    507
    Thanks for the info!
    “If nothing changes, Nothing changes!”

  4. #4
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    Perhaps I'm missing something here, but I'd always be concerned about a WLAN being compromised; much more so than a wired LAN that's physically secured. I'm also unclear on why network equipment in a production environment is apparently considered more at risk than the equivalent equipment in an office environment. I'd think that office personnel are much more likely to have sophisticated computer skills than your line employees.

    Of course with wireless you are not only exposed to more potential external (and probably undetected) intrusion attempts, but the performance of the network is both lower than a wired LAN and much more subject to interruption from external sources: you can't control all external sources of RF interference. I just can't see why a wired connection that incorporates MAC based port filtering isn't perfectly adequate. Hardware solutions that can overcome the distance limitations of wired networks are relatively cheap and easy to implement. Here's an example: http://www.bb-elec.com/product_multi...=Sub&Trail=935
    Last edited by slgrieb; May 18th, 2012 at 05:51 PM.
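
The per-port MAC filtering suggested in posts #2 and #4, with the cloning caveat from post #2, can be backed by a periodic audit of what each port has actually learned. The following is an added example, not part of the thread: the port names, addresses and the "port,mac" snapshot format are constructed assumptions, not output from any particular switch or bridge.

```python
import re
from collections import defaultdict

# Constructed allowlist (hypothetical port names and addresses): port -> MACs.
ALLOWED = {
    "port1": {"00:11:22:33:44:01"},
    "port2": {"00:11:22:33:44:02"},
    "port3": {"00:11:22:33:44:03"},
}
# Constructed snapshot of learned addresses as "port,mac" lines
# (an assumed export format, not any vendor's CLI output).
SNAPSHOT = """\
port1,0011.2233.4401
port2,00-11-22-33-44-02
port2,DE:AD:BE:EF:00:01
port4,00:11:22:33:44:01
"""

def normalize_mac(raw):
    """Reduce colon, dash or dotted notation to lowercase aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(snapshot, allowed):
    """Return sorted (finding, port, mac) tuples. A clone that replaces the
    real device on its own port matches the allowlist and is not flagged."""
    seen = defaultdict(set)  # mac -> ports it was learned on
    findings = set()
    for line in snapshot.splitlines():
        if not line.strip():
            continue
        port, raw = (field.strip() for field in line.split(",", 1))
        mac = normalize_mac(raw)
        seen[mac].add(port)
        if mac not in allowed.get(port, set()):
            findings.add(("unauthorized", port, mac))
    for mac, ports in seen.items():
        if len(ports) > 1:  # same address on two ports: clone or loop
            findings.update(("duplicate", p, mac) for p in ports)
    for port, macs in allowed.items():
        on_port = {m for m, ports in seen.items() if port in ports}
        findings.update(("missing", port, m) for m in macs - on_port)
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SNAPSHOT, ALLOWED):
        print(*finding)
```

The "missing" finding matters on a shop floor: an appliance that drops off its port is the moment a substituted device would appear, so it is worth alerting on alongside unknown addresses.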

  5. #5
    Registered User
    Join Date
    Jun 2000
    Location
    Winfield, Alabama
    Posts
    507
    I could not agree more!

    You can walk through our offices and see many open ports to plug into or someone could simply unplug a CAT5 from the back of a desktop PC in our office and plug their own device in.

    Or, many folks walk away from their work stations w/o logging off. There is no automatic desktop locking any longer so anyone could log on.

    The board vendor was aghast at what he called "completely illogical" concerns.

    Thanks for confirming what I suspected.
    “If nothing changes, Nothing changes!”

  6. #6
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    You are welcome. As an independent contractor who frequently deals with small banks and credit unions, it's surprising how often security concerns focus on mouseholes, and ignore the open doors on the loading dock. So to speak.

  7. #7
    Registered User MobilePCPhysician's Avatar
    Join Date
    Jan 2002
    Location
    Cleveland, Oh
    Posts
    2,384
    Quote Originally Posted by slgrieb View Post
    You are welcome. As an independent contractor who frequently deals with small banks and credit unions, it's surprising how often security concerns focus on mouseholes, and ignore the open doors on the loading dock. So to speak.
    Wow. Someone who understands me.
    Sergeant WOTPP

  8. #8
    Registered User slgrieb's Avatar
    Join Date
    Feb 2003
    Posts
    4,103
    One of the funniest/scary things I ever saw happened at a large financial planning firm. Big outfit. Anyway, one of my clients purchased a controlling interest from a couple of partners who wanted to retire, and he asked me to take a look at their setup because he wasn't too comfortable with the guy who did their computer work. The leading cause for concern was that the office manager wasn't sure if their server was being backed up correctly.

    When I spoke to her, she said that every morning there was an error message displayed on the server, but their computer guy told her that it could be ignored 'cause the backup was really working. I asked her to show me the server.

    Which turned out to be sitting on a counter in the break room next to the coffee maker. No surge suppressor, no UPS. Well, that surprised me! But it was only the beginning. Told her I wanted to look at the backup logs, and asked for the password for the server, only to be told that it wasn't password protected (old Compaq, NT 4.0). So, it turned out that the server hadn't been backed up in 8 months (the backup was too big to fit on a single tape cartridge without compression, which was disabled). And so it went during the entire audit. No passwords on the workstations, missing OS and software installation disks, you know the drill.

    Anyway, at the end of the tour, the 3 senior partners asked for some recommendations. First and foremost I said was password protect everything, get the server out of the break room and lock it up, and did I mention a password? Oh, and one of those battery backup thingies would be nice too. After I explained my rationale, one of the partners said, "well, we don't have that much trouble with the power, and it seems awkward to move the server, and all". "I can't imagine that we'd ever have an employee that would erase or steal our client data. But I think we really need a formal disaster recovery plan."

    I said, "If you aren't willing to practice due diligence, a disaster recovery plan isn't going to be useful. I'd say that if client data on the server is lost or compromised due to your negligence, you should just go up on the roof and jump. It'll hurt less than the lawsuits." Ah, the joy of having a friend who controlled the company, so I could say what I thought! A once-in-a-lifetime chance not to be wasted.

    Of course, they did make the changes, I wrote a recovery plan, and for several years thereafter, I handled their routine little problems via LogMeIn, and showed up every month to do an onsite check where I was always made to feel as welcome as fecal matter in the punch bowl.
    Last edited by slgrieb; May 20th, 2012 at 11:22 AM.
