Problem Analysis of Industrial Ethernet

⑴ In the traditional industrial Ethernet model, the upper and lower network segments use different protocols and cannot interoperate, so a single firewall layer is enough to block illegal access from outside. Industrial Ethernet, however, connects the control layer with the management layer; the upper and lower segments use the same protocol and are interoperable, so a two-level firewall is used. The second-level firewall shields the internal network from illegal access and assigns different authorizations to legitimate users according to their permissions. Filtering and login policies can also be adjusted on the basis of the log records.

Strict permission management must be enforced, with permissions assigned by department or by operation. Because factory applications are highly specialized, permission management is an effective way to prevent unauthorized operations. Access to the operating system of critical workstations must also be restricted. The built-in device management system must provide a record-review function: the database automatically records every device parameter modification event, including who made the change, the reason for it, and the parameter values before and after, so that every change is fully documented.

⑵ In industrial Ethernet applications, encryption can be used to prevent theft of key information. There are two main cryptosystems: symmetric and asymmetric. In a symmetric system both the encrypting and the decrypting party use the same key, which must be kept secret; because the key has to be distributed before communication can begin, that distribution step is an unsafe link in the system. An asymmetric system is therefore adopted. Since most of the traffic on industrial Ethernet consists of periodic short messages, this encryption method is relatively fast, which makes it feasible for industrial Ethernet. Access by external nodes must also be prevented.

⑶ The real-time performance of industrial Ethernet is guaranteed mainly by the following measures: limiting the communication load of the industrial Ethernet, using 100M fast Ethernet technology to increase bandwidth, and using switched Ethernet with full-duplex communication to suppress the inherent CSMA/CD mechanism. With the open interconnection of networks and the large-scale introduction of IT technologies into automation systems, coupled with the openness of the TCP/IP protocol itself and the endless emergence of network viruses and attack methods, network security can become a prominent issue affecting the real-time performance of industrial Ethernet.

1) Virus attacks

The Internet is flooded with attacks by worms such as Slammer and "Shockwave" and by other network viruses. Take worms as an example. Although the direct targets of these worm attacks are usually PCs and servers on the information-layer network, the attacks travel over the network, so when a worm breaks out on a large scale, switches and routers are the first devices implicated. Users can only eliminate the worm's impact on network devices by restarting the switching and routing equipment and reconfiguring the access control lists. A worm attack can cause route flapping across the entire network, which may let some traffic from the upper information-layer network flow into the industrial Ethernet, increasing its communication load and degrading its real-time performance. Many computer terminals are also connected to industrial Ethernet switches at the control layer; once a terminal is infected with a virus, even if the attack does not paralyze the network, it may consume bandwidth and switch resources.

2) MAC attack

Industrial Ethernet switches are usually Layer 2 switches, and MAC addresses are the basis on which a Layer 2 switch works: the network relies on them to forward data correctly. The dynamic Layer 2 address table is refreshed after a certain period (the age time). If a port has not received a packet whose source address is a given MAC address within that period, the mapping between that MAC address and the port becomes invalid; when the switch then receives packets whose destination address is that MAC address, it floods them, which degrades the overall performance of the switch and slows its table lookups. Moreover, if an attacker generates a large number of packets with different source MAC addresses, the switch's MAC address table space is filled, so that real data flows are flooded when they reach the switch. There have been many examples of networks being invaded through elaborate attacks of this kind that deceive the switch. Once the mapping information between MAC addresses and network segments in the table is destroyed, forcing the switch to dump its own MAC address table and begin failure recovery, the switch stops filtering network transmissions: it then behaves like a shared-media device or hub, the CSMA/CD mechanism comes back into play, and the real-time performance of industrial Ethernet suffers.
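The table-exhaustion effect described above, as an added simulation (not code from the original article): a tiny Layer 2 switch model with aging, a bounded MAC table and an optional per-port MAC limit (port security). The capacity, age time, port names and traffic pattern are constructed values chosen so the effect is visible; the eviction rule is a modelling assumption stated in the docstring.

```python
from collections import OrderedDict

AGE_TIME = 300.0     # seconds a dynamic entry survives without refresh (constructed value)
TABLE_CAPACITY = 8   # deliberately tiny MAC table so the effect is visible (constructed)

class L2Switch:
    """Model of a Layer 2 switch: dynamic MAC table with aging, bounded size and optional
    port security. When full, this model evicts the least-recently-seen entry; real ASICs
    differ (some stop learning, some overwrite on hash collision), but legitimate stations
    lose their entries either way and frames addressed to them are flooded."""
    def __init__(self, ports, max_macs_per_port=None):
        self.ports = ports
        self.max_macs_per_port = max_macs_per_port  # port-security limit; None = off
        self.table = OrderedDict()                  # mac -> (port, last_seen), LRU order
        self.shutdown = set()                       # ports err-disabled by port security

    def forward(self, src, dst, in_port, now):
        """Learn src on in_port, then return the egress ports for the frame."""
        if in_port in self.shutdown:
            return []
        for mac in [m for m, (_, seen) in self.table.items() if now - seen > AGE_TIME]:
            del self.table[mac]                     # age out stale entries
        if src not in self.table:
            if self.max_macs_per_port is not None and \
               sum(p == in_port for p, _ in self.table.values()) >= self.max_macs_per_port:
                self.shutdown.add(in_port)          # violation: disable the offending port
                return []
            if len(self.table) >= TABLE_CAPACITY:
                self.table.popitem(last=False)      # table full: evict least recently seen
        self.table[src] = (in_port, now)
        self.table.move_to_end(src)
        entry = self.table.get(dst)
        if entry is None:                           # unknown destination: flood all ports
            return [p for p in self.ports if p != in_port]
        return [] if entry[0] == in_port else [entry[0]]

def simulate(attack=True, max_macs_per_port=None, cycles=50):
    """PLC (p1) and HMI (p2) exchange one frame per second; a host on p3 sends 20 frames
    with fresh source MACs each second (constructed). Returns (PLC->HMI frames flooded, ports shut)."""
    sw = L2Switch(["p1", "p2", "p3"], max_macs_per_port)
    plc, hmi = "00:00:00:00:00:01", "00:00:00:00:00:02"
    sw.forward(plc, hmi, "p1", 0.0)                 # first frame floods: HMI not learned yet
    sw.forward(hmi, plc, "p2", 0.0)
    flooded = 0
    for c in range(1, cycles + 1):
        if attack:
            for i in range(20):
                sw.forward(f"de:ad:be:ef:{c:02x}:{i:02x}", plc, "p3", float(c))
        flooded += len(sw.forward(plc, hmi, "p1", c + 0.5)) > 1
        sw.forward(hmi, plc, "p2", c + 0.5)
    return flooded, sorted(sw.shutdown)
```

Without a per-port limit every periodic PLC-to-HMI frame is flooded for as long as the burst continues; with `max_macs_per_port=2` the switch disables p3 after the third new address and the control traffic stays unicast.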

Switch security technology

The switch security technologies used in information layer networks mainly include the following.

Flow control limits abnormal traffic passing through a port to a set range. Access Control Lists (ACLs) control input and output access to network resources so that network devices are neither accessed illegally nor used as a springboard for attacks. Secure Sockets Layer (SSL) encrypts all HTTP traffic, allowing secure access to the switch's browser-based management GUI. 802.1x and RADIUS network login control port-based access for authentication and accountability. Source port filtering allows only specified ports to communicate with each other. Secure Shell (SSHv1/SSHv2) encrypts all data transmission, securing remote CLI access over IP networks. Secure FTP provides secure file transfer to and from the switch, preventing unwanted file downloads or unauthorized copying of switch configuration files.

In practice, however, applying these security functions still raises many problems. For example, the switch's flow control function can only impose simple rate limits on the various types of traffic passing through a port, confining abnormal broadcast and multicast traffic within a certain range; it cannot distinguish normal traffic from abnormal traffic, and it is also difficult to set an appropriate threshold. Some switches support ACLs, but that is of little use if the ASIC supports only a few of them. Switches generally cannot give special treatment to illegal ARP packets (those whose source and destination MAC are broadcast addresses). Routing spoofing, spanning tree spoofing, 802.1x DoS attacks and DoS attacks against the switch's network management system are all further potential threats the switch faces.
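The flow-control caveat above, as an added illustration (not code from the original article): a per-port token-bucket broadcast limiter applied to constructed traffic made of a legitimate cyclic broadcast plus a broadcast storm. The rate, bucket depth and traffic timings are assumed values; the point is that the limiter sees only arrival rate, so once the storm drains the bucket it drops the legitimate frames too.

```python
BROADCAST_RATE_PPS = 5.0   # sustained broadcast frames/s the port admits (constructed threshold)
BROADCAST_BURST = 10       # bucket depth: short bursts above the rate are tolerated (constructed)

def token_bucket_admit(frames, rate_pps=BROADCAST_RATE_PPS, burst=BROADCAST_BURST):
    """Apply a per-port token-bucket broadcast limit to frames, a list of (time, label)
    sorted by time. Returns {label: (passed, dropped)}. The limiter only sees arrival
    rate: the label exists for our bookkeeping, the switch has no way to read it."""
    tokens, last = float(burst), 0.0
    stats = {}
    for t, label in frames:
        tokens = min(float(burst), tokens + (t - last) * rate_pps)  # refill since last frame
        last = t
        passed, dropped = stats.get(label, (0, 0))
        if tokens >= 1.0:
            tokens -= 1.0
            stats[label] = (passed + 1, dropped)
        else:
            stats[label] = (passed, dropped + 1)        # bucket empty: frame discarded
    return stats

def constructed_traffic(storm=True):
    """Legitimate cyclic broadcast (one status announcement every 0.5 s for 60 s) and,
    optionally, a broadcast storm of 30 frames/s between t=20 s and t=40 s (constructed)."""
    frames = [(k * 0.5, "cyclic") for k in range(120)]
    if storm:
        frames += [(20.0 + j / 30.0, "storm") for j in range(600)]
    return sorted(frames)
```

With the storm absent the limit never triggers; with the storm present the bucket stays near empty for the whole window, the storm is held to roughly the configured rate, but a share of the cyclic frames that arrive in that window is dropped as well.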

At the control layer, industrial Ethernet switches can borrow from these security technologies, but it must also be recognized that industrial Ethernet switches exist mainly for fast forwarding of data packets and emphasize forwarding performance in order to improve real-time behaviour; applying these security technologies therefore runs into serious difficulties of real-time performance and cost. The application and design of Ethernet here are based mainly on engineering practice and experience. The network consists mainly of control systems and operator stations, optimization system workstations, advanced control workstations and database servers; for the data transmitted between these devices, the network load is stable and has a certain periodicity. However, with the need for system integration and expansion, the vigorous application of IT technology in automation system components, the spread of B/S (browser/server) monitoring methods and so on, the availability of the network under security-relevant conditions must be studied, for example the buffer capacity of industrial Ethernet switches under burst traffic and the impact on existing network performance of a change in duplex switching mode. So, on the other hand, industrial Ethernet must address these issues starting from its own architecture.