WEBs-AX Security - Victor Distributing Controls Department

WEBs-AX
Tridium Niagara Framework IT Overview
Roger Rebennack
Today’s Disparate Systems
• Buildings have Many Systems
  - Elevators
  - Video
  - Card Access
  - Electrical
  - Lighting
  - HVAC
• Silos of Systems
One Platform
• Devices Networked into Systems
What is the Niagara Framework?
• The Tridium based Framework uses
a common tool for programming
devices and generating graphics.
This helps reduce training cost by
only having to learn one tool.
• An automation infrastructure not
just a control system
• Advanced, web based framework for
control, management and
integration of intelligent automation
devices
• OWE Framework exposes and
connects intelligent devices to the
internet and much more
Tridium Overview
WEBs-AX
A Java-based
automation framework
enabling real-time, two-way
control over the
Internet
A Niagara AX powered
suite of enterprise
applications for energy
management, facility
management, system
integration and security
The WEBs-AX Solution
WEBs-AX systems are completely Open
• Open and legacy protocols integrated into one Automation Infrastructure
• Open to Enterprise Applications
• Open Distribution
• Open Systems through “Best of Breed” Systems Integrators
WEBs-AX Architecture
[Architecture diagram. Labels: Utility DR Server; Web Supervisor; Vykon Energy Suite; Web Browsers; LAN, WAN, VPN; JACE; Security JACE; Remote Reader; Wireless Protocols; Remote I/O; LON and LON Devices; MSTP (RS-485) and MSTP Devices; Modbus RS-485 and Modbus Devices; Ethernet Protocols (Modbus TCP, OPC and others); IP Controllers]
Network Integration
All of Tridium's Niagara products can co-exist on your Windows
infrastructure.
Your AX Supervisor software will most likely be on a PC (Wintel or Linux) that
is already a member of your Domain or Active Directory.
Security access to the Niagara AX system is provided by local authentication
on the Web Supervisor Workstation or JACE.
It can, but does not need to, participate in the Domain or Active Directory
authentication, so there will be no additional security burden on your
existing Domain or Active Directory infrastructure.
Network Integration
Request for Compliance support?
NiagaraAX uses HTTP, HTTPS, SMTP and SNMP (optional) protocols.
Implementation of these protocols complies with their associated RFCs.
Network Integration
Does Niagara support DHCP?
DHCP is supported; however, static IP addresses provide the most reliable
connectivity.
Niagara does not support dynamic native DNS, so you must link your DHCP server
to your DNS server or use HOSTS files on each station.
To reliably use DHCP, it is recommended that you:
Reserve a static DHCP address for the MAC address of each
Niagara device. The device can be set for DHCP, and whenever it
requests a DHCP address it will be assigned the same one.
Network Integration
What about network traffic and bandwidth?
There are four categories of traffic that will affect network bandwidth:
Configuration
This is traffic associated with the initial setup and commissioning of a
Niagara implementation.
During system commissioning, bandwidth varies depending on the number
and type of objects being configured.
Logging
This is the scheduled bulk transfer of historical data being
passed from the JACE to the Web Supervisor.
- Binary encoded Boolean – 13 bytes / record
- Enum and single precision numeric – 16 bytes / record
- Double precision numeric – 20 bytes / record
- String – variable depending on the length of the string being stored
Assuming a typical (single precision) numeric history being
logged at a 15 minute interval, you can calculate the
number of bytes that need to be transferred daily.
96 records * 16 bytes/record = 1152 bytes = 1.13 kb
Real Time Data/Interstation Link
This is data that is transferred from station to station for
operational and GUI purposes.
A Niagara Network proxy point subscription is ~75 bytes.
Given 100 linked points from a JACE that all happened to update
during the same 1 minute period, expected bandwidth
utilization would be approximately 0.125 kbps.
(75 X 100 / 60 seconds = 125 bps)
GUIs consume more bandwidth during initial
image file loading.
Alarm and Exception Traffic
This is data that is sent during alarm conditions and cannot
be predicted.
The size of a typical alarm message is approximately 256
bytes.
Network Integration
How secure is Niagara?
Do any existing IT security measures have to be compromised to allow the
Niagara system to work?
If you are accessing JACEs over the Internet you will need to open up:
Port 80 for HTTP access to allow users to view web pages
Port 1911 for thick client GUIs
Port 3011 used for remote access/administration
These are the default port numbers; they can be changed to fit
your individual security requirements.
Network Integration
How secure is Niagara?
Niagara-AX provides the following additional features related to security:
Digest authentication
LDAP support
HTTPS support
Single sign on from a web browser if using DNS configuration
User-friendly graphical tools to manage security in a Niagara AX system
Network Integration
How is the JACE protected from viruses?
JACEs use proprietary Web servers and are not typical client machines.
Embedded JACEs use QNX as their OS.
As part of normal station operations, they do not download any files.
Virus protection for a Web Supervisor PC is advisable if it is used for other (non-Niagara Framework) functions.
Java Application Control Engine
Java Virtual Machine
OS (Win/Linux/QNX)
Network Integration
What network management tools do I use to manage system
controllers?
The Niagara application provides all the tools required to manage JACEs.
JACEs can also support SNMP.
This allows them to be managed by standard enterprise network
management tools such as HP Open View, Unicenter TNG, etc.
Network Integration
Firewalls?
JACEs and Web Supervisors can use NAT (network address translation) through a
firewall to expose them to the Internet.
Settings in the firewall should be used to control the type of traffic that can be passed
to the device.
We use Cisco PIX firewalls at all of our Tridium facilities and are working behind
various firewalls at our client locations.
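Added example (not part of the original slides or of Tridium's software): a small Python check that reads iptables-save style rules and flags ACCEPT rules that open the default Niagara ports listed earlier (80, 1911, 3011) to any source address, as one way to review the firewall settings this slide refers to. The sample rules, addresses and function names are constructed for illustration; rules without a port match and negated matches are not evaluated.

```python
import re

# Default NiagaraAX ports as listed on the slides; a site may have changed them.
NIAGARA_PORTS = {
    80: "HTTP web pages",
    1911: "thick client GUIs",
    3011: "remote access/administration",
}

# Constructed iptables-save style rules for a firewall in front of a JACE.
SAMPLE_RULES = """\
-A FORWARD -p tcp -d 10.20.0.5 --dport 80 -j ACCEPT
-A FORWARD -p tcp -s 198.51.100.0/24 -d 10.20.0.5 --dport 1911 -j ACCEPT
-A FORWARD -p tcp -d 10.20.0.5 -m multiport --dports 1911,3011 -j ACCEPT
-A FORWARD -p tcp -s 0.0.0.0/0 -d 10.20.0.5 --dport 3011 -j ACCEPT
-A FORWARD -p tcp -d 10.20.0.5 --dport 22 -j ACCEPT
-A FORWARD -p tcp -d 10.20.0.5 --dport 3011 -j DROP
"""

def _ports(rule):
    """Return the destination ports named by --dport/--dports (ranges expanded)."""
    match = re.search(r"--dports?\s+(\S+)", rule)
    ports = set()
    if not match:
        return ports
    for part in match.group(1).split(","):
        low, _, high = part.partition(":")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def find_open_niagara_rules(rules_text):
    """List (line_no, port, purpose) for ACCEPT rules reaching a Niagara port from any source."""
    findings = []
    for line_no, rule in enumerate(rules_text.splitlines(), start=1):
        if not re.search(r"-j\s+ACCEPT\b", rule):
            continue
        src = re.search(r"(?:^|\s)(?:-s|--source)\s+(\S+)", rule)
        if src is not None and src.group(1) not in ("0.0.0.0/0", "::/0"):
            continue  # source is restricted to a specific address or network
        for port in sorted(_ports(rule) & set(NIAGARA_PORTS)):
            findings.append((line_no, port, NIAGARA_PORTS[port]))
    return findings

if __name__ == "__main__":
    for line_no, port, purpose in find_open_niagara_rules(SAMPLE_RULES):
        print(f"rule {line_no}: port {port} ({purpose}) accepts traffic from any source")
```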
Tridium Profile
Founded 1997
100+ Employees
An independent business entity of Honeywell International Inc.
− Automation and Control Solutions Business
Headquarters
Richmond, Virginia
Administration, Engineering, Sales, Technical Support, Training,
Product Assembly
North American Offices
Richmond
Charlotte
Atlanta
Minneapolis
International Offices
London
Singapore
Japan
Australia
Niagara Framework Profile
• 1998 – First integrated system (LON, BACnet, Modbus)
delivered for real time control and monitoring
• Today well over 250,000 instances of software in
thousands of systems in many markets
• Over 900 authorized outlets to deliver the technology
- WEBs-AX Systems Distributors and Integrators
- Partner delivery channels
• Over 15,000 certified Niagara-AX professionals
Thanks
For more information, visit:
www.tridium.com
www.niagara-central.com
Or contact:
Your local WEBs-AX System Integrator
Factory representative:
Roger Rebennack
Roger.rebennack@honeywell.com
317-694-1904