1.6.1   Firewalls

A firewall is highly recommended if your WebAccess Project and SCADA nodes are exposed to the Internet (i.e. you are using Public IP Addresses). This will increase the security of your system.

A firewall appliance is recommended. Do not use firewall software installed on the SCADA or Project Node: firewall software can interfere with the RPC service in Windows 2000 and XP. Further, our experience is that firewall software does not protect against hackers who constantly discover new vulnerabilities. Firewall software is a backward-looking solution, in which vulnerabilities are fixed only after the firewall software itself has been hacked.

Use a firewall appliance!  A firewall appliance (like a Netgear FR114P) can be purchased for under $100 and is more secure than firewall software, based on our experience.

A firewall restricts the flow of data onto a network; it is a method of network security, and many corporations use one. The firewall is used to stop hackers and malicious software from communicating with the Windows operating system running on the SCADA nodes and the Project Node. By limiting access to only the WebAccess software and a single web server port, you greatly reduce the risk of hackers or malicious software interacting with the control system. By using a firewall appliance, you close all the ports that are normally open in the Windows operating system without having to discover what those ports are or shut down the Windows services that use them.

If you do not have a Firewall appliance, then at least use a Router with port mapping.

Note - Always use a Firewall or Router to connect a new PC using a Public IP Address, especially if you have not downloaded Windows Service Packs and installed Virus scan software. A new PC is vulnerable to viruses and malicious software until the latest security updates are downloaded from Microsoft.  Always use a Firewall or a Router when first setting up a new PC.

Firewall rules can also be restricted to a range of addresses that are allowed to reach the ports you open. If your WebAccess SCADA nodes use a public IP address yet are accessed from only one location (for example a central control room or a single facility), limiting access to the open ports to that single address range effectively hides your control system from everyone else.

If your connection is through a firewall, you will need to have your network administrator open two TCP ports for you to use the DRAW or VIEW features in WebAccess. WebAccess needs two TCP ports per SCADA node, one to download files and another to exchange live data. You will need to know these TCP ports to install software on each SCADA node. You will also have to enter these port numbers into the Node Properties in the Project Manager. This creates a deploy file that informs clients outside the firewall of the two TCP ports they must use to access your SCADA nodes.

If you are using a firewall (or multiple firewalls) and a Public IP Address, then you will have to use NAT on the firewall and Address Mapping in WebAccess (on the private IP addressed clients, Project Node and SCADA nodes) to allow both Private Network users and Internet users to connect to the Clients, Project Node and SCADA Nodes behind the firewall.

NAT (Network Address Translation) redirects communications sent to the Public IP Address to Private Addresses on the network on a port-by-port basis. By opening only those few ports to the public Internet, you greatly reduce the exposure of your SCADA Node or Project Node to hackers and malicious software. The Windows operating system has many TCP ports open by default for administrative and other features. A firewall appliance is the easiest and least expensive way to close these ports to the public Internet. You configure your firewall to map ports on the incoming public side to the Private IP Addresses (and associated ports) used by WebAccess.

Each SCADA Node needs two TCP ports (the defaults are 4592 and 14592). If you have multiple SCADA nodes behind the same firewall that must each be accessed publicly, then you will need a unique pair of TCP ports for each publicly addressed SCADA node.

The Project Node needs at least a third port (Port 80) plus whatever ports the SCADA Nodes use. If email is sent, then a port must be opened for email (typically port 25).

Address Mapping in WebAccess allows a Public IP address and port to be substituted with a Private IP Address and port (or vice versa).  This is done by editing the bwclient.ini file on the clients, Project Node and SCADA nodes.

Usually, if there are many more Public IP users than private users, then the Public IP addresses and ports are entered in the WebAccess Project Manager.  The private users have the bwclient.ini file modified to map the Public IP addresses and ports back to private IP addresses and ports.


Figure 1.6.1 - Firewall with access to SCADA Nodes using Public IP Address - use Address Mapping on Nodes and Private Clients

In the above networking drawing (Figure 1.6.1), the Project Node and SCADA nodes are behind a single firewall.

If public clients must access both SCADA Nodes, then 5 TCP ports must be opened, Port 80 (or another for the HTTP protocol used by the Project Node), and two pairs for the Primary and Secondary TCP ports used by the SCADA Nodes (for example 4592, 14592, 4593 and 14593).  If the clients are to receive email, then port 25 should be opened (making 6 ports).  
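As an added example that is not part of the WebAccess documentation, the following Python models the port plan described above (one HTTP port for the Project Node, a unique primary/secondary pair per SCADA node, SMTP only when e-mail is used, and an allowed source range) and audits a forwarding table against it. The `Forward` class, `plan_forwards`, `audit` and the addresses are constructed for illustration; the appliance's own configuration syntax is vendor-specific and not shown.

```python
"""Plan and audit a firewall appliance's NAT port-forwarding table for a
WebAccess deployment. Constructed example, not WebAccess code: it models the
rules from this section (one HTTP port for the Project Node, a unique pair of
TCP ports per publicly reached SCADA node, SMTP only if e-mail is used, and an
optional allowed source range) and reports rules that break them."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = "0.0.0.0/0"  # an unrestricted source range


@dataclass(frozen=True)
class Forward:
    public_port: int    # TCP port opened on the public side of the appliance
    private_ip: str     # private address the port is mapped to
    private_port: int   # port on the private host (same number in these examples)
    allowed_src: str = ANY  # source range allowed to reach the public port


def plan_forwards(project_ip, scada_ips, http_port=80, base_port=4592,
                  email=False, allowed_src=ANY):
    """Minimal table: HTTP for the Project Node, one (primary, secondary)
    pair per SCADA node (4592/14592, 4593/14593, ...), SMTP only if asked."""
    rules = [Forward(http_port, project_ip, http_port, allowed_src)]
    for i, ip in enumerate(scada_ips):
        primary, secondary = base_port + i, base_port + i + 10000
        rules.append(Forward(primary, ip, primary, allowed_src))
        rules.append(Forward(secondary, ip, secondary, allowed_src))
    if email:
        rules.append(Forward(25, project_ip, 25, allowed_src))
    return rules


def audit(rules, planned):
    """Compare a live table against the plan. Returns findings; an empty list
    means only the required ports are open, no public port is shared by two
    private hosts, and every rule is restricted to a source range."""
    required = {r.public_port for r in planned}
    owner, findings = {}, []
    for r in rules:
        if r.public_port not in required:
            findings.append(f"port {r.public_port} -> {r.private_ip}: not needed by WebAccess, close it")
        if owner.setdefault(r.public_port, r.private_ip) != r.private_ip:
            findings.append(f"port {r.public_port}: mapped to both {owner[r.public_port]} and {r.private_ip}")
        if ip_network(r.allowed_src) == ip_network(ANY):
            findings.append(f"port {r.public_port}: open to any source, restrict to the control-room range")
    return findings
```

Running `audit(live_rules, plan_forwards(...))` against a table exported from the appliance gives the three checks a review of Figure 1.6.1 would otherwise do by hand.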

Figure 1.6.2 - Firewall for Project Node requires Address Mapping - optionally use Address Mapping on SCADA Nodes

With a dedicated firewall for each SCADA Node and the Project Node, Address Mapping in WebAccess is not needed.

In the above configuration (Figure 1.6.2) only the Central Control Room Project Node, SCADA Node and clients need to use Address Mapping in WebAccess.  The NAT in the Firewalls handles all the redirection of the Public IP addresses to the Private IP Addresses for the SCADA Nodes with dedicated firewalls.  

The Control Room clients and the Project Node and SCADA node behind the same firewall must use private IP addresses to communicate. This is because most firewalls do not allow private users to address each other using their Public IP address (note: most routers do allow this). In the above configuration (Figure 1.6.2), the Control Room Clients and the Project Node and SCADA Node need to use Address Mapping in WebAccess to substitute the Private IP Address when the Public IP address is seen.

To Review:

If you are using a dedicated firewall for a Project node and a Public IP Address, then you must use Address Mapping in WebAccess to allow the Project Node to connect to itself via a private address and to allow users to connect via the Public IP Address.

If you are using a dedicated firewall for each SCADA Node, you don't need to use Address Mapping if you use ViewDAQ on the SCADA node.

If you want to use a web browser to view the local SCADA node or another SCADA Node behind a firewall that is made viewable using a Public IP Address, then you will need to use Address Mapping which modifies the bwclient.ini file on C:\WebAccess\Client on the Private IP Clients (and, optionally, the SCADA Nodes).  

If you have multiple SCADA nodes behind the same firewall that are viewed using a Public IP Address, then you will need to use Address Mapping, which modifies the bwclient.ini file in C:\WebAccess\Node, to allow the SCADA nodes to see tags on other SCADA nodes.

See 8.7.5 Address Mapping for Firewalls and mixed Private & Public Users for more information on Address Mapping by editing the bwclient.ini file on the SCADA and Project Nodes.

See 8.7.3 Routers, Proxy Servers, Port Mapping and NAT for more information about configuring your firewall.