8.6        Web Server Security

You must use IIS (Microsoft's Internet Information Services). WebAccess uses ASP (Active Server Pages), which is supported only by Microsoft web servers. Windows Security controls connections to the Project Node. WebAccess Security controls access to the SCADA node.

WebAccess supports the following security features in a web site:

1.      Anonymous Access - the least secure. If you have many users (for example a college campus or office building), then you may have to use Anonymous Access.

2.      Windows Integrated Security - A user name and password are required to connect to the web server (project node) to find the address of the SCADA node and download ASP pages. The web server behaves like an intranet computer. This is even more secure than using a firewall. The best way to secure your system is to use Windows Authentication in IIS (the web server software). Your WebAccess Project will act as if it is on an intranet, requiring that all users be recognized by the Windows Operating System (as either a local user or a Domain User). Users will be asked for a User Name and Password (and optionally a Domain) just to connect. Using Windows Authentication in IIS (the Web Server) will reduce the load on your web server from spurious requests by malicious users (and viruses) by denying access to unauthorized users.

3.      Firewalls - three TCP ports are required. They can be redefined. The defaults are 80 (http), 4592 (file download) and 14592 (real time data). If no one outside your firewall will access your WebAccess system, then a firewall can protect your WebAccess System (by using an unmapped private IP address and/or closing the ports used by WebAccess). If users from outside will access your WebAccess system, consider using Windows Authentication. Firewalls protect the parts of your system not used by outside users.

4.      Routers, Proxy Servers, and Address and Port Mapping - Static port mapping and address mapping (NAT) make it possible to expose some internal Project Nodes / Web Servers and SCADA Nodes to the outside world via inbound mapping, which maps specified TCP ports to specific internal addresses and thus allows access to an intranet from the Internet in a controlled way.

5.      VPN (Virtual Private Networks) - constructs a private network that "tunnels" through the Internet or another network.

6.      Secure Sockets Layer - Server side certificates and Client side certificates (the most secure)

7.      Restricted distribution of the OCX (Active-X control). The Client Plug-in is required to view real-time data. You can restrict how it is distributed.

Only the Project Node is a Web Server. SCADA nodes do not need to be Web Servers.
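
To confirm that the firewall described in item 3 is doing what you intend, the following added example (not part of the WebAccess documentation or product) probes the three default TCP ports from wherever it is run and flags any port whose state contradicts the intended policy. The function names and the address 192.0.2.10 are placeholders chosen for this example; pass your own port map if you have redefined the defaults.

```python
import socket

# Default WebAccess TCP ports as listed in item 3; all three can be redefined.
DEFAULT_PORTS = {80: "http", 4592: "file download", 14592: "real time data"}


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' (actively refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, unreachable network, and similar failures
        return "filtered"


def audit(host, should_be_open, ports=None, timeout=2.0):
    """Compare observed port state with the intended firewall policy.

    should_be_open: True when run from a network that is meant to reach
    WebAccess, False when run from outside a firewall meant to block it.
    Returns a list of (port, role, state, ok) tuples.
    """
    ports = DEFAULT_PORTS if ports is None else ports
    results = []
    for port, role in sorted(ports.items()):
        state = probe(host, port, timeout)
        ok = (state == "open") == should_be_open
        results.append((port, role, state, ok))
    return results


def violations(results):
    """Ports whose observed state contradicts the policy."""
    return [port for port, _role, _state, ok in results if not ok]


if __name__ == "__main__":
    # 192.0.2.10 is a documentation placeholder; replace it with your Project
    # Node or SCADA Node address and run this from outside the firewall.
    report = audit("192.0.2.10", should_be_open=False)
    for port, role, state, ok in report:
        verdict = "OK" if ok else "POLICY VIOLATION"
        print(f"{port:>5} {role:<15} {state:<9} {verdict}")
    raise SystemExit(1 if violations(report) else 0)
```

Run it once from outside the firewall with `should_be_open=False` and once from an authorized network with `should_be_open=True`; a non-zero exit status means at least one port does not match the policy.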