Transcript WEBs-AX Security - Victor Distributing Controls Department
WEBs-AX
Tridium- Niagara Framework IT Overview
Niagara Framework IT Overview
Roger Rebennack
WEBs-AX
Security
Today’s Disparate Systems
• Buildings have Many Systems
• Devices Networked into Systems
• Silos of Systems
What is the Niagara Framework?
• The Tridium based Framework uses a common tool for programming devices and generating graphics. This helps reduce training cost by only having to learn one tool.
• An automation infrastructure, not just a control system
• Advanced, web based framework for control, management and integration of intelligent automation devices
• OWE Framework exposes and connects intelligent devices to the internet and much more
Tridium Overview
A Java-based automation framework enabling real-time, two-way control over the Internet
WEBs-AX
A NiagaraAX powered suite of enterprise applications for energy management, facility management, system integration and security
The WEBs-Ax Solution
WEBs-AX systems are completely Open
• Open and legacy protocols integrated into one Automation Infrastructure
• Open to Enterprise Applications
• Open Distribution
• Open Systems through “Best of Breed” Systems Integrators
Architecture
[Figure: WEBs-AX architecture diagram. Labels: Web Browsers; Utility DR Server; Web Supervisor; Vykon Energy Suite; LAN, WAN, VPN; JACE; LON, LON Devices; MSTP RS-485, MSTP Devices; Modbus RS-485, Modbus Devices; Wireless Protocols; Security, Remote Reader, Remote I/O; Ethernet Protocols, IP Controllers, Modbus TCP, OPC and others]
Network Integration
All of Tridium's Niagara products can co-exist on your Windows infrastructure. Your AX Supervisor software will most likely be on a PC (Wintel or Linux) that is already a member of your Domain or Active Directory. Security access to the Niagara AX system is provided by local authentication on the Web Supervisor Workstation or JACE. It can, but does not need to, participate in the Domain or Active Directory authentication, so there will be no additional security burden on your existing Domain or Active Directory infrastructure.
Network Integration
Request for Compliance support?
NiagaraAX uses HTTP, HTTPS, SMTP and SNMP (optional) protocols. Implementation of these protocols complies with their associated RFCs.
Network Integration
Does Niagara support DHCP?
DHCP is supported; however, static IP addresses provide the most reliable connectivity. Niagara does not support dynamic native DNS, so you must link your DHCP server to your DNS server or use HOSTS files on each station. To reliably use DHCP it is recommended that you:
• Reserve a static DHCP address for the MAC address of each Niagara device. The device can be set for DHCP, and whenever it requests a DHCP address it will be assigned the same one.
Network Integration
What about network traffic and bandwidth?
There are four categories of traffic that will affect network bandwidth:
Configuration: This is traffic that is associated with the initial setup and commissioning of a Niagara implementation. During system commissioning, bandwidth varies depending on the number and type of objects being configured.
Logging: This is the scheduled bulk transfer of historical data being passed from the JACE to the Web Supervisor.
• Binary encoded Boolean – 13 bytes / record
• Enum and single precision numeric – 16 bytes / record
• Double precision numeric – 20 bytes / record
• String – variable depending on the length of the string being stored
Assuming a typical (single precision) numeric history being logged at a 15 minute interval, you can calculate the number of bytes that need to be transferred daily.
96 records * 16 bytes/record = 1152 bytes = 1.13 kb
Real Time Data/Interstation Link: This is data that is transferred from station to station for operational and GUI purposes. Niagara Network proxy point subscription is ~75 bytes. Given 100 linked points from a JACE that all happened to update during the same 1 minute period, expected bandwidth utilization would be approximately 0.125 kbps (75 X 100 / 60 seconds = 125 bps). GUIs consume more bandwidth for initial image file loading.
Alarm and Exception Traffic: This is data that is sent during alarm conditions, and cannot be predicted. The size of a typical alarm message is approximately 256 bytes.
Network Integration
How secure is Niagara?
Do any existing IT security measures have to be compromised to allow the Niagara system to work?
If you are accessing JACEs over the Internet you will need to open up:
• Port 80 for HTTP access to allow users to view web pages
• Port 1911 for thick client GUIs
• Port 3011 used for remote access/administration
These are the default port numbers; they can be changed to fit your individual security requirements.
Network Integration
How secure is Niagara?
Niagara-AX provides the following additional features related to security:
• Digest authentication
• LDAP support
• HTTPS support
• Single sign on from a web browser if using DNS configuration
• User-friendly graphical tools to manage security in a Niagara AX system
Network Integration
How is the JACE protected from viruses?
JACEs use proprietary Web servers, not typical client machines.
Embedded JACEs use QNX as their OS. As part of normal station operations, they do not download any files. Virus protection for a Web Supervisor PC is advisable if it is used for other (non-Niagara Framework) functions.
[Figure: JACE software stack. Labels: Java Application Control Engine; Java Virtual Machine; OS (Win/Linux/QNX)]
Network Integration
What network management tools do I use to manage system controllers?
The Niagara application provides all the tools required to manage JACEs. JACEs can also support SNMP.
This allows them to be managed by standard enterprise network management tools such as HP OpenView, Unicenter TNG, etc.
Network Integration
Firewalls?
JACEs and Web Supervisors can use NAT (network address translation) through a firewall to expose them to the Internet. Settings in the firewall should be used to control the type of traffic that can be passed to the device. We use Cisco PIX firewalls at all of our Tridium facilities and are working behind various firewalls at our client locations.
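An added example, not part of the original slides and not Tridium code: a small audit that flags firewall allow rules exposing the default Niagara ports listed earlier (80, 1911, 3011) beyond trusted ranges. The rule format, the trusted network list and the sample rules are assumptions constructed for illustration; each rule is checked on its own, without modelling rule order.

```python
# Added example, not Tridium/Honeywell code. Rule format and networks are assumptions.
import ipaddress

# Default ports listed in the slides; edit if a site has changed them.
NIAGARA_PORTS = {80: "HTTP web pages", 1911: "thick client GUI",
                 3011: "remote access/administration"}

# Assumed internal/VPN ranges for a hypothetical site.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample rule set (documentation and private addresses only).
SAMPLE_RULES = [
    {"name": "jace-web", "action": "allow", "source": "0.0.0.0/0", "port": 80},
    {"name": "jace-gui", "action": "allow", "source": "203.0.113.0/24", "port": 1911},
    {"name": "jace-admin", "action": "allow", "source": "0.0.0.0/0", "port": 3011},
    {"name": "jace-admin-vpn", "action": "allow", "source": "10.8.0.0/24", "port": 3011},
    {"name": "mail-relay", "action": "allow", "source": "0.0.0.0/0", "port": 25},
    {"name": "block-gui", "action": "deny", "source": "0.0.0.0/0", "port": 1911},
]

def audit_rules(rules, trusted=TRUSTED_NETS):
    """Return (severity, rule name, port, message) for exposed Niagara ports."""
    findings = []
    for rule in rules:
        port = rule["port"]
        if rule["action"] != "allow" or port not in NIAGARA_PORTS:
            continue  # only allow rules on Niagara ports matter here
        src = ipaddress.ip_network(rule["source"], strict=False)
        if any(src.version == n.version and src.subnet_of(n) for n in trusted):
            continue  # source is confined to an internal or VPN range
        if src.prefixlen == 0:
            sev, scope = "HIGH", "any source"
        else:
            sev, scope = "REVIEW", f"external range {src}"
        findings.append((sev, rule["name"], port,
                         f"{NIAGARA_PORTS[port]} reachable from {scope}"))
        if port == 80:
            # The slides list HTTPS support, so plain HTTP from outside is flagged.
            findings.append(("REVIEW", rule["name"], port,
                             "cleartext HTTP exposed; HTTPS is supported"))
    return findings

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(*finding, sep=" | ")
```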
Tridium Profile
• Founded 1997
• 100+ Employees
• An independent business entity of Honeywell International Inc.
  − Automation and Control Solutions Business
• Headquarters: Richmond, Virginia
  − Administration, Engineering, Sales, Technical Support, Training, Product Assembly
• North American Offices: Richmond, Charlotte, Atlanta, Minneapolis
• International Offices: London, Singapore, Japan, Australia
Niagara Framework Profile
• 1998 – First integrated system (LON, BACnet, Modbus) delivered for real time control and monitoring
• Today well over 250,000 instances of software in thousands of systems in many markets
• Over 900 authorized outlets to deliver the technology
  - WEBs-Ax Systems Distributors and Integrators Partner delivery channels
• Over 15,000 certified Niagara-AX professionals
Thanks
For more information, visit:
www.tridium.com
www.niagara-central.com
Or contact:
Your local Webs-AX System Integrator
Factory representative: Roger Rebennack, 317-694-1904