Allen-Bradley Stratix 5950 User Manual

Security appliance
User Manual
Original Instructions
Stratix 5950 Security Appliance
Catalog Numbers 1783-SAD4T0SBK9, 1783-SAD4T0SPK9, 1783-SAD2T2SBK9, 1783-SAD2T2SPK9


Summary of Contents for Allen-Bradley Stratix 5950

  • Page 2 Important User Information Read this document and the documents listed in the additional resources section about installation, configuration, and operation of this equipment before you install, configure, operate, or maintain this product. Users are required to familiarize themselves with installation and wiring instructions in addition to requirements of all applicable codes, laws, and standards.
  • Page 3: Table Of Contents

    Table of Contents: Preface; Summary of Changes (8); Additional Resources ...
  • Page 4 Table of Contents (continued): Configure FirePOWER Administrative Settings (49); Configure the HTTPS Certificate Information (51); Configure a Test Policy to Block CIP Administrative Traffic ...
  • Page 5 Table of Contents (continued): Redundant Star Cell/Area Zone Protection (99); Ring Cell/Area Zone Protection (100); Cell/Area Zone Monitoring ...
  • Page 6 Table of Contents Notes: Rockwell Automation Publication 1783-UM010C-EN-P - June 2019...
  • Page 7 ... • Proficient with the CLI command-line programming language. This manual is intended for users of the appliance. We assume that you are familiar with the procedures in the Stratix 5950 Security Appliance Installation Instructions, publication 1783-IN002. The publication, Deploying Industrial Firewalls within a Converged Plantwide...
  • Page 8: Preface

    Additional Resources: These documents contain additional information concerning related products from Rockwell Automation.
    Resource / Description:
    • Stratix 5950 Security Appliance Installation Instructions, publication 1783-IN002 / Provides detailed specifications and information that is related to installation of the security appliance.
    • Stratix Ethernet Device Specifications Technical Data, publication...
  • Page 9 Preface: You can view or download publications at http://www.rockwellautomation.com/global/literature-library/overview.page. To order paper copies of technical documentation, contact your local Allen-Bradley distributor or Rockwell Automation sales representative.
  • Page 11: About The Security Appliance

    A DIN Rail is a standard metal rail that is widely used for mounting circuit breakers and industrial control equipment inside equipment racks. The Stratix 5950 Security Appliance is low power, fan-less, with a dedicated Gigabit Ethernet management port.
  • Page 12: Hardware Features

    Chapter 1 About the Security Appliance. Hardware Features: The following are the hardware features of the Stratix 5950 Security Appliance.
    • Dedicated management-only Gigabit Ethernet port
    • Mini-USB and RJ45 Console port
    • Bypass Relay (only available on copper ports). The bypass relay is used when there is a loss of power or under software control.
  • Page 13 Figure 1 - Stratix 5950 Security Appliance Copper (32593-M); Figure 2 - Stratix 5950 Security Appliance Fiber (32604-M).
  • Page 14 Figure 3 - Stratix 5950 Security Appliance Fiber Front Panel (1783-SAD2T2S, 32592-M). Item / Description labels: Express Setup pinhole; Access; DC Power connection; B; Console; Management RJ45; 10/100/100 BaseT Connectors 1 & 2; EIP; ModStatus. On the Stratix 5950 Fiber SKU, the SFP sockets...
  • Page 15: Status Indicators

    Figure 4 - Stratix 5950 Security Appliance Copper Front Panel (1783-SAD4T0S). Item / Description labels: Express Setup pinhole; Access; DC Power connection; B; Console; Management RJ45; 10/100/100 BaseT Connectors 1&2; EIP; ModStatus. On the Stratix 5950 Copper SKU, the RJ45 10/100/100 BaseT Connectors 3&4...
  • Page 16: Installation Of The Security Appliance

    Installation of the Security Appliance: To install the Stratix 5950 Security Appliance, follow the instructions in the Stratix 5950 Security Appliance Installation Instructions, publication 1783-IN002. Express Setup Button: Express Setup resets the security appliance ASA configuration to the default configuration set by the factory.
  • Page 17: Power Supply

    ... 1000LX SFP Fiber Transceiver PN-29265 GLC-LX-SM-RGD. Memory and Storage: The Stratix 5950 security appliance has 8 GB of DRAM. It also has two storage devices, a 50 GB SSD and a 15 GB update device. All memory components are factory default and not upgradeable by the end user.
  • Page 18: Management Ethernet Port

    Management Ethernet Port: This port is Management1/1 in the ASA configuration. Console Port: You can configure the Stratix 5950 security appliance through a web interface or through the console port. The console port is either an RJ45 or a Mini USB connector.
  • Page 19: Alarm Ports

    ... When either condition is met, the alarm status indicator turns red, and a syslog message and SNMP trap are triggered. The Stratix 5950 security appliance has alarm relay contacts that can be used for an external alert system. The alarm condition of a missing/failed power supply, when ‘power-supply dual’...
  • Page 20: Temperature Sensor

    ...
    • ASDM Bundled Version 7.12.1 (including ASA FirePOWER)
    • CSM version 4.11 and FireSIGHT Management Center version 5.4.1.6
    TIP: The Stratix 5950 security appliance is a joint technology collaboration with Cisco. You can leverage the CSM and FireSIGHT Management Center Cisco software bundles with this device.
  • Page 21: Industrial Firewall Use Cases

    ...
    • Cisco Adaptive Security Appliance (ASA)
    • Intrusion Prevention and Detection (Cisco FirePOWER)
    • Deep packet inspection (DPI)
    Industrial firewall (IFW):
    • The Allen-Bradley® Stratix® 5950 Industrial Network Security Appliance
    • Cisco Industrial Security Appliance (ISA)
    Application Use Cases:
    • Equipment/Machine/Skid Protection
    • ...
  • Page 22 Figure 5 - Plant-wide Industrial Firewall Deployments.
  • Page 23: Logical Framework

    Logical Framework: Figure 6 provides a logical overview of the industrial firewall (IFW). The IFW has two components:
    • Adaptive Security Appliance (ASA)
    • FirePOWER module
    The ASA provides the firewall functionality, which can allow or deny traffic based on configured rules.
  • Page 24 Figure 7 shows how the security zones depicted can be applied to the CPwE network architecture to create DMZs and other types of segmentation. Figure 7 - Security Zones within CPwE Architecture. Firewalls are normally positioned either as a node, where the network splits into multiple paths, or inline with one network path.
  • Page 25: Intrusion Prevention And Detection (Firepower)

    Intrusion Prevention and Detection (FirePOWER): Deep packet inspection (DPI) views the packet past the basic header information at the protocol level. DPI determines the contents of a particular packet, and then either records that information for statistical purposes or performs an action on the packet such as permit or discard.
  • Page 26: Routed Mode

    Figure 8 - Industrial Firewall Placement for Machine/Skid Protection. Routed Mode: The ASA FirePOWER module supports the use of NAT in both transparent and routed mode. In most IACS environments, NAT is only applied when the IFW is configured for routed mode, which is used when the interfaces are assigned to different networks.
  • Page 27 • Ingress and egress traffic source and destination host communications. For example, IP addresses of controllers, HMI, engineering workstations, and all communications that enter or leave the machine/skid must be known so firewall and DPI security policies can be configured.
  • Page 28: Redundant Star Cell/Area Zone Protection

    Redundant Star Cell/Area Zone Protection: When a redundant star network configuration is required to meet redundancy requirements, the IFW can be built in a manner to support redundant Layer 2 EtherChannel links. In Figure 9, the IFW is placed between the distribution switch and the plant floor equipment.
  • Page 29: Ring Cell/Area Zone Protection

    ...
    • Redundancy and availability requirements. For example, when the IFW is configured with trunk ports, then hardware bypass mode is not available in this architecture.
    • Hardware bypass is only supported when the IFW is placed inline with an access link.
  • Page 30: Considerations

    Considerations. IMPORTANT: While it is a valid use case, ring cell/area zone protection implementation with the IFW as described in this section is not recommended due to architectural limitations of this deployment. Since active/standby pairing of the IFWs is not supported in this use case, when one IFW is disrupted, its connection state information is lost.
  • Page 31: Cell/Area Zone Monitoring

    Cell/Area Zone Monitoring: The cell/area zone monitoring mode use case in Figure 11 monitors traffic without placing the IFW directly inline with a controller, skid, machine, or cell/area zone of interest. The IFW is connected to a switch that has visibility to the traffic that is required to be monitored.
  • Page 32: Time Synchronization

    Time Synchronization: Along with the initial setup steps, the IFW must be configured with information on where to obtain its time synchronization data. The firewall and FirePOWER components of the IFW have separate settings for time, and both must be configured independently.
  • Page 33 Figure 13 - Firewall NTP Server Configuration (Table 4). Once synchronization is complete, in the Device Setup pane, select System Time>Clock and check the Time section to confirm that the firewall is receiving accurate time from the NTP server.
  • Page 34 Figure 14 - Firewall Clock Settings Window. The equivalent CLI for this interface configuration is: ntp server 192.168.254.20 prefer. To configure time synchronization for the FirePOWER component, complete the following steps: 1. Click Configuration at the top left, then ASA FirePOWER Configuration at the bottom left.
  • Page 35 After the process is complete, a small window appears at the top, labeled Success. Figure 15 - FirePOWER Time Synchronization Settings.
  • Page 36 Figure 16 - FirePOWER Initial System Policy Applied Changes. 8. To confirm that time synchronization is working properly, in the ASA FirePOWER Configuration pane, select Local > Configuration > Time. The NTP server is listed here with a status of ‘Being Used’. Figure 17 - FirePOWER Time Settings Window.
  • Page 37: Configure The Security Appliance

    IMPORTANT: Every step that is described in this chapter must be followed for the security appliance to work as expected. If the steps are not followed as described, the appliance can appear to be working properly when it is not. Deviation from the prescribed steps can cause the appliance not to behave as expected.
  • Page 38: Prerequisites

    ... Go to https://www.java.com
    3. Install a Terminal Emulator, such as PuTTY.
    4. Obtain the Stratix 5950 security appliance from the factory, no cables connected.
    5. Obtain the cable, DB9-to-RJ45, that is shipped with the appliance.
    6. Determine the Management network for the device, for example: 10.0.1.0.24...
  • Page 39: Device Setup

    Device Setup
    1. Set the NIC on your computer to DHCP. Next, you must connect the Management interface on the Stratix 5950 security appliance to the NIC on your computer.
    2. Connect the serial cable from the Console port on the security appliance to the serial port on your computer.
  • Page 40 11. Leave the Username/Password field blank. 12. Select OK. 13. Ignore certificate warnings, click continue. 14. ASDM launches (screenshot: Stratix 5950 ASDM 7.6(2) for ASA - 169.226.0.2 - Startup Wizard). The Startup Wizard launches automatically.
  • Page 41: Startup Wizard

    Be sure to complete all screens.
    1. Choose a starting point and click Next.
    2. Enter the host name and the domain name of the ASA.
  • Page 42 3. Provide password information. 4. On the Management IP address Configuration dialog box (Step 2 of 13): a. Inline Mode Only: Enter the IP address and Subnet Mask from the range of the network you want to monitor.
  • Page 43 5. On the Interface Configuration dialog box, edit the Management1/1 interface. 6. Enter the ASA Management IP address that you obtained from your network administrator. 7.
  • Page 44 8. Decide to enable or not enable DHCP. 9. Select an Address Translation, if necessary, and then click Next.
  • Page 45 On the Administrative Access dialog box, edit the HTTPS/ASDM rule to allow web access to ASDM based on your management network configuration. This edit can take a few minutes.
  • Page 46 In this example, the license has already been accepted. 13. Click Next. 14. Enter the necessary information and click Next.
  • Page 47 15. Enable Auto Update for ASA, if needed, and click Next. 16. On the Startup Wizard Summary, click Finish. The ‘Management IP Address’ listed in the ‘Configuration Summary’ is NOT the Management IP address in the Management network.
  • Page 48 18. Review your setup information. If you must change something, click Back and modify your settings. 19. When you are satisfied with the settings, click Finish.
  • Page 49: Configure Firepower Administrative Settings

    Configure FirePOWER Administrative Settings: To use PuTTY to connect to the serial port, follow these steps.
    1. Run PuTTY and connect to the serial port of the device.
    2. Click Open to start a command-line session.
    3.
  • Page 50 9. Log in to FirePOWER with username: admin, Password: Sourcefire. Passwords are case-sensitive. 10. Run configure password and change the password. 11. Set the DNS servers that you obtained from your network administrator, for example: configure network dns servers [IP Address], [IP Address], [IP Address] 12.
  • Page 51: Configure The Https Certificate Information

    Configure the HTTPS Certificate Information: Follow these steps to configure the HTTPS certificate.
    1. Disconnect the temporarily connected network cable from your computer.
    2. Change your NIC from DHCP to your normal network configuration.
    3.
  • Page 52 8. Wait until the EIP Mod status indicator on the Stratix 5950 security appliance is solid green, which takes about 5 minutes. 9. Run Cisco ASDM-IDM Launcher. No certificate warning dialogs are expected. ASDM opens.
  • Page 53: Configure A Test Policy To Block Cip Administrative Traffic

    Configure a Test Policy to Block CIP Administrative Traffic. Single Policy Restriction: The ability to create policies was deprecated in the Stratix 5950 Version 6.4.0/ASDM Version 7.12.1. With that release, you only get one policy: Default Allow All. You can modify the default policy, but you cannot create policies.
  • Page 54 5. In the policy, select the Advanced tab. 6. Click the Pencil icon next to Network Analysis and Intrusion Policies.
  • Page 55 7. Click the Network Analysis Policy List link. 8. Click Create Policy.
  • Page 56 9. Name the policy and click Create and Edit Policy. 10. Wait while the policy is being created. 11. Select Policy Information -> Settings -> TCP Stream Configuration. 12. Click TCP Stream Configuration. 13. In the Perform Stream Reassembly on Both Ports field, scroll to the end of the line, and add 44818 to the list.
  • Page 57 14. Select Policy Information -> Policy Layers -> My Changes.
  • Page 58 15. At SCADA Preprocessors, change CIP Configuration to Enabled. 16. At Transport/Network Layer Preprocessors, change Inline Normalization to Enabled. 17. Click Policy Information. 18. Click Commit Changes.
  • Page 59 19. Enter a description. 20. Click OK. 21. In the Network Analysis and Intrusion Policies dialog box, change the Default Network Analysis Policy to the Network Analysis Policy that you created. IMPORTANT: EVERY time that you create a new Access Control Policy, this step MUST be done.
  • Page 60: Add A Rule

    Add a Rule: To add a rule, follow these steps.
    1. From the Default Action pull-down menu, choose an Intrusion Prevention option. We recommend Balanced Security and Connectivity.
    2. On the Rules tab, click Add Rule.
    3.
  • Page 62 6. Click the Logging tab. 7. Click Log at Beginning and End of Connection. 8. Click Add. 9. Click Store ASA FirePOWER Changes. 10. Click Apply All. 11. Click OK.
  • Page 63 12. Go to: ASDM>Monitoring>ASA FirePOWER Monitoring>Task Status. 13. Wait until the Apply Block_CIP_Admin_Policy task finishes, which takes about 2 minutes. TIP: The device ships in a Monitor Mode configuration. This configuration enables the device to show you what it would have blocked, if it was in a full blocking configuration, for test purposes.
  • Page 64: Update Real Time Eventing View

    Update Real Time Eventing View: Follow these steps to update the real time eventing view.
    1. Go to ASDM>Monitoring>Real Time Eventing>All ASA FirePOWER Events.
    2. Click Add/Remove columns.
    3. Drag Application, then Web Application from the left column to the right column.
  • Page 65: Change Device From Monitor Mode To Full Blocking Config

    Change the Device from Monitor Mode to a Full Blocking Configuration (Inline Mode Only): The security appliance is configured from the factory in Monitor Mode configuration. This configuration enables the appliance to show you what it would have blocked if it was in a full blocking configuration, for test purposes.
  • Page 66 8. Physically connect the 5950 device inline by connecting the network cables to port 1 and port 2 of the device. A test configuration could be: a. PC>Network Cable>Stratix 5950 Port 1; b. Stratix 5950 Port 2>Network Cable>1756-EN2TR.
  • Page 67: Configure Span Port Monitoring Settings

    Configure SPAN Port Monitoring Settings: This section applies only to SPAN Port mode configuration.
    1. Run PuTTY and connect to the serial port of the device.
    2. Click Open to start a command-line session.
    3.
  • Page 68: Change The Ip Address Of The Communication Module

    Change the IP Address of the Communication Module: Follow these steps to change the IP address on the 1756-EN2TR by using RSLinx® software.
    1. Use RSLinx® Classic from your computer to attempt to change the IP address on the 1756-EN2TR.
  • Page 70 3. Go to ASDM>Monitoring>ASA FirePOWER Monitoring>Real Time Eventing. 4. Confirm that a log entry was added. The Action is logged as Block with reset. The Application is logged as CIP and the Web Application is logged as CIP Admin.
  • Page 71: Configure Precision Time Protocol (Ptp)

    Configure Precision Time Protocol (PTP): PTP synchronizes the clocks of various devices in a packet-based network. To enable PTP, follow these steps.
    1. From ASDM Home, click Configuration.
    2. Under Device Management, click PTP. Precision Time Protocol is displayed.
  • Page 73: Chapter 4 Status Indicators

    Chapter 4 Monitor the Security Appliance: This chapter contains information required to monitor the Stratix® 5950 Security Appliance. Status Indicators: This table describes the Stratix 5950 Security Appliance status indicators. Table 6 - Stratix 5950 Security Appliance Status Indicators (Indicator / Status / Description)...
  • Page 74 Table 6 - Stratix 5950 Security Appliance Status Indicators (continued). Indicator: Alarm Out. Status / Description: not configured or the system is off (Default); Solid red / System has detected a minor alarm report of a power-supply dual failure.
  • Page 75: Overview

    Chapter 5 Centralized Management. Overview: Local management can get cumbersome when we must manage many IFWs in the network. Centralized management enables consistent policy enforcement and quick troubleshooting of security incidents, with summarized reports offered across the security deployment. A centralized interface helps organizations to scale efficiently and manage a wide range of security devices with improved visibility.
  • Page 76 Figure 18 - FireSIGHT Management Center. The FireSIGHT Management Center discovers real-time information about changed network resources and operations to provide a full contextual basis for making informed decisions. The FireSIGHT Management Center delivers a fine level of detail that includes: •...
  • Page 77: Cisco Security Manager (Csm)

    Cisco Security Manager (CSM): The Cisco Security Manager (CSM) provides scalable, centralized management for the firewall component of the IFW. With CSM, administrators can gain visibility and maintain policy compliance across the network. Designed for operational efficiency, CSM also includes a powerful suite of automated capabilities, such as health and performance monitoring, software image management, automatic conflict detection, and integration with ticketing systems.
  • Page 78 • Reporting and troubleshooting – Provides system and custom reports. – Offers export and scheduled email delivery of reports in CSV or PDF format. – Provides advanced troubleshooting with tools such as ping, traceroute, and packet tracer. •...
  • Page 79: Management Recommendations

    Management Recommendations: The following aspects of managing the IFW must be considered before deployment.
    • Local management that uses Adaptive Security Device Manager (ASDM) is recommended for small deployments only (no more than five IFW devices).
    • ...
  • Page 80: Centralized Management

    Centralized Management: This figure describes the centralized management approach. Figure 20 - Centralized Management.
  • Page 81: Power Failure Of The System

    The hardware on the Stratix 5950 security appliance restricts pairing to ports 1&2 or ports 3&4. Port 1 cannot be paired with port 3; the invalid pairs are (1,3) / (1,4) / (2,3) / (2,4).
  • Page 82: Default State Of The Hardware Bypass

    Chapter 6 Hardware Bypass. Default State of the Hardware Bypass: The default hardware bypass feature is enabled. ASA CLI Commands for Hardware Bypass: The following ASA CLI commands have been added to support the hardware bypass feature. show hardware-bypass: This CLI command displays the status of the bypass on a particular port set. The status details the state of the relays on power fail and sticky as well.
  • Page 83: Limitations Of Hardware Bypass

    MAC address on the link. You must enable one more MAC allowed on the port of the switch than expected. • A Stratix 5950 security appliance cannot be placed on a link with Port Security enabled. In general, placement of the appliance on a link with Port Security enabled affects the following.
  • Page 84 [no] hardware-bypass gigabitethernet {1/1-1/2|1/3-1/4} [sticky] This CLI command is used to enable or disable the bypass mode during power down and power up. Hardware Bypass Behavior During Power Down: To enable hardware bypass mode when power is lost to the appliance, the following CLI is used.
  • Page 85 To enable hardware bypass mode with the manual option, the following CLI is used: stratix5950# hardware-bypass manual gigabitethernet 1/1-1/2. When hardware bypass is disabled with the manual option, the traffic stops on the bypass port pair immediately and flows through the physical interfaces. To disable hardware bypass mode with the manual option, the following CLI is used.
  • Page 87: Chapter 7 Cip Preprocessor

    Chapter 7 CIP Inspection. IMPORTANT: In order for any CIP Access Control Policy or CIP Intrusion Policy to work properly, the Network Analysis Policy must be properly configured to inspect CIP traffic. See the relevant section in Configure the Security Appliance. CIP Preprocessor: The ASA FirePOWER module has a software component and the Network Analysis Policy rules engine called a preprocessor.
  • Page 88: Cip Access Control Policies

    Table 7 - CIP Generic Rules (CIP Generic Rule / Description):
    • CIP Read / ODVA-specified commands that read data from a device.
    • CIP Unknown / CIP command was unable to be categorized to any other CIP application.
    • CIP Write / ODVA-specified commands that write data into a device.
  • Page 89: Cip Access Control Policy Rule Limitations

    The following CIP Application Categories can be used in Access Control Policy rules. Table 9 - Access Control Policy Application Categories (Application Categories / Description):
    • CIP RA Admin / Actions that change the state of the device via CIP that use standard and Rockwell Automation-specific methods, such as CIP Reset.
  • Page 90: Cip Intrusion Policies

    CIP Intrusion Policies: Through advanced configuration, you can specify detailed CIP protocol parameters for the most granular level of traffic identification. These parameters are specified through IDS preprocessor rules. This configuration requires a high level of CIP-specific knowledge. Table 10 - CIP Protocol Parameters (IDS Keyword / Description)...
  • Page 91 Chapter 8 Firewall Modes: ASA software provides the firewall features such as ACL, NAT, VPN, and overall system and platform management. FirePOWER software provides the Next Generation IPS features, Application Control, Network Discovery, and Network AMP functionality. The ASA runs in two different firewall modes: •...
  • Page 92: Industrial Firewall Deployment Considerations

    Figure 22 - Traffic Flow under Passive (Monitor Only) Mode. The Stratix® 5950 Security Appliance runs with these defaults:
    • ASA in Transparent Mode
    • SFR configured to be inline Passive mode with No Drop Actions (not in SPAN/TAP/Passive Mode)
    Industrial Firewall Deployment Considerations: The IFW can be deployed in various modes, depending on the level of desired...
  • Page 93 ... undesired traffic and other actions that are applied by policy, the traffic is returned to the firewall for further processing. In inline transparent mode, traffic goes through the firewall checks before being forwarded to the FirePOWER module. The module blocks traffic that is not allowed for a certain application.
  • Page 94: Inline Transparent Monitor-Only Mode

    Inline Transparent Monitor-only Mode: In an inline monitor-only deployment, a copy of the traffic is sent to the IFW FirePOWER module, but it is not returned to the firewall. Inline monitor-only mode indicates what the IFW FirePOWER module can do to traffic, and allows you to evaluate the content of the traffic, without impacting the network.
  • Page 95: Inline Routed Mode

    Inline Routed Mode: In routed mode, the ASA is considered to be a router hop in the network.
    • Routed mode operates in layer 3 router mode.
    • Each interface has IP addresses assigned and other typical layer 3 attributes are assigned.
  • Page 96: Deployment Recommendations

    Deployment Recommendations: Placement and deployment of the IFW depends on the desired function of the device in the industrial network. When you place the IFW inline with traffic flow, you can monitor the traffic and/or take desired actions, such as blocking. If you place the IFW outside of the traffic flow, you can only monitor the traffic.
  • Page 97: Industrial Firewall Use Cases

    Industrial Firewall Use Cases: The IFW is used to separate networks with different security requirements and is also strategically placed within a network to monitor and log traffic. In this section, several architectures and their use cases are discussed. Machine/Skid Protection: The machine/skid protection use case is used to separate a machine, skid, or unit from a higher-level network.
  • Page 98: Considerations

    Considerations: Before implementing the IFW in a machine/skid protection architecture, it is recommended that the designer understands and documents the following.
    • Ingress and egress traffic source and destination host communications. For example, IP addresses of controllers, HMI, engineering workstations, and all communications that enter or leave the machine/skid must be known so firewall and DPI security policies can be configured.
  • Page 99: Redundant Star Cell/Area Zone Protection

    Redundant Star Cell/Area Zone Protection. When a redundant star network configuration is required to meet redundancy requirements, the IFW can be deployed in an architecture that supports redundant Layer 2 EtherChannel links. In Figure 27, the IFW is placed between the distribution switch and the plant floor equipment.
  • Page 100: Ring Cell/Area Zone Protection

    Considerations. Before implementing the IFW in a redundant star architecture, it is recommended that the designer understands and documents the following. • Ingress and egress traffic source and destination host communications. For example, the IP addresses of controllers, HMIs, and engineering workstations, and all communications that enter or leave the machine/skid, must be known so that firewall and DPI security policies can be configured.
  • Page 101 Figure 28 - Industrial Firewall Placement for Ring Cell/Area Zone Protection. The IFWs do not act as an active/standby firewall pair in this configuration; they simply provide firewall and, possibly, DPI functionality at both ingress points of the network ring. Considerations. Before implementing the IFW in a ring cell/area zone protection architecture, it is recommended that the designer understands and documents:...
  • Page 102: Cell/Area Zone Monitoring

    Cell/Area Zone Monitoring. The cell/area zone monitoring use case monitors traffic of interest without placing the IFW directly inline with a controller, skid, machine, or cell/area zone of interest. The IFW is connected to a switch that has visibility of the traffic that is required to be monitored.
  • Page 103: Updating The Device

    Chapter 9 Updating the Device. To update the Stratix® 5950 Security Appliance, you must: • Update ASDM • Update ASA • Back up the controls license • Update SFR • Restore the controls license. Updating ASDM Software. From the ASDM Home dialog, follow these steps to update the ASDM software image.
  • Page 104 5. This step is optional and not recommended; perform it only if you want to change the file name. Click Browse Flash. The Browse Flash dialog appears with the Local File System Path populated automatically. If the file name does not appear, enter it manually in the File Name field, and then click OK.
  • Page 105 9. Click Deploy near the top-middle of the ASDM Home dialog. 10. Exit ASDM. 11. Reopen ASDM and update it on your local personal computer. a. Click Upgrade Now. b. On the InstallShield Wizard Welcome dialog, click Next. Rockwell Automation Publication 1783-UM010C-EN-P - June 2019...
  • Page 106 c. On the Destination Folder dialog, click Next. d. On the Ready to Install the Program dialog, click Install.
  • Page 107: Updating Asa Software

    e. On the InstallShield Wizard Completed dialog, click Finish. 12. Reconnect to the device with the newly upgraded ASDM. Updating ASA Software. From the ASDM Home dialog, follow these steps to update the ASA software. 1.
  • Page 108 5. This step is optional and not recommended; use it only if you want to change the file name. Click Browse Flash. The Browse Flash dialog appears with the file name populated automatically. If the file name does not populate automatically, enter it manually in the File Name field, and then click OK.
  • Page 109 a. From the ASDM Home dialog, choose Tools > System Reload to reload the device. b. The System Reload dialog appears. Click Schedule Reload.
  • Page 110 Table 14 - System Reload Configuration Fields (Field: Description). Save the running configuration at time of reload: Saves the running configuration when the system reloads. Reload without saving the running configuration: Reloads the running configuration without saving it. Restart the device immediately: ...
  • Page 111: Back Up Controls License

    Back Up Controls License. Before updating your software, you must back up your controls license. To back up your controls license from the command line, follow these steps. 1. Access the SFR command-line interface. If you are using a console cable, the CLI defaults to ASA.
  • Page 112 Figure 31 - Example of Command to Copy Boot Image from SD Card. 4. Once the boot image is copied to disk0, change the boot pointer so that the module boots from that image. Type sw-module module sfr recover configure image disk0:asasfr-5500x-boot-6.4.0-1.img.
  • Page 113 • Ready/Recover indicates that the device is ready for a console session and to be configured. The Ready/Recover status can take up to five minutes to display. 8. Type session sfr console. 9. Log in with username=admin, password=Admin123. This installation is new, so it requires the default password.
  • Page 114 13. At this point, copy over and install SFR (which takes 2 hours). This can be done from FTP, TFTP, or HTTP, but not from an SD card. The system indicates that it is verifying, downloading, and extracting, which takes a few minutes on a direct link.
  • Page 115 18. Press the space bar to advance screens. Press Enter to accept the EULA. The device prompts you to change the password and to enter the networking information recorded in Step 1; for example, IP address, network mask, and gateway.
  • Page 116 d. Click Submit License. The device loads the license and indicates “Success: Successfully Saved License”. If necessary, contact the Rockwell Automation Support Site for assistance.
  • Page 117: Troubleshoot

    Chapter 10 Troubleshoot. Obtain the Current Running Software Versions. The latest information about what software your system is running is necessary for troubleshooting. You must provide this information when you contact customer support. 1. ASDM method: a. Log in to ASDM. b.
  • Page 118: Reset The Device To Factory Defaults

    Reset the Device to Factory Defaults. WARNING: Only complete this procedure when required and requested by Rockwell Automation Technical Support. This procedure can take at least 10 hours of interactive time to perform. It is based on the following assumptions and was performed with these versions of Cisco software: The procedures are based on instructions from the Cisco website: https://www.cisco.com/c/en/us/support/docs/security/asa-firepower-...
  • Page 119: Uninstall An Old Sfr Module

    2. Connect the management interface cable on the Stratix® 5950 Security Appliance to the NIC on the computer. 3. Connect a serial cable from the console port on the Stratix 5950 appliance to the serial port on the computer. 4. Plug in the Stratix 5950 appliance and apply power.
  • Page 120: Reinstall An Sfr Module

    4. stratix5950# configure terminal 5. “Would you like to enable anonymous error reporting to help improve the product?” Enter N. 6. stratix5950(config)# enable password <YOUR_ENABLE_PASSWORD> 7. stratix5950(config)# interface Management1/1 8. stratix5950(config-if)# ip address <ASA_IP_ADDRESS> <ASA_NETMASK> 9. stratix5950(config)# http <ASA_IP_ADDRESS> <ASA_NETMASK>...
  • Page 121 6. Wait until the "Console session:" shows "Ready". 7. stratix5950# session sfr console 8. Log in with username=admin, password=Admin123. 9. asasfr-boot>setup 10. Complete the steps with the networking information for the SFR IP address. 11. system install noconfirm ftp://<FTP_IP_ADDRESS>/asasfr-sys-5.4.1-213.pkg Enter the username/password, and the system begins to download the package.
  • Page 122: Install The Sfr 5.4.1.2 Update

    Install the SFR 5.4.1.2 Update. Follow these steps to install the SFR 5.4.1.2 update. Only perform this update if you are running the 5.4 branch and you do not want to run 6.4. However, we recommend that you update to 6.4. 1.
  • Page 123: Install The Sfr 5.4.1.4 Update

    Install the SFR 5.4.1.4 Update. Follow these steps to install the SFR 5.4.1.4 update. Only perform this update if you are running the 5.4 branch and you do not want to run 6.4. However, we recommend that you update to 6.4. 1.
  • Page 124 4. stratix5950(config)# configure factory-default 5. stratix5950(config)# wr 6. Unplug power to the device.
  • Page 125: Glossary

    IFW. Management System (CSM) Version 4.11: The Stratix 5950 security appliance is a joint technology collaboration with Cisco. You can leverage the CSM and FireSIGHT Management Center Cisco software bundles with this device.
  • Page 126 Intrusion Prevention System (IPS): IPS is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits. K9 License: A web-based filtering technology that provides automatic updates when you need a robust, real-time solution. ... is a database used for managing the entities in a communication network.
  • Page 127: Index

    Index alarm 19 ground 14 ASA 39 ASA firewall 11 hardware bypass 81 limitations 83 base license 11 bridge-groups 83 bypass relay 12 Inline Mode 42 intrusion prevention 75 IPsec 11 Centralized management 79 centralized management 75 CIP inspection 88 logs 17 CIP RA Admin 89 CIP RA Read 89...
  • Page 128 Index SD card 14 SPAN Port Mode 42 status indicators 73 storage 17 temperature 19 terminal 17 test policy 53 test your system 37 troubleshoot reset device 118 verify boot fast 118 USB 14
  • Page 130 How Are We Doing? form at http://literature.rockwellautomation.com/idc/groups/literature/documents/du/ra-du002_-en-e.pdf. Rockwell Automation maintains current product environmental information on its website at http://www.rockwellautomation.com/rockwellautomation/about-us/sustainability-ethics/product-environmental-compliance.page. Allen-Bradley, Rockwell Software, Rockwell Automation, RSLinx, and Stratix are trademarks of Rockwell Automation, Inc. CIP, EtherNet/IP are trademarks of ODVA, Inc.
