Security in the LXI Environment
LXI Connexions Magazine Article
LXI brings a host of advantages to the system integrator developing a test system. It also brings new challenges which need to be considered when incorporating LXI devices into a new or existing test architecture. The very nature of LXI means that many systems may need to be connected to larger corporate networks to share test results. In the case of remote monitoring, a system may even need to be connected to the internet.
Obviously security of the instrument is of paramount importance, but what are the threats?
Broadly, they fall into three distinct areas:
1) Data integrity. If you are performing time-sensitive measurements, traffic on a connected LAN could interfere with transfers, slowing transmission and causing lost data.
2) Data security. It may be possible for data to leak to other parts of a network, exposing information that you may not wish to be publicly known.
3) Instrument security. Here there are two aspects to consider: internal and external instrument security. Plugging an LXI device directly into the internet could be a dangerous proposition, allowing all and sundry to control or damage your equipment. Internal security involves letting only a select few individuals manage or control LXI equipment.
Expanding each category in turn reveals a number of ways to secure an LXI device and ensure it functions as expected.
When a new piece of computer equipment is purchased in a large organisation, it usually falls to the IT department to configure and commission the device. They take care of such things as assigning IP addresses, attaching asset tags and securing the device. As test equipment increasingly sports Ethernet connectivity, it is necessary to involve the IT department to ensure that the device functions as expected and causes no problems for other parts of the corporate network. In the case of an isolated test system, which may feature only a simple controller and several LXI boxes, it may be more practical to keep the system completely isolated from the corporate network on its own separate LAN. Sometimes, however, it is necessary to connect such a test system to the corporate LAN to allow the transfer of test results. What problems could arise from this?
In a typical LAN environment there could be a whole host of devices sending out broadcast requests, DHCP acknowledgements and other configuration and status information. A device needs to process this information to see whether it should be acted upon, although the majority of it can safely be ignored. All of these packets flowing around a network could potentially slow attached devices down, causing them to miss important events, which is problematic where a measurement needs to be taken periodically at a certain time. If the processor is busy filtering network packets, it might miss this window, rendering the test results useless.
Additionally, a LAN connection can only transfer a set amount of information per second. This capacity of the LAN cable is called bandwidth. Common network speeds are 10 or 100 megabits per second. Gigabit networks, where the bandwidth is measured in thousands of megabits per second, are more commonly used on servers or as links between switching hubs, as well as with high-end desktop systems. If a large data set needs to be transferred at the same time as another device starts a transfer, there may not be enough time to complete the transaction before the next set of data needs to be transmitted. And although the nominal bandwidth of a connection may be 100 megabits per second, in practical applications the achievable bandwidth is usually much lower.
Good network design and implementation can help to ensure sufficient bandwidth and mitigate these problems. The first step is to select the correct sort of hubs or switches. When networks first began appearing in the workplace, the device of choice for connecting networked equipment was the hub, or concentrator. This device is the logical equivalent of twisting network connections together: when one device begins talking, all of the other devices on the network can listen in. Special algorithms in the connected devices' hardware determine when it is safe for a device to begin talking and what action to take when two devices attempt to talk at once. When two devices attempt to talk at once, a collision is said to have occurred. As a network increases in size, the potential for collisions increases substantially. These collisions lower the available bandwidth and can cause network slowdowns.
As the price of network equipment came down, a different type of network hub rose to prominence: the network switch. It records the unique hardware address of each device connected to it and can intelligently route traffic only to those connections where the data could be required. This reduces the opportunity for collisions and increases the available bandwidth for all devices. Most networking devices you can buy today are of this type; the older concentrator-type hubs are considered obsolete in the computer industry. But there is one advantage to using an older-style concentrator, and that is latency. Smaller switches have a processor running specific software which examines each network packet to determine its destination. This inspection process takes time, somewhere in the order of microseconds for a fast device, whereas a concentrator has no such delay; it simply repeats what is heard on one port to all the others.
All of this information can be digested into a few simple rules:
1) Ensure enough bandwidth is available to transfer data within a set timeframe. Allocate more than is required to give yourself some headroom.
2) Where the equipment is likely to be connected to larger networks, use switching hubs to minimise the amount of unnecessary network chatter coming from the larger network.
3) Where equipment needs to communicate events very quickly, use older-style concentrators to connect the devices. Buffer these from the larger network with switches to limit network chatter.
An important element of LAN-based instruments is the security of the device itself. Physical security is easy enough to deal with: place the equipment in a locked room, or one which requires a token such as a key card to access. But when the test results from the device need to be transmitted across a campus, to a QA department for example, ensuring the data is not intercepted or changed becomes highly valuable.
Statistically speaking, security intrusions into a company are much more likely to be performed by someone working for the company itself. These intrusions can range from someone using another user's password to access information to the outright theft of confidential data. Data security takes an even more central role where items designed for military use are being tested: test data could reveal important weaknesses in a product or its likely capability.
So how do you stop information from one part of a network from reaching another? And more importantly, how do you prevent that data from being accessed by remote machines?
The first simple technique is to segment your network. In this technique you split your network into discrete sections, or subnets. Each subnet uses a different set of what are called public IP addresses. These addresses are assigned to each device either manually or using a dynamic method such as DHCP, and uniquely identify a machine in much the same way as a house address does for a physical property. The network segments are joined using devices called routers. These devices form the backbone of networks and of the internet in general. Their purpose is to examine incoming data and forward it to the correct interface or onwards to another router. Each time a packet encounters a router and is transferred, the packet is said to have made a 'hop'. Routers contain what are called routing tables, and use the rules contained within the routing table to determine what happens when a packet is received. The router could decide to forward the packet onwards; it may have no rule for the packet and so simply drop it; or in some cases the packet could be too large, so the router will split it into smaller chunks before sending it on its way. Each time a packet of data encounters a router, a time penalty is applied to its reaching its final destination. The more routers the packets negotiate, the greater the penalty.
So a router can be used to stop or to allow traffic from one part of the network to another. In an ideal world your test system would not be allowed to connect to a computer in, say, the company's post room. However, routers can be fooled into sending data to the wrong place by a process called spoofing. This is like taking the number off a house and placing your neighbour's house number on it when you know they are expecting a delivery! So whilst routing is useful, and in very large networks necessary, it is not a secure solution for preventing data from going to places other than those intended.
Fortunately there is a special type of router that can help in this regard: the firewall. A firewall is a device which usually sits on the periphery of a network. Your home DSL router may well contain a small firewall to protect your desktop computer. A firewall inspects each packet of data as it arrives and compares it against a list of rules concerning what it should do with that packet. The rules normally allow a packet to end up in one of three states: dropped, where the packet is simply discarded; accepted, where it is routed on with no changes; or port forwarded. Port forwarding is like a forwarding address, where you connect to the firewall instead of to the protected device. The firewall handles the translation of packets to and from the protected device and provides a greater level of protection than connecting the device directly to the network.
Firewalls and some routers can also perform an additional function called network address translation. This is where the requests of multiple protected devices to a network all appear to be coming from one address on the firewall. The firewall remembers these requests and, after checking the replies, routes them through to the correct protected device. Some firewalls can also check whether a packet has been spoofed or tampered with, and can even perform functions such as warning a system operator if attempts to access unauthorised systems occur.
Firewalls can perform one other useful function, and that is to filter incoming packets by destination port. A port is like one of several mailboxes at a single address. A computer may have several services or programs listening on these ports, and access to some of them may need to be prohibited from a connected network. The firewall can filter these individual port requests, refusing those which are undesirable. For example, you may want a user to access a web server located behind a firewall, which works on port 80, but refuse access to file sharing, which works on another set of ports.
So to recap:
1) A router can be used to isolate parts of a network from one another, either to limit traffic or to split up a large network.
2) A firewall can be used to allow or deny requests to a network and protect devices connected behind it.
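The following is an added illustration, not code from the article or from any LXI product, of how the firewall behaviour described above makes its decisions: first-match rules that drop, accept or port-forward a packet, the port-80-yes-file-sharing-no policy, and a simple anti-spoofing check. All addresses, the interface names "red" and "green", and the rule list are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addresses for the illustration (not from the article):
CORPORATE_LAN = ipaddress.ip_network("10.1.0.0/16")   # the larger company network
TEST_LAN = ipaddress.ip_network("192.168.50.0/24")    # the protected test-system LAN
FIREWALL_RED = "10.1.7.1"                             # firewall address facing the corporate LAN
INSTRUMENT = "192.168.50.10"                          # LXI instrument behind the firewall

@dataclass
class Packet:
    iface: str    # "red" (untrusted side) or "green" (protected side)
    src: str
    dst: str
    dport: int    # destination port

@dataclass
class Rule:
    src_net: ipaddress.IPv4Network     # permitted sender range
    dport: Optional[int]               # destination port; None matches any port
    action: str                        # "accept", "drop" or "forward"
    forward_to: Optional[str] = None   # protected device for "forward"

# First matching rule wins, as in most firewall rule lists; the last rule is the default deny.
RULES = [
    Rule(CORPORATE_LAN, 80, "forward", INSTRUMENT),   # web interface reachable via the firewall
    Rule(CORPORATE_LAN, 445, "drop"),                 # Windows file sharing (SMB)
    Rule(CORPORATE_LAN, 139, "drop"),                 # NetBIOS session service
    Rule(ipaddress.ip_network("0.0.0.0/0"), None, "drop"),
]

def decide(pkt: Packet, rules=RULES) -> Tuple[str, Optional[Packet]]:
    """Return (verdict, packet to pass on); verdict is 'drop', 'accept' or 'forward'."""
    src = ipaddress.ip_address(pkt.src)
    # Anti-spoofing: a packet arriving on the untrusted side must not claim a protected address.
    if pkt.iface == "red" and src in TEST_LAN:
        return "drop", None
    # Traffic between devices on the protected side passes unchanged.
    if pkt.iface == "green" and ipaddress.ip_address(pkt.dst) in TEST_LAN:
        return "accept", pkt
    for rule in rules:
        if src not in rule.src_net or (rule.dport is not None and rule.dport != pkt.dport):
            continue
        if rule.action == "forward":
            # Port forwarding: only connections made to the firewall itself are rewritten.
            if pkt.dst != FIREWALL_RED:
                continue
            return "forward", Packet(pkt.iface, pkt.src, rule.forward_to, pkt.dport)
        return rule.action, (pkt if rule.action == "accept" else None)
    return "drop", None
```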
By default, LXI devices, in common with many other types of computer equipment, have very basic security. They are open and accessible to all by design. So in order to secure an instrument, it is first necessary to determine what the threat is. We have already seen some of the techniques used to protect equipment in a closed corporate environment, but what of other scenarios?
In a very high security environment, physical access to the device may be limited by measures such as locks and keys or even human guards. Connection of test systems to other networks may be completely prohibited, and so where a network comprises a system contained entirely within a locked room to which only a select number of staff have access, the risk to the instrument's security could be considered low.
The same cannot be said of a distributed system, where the connections between equipment could be anywhere from a few hundred feet to many thousands of miles long. It may be impractical to transmit data over private wires, and in some cases there may be no option but to use the Internet. The transmission of test data between sites presents a challenge. The data could be snooped upon by anyone with the right equipment. The data could be changed, or instruments tampered with, rendering tests useless. Fortunately there is a way to transmit data across a public network in such a way as to prevent tampering or unauthorised eavesdropping. The technology is called encryption, and its practical application within networks is the VPN, or Virtual Private Network. A VPN device encrypts data using complex mathematical algorithms and a cipher known as a private key or certificate. If somebody were to capture packets of data and analyse them, without the cipher and decoding algorithms the data is meaningless. Various strengths of encryption can be employed, which run the full gamut from taking months to taking many thousands of years to decrypt successfully, even with the fastest computers in the world and current technology.
So how does a VPN connection work? Each end of the connection requires a VPN box. In a simplistic description, each box has two ports: a red port, which is connected to the Internet for instance, and a green port, which is connected to your protected device. Traffic to and from the protected device enters the green port and is encrypted; this then travels through the Internet to the other VPN box, where it is decoded. The tunnelling aspect of a VPN comes from the fact that, to the protected device, it appears to be connected to the same network as the device at the other end of the VPN connection. In other words, it's as if you had a private cable physically connected from one device to the other, as if the intermediate network weren't even there.
A VPN device can provide impressive security, and the technology is in use every day in fields as diverse as banking, utility companies and government, through to remote office workers picking up their email or exchanging documents. Its security, however, depends upon the secrecy of the encryption cipher being maintained. If the cipher becomes common knowledge, it is possible to eavesdrop on a VPN connection.
Another consideration when connecting equipment to the Internet is its vulnerability to outside attack. Any device, whether connected through a VPN or not, should have a firewall installed. Not using a firewall is like going on holiday and leaving your front door wide open: you are giving an open invitation to all and sundry to enter.
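To make the red-port/green-port picture above concrete, here is an added illustration (not code from the article or from any VPN product) of what each VPN box does to a packet: the green-port plaintext, a SCPI query in this constructed example, is encrypted and authenticated before it leaves the red port, the peer box verifies and decrypts it, and a captured packet that has been altered in transit, or one decrypted with the wrong key, is rejected. The encrypt-then-MAC construction here, with a keystream derived from HMAC-SHA256 and pre-shared keys, is a stand-in for illustration only and does not follow any real VPN protocol.

```python
import hashlib
import hmac
import os
import struct

NONCE_LEN = 12   # per-packet random value so identical packets never encrypt alike
TAG_LEN = 32     # HMAC-SHA256 authentication tag

# Constructed pre-shared keys: both VPN boxes must hold these, and their secrecy is
# what the security of the tunnel rests on.
ENC_KEY = hashlib.sha256(b"constructed demo encryption key").digest()
MAC_KEY = hashlib.sha256(b"constructed demo authentication key").digest()

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (illustration, not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def vpn_encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Green port in, red port out: nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def vpn_decrypt(enc_key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    """Red port in, green port out; raises ValueError if the packet fails authentication."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    nonce, ct, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("packet tampered with or wrong key")
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))

def is_rejected(enc_key: bytes, mac_key: bytes, packet: bytes) -> bool:
    """True if the receiving VPN box refuses the packet."""
    try:
        vpn_decrypt(enc_key, mac_key, packet)
        return False
    except ValueError:
        return True
```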
If the instrument runs a desktop operating system or can run user supplied software, is it adequately protected from virus infection? Is it possible to remotely control or command the device, and if so, have safeguards been put in place to ensure that only those with permission to do so can?
Even with all this impressive security technology at our disposal, the fact remains that in a commercial or industrial environment the majority of security breaches originate from within the organisation's own staff. The level of breach can run from something as simple as idle curiosity to outright espionage. Security within an organisation ought therefore to be considered in tandem with that of outside influences.
LXI devices must have a secure method of locking the configuration from changes. The specification does not mandate protection where a user could manually interrupt a measurement for instance. So if it is the case where idle button pushing could be a problem, the instrument should be kept under lock and key. Instruments should also be protected from power outages by the use of uninterruptible power supplies. A lengthy measurement could be rendered useless by a cleaner unplugging a rack to power a floor buffer!
Physical security can be enhanced by the use of tamper-proof labels on network points and the use of locking data cabinets. Remember also that IT administrators usually have unfettered access to the entire network at their disposal. Work with your IT department to ensure that such access is limited where it matters.
Configuration and access passwords should also be kept secret, and connected computer equipment should have USB, floppy and CD-Writers disabled or keylocked.
Security of any networked device should be carefully thought out. Security of devices, especially when connected to the Internet, can become complicated very quickly. In these cases it is often preferable to engage the services of a certified professional than to run the risk of misconfiguring a system. Make use of your internal IT resources, as there will often be considerable experience of security matters gained through dealing with normal corporate systems. And use common sense when securing your devices and data. There is little point in investing in complex and expensive IT security if someone can walk in and steal your equipment!