Connectivity Security
CONNECTIVITY
Networking provides significant advantages and at the same time adds risk.
Multiple connections to the JNIOR may easily be created over a single
network wire. Some may be ongoing connections, such as those you need
between the JNIOR and the equipment it controls. Others may be brief
and sporadic connections, as you would expect when someone issues a command
or checks status now and again. You cannot be certain that every communication
over the network is one you intend. This is a huge issue with the personal
computer, where the network is generally constantly active, communicating with
remote systems and, frankly, doing things that no one can fully explain.
The JNIOR provides services such as the File Transfer Protocol (FTP), Telnet,
SSH, the Hypertext Transfer Protocol (HTTP) serving web pages (the WebUI), and
others. These are generally only those services that you need to properly
program and maintain your automation device. You can use the NETSTAT command
to see which ports have been opened and are available to receive connections.
Limit Connectivity
------------------
By default the JNIOR will open a standard set of protocols. Each of those
will by default require a username and password. Those login credentials are
your protection against unwanted access. Therefore we highly recommend that you
do not keep the default passwords, as discussed in the previous section.
It is also important to note that not all protocols have login capabilities.
MODBUS remains a popular protocol, but it does not support login without some
custom extension. It is therefore a huge security vulnerability, and we recommend
that it be avoided. The Series 3 JNIOR activated the non-secure MODBUS by
default. The Series 4 offers MODBUS as an application that you must specifically
activate, hopefully only while fully aware of the risk.
In most cases the login requirement for a protocol may be disabled. This is
done through a Registry setting. Again, this is not recommended, as you are
creating a serious security vulnerability. Clearly disabling login is an aid
during development. But once the automation is set up and performing, most
people neglect to go back and eliminate this risk. It is therefore very important
to first conquer the login hurdle before proceeding to implement any automation.
Not all of the protocols provided are required to manage your JNIOR. In fact you
can successfully perform all required actions through the WebUI web interface
using your browser, and you can even require that this be done securely. You
can then logically disable all of the other protocols, leaving only HTTP
on port 80 and HTTPS on port 443, or perhaps only the latter if you require
a secure, trusted connection.
Note that the Support Tool utilizes, and therefore requires, the Telnet and FTP
protocols. You will need to leave those active if you plan to use that tool.
Given that the WebUI offers services such as drag-and-drop file transfer,
file downloading, command line console access and status, you can significantly
harden your installation by limiting accessibility. A single rule allowing
HTTP port 80 (and/or HTTPS port 443) can be added to a firewall or proxy,
providing limited remote access to the device. Similarly, a single port
forwarding rule might be added to the advanced configuration of a router.
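The following is an added example, not part of the JNIOR firmware or its help
system, that turns the recommendations above (Limit Connectivity and the single
firewall rule) into a small audit: it compares a list of ports observed listening
on the device (the list in the block is constructed for illustration, not real
NETSTAT output) against the policy of keeping only the WebUI, optionally keeping
Telnet and FTP for the Support Tool, and flags MODBUS as a service with no login.
The port numbers are the IANA defaults for each service and the device address
192.0.2.10 is a documentation address; both are assumptions, not values from
this topic.

```python
"""Audit a JNIOR's listening ports against the hardening policy in this topic.

Added example; not JNIOR firmware or help-system code. Observed ports below
are constructed sample data, not real NETSTAT output.
"""
from typing import Dict, List, Set, Tuple

# IANA default ports for the services the topic names (assumed; a device may
# be configured to listen elsewhere, so confirm with NETSTAT).
KNOWN_SERVICES: Dict[int, str] = {
    21: "FTP",
    22: "SSH",
    23: "Telnet",
    80: "HTTP (WebUI)",
    443: "HTTPS (WebUI)",
    502: "MODBUS/TCP",
}

# Services the topic identifies as having no login capability at all.
NO_LOGIN_SERVICES = {"MODBUS/TCP"}

# Constructed sample of what an audit might observe on an un-hardened unit.
SAMPLE_OBSERVED: List[int] = [21, 23, 80, 443, 502, 9000]


def allowed_ports(require_tls: bool = False, support_tool: bool = False) -> Set[int]:
    """Ports that should stay open under the topic's recommendation."""
    ports = {443} if require_tls else {80, 443}
    if support_tool:
        ports |= {21, 23}  # the Support Tool requires Telnet and FTP
    return ports


def audit(observed: List[int], require_tls: bool = False,
          support_tool: bool = False) -> List[Tuple[int, str, str]]:
    """Return (port, service, finding) for each listener that should be
    closed, ordered CRITICAL, then HIGH, then WARNING."""
    keep = allowed_ports(require_tls, support_tool)
    findings: List[Tuple[int, str, str]] = []
    for port in sorted(set(observed)):
        if port in keep:
            continue
        name = KNOWN_SERVICES.get(port, "unknown")
        if name in NO_LOGIN_SERVICES:
            finding = "CRITICAL: protocol has no login; deactivate the application"
        elif name == "unknown":
            finding = "WARNING: unexpected listener; identify it with NETSTAT and close it"
        else:
            finding = "HIGH: not needed for WebUI management; disable the protocol"
        findings.append((port, name, finding))
    rank = {"CRITICAL": 0, "HIGH": 1, "WARNING": 2}
    findings.sort(key=lambda f: rank[f[2].split(":")[0]])  # stable: port order within rank
    return findings


def perimeter_rule(device_ip: str, require_tls: bool = False) -> str:
    """The single allow rule the topic describes, rendered for a Linux
    iptables gateway (assumed syntax; adapt to your firewall or proxy)."""
    ports = ",".join(str(p) for p in sorted(allowed_ports(require_tls)))
    return (f"iptables -A FORWARD -d {device_ip} -p tcp "
            f"-m multiport --dports {ports} -j ACCEPT")


if __name__ == "__main__":
    for port, name, finding in audit(SAMPLE_OBSERVED):
        print(f"{port:>5}  {name:<14} {finding}")
    print(perimeter_rule("192.0.2.10", require_tls=True))
```

Run the audit once with `support_tool=True` if you rely on the Support Tool, since
that keeps Telnet and FTP out of the findings; everything else the device listens
on should either be on the allow list or have a reason you can name.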
Summary
-------
Remain cognizant of the services open on your JNIOR. Ensure that each requires
a secure login. Do not use the default passwords. There is no need to create
highly cryptic passwords, but do avoid the obvious ones that can be easily
guessed.
SEE ALSO
HELP Topics:
NETSTAT
[/flash/manpages/manpages.hlp:1662]