Thursday, March 30, 2023

How to apply Zero Trust to a legacy OT system?

Applying zero trust to a legacy OT (Operational Technology) system can be challenging, but it is still possible. Here are some steps that can be taken to apply zero trust principles to a legacy OT system:

  1. Identify the assets: The first step is to identify all the assets in the legacy OT system. This includes hardware, software, and data.

  2. Map the data flows: Map the data flows within the legacy OT system to understand how data is exchanged between different assets.

  3. Define the security perimeter: Once the assets and data flows have been identified, define the security perimeter for the legacy OT system. This involves defining the boundaries of the system and what assets and data are considered part of the system.

  4. Implement access controls: Implement access controls based on the principle of least privilege. This involves granting users and devices access only to the specific assets and data they need to perform their job functions.

  5. Monitor and log all activities: Implement monitoring and logging of all activities within the legacy OT system. This will help detect and respond to any security incidents.

  6. Implement security controls: Implement security controls such as firewalls, intrusion detection systems, and data encryption to secure the legacy OT system.

  7. Update and patch legacy systems: If possible, update and patch the legacy OT system to improve its security posture. This may involve replacing or upgrading legacy hardware and software components.

  8. Conduct regular security assessments: Conduct regular security assessments of the legacy OT system to identify and address any vulnerabilities.

Applying zero trust to a legacy OT system may require a phased approach and a combination of technical and organizational measures. It is important to involve all stakeholders, including IT and OT teams, in the planning and implementation of zero trust measures to ensure their success.
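Steps 1, 2, 4 and 5 above become concrete once the inventory and the mapped flows are written down as data and observed traffic is checked against them. The script below is an added example, not part of the original post: the asset inventory, the flow allow-list, the flow record layout and the sample log lines are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal zero-trust flow audit
for an OT network. The asset inventory, the flow allow-list and the flow log
lines are all constructed for illustration; the record format is hypothetical."""
import re
from dataclasses import dataclass

# Step 1, identify the assets: inventory keyed by IP address (constructed).
ASSETS = {
    "10.10.1.10": "HMI-01",
    "10.10.2.20": "PLC-01",
    "10.10.2.21": "PLC-02",
    "10.10.9.5": "ENG-WS-01",
    "10.20.0.7": "HISTORIAN",
}

# Steps 2 and 4, map the data flows and apply least privilege: the mapped flows
# become an explicit allow-list of (source, destination, protocol/port).
# Anything not listed is treated as a violation, which is the zero-trust default.
ALLOWED_FLOWS = {
    ("HMI-01", "PLC-01", "modbus/502"),
    ("HMI-01", "PLC-02", "modbus/502"),
    ("HISTORIAN", "PLC-01", "opcua/4840"),
    ("ENG-WS-01", "PLC-01", "s7/102"),
}

@dataclass
class Verdict:
    src: str
    dst: str
    service: str
    reason: str  # "allowed", "unknown-asset" or "not-in-allow-list"

# Hypothetical flow record layout, as a firewall or flow collector might log it.
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)

def evaluate_flow(record: str) -> Verdict:
    """Step 5, monitor: evaluate one observed flow against inventory and allow-list."""
    m = FLOW_RE.search(record)
    if not m:
        raise ValueError(f"unparseable flow record: {record!r}")
    src = ASSETS.get(m["src"], "?")   # "?" marks a device missing from the inventory
    dst = ASSETS.get(m["dst"], "?")
    service = f"{m['proto'].lower()}/{m['dport']}"
    if "?" in (src, dst):
        return Verdict(src, dst, service, "unknown-asset")
    if (src, dst, service) in ALLOWED_FLOWS:
        return Verdict(src, dst, service, "allowed")
    return Verdict(src, dst, service, "not-in-allow-list")

def audit(records) -> list:
    """Return the verdicts that need attention, i.e. everything not explicitly allowed."""
    return [v for v in map(evaluate_flow, records) if v.reason != "allowed"]

# Constructed sample records: one legitimate flow and three that a zero-trust
# policy should surface (wrong PLC, unexpected protocol, unknown source).
SAMPLE_FLOWS = [
    "2023-03-30T10:00:01 src=10.10.1.10 dst=10.10.2.20 proto=MODBUS dport=502",
    "2023-03-30T10:00:02 src=10.10.9.5 dst=10.10.2.21 proto=S7 dport=102",
    "2023-03-30T10:00:03 src=10.10.1.10 dst=10.10.2.20 proto=SSH dport=22",
    "2023-03-30T10:00:04 src=192.168.77.9 dst=10.10.2.20 proto=MODBUS dport=502",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS):
        print(f"{v.reason:<18} {v.src} -> {v.dst} {v.service}")
```

The "unknown-asset" verdict is the one that matters most on a legacy plant floor: a device that is not in the inventory cannot be given least-privilege access, so it has to go back to step 1 before any firewall rule is written for it. In practice the allow-list is generated from the mapped flows of step 2 and the records come from the firewall or span-port collector of step 5; the structure of the check stays the same.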

Wednesday, January 25, 2023

IT/OT Convergence - Not only a technical challenge!

The convergence of IT (Information Technology) and OT (Operational Technology) can present several challenges:

  • Management: in most companies, IT and OT systems have been managed by different teams, with different skills and expertise. It can be difficult to ensure that the two teams are managed effectively and that the IT and OT engineers work together effectively.
  • Compliance and regulation: IT and OT have different compliance and regulatory requirements. It can be difficult to ensure that both systems meet all relevant standards.
  • Understanding and process: both teams speak different languages and have different expectations. There is a long learning curve to take into consideration if you start this journey. IT must understand OT and the other way around. This understanding must not be limited to technical aspects; the processes must also be taken into consideration. For example, ITIL processes are not well known by most OT teams.

For the reasons listed above, it is important to build strong governance. You should have a dedicated team in charge of the convergence process, with clear roles and responsibilities and the right level of expertise in IT and OT.
And maybe most important of all: trust must be built between both teams.

 


Thursday, January 5, 2023

How to use Ansible Vault?

If you are keeping a clear-text password in your YAML file, you can encrypt the file with ansible-vault.


  • How to encrypt the credentials?

#ansible-vault encrypt MyCredentials.yml

New Vault password: <Enter the password and stored in a safe place>
Confirm New Vault password: <Enter the same password>
Encryption successful

  • How to view the encrypted credentials?

#ansible-vault view MyCredentials.yml

Vault password: <Enter the password previously chosen>



  • How to change data in your file (for example your credentials)?

Decrypt the file MyCredentials.yml:

User@Ansible-Host:~/> ansible-vault decrypt MyCredentials.yml
Vault password: <known_key>
Decryption successful


Edit the file with your preferred editor (vim/nano) and change the data.

Then encrypt the file again:

User@Ansible-Host:~/> ansible-vault encrypt MyCredentials.yml
New Vault password: <known_key>
Confirm New Vault password: <known_key>
Encryption successful
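Two things a practitioner will want alongside the commands above. First, the decrypt/edit/encrypt cycle writes the clear-text file to disk in between; `ansible-vault edit MyCredentials.yml` opens the decrypted content in your editor and re-encrypts it on save without that intermediate file, and `--vault-password-file` lets playbooks and CI read the password from a protected file instead of an interactive prompt. Second, it is easy to forget one file, so a repository check that flags clear-text credentials while recognising vaulted files and `!vault`-tagged values is worth having. The script below is an added example and not part of the original post or of Ansible itself; the key names it treats as sensitive and the sample YAML contents are constructed, while the `$ANSIBLE_VAULT;1.1;AES256` header it looks for is the one ansible-vault writes.

```python
"""Added example (not from the original post): a pre-commit style check that
flags YAML files carrying clear-text credentials while recognising files or
values already protected by Ansible Vault. The sample file contents below are
constructed; the header format ($ANSIBLE_VAULT;1.1;AES256, or 1.2 with a
vault id) is the one ansible-vault writes."""
import re

VAULT_HEADER_RE = re.compile(r"^\$ANSIBLE_VAULT;1\.[12];AES256(;[\w-]+)?\s*$")
# Keys whose values we expect to be vaulted. Hypothetical list, extend to taste.
SENSITIVE_KEY_RE = re.compile(
    r"^\s*(?P<key>[\w.]*(password|passwd|secret|token|api_key)[\w.]*)\s*:\s*(?P<value>.*)$",
    re.IGNORECASE,
)

def is_vault_file(text: str) -> bool:
    """True when the whole file is an ansible-vault envelope (first line is the header)."""
    first = text.splitlines()[0] if text.strip() else ""
    return VAULT_HEADER_RE.match(first) is not None

def find_cleartext_credentials(text: str) -> list:
    """Return (line_no, key) for sensitive keys whose value is a clear-text literal."""
    if is_vault_file(text):
        return []
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = SENSITIVE_KEY_RE.match(line)
        if not m:
            continue
        value = m["value"].strip().strip("\"'")
        if value.startswith("!vault"):      # inline value from 'ansible-vault encrypt_string'
            continue
        if value == "" or value.startswith("{{"):  # nested mapping or Jinja reference, not a literal
            continue
        findings.append((no, m["key"]))
    return findings

# Constructed sample contents (not real secrets or real ciphertext).
CLEAR_YAML = """---
db_user: app
db_password: Sup3rSecret!
api_token: "{{ lookup('env', 'API_TOKEN') }}"
"""
VAULTED_VALUE_YAML = """---
db_user: app
db_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          30313233343536373839
"""
VAULT_FILE = "$ANSIBLE_VAULT;1.1;AES256\n30313233343536373839\n"  # body is a placeholder

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if targets:  # usage: python check_vault.py group_vars/*.yml
        for path in targets:
            with open(path, encoding="utf-8") as fh:
                for no, key in find_cleartext_credentials(fh.read()):
                    print(f"{path}:{no}: clear-text value for '{key}'")
    else:        # no arguments: run on the constructed samples
        for name, text in (("clear", CLEAR_YAML), ("vaulted value", VAULTED_VALUE_YAML), ("vault file", VAULT_FILE)):
            print(name, find_cleartext_credentials(text))
```

A Jinja reference such as `{{ lookup('env', ...) }}` is skipped only because it is not a literal; whether the variable it points to is protected still has to be checked where that variable is defined.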

2023 - New Posts - I'm back

After a long pause, I have decided to share my experience again. I will publish more articles on several topics, not just networking anymore. The following areas will be covered:

  • IT/OT Convergence. For this specific area, I would like to cover the technical challenges but also the organizational changes that this convergence brings.
  • IoT 4.0 and cybersecurity.
  • Advanced firewalling.
  • Ansible and Automation.


Friday, June 10, 2016

BGP Conditional Advertisement

This BGP feature filters a subnet advertisement based on a condition (AS-PATH, presence of a subnet in the routing table, ...). In the example below, imagine that AS100 is ISP1 and AS200 is ISP2. In most cases, we only monitor the status of the directly connected interface, but here we monitor the presence of the subnet 20.20.20.0/24, which is advertised by ISP1.
By default, we advertise the subnet 50.50.50.0/24 only to ISP1; if the subnet 20.20.20.0/24 disappears, we announce it to ISP2 as well. This feature is typically useful when ISP2 is more expensive than ISP1.



  • Configuration:

R1:
interface Loopback50
 ip address 50.50.50.50 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.50.1 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.150.1 255.255.255.0
!
router bgp 50
 network 50.50.50.0 mask 255.255.255.0
 neighbor 192.168.50.2 remote-as 100
 neighbor 192.168.150.3 remote-as 200
 neighbor 192.168.150.3 advertise-map NOT_ANNOUNCE_R3 non-exist-map ADVERTISE
!
ip prefix-list LO20 seq 5 permit 20.20.20.0/24
!
ip prefix-list LO50 seq 5 permit 50.50.50.0/24
!
route-map NOT_ANNOUNCE_R3 permit 10
 match ip address prefix-list LO50
!
route-map ADVERTISE permit 10
 match ip address prefix-list LO20
R2:
interface Loopback20
 ip address 20.20.20.20 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.50.2 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.100.2 255.255.255.0
!
router bgp 100
 network 20.20.20.0 mask 255.255.255.0
 neighbor 192.168.50.1 remote-as 50
 neighbor 192.168.100.3 remote-as 200
R3:
interface Ethernet0/0
 ip address 192.168.100.3 255.255.255.0
!
interface Ethernet0/1
 ip address 192.168.200.3 255.255.255.0
!
interface Ethernet0/2
 ip address 192.168.150.3 255.255.255.0
!
router bgp 200
 neighbor 192.168.100.2 remote-as 100
 neighbor 192.168.150.1 remote-as 50


  • Initial behavior:

R3 sees subnet 50.50.50.0/24 only via R2 (next hop 192.168.100.2):
R3#sho ip bgp
     Network          Next Hop            Metric LocPrf Weight Path
 *   20.20.20.0/24    192.168.150.1                          0 50 100 i
 *>                   192.168.100.2            0             0 100 i
 *>  50.50.50.0/24    192.168.100.2                          0 100 50 i
We can check that R1 is not advertising the subnet to R3:
R1#sho ip bgp neighbors 192.168.150.3 advertised-routes
     Network          Next Hop            Metric LocPrf Weight Path
 *>  20.20.20.0/24    192.168.50.2             0             0 100 i
R1#sho ip bgp neighbors 192.168.50.2 advertised-routes
     Network          Next Hop            Metric LocPrf Weight Path
 *>  50.50.50.0/24    0.0.0.0                  0         32768 i
R1#sho ip bgp neighbors 192.168.150.3 | in Conditio
  Condition-map ADVERTISE, Advertise-map NOT_ANNOUNCE_R3, status: Withdraw

  • Now the subnet 20.20.20.0/24 is removed from the routing table:

R2(config)#interface Loopback20
R2(config-if)#shutdown

We can check that R1 is now advertising the subnet to R3:
R1#sho ip bgp neighbors 192.168.150.3 | in Conditio
  Condition-map ADVERTISE, Advertise-map NOT_ANNOUNCE_R3, status: Advertise
R1#sho ip bgp neighbors 192.168.150.3 advertised-routes
     Network          Next Hop            Metric LocPrf Weight Path
 *>  50.50.50.0/24    0.0.0.0                  0         32768 i

R3#sho ip bgp
BGP table version is 18, local router ID is 192.168.200.3
 *>  50.50.50.0/24    192.168.150.1            0             0 50 i
 *                    192.168.100.2                          0 100 50 i
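The decision R1 takes for neighbour R3 can be reduced to a small rule: routes matching the non-exist-map are the condition; as long as at least one of them is in R1's BGP table, routes matching the advertise-map are withheld, and once none is left they are advertised. Routes matching neither map follow the normal outbound policy, which is why 20.20.20.0/24 is still passed to R3 in the "Withdraw" state above. The simulation below is an added example, not code from the original post: it encodes the prefix-lists and route-maps of R1's configuration and two BGP tables constructed to mirror the outputs shown.

```python
"""Added example (not from the original post): a simulation of the
'advertise-map ... non-exist-map ...' decision R1 makes for neighbour R3,
using the prefix-lists and route-maps of the configuration above. The BGP
tables are constructed to mirror the post's outputs."""
import ipaddress

# Prefix-lists from R1's configuration (seq 5 permit entries, no le/ge).
PREFIX_LISTS = {
    "LO20": ["20.20.20.0/24"],
    "LO50": ["50.50.50.0/24"],
}
# Route-maps: each is a single 'permit 10' that matches one prefix-list.
ROUTE_MAPS = {
    "NOT_ANNOUNCE_R3": "LO50",  # advertise-map
    "ADVERTISE": "LO20",        # non-exist-map (the condition)
}

def prefix_list_permits(name: str, prefix: str) -> bool:
    """Cisco prefix-list semantics without le/ge: exact prefix match only."""
    net = ipaddress.ip_network(prefix)
    return any(net == ipaddress.ip_network(p) for p in PREFIX_LISTS[name])

def route_map_matches(name: str, prefix: str) -> bool:
    return prefix_list_permits(ROUTE_MAPS[name], prefix)

def conditional_advertisement(bgp_table, advertise_map, non_exist_map):
    """Return (status, prefixes sent to the neighbour).

    status is "Withdraw" while any route matching the non-exist-map is present
    in the local BGP table, "Advertise" once none is left. Advertise-map routes
    are only sent in the "Advertise" state; other routes are passed unchanged.
    """
    condition_present = any(route_map_matches(non_exist_map, p) for p in bgp_table)
    status = "Withdraw" if condition_present else "Advertise"
    advertised = []
    for prefix in bgp_table:
        if route_map_matches(advertise_map, prefix):
            if status == "Advertise":
                advertised.append(prefix)
        else:
            advertised.append(prefix)
    return status, advertised

if __name__ == "__main__":
    before = ["20.20.20.0/24", "50.50.50.0/24"]   # 20.20.20.0/24 still learned from ISP1
    after = ["50.50.50.0/24"]                      # ISP1 no longer announces 20.20.20.0/24
    for label, table in (("initial", before), ("lo20 down", after)):
        print(label, conditional_advertisement(table, "NOT_ANNOUNCE_R3", "ADVERTISE"))
```

Two caveats when relying on this in production: the condition is evaluated by the BGP scanner rather than on every update, so the status change is not instantaneous (on IOS the scan interval is 60 seconds by default), and the tracked prefix must be one ISP1 really withdraws when its service fails; tracking a prefix that stays reachable through another path defeats the purpose.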

Monday, May 9, 2016

Simple regular expression Cisco CLI (AND)

This short memo explains how to use the show command pipe filter to get an AND regular expression. What we would like to write (this syntax does not exist) is:
show interfaces status | include textA AND textB

In order to perform this action, you can use this expression:
show interfaces status | in textA.*textB

Example: show all Gi1/2/ interfaces which are connected:
show interfaces status | in Gi1/2/.*connected
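The `textA.*textB` trick is not a true AND: it only keeps lines where textA appears before textB, and `connected` also matches a port description that happens to contain the word. The script below is an added example, not part of the original memo; it applies the same regular expressions with Python's re module to a constructed `show interfaces status` output so both behaviours are visible, and adds an order-independent AND filter for comparison.

```python
"""Added example (not from the original post): what the Cisco pipe filter
'| include textA.*textB' actually matches, checked with Python's re module on
a constructed 'show interfaces status' output."""
import re

# Constructed sample output, layout modelled on Catalyst 'show interfaces status'.
# Gi1/3/1 has a description containing "connected" but is not connected.
SHOW_INT_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/1/1   uplink-core        connected    trunk      a-full  a-1000 10/100/1000BaseTX
Gi1/2/1   office-floor2      connected    10         a-full  a-1000 10/100/1000BaseTX
Gi1/2/2                      notconnect   10           auto   auto 10/100/1000BaseTX
Gi1/2/3   printer            connected    20         a-full  a-100  10/100/1000BaseTX
Gi1/3/1   connected-camera   notconnect   30           auto   auto 10/100/1000BaseTX
"""

def cli_include(output: str, pattern: str) -> list:
    """Emulate '| include <regex>': keep the lines where the regex matches anywhere."""
    rx = re.compile(pattern)
    return [line for line in output.splitlines() if rx.search(line)]

def and_filter(output: str, *terms: str) -> list:
    """A true AND: keep lines where every term matches, in any order."""
    return [line for line in output.splitlines() if all(re.search(t, line) for t in terms)]

def ports(lines: list) -> list:
    """First column (the port name) of each output line."""
    return [line.split()[0] for line in lines]

if __name__ == "__main__":
    print("Gi1/2/.*connected :", ports(cli_include(SHOW_INT_STATUS, "Gi1/2/.*connected")))
    print("connected.*Gi1/2/ :", ports(cli_include(SHOW_INT_STATUS, "connected.*Gi1/2/")))
    print("Gi1/3/.*connected :", ports(cli_include(SHOW_INT_STATUS, "Gi1/3/.*connected")))
    print("AND any order     :", ports(and_filter(SHOW_INT_STATUS, "connected", "Gi1/2/")))
```

On the real CLI, anchoring the status column helps with the description problem: `| in Gi1/2/.* connected ` (with surrounding spaces) will not match `connected-camera` in the Name column.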

Monday, March 14, 2016

BGP MED routing decision - Always-compare-med

MED (Multi-Exit Discriminator) is used to influence the routing decision. By default, a router that receives the MED attribute from its neighbors only compares it between paths coming from the same AS. As you can see in the diagram below:
  • R3 sends to R4 a MED of 50 for subnet 172.16.1.0/24
  • R2 sends to R4 a MED of 100 for subnet 172.16.1.0/24
  • The lowest MED is the preferred path

In a first step, the configuration below has been applied:
R1:
interface Loopback1
ip address 172.16.1.1 255.255.255.0
router bgp 50
bgp log-neighbor-changes
network 172.16.1.0 mask 255.255.255.0
neighbor 10.1.1.2 remote-as 100
neighbor 10.1.3.3 remote-as 200
R2:
router bgp 100
bgp log-neighbor-changes
neighbor 10.1.1.1 remote-as 50
neighbor 10.1.2.3 remote-as 200
neighbor 10.1.4.4 remote-as 300
neighbor 10.1.4.4 route-map MED out
!
access-list 1 permit 172.16.1.0 0.0.0.255
!
route-map MED permit 10
match ip address 1
set metric 100
!
route-map MED permit 20
R3:
router bgp 200
bgp log-neighbor-changes
neighbor 10.1.2.2 remote-as 100
neighbor 10.1.3.1 remote-as 50
neighbor 10.1.5.4 remote-as 300
neighbor 10.1.5.4 route-map MED out
!
access-list 1 permit 172.16.1.0 0.0.0.255
!
route-map MED permit 10
match ip address 1
set metric 50
!
route-map MED permit 20
R4:
router bgp 300
bgp log-neighbor-changes
neighbor 10.1.4.2 remote-as 100
neighbor 10.1.5.3 remote-as 200

The MED is seen by R4, but R4 selects R2 as the next hop. R4 does not compare the MED because the two paths come from two different ASs. R2 is chosen because it has the lowest router ID, 10.1.4.2.
R4#sho ip bgp 172.16.1.0
BGP routing table entry for 172.16.1.0/24, version 2
Paths: (2 available, best #1, table default)
  Advertised to update-groups:
     3
  Refresh Epoch 1
  100 50
    10.1.4.2 from 10.1.4.2 (10.1.4.2)
      Origin IGP, metric 100, localpref 100, valid, external, best
  Refresh Epoch 1
  200 50
    10.1.5.3 from 10.1.5.3 (10.1.5.3)
      Origin IGP, metric 50, localpref 100, valid, external

Now, we add the command 'bgp always-compare-med' on R4:
R4:
router bgp 300
bgp always-compare-med

As you can see, R4 has now chosen R3 as the next hop. The MED is used:
R4#sho ip bgp 172.16.1.0
BGP routing table entry for 172.16.1.0/24, version 2
Paths: (2 available, best #1, table default)
  Advertised to update-groups:
     4
  Refresh Epoch 1
  200 50
    10.1.5.3 from 10.1.5.3 (10.1.5.3)
      Origin IGP, metric 50, localpref 100, valid, external, best
  Refresh Epoch 1
  100 50
    10.1.4.2 from 10.1.4.2 (10.1.4.2)
      Origin IGP, metric 100, localpref 100, valid, external
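The two outputs above are the same best-path algorithm run with one rule toggled: MED is only a comparable attribute when both paths come from the same neighbouring AS, unless `bgp always-compare-med` makes it comparable everywhere. The script below is an added example, not code from the original post: it models only the selection steps that matter for R4's two paths (weight, local preference, AS-path length, MED, router ID) with the attributes taken from R4's `show ip bgp` output. The model uses the router ID as the final tie-break; on IOS the oldest-path rule sits before it for eBGP paths unless `bgp bestpath compare-routerid` is configured, so in a lab the default result can also depend on which session came up first.

```python
"""Added example (not from the original post): the MED step of BGP best-path
selection for R4 with and without 'bgp always-compare-med', on the two paths
shown in R4's output above. Only the attributes that matter for this tie are
modelled (weight, local-pref, AS-path length, MED, router ID)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    neighbor: str          # next hop / peer address
    router_id: str         # peer BGP router ID
    as_path: tuple         # leftmost entry is the neighbouring AS
    med: int
    local_pref: int = 100
    weight: int = 0

    @property
    def neighbor_as(self) -> int:
        return self.as_path[0]

def med_comparable(a: Path, b: Path, always_compare_med: bool) -> bool:
    """By default MED is only compared between paths from the same neighbouring AS."""
    return always_compare_med or a.neighbor_as == b.neighbor_as

def _ip_key(addr: str) -> tuple:
    return tuple(int(o) for o in addr.split("."))

def best_path(paths, always_compare_med: bool = False) -> Path:
    """Simplified IOS best-path: weight, local-pref, AS-path length, MED (when comparable), router ID."""
    best = paths[0]
    for cand in paths[1:]:
        if cand.weight != best.weight:
            best = cand if cand.weight > best.weight else best
            continue
        if cand.local_pref != best.local_pref:
            best = cand if cand.local_pref > best.local_pref else best
            continue
        if len(cand.as_path) != len(best.as_path):
            best = cand if len(cand.as_path) < len(best.as_path) else best
            continue
        if med_comparable(cand, best, always_compare_med) and cand.med != best.med:
            best = cand if cand.med < best.med else best
            continue
        # Origin, eBGP/iBGP and IGP metric are identical for R4's two paths and skipped.
        if _ip_key(cand.router_id) < _ip_key(best.router_id):
            best = cand
    return best

# The two paths R4 holds for 172.16.1.0/24, taken from the 'show ip bgp' output above.
VIA_R2 = Path(neighbor="10.1.4.2", router_id="10.1.4.2", as_path=(100, 50), med=100)
VIA_R3 = Path(neighbor="10.1.5.3", router_id="10.1.5.3", as_path=(200, 50), med=50)

if __name__ == "__main__":
    for flag in (False, True):
        chosen = best_path([VIA_R2, VIA_R3], always_compare_med=flag)
        print(f"always-compare-med={flag}: best via {chosen.neighbor} (MED {chosen.med})")
```

The practical caveat is the one the default rule protects against: MED values are set independently by each neighbouring AS, so with `bgp always-compare-med` a remote ISP's choice of metric starts steering your egress. Enable it only when you control or trust the MEDs from every neighbouring AS involved.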