
One-way communication - Serial or Ethernet ?

huskerdon

Programmer
Aug 26, 2002
67
US
What is the best method of setting up a unidirectional connection from one server to another? Here's the situation: we have a couple of workstations and a W2K server that needs to be isolated from the rest of the network, which is also W2K machines. The secure server is connected to a UNIX system, which is gathering SCADA information from our substations, etc. There is no link to the outside world on this side (other than to the SCADA system itself).
This data is gathered and processed on the secure W2K server, and some is put in Access DBs, and some is just converted to ascii format. We need to periodically send this data to the W2K server on the main PC network, so that data is available to all of the PC users in the building.
So what the boss wants is a ONE-WAY connection (either serial or ethernet), to send this data from the secure server to the rest of the network. I know there would be an issue of no handshaking and no confirmation of data being received, in a one-way situation. I would probably use a VB program to send the data at certain intervals. We have the ability to make our own cables, if it's just a matter of having no receive wire on the sending end of the cable. Does anyone have suggestions on how to do this, and is it possible using ethernet, rather than serial cables?
 
Ethernet would require a two-way negotiation, even if only sending data one way. There would be ACKs, etc. for TCP, and still data going both ways for UDP.

If you want a one way only connection, serial is the way.

The ideal format would be to isolate the LANs, and publish the required information from the secure server to a server on the local network. This would satisfy the SCADA security aspect of the connection, and allow for dynamic data transfer from your secure server.
 
You have a software and a hardware issue.
Ethernet has many advantages: you probably already have the infrastructure. Distance is not a concern. Ethernet traffic can be routed anywhere around the world if ever needed.
Serial lines are close to obsolete, have limited range, and you wind up with a one-off solution.

Software-wise, it's easy to move data over serial or ethernet. Using standard TCP/IP software already running on the machines, you can have your software open up connections, creating your own link, or you can just do high level operating system commands, such as using FTP to transmit a file periodically. You might even consider using a shared network directory into which one computer writes data and the other reads it. There are many options.

=John=
 
robertjo and jshelton, thanks for your response. I guess I didn't make myself clear. These are already 2 completely isolated LANs. The secure LAN is connected to the SCADA system and a couple of other workstations, mainly for backups. The "normal" LAN comprises the other 20 workstations in the building, with Internet and e-mail access to the outside world.
The boss wants the only connection between the 2 LAN servers to be a one-way cable, and it sounds like it would be serial. This connection is needed in order to move collected data from the secure server to the other server periodically. The distance is not an issue, since the 2 servers will basically be right next to each other.
I think there are some new regulations coming down in the utility industry, stating that the isolation must be done in order to PHYSICALLY prevent data from flowing from outside into the secure LAN. Apparently, this means the boss does NOT want to use software or router methods to do this. There must be no physical way for an outsider to gain access to the secure LAN via this cable.
Any suggestions?
 
If you want to get paranoid use floppies. Otherwise to PHYSICALLY isolate the two boxes they can't be connected by any means. You need to read the spec and see what is really required.
 
Dear Huskerdon,
Due to time constraints I could not try out the concept before writing it to you. My thought relates to Norton Internet Security: you can allow inbound/outbound communications. You could contact Peter Norton and ask if allowing only inbound contact would act as a security diode.
Good luck,


Regards
Peter Buitenhek
Profit Developer.com
 
Serial is the simple solution. Even if distances were involved you could convert the serial to ethernet with some Lantronix UDS series boxes.

Once you hook two boxes together with ethernet (especially winboxes) there are too many holes.

Since serial hardware handshaking does not involve the data lines (TX & RX) you can have handshaking without opening a reverse path.

If you know VB it should be fairly easy...

 
FYI,

The new SCADA security guidelines are in development, but to the best of my knowledge, there is no restriction on physical connections.
One of the members on the panel developing the guidelines is currently in the process of installing a new SCADA system that is all IP based.
Proper network architecture, and adherence to security protocols should suffice.

If this were not true, there are currently millions of dollars being spent for nothing.

I would ask my boss to dig a little deeper before causing yourself more trouble than you solve.
 
Thanks very much to all of you that responded. Obviously my choice would be to handle it with a firewall or router method. The person in charge - his first thought was a "one-way serial connection". We'll discuss it again, and we'll come up with a solution. Thanks for your tips!
 
Of course you could do it via radio and have a one-way, no physical connection setup. If your current SCADA system is radio, depending on what it is, it may be an easy solution to have a data packet sent periodically to the other LAN. Of course that opens up a bunch more security issues, but it could be one way and no physical connection.

On the other hand, serial is easy. Sure it is old, but hey in the SCADA world it is still everywhere. If you did a periodical dump of data via the serial port, with only the TX pin and ground connected, there should be no way to get data back the other way. Of course if you are paranoid, adding the RX or any hardware flow control pins gives you a means to signal data back to the secure side.

Telephone systems routinely do this in the form of SMDR (Station Messaging Detailed Report?) and they often just fire it out a line at a time with no flow control, no handshaking, and the printer or PMS (Property Management System) software takes the data and manipulates it.

No checksum, no positive indication it got there correctly, but one way indeed.

Good Luck!

It is only my opinion, based on my experience and education...I am always willing to learn, educate me!
Daron J. Wilson, RCDD
daron.wilson@lhmorris.com
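On the "no checksum, no positive indication it got there" point in the post above: an added example (not from any poster in this thread) of a minimal line-oriented framing the secure side could apply before writing ASCII records to a TX-only serial port, and the receiving side could check, so that line noise and lost frames are at least detected and counted on the receiving LAN even though nothing can ever be sent back. The field layout (sequence|record|crc32), the CRC32 choice and the substation records are constructed for this example.

```python
import zlib

def frame(seq: int, record: str) -> str:
    """Wrap one single-line ASCII record as 'seq|record|crc32\\n'; the CRC covers seq and record."""
    if "\n" in record or "\r" in record:
        raise ValueError("record must be a single line")
    body = f"{seq:08d}|{record}"
    return f"{body}|{zlib.crc32(body.encode('latin-1')):08x}\n"

def receive(text: str, expected_seq: int = 0):
    """Parse text read from the one-way port (bytes decoded as latin-1).
    Returns (records, stats, next_expected_seq, leftover). Frames with a bad CRC or
    broken framing are counted as corrupt and dropped; jumps in the sequence number are
    counted as missing; a repeated or older sequence number is counted as stale.
    A trailing partial line is returned as leftover so the next read can complete it."""
    records, stats = [], {"corrupt": 0, "missing": 0, "stale": 0}
    lines = text.split("\n")
    leftover = lines.pop()  # "" when the text ended with a newline
    for line in lines:
        body, sep1, crc_hex = line.rpartition("|")
        seq_str, sep2, record = body.partition("|")
        try:
            seq, crc = int(seq_str), int(crc_hex, 16)
        except ValueError:
            seq = crc = -1
        if not (sep1 and sep2) or seq < 0 or zlib.crc32(body.encode("latin-1")) != crc:
            stats["corrupt"] += 1  # there is no return path, so the frame is logged and dropped
            continue
        if seq < expected_seq:
            stats["stale"] += 1
            continue
        stats["missing"] += seq - expected_seq
        expected_seq = seq + 1
        records.append(record)
    return records, stats, expected_seq, leftover

# Constructed sample records (substation, timestamp, bus voltage, feeder current).
RECORDS = ["SUB-A,2002-08-26 09:00,12.47kV,310A", "SUB-B,2002-08-26 09:00,12.51kV,295A",
           "SUB-A,2002-08-26 09:05,12.46kV,312A", "SUB-B,2002-08-26 09:05,12.50kV,298A",
           "SUB-A,2002-08-26 09:10,12.48kV,309A", "SUB-B,2002-08-26 09:10,12.49kV,301A"]

# Simulated capture: frames 0, 1 and 3 arrive intact, frame 2 is lost, frame 4 is hit by
# line noise (one character changed), and frame 5 is cut off mid-line by the end of the read.
SAMPLE_STREAM = (frame(0, RECORDS[0]) + frame(1, RECORDS[1]) + frame(3, RECORDS[3])
                 + frame(4, RECORDS[4]).replace("kV", "kW", 1) + frame(5, RECORDS[5])[:20])

if __name__ == "__main__":
    print(receive(SAMPLE_STREAM))
```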
 