How to securely connect a machine to a corporate Ethernet network using a Microwall VPN device

A CNC milling machine may be used in your company to produce prototypes and small series. Its control computer, integrated into the production network, runs Windows Embedded Standard 7 at the latest patch level. Because Microsoft ended extended support for this operating system in 2020, the milling machine needs to be isolated as a precaution. With the "Microwall VPN" firewall router, a dedicated network segment can be created for it, and communication with this segment can be tightly restricted by filter rules.

Increased network security through isolation

In 2017, WannaCry made its way through networks and media around the world. The crypto-Trojan exploited a vulnerability in file and printer sharing on Windows networks. Its damage was so massive that Microsoft not only patched current operating systems but also released security updates for products whose extended support had already ended.

WannaCry impressively demonstrated the danger of running network services that are not actually needed.

The obvious answer seems to be to simply disable the unneeded services. However, it is not always clear which services the sub-components of the system really depend on. In addition, modifications to the machine may void its certification and thus shift liability to the operator.

That is why we offer the Microwall VPN small firewall as an easy-to-use alternative for protecting production systems. It is a simple 2-port firewall that works on the whitelist principle: every permitted connection must be explicitly approved, and everything else is blocked.

Dangerous situation

A brief analysis of the current situation with the nmap port scanner [Tutorial: Finding Open Ports in the Network] revealed something disturbing: the host computer exposed twelve open ports reachable over the network, including a web server.

A second, more intensive check found a total of 24 open TCP ports. The web server is an unconfigured Internet Information Server 7.5 with known vulnerabilities that could lead to remote code execution, meaning an attacker could run arbitrary programs on the network. A lottery win for cyber "warriors". Spicy detail: the web server does not appear to serve anything but an info page, so it is probably as superfluous as the other open ports. We leave it at this intensive scan and proceed directly to isolated, island operation of the device.

Procedure - solution

Step 1: Determine the operating mode and necessary firewall rules

To keep the configuration as simple as possible, we run MicroWall VPN in NAT mode. The control computer of the milling machine then no longer appears on the surrounding network at all; MicroWall VPN takes over its role as a participant in the network, so to speak.

In fact, there is only one case in which the control computer needs to communicate over the network: to access production data, it must be able to connect to the central Windows file server. All other connections are blocked.

Since the host computer itself does not provide any network resources, incoming connections can be blocked completely. In addition, the version of the file server that the CNC software accesses is known and unambiguous. Because the IP address of the file server is also known, no name resolution is required. Convenience features such as computer discovery and network browsing, as well as the NetBIOS transport protocols, are also unnecessary, so ports 137, 138 and 139 can be ignored and therefore blocked. UDP port 123 could be enabled for automatic time synchronisation and UDP port 53 for name resolution via DNS. However, since neither function is necessary for operating the milling machine, they also remain closed.

Patch management is handled by our IT department, so the automatic update ports also remain closed. Otherwise, we would have to permit TCP connections to the WSUS server here.

The control computer only needs to be able to establish an SMB connection to a file server with a known IP address. This uses destination port 445. Because the communication runs over TCP, the reverse channel is part of the same connection and needs no separate rule. A single rule thus secures the machine permanently while preserving its function.

Step 2: Configure the device

As a router, MicroWall VPN connects the surrounding network to an isolated segment. It therefore needs an IP configuration for each of the two networks.

  1. Entering a network name makes it easier for the administrator to assign rules later.
  2. The original IP configuration of the control computer (i.e. 10.10.10.20) is taken over for the public interface. Apart from the hardware address, nothing changes in the surrounding network.
  3. On the island side, we choose the classic network 192.168.1.0/24 for convenience. Microwall serves as the default gateway for this network and is assigned the address 192.168.1.1.

Configuring the IP of the control computer:
The control computer receives the IP 192.168.1.10. The default gateway is Microwall with IP address 192.168.1.1.

Firewall rule for access to the file server:
In the last step, we set the one necessary firewall rule. The control computer with IP address 192.168.1.10 must be able to establish a TCP connection to port 445 of the production data server with IP address 10.10.10.100.
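To make the whitelist-plus-NAT behaviour from Steps 1 and 2 concrete, here is an added Python model (not Microwall firmware or W&T code) that applies the single rule and the implicit TCP reverse channel to constructed packets. The addresses are the ones from this article; the Packet fields, class names and the simplified connection tracking are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the article's configuration.
CONTROL_PC  = ipaddress.ip_address("192.168.1.10")   # island side
PUBLIC_ADDR = ipaddress.ip_address("10.10.10.20")    # Microwall public interface (NAT)
FILE_SERVER = ipaddress.ip_address("10.10.10.100")   # production data server

# Whitelist: exactly one outbound rule, as in the article (proto, src, dst, dport).
ALLOW_OUTBOUND = [("tcp", CONTROL_PC, FILE_SERVER, 445)]

@dataclass(frozen=True)
class Packet:                 # constructed, simplified packet header
    proto: str                # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False         # True for a TCP connection attempt

class Microwall:
    """Hypothetical model of a 2-port whitelist firewall in NAT mode."""

    def __init__(self):
        # Outbound flows we have seen: (proto, remote addr, remote port, local port).
        self.conntrack = set()

    def process(self, pkt):
        """Return ("forward", translated_packet) or ("drop", reason)."""
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if src == CONTROL_PC:
            # Island -> surrounding network: must match a whitelist entry.
            for proto, s, d, port in ALLOW_OUTBOUND:
                if (pkt.proto, src, dst, pkt.dport) == (proto, s, d, port):
                    # NAT: the control computer appears as the Microwall's public address.
                    self.conntrack.add((pkt.proto, dst, pkt.dport, pkt.sport))
                    return "forward", Packet(pkt.proto, str(PUBLIC_ADDR), pkt.sport,
                                             pkt.dst, pkt.dport, pkt.syn)
            return "drop", "no whitelist rule"      # NetBIOS, DNS, NTP, WSUS ... all land here
        if dst == PUBLIC_ADDR:
            # Surrounding network -> island: only replies on tracked connections,
            # never a fresh connection attempt (the 24 open ports stay unreachable).
            if (pkt.proto, src, pkt.sport, pkt.dport) in self.conntrack and not pkt.syn:
                return "forward", Packet(pkt.proto, pkt.src, pkt.sport,
                                         str(CONTROL_PC), pkt.dport)
            return "drop", "unsolicited inbound"
        return "drop", "not addressed to this router"
```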

Step 3: Test run

A test run of several weeks now shows that the milling machine is doing its job as usual. 

Summary

With the help of MicroWall VPN, it was possible to isolate the CNC milling machine in its own network segment within a few minutes. To ensure functionality, it was enough to enter one firewall rule. A side effect was that, among other things, the NetBIOS protocols for file and printer sharing were suppressed, thus hiding the details of the milling machine behind the "Microwall".
