4. 4
Westermo Group 2020
Founded in 1975
Industry leading software and hardware
development force
Own production in Sweden with
state of the art process control
Own sales and support units in 12 key countries,
distribution partners in many others
6. 6
Resilience in computer networks is the “ability to provide and maintain an acceptable
level of service in the face of faults and challenges to normal operation.”
This is a very wide definition, as it covers everything from packet loss to complete failure
of a node or link.
Also includes the ability to defend against and respond to cybersecurity attacks, whether
malicious or unintended misconfigurations.
The more resilient a network is, the more tolerant it is to faults or errors across the
network and can maintain uptime.
Because of the wide definition, there are also a multitude of ways to improve your
network’s resilience.
Resiliency – What is it?
8. 8
One of the most straightforward ways to improve resiliency is to add redundancy
If one node or link suffers a catastrophic failure, redundant connections keep the
network running without impacting performance.
Unfortunately, not as simple as just dropping in another switch to the network!
Layer 2 protocols such as FRNT or RSTP manage ring topologies, adding extra paths to
nodes without causing debilitating Broadcast Storms.
Layer 3 protocols such as OSPF and VRRP can automatically designate a route between
networks and failover in the event of broken links.
Hardware Redundancy
9. 9
Built in functions to avoid uncontrolled broadcast storms.
Link integrity control.
Non-FRNT ports are not allowed to communicate with FRNT ports.
Default FRNT alarm signaling via SNMP, LED, Digital-Out and Syslog.
Very fast fail-over of Multicast traffic, no need to wait for IGMP timeouts.
Supports different medias fiber optic, copper and SHDSL, although fiber optic links allows for best fail-
over performance.
Extremely fast convergence time of 20ms means little impact to network in the event of a link failure.
This translates to high resilience!
Layer 2 Redundancy
FRNT
10. 10
Layer 2 Redundancy: FRNT Ring Coupling
FRNT
Master
Ring
FRNT
Sub
Ring
FRNT
Sub
Ring
FRNT
Sub
Ring
11. 11
Layer 2 Redundancy: FRNT Ring Coupling
X
X
X
FRNT
Master Ring
FRNT
Sub Ring
FRNT
Sub Ring
12. 12
Within the Network Layer, there are many options to add resiliency to a network:
RIP
OSPF
VRRP
RIP and OSPF are what are called “Dynamic Routing Protocols” which can automatically
determine best paths between networks, for automatic convergence in the event of a
network outage.
VRRP or “Virtual Router Redundancy Protocol” will automatically designate a router as a
default gateway, with multiple routers configured as backups.
Layer 3 Resiliency: Routing Protocols
14. 14
Combining Layer 2 and Layer 3 resilience functionality allows for
extremly high availablity.
FRNT Super Ring
FRNT Sub Ring FRNT Sub Ring
RiCo Node
RiCo Node RiCo Node
RiCo Node
CORE-Network
X
X
X
Link Failure
FRNT Ring Failover
Link Failure
Ring Coupling Failover X
X
Link Failure
FRNT Ring Failover
Link Failure
Ring Coupling Failover
FRNT Ring Failover
Distribution Layer,
Rack/Control rooms
Layer 3
Layer 2
XOSPF Failover OSPF Routing Protocol
16. 16
Hybrid L2/L3 Network
L2 ring topology 20-30ms
re-convergence time
L3 routing and FW at each
node creates a Zone
X Dynamic routing protocol (OSPF) used to advertise
location of subnets only, not used for re-convergence
17. 17
Efficient Routing to Minimize Network Delay
Network backbone
Router firewall Router firewall Router firewall
Messages are only ever routed twice
• Once into the backbone
• Second time when leaving backbone
• Messages pass though the FW when entering and leaving the network backbone
18. 18
Multiple Zones
Backbone Fibre
ZONE 1
10.10.10.0/28
ZONE 2
10.20.20.0/28
Traffic cannot pass
between zones
unless it is allowed
to do so
XObject controller
/smart IO
19. 19
Maintainer’s Sandbox Connection
Backbone Fibre
ZONE 1
10.10.10.0/28
ZONE 2
10.20.20.0/28
Traffic cannot pass
between zones
unless it is allowed
to do so
XObject controller
/smart IO
ZONE 3
192.20.20.0/28
Maintainers sandbox entry point,
access to network is FW, if 802.1x
configured only valid
users/machines can join the
network
21. 21
Getting Control of the Assets
Using common UN and PW are an open
door to cyber actors
Maintainers leave taking the common
credentials with them
Almost impossible to change UN and PW
across a large user population
Maintaining a large user DB on each
device is equally difficult
Solution is to use RADIUS or TACACS+
User Authentication
Effort required initially, much tighter
control and lower ownership cost long-
term
Authentication
server