BrianSekleckiGE
Beginner

IE2000/IE3000/IE4000 Question: ACLs for ProfiNet or Ethernet/IP CIP (Control Plane)

All:

 

Given the recent security advisories on the IE3000/IE4000/IE2000:

One might ask: when can we expect to see an IP/Ethernet (MAC) ACL available to restrict communications with the CIP / EtherNet/IP and/or ProfiNet functions (which run on the control plane)?

 

There isn't always a stateful firewall between untrusted clients and switch management SVIs/BVIs. This would be a prudent feature addition in today's security landscape?


~BAS

3 REPLIES
Albert Mitchell
Cisco Employee

Brian,

I don't fully understand the request.

You're asking about security on the control plane for industrial protocols, and not the data plane? Where control plane for an Ethernet switch is traffic that terminates on or originates from the CPU of the switch.

Profinet & CIP are just data to an IE switch.

 

If you want to use security ACLs on an Ethernet interface to impact the forwarding of industrial protocols between interfaces on an IE switch, you can do that today.

The recent vulnerabilities / CVEs appear to affect the control plane implementation of CIP (where CIP/EtherNet/IP tags in a Rockwell environment are enumerated from Cisco IOS[-XE] internal data structures).

 

Reference:

https://www.securityweek.com/rockwell-industrial-switches-affected-more-vulnerabilities-cisco-software

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170201-psc1

 

https://www.cvedetails.com/cve/CVE-2017-3812/

 

 

Brian,

Back to your original question. The CIP and/or Profinet protocols on the IE switches are used to manage the switch as part of a larger solution. If the IE switch is deployed in a network using CIP, then it may be desirable for a CIP management application (e.g. Studio 5000) to manage the IE switch. Same with Profinet.

Meaning, there's no point in an ACL to block CIP or Profinet on the control plane when you want them to manage the switch.

When the IE switch is deployed in a scenario not using CIP or Profinet, or you do not want the CIP or Profinet protocol to have access to the switch's control plane, then disable those features on the switch. With those features disabled, the management plane vulnerabilities are not exposed. When CIP is disabled, the security password is not exposed; there is no security password to view.

 

If you do need to use CIP or Profinet and want to prevent the documented exposure, then you'll need to update the SW version.

1. "CSCvu58224 Privilege escalation from 1 to 15 using CIP": this has been fixed in the most recent releases. 17.3.3, 17.4.1 and 17.5.1 have a fix. If you cannot update IOS-XE SW versions, then remove users with read-only privileges, which is what priv level 1 means.

2. A CIP denial of service was found to occur in IE2000/IE3000. It's been fixed in 15.2.7 and later releases.

 

I may not have covered all the issues. I hope you get the point. If you're still confused, just reply. I'll look for it.
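The reply above describes two controls: interface (data-plane) ACLs that can already drop industrial-protocol traffic, and disabling the CIP/Profinet features when the switch is not managed through them. The configuration sketch below is an added example, not from the thread or from Cisco documentation, and should be checked against the command reference for your IE release. Interface names, VLAN numbers and the engineering-station subnet 10.10.0.0/24 are assumed for illustration. The port numbers are the ODVA-registered EtherNet/IP ports (TCP/UDP 44818 for explicit messaging, UDP 2222 for implicit I/O); Profinet RT is not IP at all but is carried in Ethernet frames with EtherType 0x8892, so an IP ACL never sees it and a MAC ACL is needed.

```ios
! Added example (not part of the thread). Interface, VLAN and address values are assumed.
!
! --- Case 1: the switch is NOT managed over CIP or Profinet: turn the features off.
!     With CIP disabled there is no CIP security password to expose; with Profinet
!     disabled the Profinet control-plane handler is not reachable at all.
interface Vlan1
 no cip enable
!
no profinet
!
! --- Case 2: CIP management is wanted, but only from the engineering subnet.
!     Extended IP ACL applied inbound on untrusted access ports (port ACL, data plane).
ip access-list extended BLOCK-CIP-FROM-UNTRUSTED
 remark assumed engineering/management subnet 10.10.0.0/24 may speak EtherNet/IP
 permit tcp 10.10.0.0 0.0.0.255 any eq 44818
 permit udp 10.10.0.0 0.0.0.255 any eq 44818
 permit udp 10.10.0.0 0.0.0.255 any eq 2222
 remark everyone else is denied EtherNet/IP explicit and implicit messaging
 deny   tcp any any eq 44818
 deny   udp any any eq 44818
 deny   udp any any eq 2222
 permit ip any any
!
! Profinet RT/DCP frames use EtherType 0x8892; match the EtherType in a MAC ACL.
mac access-list extended BLOCK-PROFINET
 deny   any any 0x8892 0x0
 permit any any
!
interface GigabitEthernet1/1
 description untrusted access port (assumed)
 ip access-group BLOCK-CIP-FROM-UNTRUSTED in
 mac access-group BLOCK-PROFINET in
!
! Verification after applying:
!   show access-lists                         (hit counters on the deny lines)
!   show running-config | include cip|profinet (confirm which features are enabled)
```

Two caveats a practitioner should keep in mind. First, these are port ACLs on the ingress interface; they drop matching frames before forwarding, which is what the reply means by data-plane filtering, but they are not a control-plane ACL and do not change what the switch CPU accepts from ports where no ACL is applied (uplinks, trunks), so every untrusted ingress port needs the ACL. Second, when CIP or Profinet is in use for managing the switch, the reply is explicit that the software update is the fix; the ACL only narrows which sources can reach the vulnerable handler.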
