Niagara Release 2.3
Revised: May 22, 2002
Niagara Networking & Connectivity Guide
Chapter 6 Using Security Technologies
Security Considerations
6–2
Another common point of attack for Internet hosts is the web server that runs on
many Internet hosts (including Niagara hosts). However, our web server
implementation is proprietary and not subject to the well-advertised attacks on
Microsoft Internet Information Server and the Apache HTTP Server.
The following security suggestions are provided to help you secure Niagara hosts
when connecting them to the Internet. You should evaluate the suggestions to see if
they are applicable for each job that you architect.
Note: Many of these suggestions are also good guidelines for connecting hosts even in a
LAN/WAN or direct-dial environment. Anyone with physical (or network) access to
a host can be considered a security threat. You may want to consider implementing
some of these, regardless of Internet connectivity.
General Guidelines
• Architect a LAN/WAN-only or LAN/WAN plus direct-dial solution—The
most obvious way to protect hosts is to avoid connecting them to the Internet
at all. However, that limits connectivity from other hosts already connected to
the Internet (typically BUI users or other Niagara hosts).
• Implement a firewall between your Niagara host and the rest of the
Internet community—Firewalls provide a barrier between the Internet
community and protected hosts. For more information, see the “Using a
Firewall or Proxy Device” section on page 6-4.
• Implement a VPN between Niagara hosts—See “Using a Virtual Private
Network,” page 6-23.
• Implement strong passwords on each Niagara host and station—
Implementing strong passwords may prevent an attacker from guessing a
Niagara host or station password. See “Creating a Strong Password,” page 6-3.
• Change the default administrator password or establish a new
administrator account on each host and delete or disable the default one
that ships with the product—Each JACE ships with at least one default host
administrator user name and password (typically tridium/niagara). If you do
not change or disable this account, any person familiar with our software can
gain administrative access to the host.
Caution: If you change the password (or create a new account and disable the default),
be sure to record your changes and store them in a place where you (and your
colleagues) can find them again. If you forget or lose the name or password,
you must ship the unit back for recovery.
• Change the default HTTP port (and other ports)—Changing server-side
ports keeps out novice attackers, but may not stop more sophisticated ones. See
“Default Niagara Port Numbers,” page 6-7 and “Changing Niagara Default
Ports,” page 6-9.
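
The guidelines above can be checked against a site inventory before a job is commissioned. The following Python script is an added example, not part of the Niagara guide or of Tridium's software. The `Host` record, its field names, the sample hosts, the grading of findings and the default HTTP port of 80 are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: 80 is the standard HTTP port; confirm the product default in the
# guide's "Default Niagara Port Numbers" table.
DEFAULT_HTTP_PORT = 80
DEFAULT_ADMIN = "tridium"  # default host administrator name given in the text


@dataclass
class Host:  # hypothetical inventory record, not a Niagara data structure
    name: str
    internet_facing: bool
    behind_firewall: bool
    uses_vpn: bool
    http_port: int
    enabled_admins: tuple           # administrator account names still enabled
    default_password_changed: bool
    credentials_recorded: bool      # changes stored where colleagues can find them


def audit(host):
    """Return the guideline violations found for one host."""
    findings = []
    default_active = DEFAULT_ADMIN in host.enabled_admins
    if default_active and not host.default_password_changed:
        findings.append("default administrator account keeps its shipped password")
    # The Caution: changed or replaced credentials must be written down.
    if (host.default_password_changed or not default_active) \
            and not host.credentials_recorded:
        findings.append("changed credentials are not recorded")
    if host.internet_facing and not (host.behind_firewall or host.uses_vpn):
        findings.append("Internet-facing with neither firewall nor VPN")
    if host.internet_facing and host.http_port == DEFAULT_HTTP_PORT:
        findings.append("HTTP on default port (only deters novice attackers)")
    return findings


# Constructed sample inventory; field order follows the Host definition.
INVENTORY = [
    Host("jace-lobby", True, False, False, 80, ("tridium",), False, False),
    Host("jace-plant", True, True, False, 8080, ("siteadmin",), True, True),
    Host("jace-roof", False, False, False, 80, ("tridium",), True, False),
]


def audit_all(inventory):
    return {h.name: audit(h) for h in inventory}


if __name__ == "__main__":
    for name, findings in audit_all(INVENTORY).items():
        print(name, findings or "OK")
```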