25
industrial communications handbook 2016
For instance, RADIUS and the IEEE 802.1X (port-based network access control) standard work together to authorise any laptop plugged into a network switch. Until the user responds with the correct username and password, no networking data is allowed to travel between that laptop and the rest of the network. This authentication process sends authorisation information back to the switch, which states what devices the laptop can communicate with on the network.
This type of functionality can be taken a step further with the use of a Secure Access Management (SAM) system. Such a system can take over much of the AAA functionality and provide extra security, logging and access control features. Some SAM systems are able to monitor devices attached to the network and send an alert if the configuration of a unit changes (as compared with a verified, user-created configuration) or if its firmware becomes out of date. These systems generally provide an authentication management system, which allows users to keep a single username/password combination to log onto the SAM system, which then controls the user's access to end devices on the network. This means that users are not able to access irrelevant end devices at all, whether intentionally or accidentally. A misconfiguration of an end device can quickly and easily be identified by network engineers and rectified with minimal effort, as the SAM keeps track of any changes made. These systems not only protect the network against possible security threats, but can also increase productivity and facilitate proper time management by removing or automating many of the steps required to maintain a network and the attached devices.
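The configuration and firmware monitoring that a SAM performs, as an added example that is not code from the handbook or from any particular SAM product: each device's observed configuration is compared with its verified baseline, and its firmware version is checked against a minimum. The device names, configuration keys and version numbers are constructed sample data.

```python
"""Baseline drift and firmware-age checks of the kind a SAM system raises
alerts for. All device data below is constructed for this example."""
from dataclasses import dataclass


@dataclass
class Alert:
    device: str
    kind: str     # "config-changed", "firmware-outdated" or "unreachable"
    detail: str


def parse_version(v: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically,
    not lexically (so 2.10 sorts after 2.9). Non-digit suffixes are dropped."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def config_drift(baseline: dict, observed: dict) -> list:
    """List every key whose value differs from the verified baseline,
    including keys that were added to or removed from the device."""
    changed = []
    for key in sorted(set(baseline) | set(observed)):
        if baseline.get(key) != observed.get(key):
            changed.append(f"{key}: {baseline.get(key)!r} -> {observed.get(key)!r}")
    return changed


def audit_devices(verified: dict, observed: dict, min_firmware: str) -> list:
    """Compare each verified device with what was seen on the network."""
    alerts = []
    for name, base in verified.items():
        cur = observed.get(name)
        if cur is None:
            alerts.append(Alert(name, "unreachable", "device not seen on network"))
            continue
        drift = config_drift(base["config"], cur["config"])
        if drift:
            alerts.append(Alert(name, "config-changed", "; ".join(drift)))
        if parse_version(cur["firmware"]) < parse_version(min_firmware):
            alerts.append(Alert(name, "firmware-outdated",
                                f"{cur['firmware']} is below {min_firmware}"))
    return alerts


# Constructed sample data: verified baselines and a later network scan.
VERIFIED = {
    "sw-cell-1": {"config": {"mgmt_vlan": 10, "port_security": "enabled"}},
    "sw-cell-2": {"config": {"mgmt_vlan": 10, "port_security": "enabled"}},
}
OBSERVED = {
    "sw-cell-1": {"firmware": "2.4.1", "config": {"mgmt_vlan": 10, "port_security": "disabled"}},
    "sw-cell-2": {"firmware": "2.3.9", "config": {"mgmt_vlan": 10, "port_security": "enabled"}},
}
MIN_FIRMWARE = "2.4.0"

if __name__ == "__main__":
    for a in audit_devices(VERIFIED, OBSERVED, MIN_FIRMWARE):
        print(f"[{a.kind}] {a.device}: {a.detail}")
```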
Access control technologies start to bridge the gap between physical and logical security. With physical security, the concern is people accessing the devices that make up the network and the cables interconnecting those devices. With logical security, the need is to secure the data itself. Ethernet and distributed networking offer a multitude of benefits to industrial communications systems; however, as they expand they become harder to secure, especially from a physical standpoint. At some point a secure network eventually connects to a less secure—or unsecure—network, such as an uplink to a corporate office for performance monitoring or an internet connection for remote access and control. For this reason, a combination of policies and physical and logical security is needed on a mission-critical control or production network.