Cybersecurity for Claroty (Dell Validated Design for Manufacturing Edge - Design Guide with 5 Independent Software Vendors)
Keep in mind that implementing security features, like encryption or proxying, can have an effect on system performance.
The following settings have been validated on CTD version 4.6. Testing was done with CTD running on ClarotyOS. If users are deploying CTD software on existing RHEL or CentOS deployments, it is highly recommended to run the OS hardening scripts provided by Claroty. More information on this can be found in the Hardening section of the Claroty CTD Administration Guide.
openssl req -newkey rsa:2048 -nodes -keyout <key-name>.key -out <csr-name>.csr
ctd logs search-all <test user 1 username>
ctd logs search-all <test user 2 username>
time show local
Upgrade and update EMC first, prior to CTD, in a connected scenario.
The following settings have been validated on SRA version 3.5. Testing was done with SRA running on CentOS 7.9. It is highly recommended to run the OS hardening scripts provided by Claroty. More information on this can be found in the Appendix: Hardening section of the Claroty SRA Installation Guide.
# Generate a 4096-bit RSA key and a CSR that carries a subjectAltName (SAN) extension
mkdir -p /tmp/ssl
openssl genrsa -out /tmp/ssl/ssl.key 4096
# <Subject Alternative Name> is the DNS name clients will use to reach the SRA Site
openssl req -new -key /tmp/ssl/ssl.key -out /tmp/ssl/ssl.csr -sha256 -reqexts SAN -config <(cat /etc/pki/tls/openssl.cnf; printf "[SAN]\nsubjectAltName=DNS:<Subject Alternative Name>")
# Once the CSR has been signed by your CA and saved as /tmp/ssl/ssl.crt, install the certificate and key for the SRA web worker
cp /tmp/ssl/ssl.crt /tmp/ssl/ssl.key /etc/icsra/workers/web/
systemctl restart icsra
For guidance on how to configure AD FS to integrate with SRA over SAML 2.0, see the Configure AD FS to support SSO over SAML 2.0 section.
Helpful tip: Information on the IdP can be found in the XML metadata file. For example, this metadata file can be obtained from AD FS by browsing to https://<FQDN>/federationmetadata/2007-06/federationmetadata.xml.
server <IP/FQDN of NTP server> iburst prefer
systemctl restart chronyd
chronyc tracking
The following settings have been validated on the xDome analysis server dashboard.
| CATEGORY | ACTION | DETAILS | USER |
| --- | --- | --- | --- |
| Dashboard Users | User Logged In | User logged in | <username> |
| Dashboard Users | User's Role Changed | User <username> was changed to role <Role name> | <admin username> |
The following Claroty IDMZ architecture and security validation have been tested on CTD version 4.6.
EMC is used to manage the connections of multiple CTD Servers and CTD Sensors. For the DVD security architecture, EMC is validated to run on the enterprise/IT network and manages CTD instances residing in the IDMZ network, while CTD Sensors are hosted on the OT network to collect OT data closer to the edge. CTD Sensors connect and send data to the CTD Server in the IDMZ; the CTD Server in turn connects to the EMC on the IT network, where its data is aggregated.
| Description | Source network | Source device | Destination network | Destination device | Port | Application |
| --- | --- | --- | --- | --- | --- | --- |
| Allow CTD Sensor on OT network to connect and send OT data to CTD in the IDMZ. | OT | CTD Sensor (1) | IDMZ | CTD Server (2) | TCP 22 | SSH |
| Allow CTD Server within IDMZ to connect to EMC on the IT network. | IDMZ | CTD Server (2) | IT | EMC (3) | TCP 443 | SSL/TLS |
The following Claroty SRA architecture and security validation have been tested with SRA version 3.5.
SRA SAC connects to SRA Sites. SRA SAC uses SRA Sites to establish connections to target servers on the OT network. For the DVD recommended security architecture, the SRA Site is hosted in the IDMZ network. This creates a proxied connection between the SRA SAC and the target server in the OT network. These rules validate the initial connection and registration process between SRA SAC and SRA Site followed by the rules required to allow continued communications.
| Description | Source network | Source device | Destination network | Destination device | Port | Application |
| --- | --- | --- | --- | --- | --- | --- |
| SRA Site registration to the SRA SAC hosted in the IT network.¹ | IDMZ | SRA Site (2) | IT | SRA SAC (3) | TCP 9301, TCP 22 | SSH, Web browsing |
| SRA Site to SRA SAC connection for continued communications. | IDMZ | SRA Site (2) | IT | SRA SAC (3) | TCP 22 | SSH |
The actual connection to the OT devices is done from the SRA Site. To securely implement this, the IDMZ firewall should only allow the required ports and protocols for the remote session type (example: RDP) between OT device and SRA Site. Also, SRA Sites allow SFTP connections to upload files. These rules validate OT devices uploading files securely using SFTP to SRA Site on the IDMZ network. Lastly, there may be use cases where OT devices will also access the SRA Site.
| Description | Source network | Source device | Destination network | Destination device | Port | Application |
| --- | --- | --- | --- | --- | --- | --- |
| SRA Site to target OT device using supported remote session protocols.¹ | IDMZ | SRA Site (2) | OT | OT Device (example: Engineering workstation) (1) | As required by the remote session protocol | Remote session (example: RDP) |
| Allow OT device to upload files to SRA Site. | OT | OT Device (1) | IT | SRA Site (2) | TCP 2222 | SSH |
| Allow OT devices to access SRA Site web user interface. | OT | OT Device (1) | IDMZ | SRA Site (2) | TCP 443 | SSL |
The following Claroty xDome architecture and security validation have been tested with xDome Collector and Analysis Server.
xDome is made up of two main components. One component is the Collector, which resides on the plant floor and collects data about the network and assets through means such as passively collecting network traffic or integrating with on-premises devices. Within this recommended architecture, another collector server acts as a proxy to securely route traffic from OT to the IDMZ, and then to the analysis server hosted in the cloud. The analysis server is also known as the dashboard, where users see the processed plant floor data translated into assets, risks, vulnerabilities, threats, and so on. Lastly, the Claroty Edge component is another method to collect data on the plant floor and is designed to securely send data directly to the Cloud instance. Communications between components are carried over secure tunnels.
| Description | Source network | Source device | Destination network | Destination device | Port | Application |
| --- | --- | --- | --- | --- | --- | --- |
| Allow OT Collector to send traffic to Proxy Collector hosted in the IDMZ network. | OT | Collector (2) | IDMZ | Proxy Collector (3) | TCP 8443, TCP 8444 | HTTP-Proxy, Web-browsing, SSL |
| Allow Proxy Collector to connect to and send data up to the Analysis Server hosted in the cloud. | IDMZ | Proxy Collector (3) | External¹ | Analysis Server (4)² | TCP 443 | SSL |
| Allow Claroty Edge to send data to proxy server hosted in the IDMZ network.³ | OT | Claroty Edge | IDMZ | Proxy | TCP 3128 | HTTP-proxy, SSL/TLS, Web-Browsing |
| Allow proxy server to forward connection from Claroty Edge to analysis server. | IDMZ | Proxy | External | Analysis server | TCP 443 | SSL/TLS |
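The CTD, SRA and xDome rule tables above all express the same segmentation model: every cross-zone flow terminates in the IDMZ, and only the listed device pairs and ports are permitted. The following added example (not from the Dell guide or from Claroty) transcribes those validated rules into a default-deny allow-list, evaluates candidate flows against it, and checks the invariant that no rule lets OT reach IT or External directly. The `check_flow` and `segmentation_violations` helpers, the rule encoding and the sample flows are constructed here; the SRA Site is placed in the IDMZ as the SRA architecture description states.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One validated allow rule; ports is a set of (proto, port) pairs."""
    src_net: str
    src_dev: str
    dst_net: str
    dst_dev: str
    ports: frozenset


# Validated allow rules transcribed from the CTD, SRA and xDome tables.
RULES = (
    Rule("OT", "CTD Sensor", "IDMZ", "CTD Server", frozenset({("tcp", 22)})),
    Rule("IDMZ", "CTD Server", "IT", "EMC", frozenset({("tcp", 443)})),
    Rule("IDMZ", "SRA Site", "IT", "SRA SAC", frozenset({("tcp", 9301), ("tcp", 22)})),
    Rule("OT", "OT Device", "IDMZ", "SRA Site", frozenset({("tcp", 2222), ("tcp", 443)})),
    Rule("OT", "Collector", "IDMZ", "Proxy Collector", frozenset({("tcp", 8443), ("tcp", 8444)})),
    Rule("IDMZ", "Proxy Collector", "External", "Analysis Server", frozenset({("tcp", 443)})),
    Rule("OT", "Claroty Edge", "IDMZ", "Proxy", frozenset({("tcp", 3128)})),
    Rule("IDMZ", "Proxy", "External", "Analysis Server", frozenset({("tcp", 443)})),
)


def check_flow(src_net, src_dev, dst_net, dst_dev, proto, port, rules=RULES):
    """Evaluate one candidate flow. Returns (allowed, reason); any flow that no
    rule explicitly permits is denied (default deny, as the IDMZ firewall should)."""
    for r in rules:
        if (r.src_net, r.src_dev, r.dst_net, r.dst_dev) != (src_net, src_dev, dst_net, dst_dev):
            continue
        if (proto.lower(), port) in r.ports:
            return True, f"allowed by rule {r.src_dev} -> {r.dst_dev} {proto}/{port}"
        return False, f"{proto}/{port} is not a validated port for {r.src_dev} -> {r.dst_dev}"
    return False, "no matching rule (default deny)"


def segmentation_violations(rules=RULES):
    """Rules that let the OT network reach IT or External directly, bypassing
    the IDMZ. For the validated set this must be empty."""
    return [r for r in rules if r.src_net == "OT" and r.dst_net in ("IT", "External")]


if __name__ == "__main__":
    # Constructed sample flows: a validated path, one that skips the IDMZ,
    # and one that uses the right devices but a port the tables do not list.
    for flow in [("OT", "CTD Sensor", "IDMZ", "CTD Server", "tcp", 22),
                 ("OT", "CTD Sensor", "IT", "EMC", "tcp", 443),
                 ("OT", "OT Device", "IDMZ", "SRA Site", "tcp", 22)]:
        print(flow, check_flow(*flow))
    print("segmentation violations:", segmentation_violations())
```

Use the same function to review a proposed rule change before it reaches the firewall: any new rule that `segmentation_violations` reports is one that bypasses the IDMZ.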