
Ask Slashdot: How Best To Disconnect Remote Network Access?

An anonymous reader writes "Is there a device to automatically disconnect network or otherwise time limit a physical connection to a network? The why? We are dealing with a production outage of large industrial equipment. The cause? The supplier, with no notice, remotely connected to the process control system and completely botched an update to their system. We are down and the vendor is inept and not likely to have us back to 100% for a few days. Obviously the main issue is that they were able to do this at all, but the reality is that IT gets overridden by the Process Control department in a manufacturing business. They were warned about this and told it was a horrible idea to allow remote access all the time. They were warned many times to leave the equipment disconnected from remote access except when they were actively working with the supplier. Either they forgot to disconnect it or they ignored our warnings. The question is, is there a device that will physically disconnect a network connection after a set time? Yes, we could use a Christmas tree light timer hooked up to a switch or something like that, but I want something more elegant. Something with two network jacks on it that disconnects the port after a set time, or even something IT would have to log in to and enable the connection and set a disconnect timer would be better than nothing. As we know, process control workers and vendors are woefully inept/uneducated about IT systems and risks and repeatedly make blunders like connecting process control systems directly to the internet, using stock passwords for everything, not installing antivirus on Windows-based control computers, etc. How do others deal with controlling remote access to industrial systems?"
  • Firewall rules help. (Score:5, Informative)

    by Anonymous Coward on Friday June 07, 2013 @11:17PM (#43943495)

    iptables lets you specify times if you're using a Linux box as the firewall, otherwise consult the fine manual that came with your equipment or consult a professional with said equipment. This is bog standard.

  • by Pubstar ( 2525396 ) on Friday June 07, 2013 @11:27PM (#43943575)
    This. I just got my CCNA and I knew ages ago that there is a time out option in the GUI settings for most Cisco gear. I can't remember the CLI commands, but if I can do it with almost no field experience, the OP should be able to too.
  • by Loudog ( 9867 ) <loudog&doghaus,org> on Saturday June 08, 2013 @02:19AM (#43944273) Homepage

    Ignore the haters, they don't understand the politics for this. I used to design industrial Ethernet networks for a large vendor, and we spent quite a bit of time pointing out to customers how dangerous the direct lines were. However, IT departments have very little say over manufacturing networks. This isn't always a bad thing (see the many IT/help desk horror stories). Because the remote access is often required as part of the maintenance contract, offer to partner with manufacturing to install a small firewall with access filters that are controlled by IT, but set (requested) by manufacturing.

    A small Cisco ASA, Juniper SRX or its like will do the job nicely, and can shield you from hack attempts along that access path.

  • Re:Get another job? (Score:5, Informative)

    by msauve ( 701917 ) on Saturday June 08, 2013 @07:35AM (#43945209)
    Or use this job

    crontab:

    #turn off at 5 PM everyday
    00 17 * * * /usr/bin/snmpset -v 2c -c private ethernetswitch.example.com IF-MIB::ifAdminStatus.<portnum> i down

    #turn on at 9AM weekdays
    00 9 * * 1-5 /usr/bin/snmpset -v 2c -c private ethernetswitch.example.com IF-MIB::ifAdminStatus.<portnum> i up
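
Added example, not part of any comment above: the iptables time match mentioned in the first comment, used for the submitter's "IT enables the connection and sets a disconnect timer" request. It assumes a Linux firewall forwarding between the vendor link and the process control network; the addresses are constructed documentation values, and the function names and the 8-hour cap are hypothetical.

```shell
#!/bin/sh
# Added example: build iptables rules for a time-boxed vendor access window.
# Nothing is applied here; the commands are printed so IT can review them first.

MAX_MINUTES=480   # assumed policy cap on a single window (8 hours)

# iso_utc EPOCH -> ISO 8601 "T" timestamp, the form --datestart/--datestop take.
# The time match compares against UTC unless --kerneltz is given.
# Requires a date(1) that accepts -d @EPOCH (GNU coreutils, BusyBox).
iso_utc() {
    date -u -d "@$1" +%Y-%m-%dT%H:%M:%S
}

# window_rules VENDOR_IP TARGET_IP MINUTES [START_EPOCH]
# Prints two commands:
#   1. ACCEPT vendor -> target only between start and start+MINUTES
#   2. DROP   vendor -> target at all other times
# Both go at the top of FORWARD, ahead of any general ESTABLISHED,RELATED
# accept rule, so an open vendor session is cut when the window closes.
window_rules() {
    vendor=$1 target=$2 minutes=$3 start=${4:-$(date +%s)}
    case $minutes in
        ''|0*|*[!0-9]*) echo "minutes must be a positive integer" >&2; return 1 ;;
    esac
    [ "$minutes" -le "$MAX_MINUTES" ] || {
        echo "window exceeds $MAX_MINUTES minutes" >&2; return 1; }
    stop=$((start + minutes * 60))
    printf 'iptables -I FORWARD 1 -s %s -d %s -m time --datestart %s --datestop %s -j ACCEPT\n' \
        "$vendor" "$target" "$(iso_utc "$start")" "$(iso_utc "$stop")"
    printf 'iptables -I FORWARD 2 -s %s -d %s -j DROP\n' "$vendor" "$target"
}

# Constructed sample: vendor 203.0.113.10 may reach controller 10.20.0.5
# for 90 minutes starting now.
window_rules 203.0.113.10 10.20.0.5 90
```

Once the stop time passes, the ACCEPT rule no longer matches and the DROP rule beneath it closes the path without anyone having to remember to disconnect. Expired rules remain in the chain until deleted, so remove the old pair before opening a new window.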
