Network Architecture Overview
- Last Updated: Aug 16, 2022
- 3 minute read
By design, the various networks present in your corporate environment are secured to limit outside access and, in many cases, access between the networks. There are two basic network technologies used to limit such access: firewalls and proxies.
A firewall is mainly used to block outside access to a given network, and can restrict access based on:
- Communications over a specific protocol such as TCP or UDP
- Communications from a specific IP address, or to a specific IP address
- Communications to a specific port.
A proxy is often implemented in a corporate network to limit access to outside sites. Proxies can be configured to block access to certain domains and can inspect the contents of client requests to block specific types of content such as Java, ActiveX, or Flash.
Generally, companies will utilize both pieces of technology to secure the networks in their corporate environments. Different networks may be set up so that access to machines with strict security requirements is tightly regulated. The following diagram shows an example network architecture, based on NERC-CIP and NIST recommendations, which connects multiple networks behind firewalls and a proxy:

Below are descriptions of each component in the above diagram:
- The Control network – Hosts machines with the highest security requirements. This network operates under a unique subnet.
- Firewalls – Control inbound and outbound access at the following points:
  - (2a) – Separates the DMZ from the Control network.
  - (2b) – Separates the Business network from the DMZ.
  - (2c) – Separates the corporate environment from the internet.
  These firewalls use two IP addresses, one for each network a given firewall is connected to.
- The demilitarized zone (DMZ) – A network residing between the Control and Business networks. DMZ Secure Link can be installed here to give devices on the Control network restricted access to endpoints on the other side of the DMZ, such as the Business network or internet. For more information, see Download and use DMZ Secure Link.
- The Business network – Hosts machines with less strict security requirements. Typically, this network will host the majority of intranet traffic and company computers. This network operates on a different subnet than the one used by the Control network.
- A Proxy – Handles internet requests from machines on the Business network. Not all networks utilize a proxy. If your network does not use a proxy, be sure to uncheck "Forward to upstream proxy" when configuring DMZ Secure Link.
Send Network Requests Over DMZ Secure Link
DMZ Secure Link is an AVEVA Insight application that runs on the machine hosting the network DMZ. DMZ Secure Link listens for requests on local addresses. If the DMZ machine has multiple network interfaces, DMZ Secure Link can be configured to listen on all network interfaces, or narrowed down to a specific address and port. Incoming requests can be forwarded to a specific IP address and port.
In the example architecture, DMZ Secure Link listens for requests on 192.168.2.15:8080. Requests received by DMZ Secure Link over this IP address and port are then forwarded to the upstream proxy, which listens for requests on 10.1.1.20:8888.
AVEVA client applications on the Control network use the DMZ Secure Link IP address and port as their proxy.
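The following is an added example (not AVEVA's code) that models the segmentation described in this page as a default-deny policy: firewall rules match on the three attributes listed earlier (protocol, IP address, port), and the proxy chain is a Control-network client, then DMZ Secure Link on 192.168.2.15:8080, then the upstream proxy on 10.1.1.20:8888. The page gives only those two endpoint addresses, so the Control subnet (192.168.1.0/24), the sample client addresses, and the rule names are assumptions. Running it shows which hops each firewall would permit and confirms that a Control host cannot bypass the DMZ and reach the Business-network proxy directly.

```python
# Added example: a default-deny model of firewalls 2a/2b and the DMZ Secure Link proxy chain.
# Addresses 192.168.2.15:8080 and 10.1.1.20:8888 come from the page; the Control subnet and
# sample client addresses are ASSUMED for illustration.
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, NamedTuple

CONTROL_NET = ip_network("192.168.1.0/24")  # assumed Control network subnet

DMZ_SECURE_LINK_IP, DMZ_SECURE_LINK_PORT = ip_address("192.168.2.15"), 8080  # from the page
UPSTREAM_PROXY_IP, UPSTREAM_PROXY_PORT = ip_address("10.1.1.20"), 8888       # from the page


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


class Rule(NamedTuple):
    name: str              # firewall point from the diagram (2a or 2b), assumed naming
    src_net: IPv4Network
    dst_ip: IPv4Address
    dport: int
    proto: str


# Allow-list for firewalls 2a and 2b; any flow not listed is denied.
RULES: List[Rule] = [
    # 2a: Control hosts may reach only the DMZ Secure Link listener.
    Rule("2a:control->dmz-secure-link", CONTROL_NET,
         DMZ_SECURE_LINK_IP, DMZ_SECURE_LINK_PORT, "tcp"),
    # 2b: only the DMZ Secure Link host may reach the upstream proxy on the Business network.
    Rule("2b:dmz-secure-link->upstream-proxy", ip_network("192.168.2.15/32"),
         UPSTREAM_PROXY_IP, UPSTREAM_PROXY_PORT, "tcp"),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> str:
    """Return the name of the first allow rule matching the flow, or 'DENY' (default-deny)."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for rule in rules:
        if (src in rule.src_net and dst == rule.dst_ip
                and flow.dport == rule.dport and flow.proto == rule.proto):
            return rule.name
    return "DENY"


def trace_proxy_chain(client_ip: str, forward_to_upstream: bool = True) -> List[str]:
    """Walk a client's request hop by hop and record each firewall verdict.

    forward_to_upstream mirrors the 'Forward to upstream proxy' setting: when False,
    the chain ends at DMZ Secure Link and the second hop is not attempted.
    """
    hops: List[str] = []
    first = Flow(client_ip, str(DMZ_SECURE_LINK_IP), DMZ_SECURE_LINK_PORT)
    verdict = evaluate(first)
    hops.append(f"{first.src} -> {first.dst}:{first.dport} [{verdict}]")
    if verdict == "DENY" or not forward_to_upstream:
        return hops
    second = Flow(str(DMZ_SECURE_LINK_IP), str(UPSTREAM_PROXY_IP), UPSTREAM_PROXY_PORT)
    verdict = evaluate(second)
    hops.append(f"{second.src} -> {second.dst}:{second.dport} [{verdict}]")
    return hops


if __name__ == "__main__":
    # Assumed Control-network client 192.168.1.10 going out through the chain.
    for hop in trace_proxy_chain("192.168.1.10"):
        print(hop)
    # The same client trying to skip the DMZ and talk to the Business proxy directly.
    print(evaluate(Flow("192.168.1.10", "10.1.1.20", 8888)))
```

The rules are deliberately narrow: firewall 2a admits only traffic aimed at the DMZ Secure Link listener, and 2b admits only the DMZ Secure Link host itself toward the upstream proxy, so a Control host that is misconfigured to point straight at 10.1.1.20:8888 is denied rather than silently bypassing the DMZ.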
