When you can't see the forest for the domains: why a two forest model should be used to achieve logical segregation between SCADA and corporate networks
Document Type
Conference Proceeding
Publisher
School of Computer and Information Science, Edith Cowan University
Place of Publication
Perth, Western Australia
Faculty
Faculty of Computing, Health and Science
School
School of Computer and Security Science / Centre for Security Research
RAS ID
8592
Abstract
The increasing convergence of corporate and control systems networks creates new challenges for the security of critical infrastructure. Connecting what was traditionally an isolated network to a corporate network that is usually Internet-enabled is now unavoidable, but segregation between the two must still be maintained. One such challenge is how to configure an Active Directory environment so that the required data can be exchanged while the security goal of separating the two networks is preserved. This paper argues that while separate domains may seem to achieve this goal, a domain is not a security boundary (administrative control of any one domain in a forest can be extended to the whole forest), and so separate domains do not effectively segregate the networks. A more secure and robust barrier can be created by deploying separate forests, which still allows a one-way trust relationship to be established between the two forests for authentication and data exchange. The paper concludes that there is no loss of functionality or communication through the use of two forests, but there is a loss of security if only one is used.
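The two-forest design described in the abstract, as an added worked example by the editor (not code from the paper or its authors): it creates the local half of a one-way forest trust with the .NET Forest class, keeps SID filtering on, turns on selective authentication, and then checks the resulting trust object with Get-ADTrust. Forest names corp.example and scada.example are hypothetical, and the trust direction (corporate forest trusts the SCADA forest, so SCADA service accounts can be granted access to corporate resources while no corporate account is trusted inside the SCADA forest) is an assumed design choice that the paper does not specify; swap the parameters to run it the other way.

```powershell
<#
  Added example (editor's, not the paper's): establish and verify a one-way forest trust
  between a corporate forest and a SCADA forest.

  Assumptions (all hypothetical):
    - corp.example is the trusting forest, scada.example the trusted forest. Only SCADA
      accounts can be granted access to corporate resources; corporate accounts get nothing
      in the SCADA forest.
    - Run on a domain controller of the trusting forest as an Enterprise Admin, with DNS
      name resolution for the other forest already configured. The SCADA administrators
      create their inbound half separately with the same trust password.
    - The ActiveDirectory PowerShell module (RSAT) is available.
#>
param(
    [string]$TrustingForest = 'corp.example',   # hypothetical
    [string]$TrustedForest  = 'scada.example'   # hypothetical
)

Import-Module ActiveDirectory

function New-OneWayForestTrust {
    param([string]$Local, [string]$Remote, [securestring]$TrustPassword)

    $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Local)
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

    # Decode the shared trust password only for the duration of the call, then wipe it.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($TrustPassword)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
        # Outbound = this forest is the trusting side: accounts from $Remote may be granted
        # access here, never the reverse. Creating only the local half means no credentials
        # for the other forest are ever handled on this side.
        $forest.CreateLocalSideOfTrustRelationship(
            $Remote,
            [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound,
            $plain)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    # Hardening that makes the forest boundary meaningful:
    #  - SID filtering blocks SID-history injection from the trusted forest.
    #  - Selective authentication gives trusted-forest accounts no access at all until
    #    "Allowed to Authenticate" is granted on a specific computer object.
    $forest.SetSidFilteringStatus($Remote, $true)
    $forest.SetSelectiveAuthenticationStatus($Remote, $true)
}

function Test-OneWayForestTrust {
    param([string]$Local, [string]$Remote)

    $t = Get-ADTrust -Server $Local -Filter "Target -eq '$Remote'"
    if (-not $t) { throw "No trust to $Remote found in $Local" }

    # Each property should be $true; a $false here is a finding to fix before go-live.
    [pscustomobject]@{
        Target          = $t.Target
        IsForestTrust   = ($t.ForestTransitive -eq $true)
        IsOneWay        = ($t.Direction -ne 'BiDirectional')
        SidFilteringOn  = ($t.SIDFilteringForestAware -eq $true)
        SelectiveAuthOn = ($t.SelectiveAuthentication -eq $true)
    }
}

$pw = Read-Host -AsSecureString "Trust password (agreed out of band with the $TrustedForest admins)"
New-OneWayForestTrust  -Local $TrustingForest -Remote $TrustedForest -TrustPassword $pw
Test-OneWayForestTrust -Local $TrustingForest -Remote $TrustedForest | Format-List
```

The SCADA side completes the trust by calling CreateLocalSideOfTrustRelationship with TrustDirection::Inbound and the same password. Test-OneWayForestTrust is worth keeping as a scheduled check on both forests: a trust that has quietly become bidirectional, or has had SID filtering or selective authentication switched off, collapses the segregation the two-forest model was built to provide.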
DOI
10.4225/75/57a7f28c9f481
Access Rights
free_to_read
Comments
Woodward, A., & Turner, B. (2009). When You Can't See the Forest for the Domains: Why a Two Forest Model Should be Used to Achieve Logical Segregation Between SCADA and Corporate Networks. In Proceedings of the 10th Australian Information Warfare and Security Conference. Edith Cowan University, Perth, Western Australia.