NiagaraAX security considerations
Any host connected to the Internet is vulnerable to attacks by someone else in the Internet community. This is especially true of any host that stays connected to the Internet virtually full time. NiagaraAX hosts that may be vulnerable include:
- Any NiagaraAX host connected to a company’s LAN and which has a public IP address.
- Any NiagaraAX host directly connected to an ISP and which has a public IP address.
- NiagaraAX devices function as proprietary web servers, not typical client machines. As part of normal station operations, they do not download any files. However, you may want to install virus protection on an AXSupervisor PC if it is also used for other (non-NiagaraAX) functions.
- The NiagaraAX framework does not use the Microsoft IIS server. Instead, it uses a pure Java web server developed by Tridium, which eliminates many of the security holes associated with the Microsoft IIS server. The Fox protocol is a proprietary HTTP protocol, which makes it highly unlikely that someone could hack the system without reverse engineering the product.
Typically, Win32-based hosts are more vulnerable than QNX-based hosts. This is a function of two factors:
- In Windows, many access points are open by default that attackers can exploit. In contrast, the QNX OS has fewer access points enabled by default.
- The Windows OS itself is far more widespread. Because the QNX OS is less common, fewer people have taken the time to work out how to attack it.
Another common point of attack for Internet hosts is the web server that runs on many Internet hosts (including NiagaraAX hosts). However, the NiagaraAX web server implementation is proprietary and not subject to the well-advertised attacks on Microsoft Internet Information Server and the Apache HTTP Server.
The following security suggestions are provided to help you secure NiagaraAX hosts when connecting them to the Internet. You should evaluate the suggestions to see if they are applicable for each job that you architect.
Note: Many of these suggestions are also good guidelines for connecting hosts even in a LAN/WAN or direct-dial environment. Anyone with physical (or network) access to a host can be considered a security threat. You may want to consider implementing some of these, regardless of Internet connectivity.
Copyright © 2000-2014 Tridium Inc. All rights reserved.