The topic of Security with respect to the JNIOR came up in a meeting yesterday. Most of you know that the Series 3 JNIOR handles MODBUS by default but that with Series 4 you have to enable it. I am not sure that you know that this is because MODBUS does not require a login and represents a huge security vulnerability. Correct me if I am wrong, but I believe MODBUS is only required with GDC servers.
What this means is that anyone that can get on the network with access to a JNIOR can invoke MODBUS and play havoc with the I/O.
The JNIOR does have a login feature for MODBUS; however, this requires that the server implement the custom command to handle that. Of course, if they just pull some MODBUS library from someplace, companies like GDC cannot accommodate the feature. They certainly won't if they don't realize the security aspect of this. That won't concern them unless the end-users inquire about it.
Obviously you wouldn't want to put a Series 3 on the open Internet at all. A Series 4 performs quite well on the open network; however, one assumes that MODBUS would not be enabled. If it is, they had better enable the login.
I am not a MODBUS fan. Most MODBUS implementations end up polling for status (repeatedly asking for the state of something). You can never poll fast enough given that everyone wants an immediate response to some action. That ends up being a burden on the network and the machines at either end. Consider the JMP Protocol (or legacy JNIOR protocol) which transmits a status update only when a state changes. Polling is not required.
I suppose that I can implement an IP address filter on the MODBUS connection, but that would end up creating another level of configuration confusion. And, naturally, MODBUS over a serial cable is not an issue.
I just thought I would put this out there in case security concerns you.
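As an added illustration (not part of the original post and not JNIOR code), the sketch below parses a standard Modbus/TCP request and applies the kind of source-address filter mentioned above. It shows that the 7-byte header has no credential field, so the client's IP address is the only identity a plain MODBUS listener has to go on. The allowlist address, the sample frames and the function names are constructed assumptions, and each call is assumed to receive exactly one complete frame.

```python
import ipaddress
import struct

# Standard Modbus function codes that change coils or registers.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Assumption: the only host permitted to speak MODBUS to the device (constructed).
ALLOWED_CLIENTS = [ipaddress.ip_network("192.0.2.10/32")]

# Constructed sample requests: Write Single Coil (0x05) and Read Coils (0x01).
WRITE_COIL = bytes.fromhex("000100000006010500" "00ff00")
READ_COILS = bytes.fromhex("000200000006010100" "000008")


def parse_request(frame: bytes):
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU.

    Returns (transaction_id, unit_id, function_code), or None if malformed.
    Header fields are transaction id, protocol id, length and unit id;
    none of them carries a user name, password or session token.
    """
    if len(frame) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; length counts the unit id plus the PDU bytes.
    if proto != 0 or length != len(frame) - 6:
        return None
    return tid, unit, frame[7]


def review(src_ip: str, frame: bytes) -> str:
    """Return 'malformed', 'deny', 'allow-write' or 'allow-read' for a request."""
    parsed = parse_request(frame)
    if parsed is None:
        return "malformed"
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in ALLOWED_CLIENTS):
        return "deny"  # unknown host: drop before it can touch the I/O
    # Writes from an allowed host are still worth logging separately.
    return "allow-write" if parsed[2] in WRITE_FUNCTIONS else "allow-read"


if __name__ == "__main__":
    for ip, frame in [("192.0.2.10", READ_COILS), ("192.0.2.10", WRITE_COIL),
                      ("198.51.100.7", WRITE_COIL)]:
        print(ip, parse_request(frame), review(ip, frame))
```

A filter like this narrows who can reach the I/O but does not authenticate anyone, since a source address is not a credential.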