This is Part 8 of our “25 Things to Consider when Choosing an OPC Tunneler” series. What flexibility is there in how ports are configured?
Depending on your level of knowledge regarding OPC tunneling solutions, you may or may not be aware of how a tunneler uses TCP ports for transferring data between machines. Your IT department likely gives you plenty of trouble whenever you mention needing to open a TCP port. And with good reason - cyber attacks frequently exploit commonly used TCP ports.
This blog post will outline three top reasons why it's important for an OPC tunneling solution to support fully configurable TCP ports for transferring your data.
I'm sure you're starting to see a common thread in this series of blog posts - DCOM is painful for many reasons, which is why an alternative is so desirable. Port usage and flexibility comes into play as a result. OPC relies on the Microsoft RCP service which uses Port 135. OPC Tunneling solutions rely on TCP socket connections between machines to transfer your process data.
But why does that matter? Cyber hackers also like to make use of TCP ports when designing attacks to exploit the vulnerabilities of a system. So having the ability to choose less frequently utilized TCP ports can minimize the chances that a cyber attack would be successful.
Properly designed OPC tunneling software greatly contributes to cyber security in the following ways:
- Tunneling doesn't rely on DCOM TCP/IP port 135
DCOM has no configurability when it comes to what TCP port will be used for a remote connection. Since DCOM relies on Microsoft RPC services, Port 135 is always used, as well as some other ports needing to be open for communications. As such, cyber hackers are fully aware of Port 135 and its vulnerability, making any connections that are not behind a firewall extremely risky.
- Poorly designed OPC tunnelers might hard code the TCP/IP port
Not much better than a remote DCOM connection is an OPC tunneler connection where the TCP port used for the tunnel is hard coded. Considering that the tunnel vendor would have to document which TCP port is being used for their tunnel connection, all a hacker would need to do is access the software product manual to determine which port to attack.
- Fully selectable TCP/IP ports provides the ultimate flexibility for your IT department
A well-designed OPC tunneler solution provides fully configurable TCP port settings for the tunnel connection. This allows you to work with your IT department to determine which TCP port works the best for your network architecture. Since you can define any TCP port, this makes it possible to select a port that isn't widely used and is much less likely to be the target of a cyber attack. Selectable TCP ports also allow you to avoid duplicate port usage in your system.