Security Architecture Whitepaper
This document describes the network architecture and security design of Rockwell Automation's FactoryTalk® Remote Access™ solution. It is aimed at network administrators, security auditors and decision makers, and provides a complete description of the security management and design so that they can evaluate whether FactoryTalk® Remote Access™ complies with their security standards and fits their use case scenarios.

Design Consideration
The core task of FactoryTalk Remote Access is to connect a client securely to remote devices through the Internet, which is considered an insecure network. Security is therefore paramount in every design and implementation decision, ahead of any usability aspect.

Components Architecture

Component | Description |
---|---|
FactoryTalk® Remote Access™ Runtime | The software service that runs on remote devices to allow remote access to the device itself from Frontend clients. The Runtime is available for open systems, such as Windows computers, and for closed systems, such as Rockwell Automation's industrial routers. The same security considerations apply in each case. |
Access Servers | Access Servers are a distributed, redundant set of servers that enable device connections and provide a location for clients to connect to devices. |
FactoryTalk® Remote Access™ Domain | The domain is a logical container that stores all the resources of a customer account: users, groups and devices, together with their configurations, folders, authorization rules and logs. |
Web Frontend | The interactive web client allows users to log in to their FactoryTalk® Remote Access™ organization and connect to remote devices that run the FactoryTalk® Remote Access™ Runtime. Administrative users can also use the Web Frontend to manage the security rules and the configuration of devices. Advanced functions such as VPN are achieved with applets (Tools) that can be started directly from the web browser. In this document, the Web Frontend is generically referred to as a Frontend client. |
Relay Servers | These servers are located in multiple regions and act as a public relay endpoint between the Control Center and the Runtime. They are not directly exposed and reachable through the Internet. |
FactoryTalk® Remote Access™ Web API | This API exposes the endpoints needed by the Web Frontend and the Tools applets, and provides other auxiliary facilities such as software updates. |
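To illustrate the Domain's role as the container that ties users, groups, devices, folders, authorization rules and logs together, here is an added model written for this document. It is not FactoryTalk Remote Access's own implementation: the folder layout, the rule semantics (a rule grants a group a set of actions on a folder subtree) and the sample users and devices are all assumptions. The model is default-deny and records every authorization decision in the domain log, which is the property an auditor would want to verify in the real product.

```python
"""Toy model of a FactoryTalk Remote Access style Domain (assumed model, not
the product's implementation): users, groups, devices organised in folders,
folder-scoped authorization rules, and an audit log of every decision."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class Device:
    name: str
    folder: str          # folder path inside the domain, e.g. "/plant-a/line-1"


@dataclass(frozen=True)
class Rule:
    """Grants a group a set of actions on every device in a folder subtree."""
    group: str
    folder: str
    actions: frozenset


def folder_contains(rule_folder: str, device_folder: str) -> bool:
    """True if device_folder is rule_folder itself or lies beneath it.

    The root folder "/" covers the whole domain. Matching is done on path
    components, so "/plant-a" does not accidentally match "/plant-ab".
    """
    if rule_folder == "/":
        return True
    prefix = rule_folder.rstrip("/")
    return device_folder == prefix or device_folder.startswith(prefix + "/")


@dataclass
class Domain:
    """Logical container holding one customer's users, devices, rules and logs."""
    users: Dict[str, Set[str]] = field(default_factory=dict)    # user -> groups
    devices: Dict[str, Device] = field(default_factory=dict)    # name -> device
    rules: List[Rule] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def add_user(self, user: str, *groups: str) -> None:
        self.users[user] = set(groups)

    def add_device(self, name: str, folder: str) -> None:
        self.devices[name] = Device(name, folder)

    def add_rule(self, group: str, folder: str, *actions: str) -> None:
        self.rules.append(Rule(group, folder, frozenset(actions)))

    def is_authorized(self, user: str, device_name: str, action: str) -> bool:
        """Default deny: allow only if some rule for one of the user's groups
        grants `action` on a folder that contains the device. Every decision,
        allowed or denied, is appended to the domain log."""
        device = self.devices.get(device_name)
        groups = self.users.get(user, set())
        allowed = device is not None and any(
            rule.group in groups
            and action in rule.actions
            and folder_contains(rule.folder, device.folder)
            for rule in self.rules
        )
        verdict = "ALLOW" if allowed else "DENY"
        self.log.append(f"{verdict} user={user} device={device_name} action={action}")
        return allowed


def build_sample_domain() -> Domain:
    """Constructed sample data (not from any real deployment)."""
    d = Domain()
    d.add_device("press-01", "/plant-a/line-1")
    d.add_device("mixer-07", "/plant-b/line-3")
    d.add_device("router-ab", "/plant-ab")           # sibling folder, not under /plant-a
    d.add_rule("maintainers", "/plant-a", "connect")  # connect only, plant A only
    d.add_rule("admins", "/", "connect", "manage")    # full rights on the whole domain
    d.add_user("alice", "maintainers")
    d.add_user("bob", "admins")
    d.add_user("carol")                              # no group membership at all
    return d


if __name__ == "__main__":
    domain = build_sample_domain()
    for user, dev, action in [("alice", "press-01", "connect"),
                              ("alice", "mixer-07", "connect"),
                              ("carol", "press-01", "connect")]:
        domain.is_authorized(user, dev, action)
    print("\n".join(domain.log))
```

Running the block prints the three logged decisions: alice is allowed to connect to a plant A device, denied on a plant B device, and carol, who belongs to no group, is denied everything. The component-wise folder match is the edge case worth keeping in any such model; a plain string-prefix check would silently grant the maintainers group access to the `/plant-ab` folder.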