I will be designing a system where edge devices across the country will be pushing data to an Ignition server in the cloud. This Ignition Gateway Network can work either on a Virtual Private Network, or I can just leave port 8088 open and have the edge devices connect to the public IP of the main Ignition server.
It would be much easier to maintain the system if the edge devices just connect to the main gateway through the public IP address. However, I’m afraid leaving port 8088 open could leave the software fragile to exploits. What is your recommendation? How fragile is the Ignition software to exploits, or do you think it is secure enough to leave it open?
I personally recommend against leaving it open, and strongly suggest the use of a VPN.
Leaving aside the issue of how “secure” Ignition itself is, leaving port 8088 in particular open is a huge red flag. Traffic on port 8088 is HTTP, meaning clear text. Anyone on the same network as someone logging in to your gateway can read their credentials.
We have plenty of customers who have publicly available gateways, but to take that step without knowing how to properly secure a webservice (at minimum, HTTPS and minimal exposed ports) is asking for trouble. Exploits within Ignition are low on the list of potential problems with exposing a wide open HTTP server that you don’t know how to properly secure.
The only exposed port would be 8088, and the only application the firewall would allow to listen on that port would be Ignition. Also, the address will have a TLS certificate and would only connect to edge devices through certificate authentication. Besides that, what else could be a weakness in the security of this web service? I will most certainly end up using the VPN network anyway, but besides the points that I mention, what else should I be thinking about?
If you’re properly using HTTPS/TLS, and have appropriate firewalls in place, then yes, you’re correct - the risk is significantly reduced. At that point, it basically comes down to your preference: is the additional maintenance burden of a VPN worth the reduced risk of some unknown exploit in Ignition compromising things? In pretty much all respects, the VPN is the “safer” option - I can’t make the decision for you, but if you don’t have a compelling reason to, I would be pretty cagey about exposing a gateway to the internet.
As for Ignition itself - we have conducted (and passed) external security audits before, but there’s still a matter of attack surfaces. Something like OpenVPN has gone through hundreds of times more testing than Ignition itself, so the theoretical probability of a vulnerability is therefore probably lower.
You describe having the cloud-based Ignition server connect to the edge devices. Are there any performance or bandwidth concerns with connecting the PLCs directly to a cloud-based server? We are considering locating our gateway in a remote data center and I was wondering if the scan rate would be a concern. Thanks!
Absolutely! If your gateway isn’t on the same network as your PLCs then you can count on terrible performance. In a setup like this you really want a box with drivers/MQTT local to the PLCs and the data coming into the cloud gateway to be coming in via MQTT.
Alternatively, you can have an OPC UA connection from the cloud gateway to the edge gateway. This is less common, but also works.
The important part is that polling of your PLCs happens local to those PLCs.
Not exactly on the same topic, but I am looking for a publicly accessible Perspective application.
Right now, the gateway and the PLCs are all on the same network behind a firewall. I am able to access the Ignition Server through a VPN connection no problem. The issue is that upper management, production, etc. are also wanting to access the screens (production data), but controls/IT do not want to give VPN credentials to all of the people requesting access. If I was able to install an additional server on the open side of the firewall and pass data that way, how could I make the Perspective screens readily available on the internet for anyone with a login?
I’ve just arrived at this post because I’m looking for the same as cmszr3.
I’d like some users to be able to access specific Ignition applications (Perspective) from outside our network, from their phones or tablets.
We don’t need designer access from outside or all applications. Just a couple of them.
Is that possible?
Use a proxy server exposed to the internet (nginx or similar in reverse proxy mode) configured to forward selected project URLs to the Ignition server.
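A worked sketch of that reverse-proxy approach, as an added example that is not from this thread or from Inductive Automation: nginx terminates TLS, refuses every path by default, and forwards only one Perspective project's session URL to the gateway, so the gateway web config pages and the other projects stay unreachable from the internet. The hostname, internal gateway address, project name, certificate paths and the `/res/` static-resource prefix are assumptions; confirm the paths the Perspective client actually requests with the browser's developer tools and add a `location` for each.

```nginx
# Added example, not from the thread. Assumed values: gateway at 192.0.2.10:8088
# on the internal network, public project "PublicDashboards", placeholder cert paths.

server {
    listen 80;
    server_name dashboards.example.com;
    # Never serve the gateway over clear-text HTTP (the port 8088 problem above).
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name dashboards.example.com;

    ssl_certificate     /etc/nginx/certs/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/nginx/certs/privkey.pem;     # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Default deny: anything not matched by a more specific location below
    # (gateway /web/config, /web/status, designer launcher, other projects) is refused.
    location / {
        return 404;
    }

    # Belt and braces: refuse the gateway web UI even if an allow rule is widened later.
    location /web/ {
        return 404;
    }

    # The Perspective session URL for the one project allowed from the internet.
    location /data/perspective/client/PublicDashboards {
        proxy_pass http://192.0.2.10:8088;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;        # Perspective sessions use a websocket
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 3600s;                      # keep idle websocket sessions alive
    }

    # Static client resources. Prefix is an assumption: verify in the browser's
    # network tab and add a matching location for the websocket path if it differs.
    location /res/ {
        proxy_pass http://192.0.2.10:8088;
        proxy_set_header Host $host;
    }
}
```

Keep the gateway itself reachable only from the proxy (firewall 8088 to the proxy's address), and rely on Ignition's own login for the project; the proxy limits which URLs are exposed, it does not replace authentication.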
Has anyone been able to safely give access to Perspective from the outside network?