We recently had an issue with a developer connecting through VPN to a customer’s site. The developer had a backup running on his local machine. When the VPN connection was established, the DEV gateway started to work as a production machine and all tag changes / database queries were updated twice.
How do you protect your production environment against intruders like this? Any suggestions to prevent dangerous situations like this?
Typically we have a production gateway with the production database/PLC connections/tags, and then a development gateway with a dev DB, simulated PLCs and tags relying on the simulations. Starting up another copy of the production gateway while on the VPN that has access to the database is the reason things started updating twice - you had two servers with the DB credentials running historian, your scripts, etc.
Imo there is almost no reason to ever start up a new copy of the production gateway, but ESPECIALLY while on the production network for the reasons you just described. The only reasons I ever go onto the production gateway are to push project changes, see logs for errors, or change configurations as needed - none of which require another instance.
Another reason I can think of is it might mess with your licensing - I am not exactly sure how it works but if both gateways can touch the internet and Ignition sees you have two servers using the same license, it might cause an issue - I am not 100% sure on this but I always tried to make sure it never came up as a potential issue.
Lastly, in the event you have scripts in your project that you only want to run on your production gateway but no other, I recommend this thread - Good way to make sure my gateway scripts only run on the server? - The gist - make JSON configuration files (I put them either inside the Ignition install or the user folder system) with information that would be something like {"environment":"PROD"} or {"environment":"DEV"}. This will only help you conditionally filter gateway/client scripts you only want to run on your production server though, but this would not solve your initial issue of double saving to a prod database.
All this is to say, make a new development gateway with its own separate DB/PLC connections etc. so that even if it is opened up while on the VPN, you won’t have this issue.
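As an added example (not from the post above, and not Ignition's own code), here is the environment-marker idea written so that it fails closed: a missing, unreadable, or misspelled marker file is treated as DEV, never as PROD, so a copied gateway that lacks the marker cannot accidentally decide it is production. The marker path, the key name "environment", and the `prod_only` helper are assumptions for this example; inside an Ignition gateway script you would call `prod_only` around the body of the timer/tag-change script that does the historian or database writes. Written in Python 2/3-compatible syntax since Ignition scripting is Jython.

```python
import json
import os
import tempfile

# Assumed location of the marker file; the post puts it inside the Ignition
# install or the user's home folder.  Only the gateway that really is
# production should carry a file that says PROD.
DEFAULT_MARKER = os.path.join(os.path.expanduser("~"), "ignition_env.json")

VALID_ENVIRONMENTS = ("PROD", "DEV")
FAIL_CLOSED = "DEV"  # anything we cannot positively identify is NOT production


def parse_environment(text):
    """Parse the marker file body.  Unknown keys (e.g. the typo
    "environmnet"), non-JSON, or unexpected values all map to DEV."""
    try:
        data = json.loads(text)
    except ValueError:
        return FAIL_CLOSED
    if not isinstance(data, dict):
        return FAIL_CLOSED
    env = str(data.get("environment", FAIL_CLOSED)).strip().upper()
    return env if env in VALID_ENVIRONMENTS else FAIL_CLOSED


def load_environment(path=DEFAULT_MARKER):
    """Read the marker; a missing or unreadable file means DEV."""
    try:
        with open(path) as fh:
            return parse_environment(fh.read())
    except (IOError, OSError):
        return FAIL_CLOSED


def is_production(path=DEFAULT_MARKER):
    return load_environment(path) == "PROD"


def prod_only(action, path=DEFAULT_MARKER):
    """Run `action` only on the production gateway.

    Returns (ran, result) so the caller can log that the write was skipped
    on a dev copy instead of silently doing nothing.
    """
    if not is_production(path):
        return (False, None)
    return (True, action())


def demo():
    """Write a constructed PROD marker to a temp file and exercise the gate.
    Returns (env_from_file, ran_on_prod, ran_on_missing_marker)."""
    tmpdir = tempfile.mkdtemp()
    marker = os.path.join(tmpdir, "ignition_env.json")
    with open(marker, "w") as fh:
        json.dump({"environment": "PROD"}, fh)
    env = load_environment(marker)
    ran_prod, _ = prod_only(lambda: "historian write", marker)
    ran_missing, _ = prod_only(lambda: "historian write",
                               os.path.join(tmpdir, "does_not_exist.json"))
    os.remove(marker)
    os.rmdir(tmpdir)
    return (env, ran_prod, ran_missing)


if __name__ == "__main__":
    print(demo())
```

The point of defaulting to DEV rather than PROD is that the failure mode in the original question (a copy of the production gateway coming up somewhere unexpected) is exactly the case where the marker will be absent or stale. As the post notes, this gate only filters scripts; a copied gateway that still holds the production DB credentials will still write through its tag history and alarm journal.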
@bkarabinchak.psi’s post is excellent. One thing I’d quickly add; coming from the other direction, every DB I’ve ever used has the capacity to lock restrictions down to not just having the right credentials, but also the right credentials from the right host - so you could have your Ignition login only be trusted from the ‘real’ gateway IP.
Very true. I have seen more than my fair share of projects that have Ignition log in to the db as root@'%' and it makes me cringe every time. Don’t ever do it.
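To make the last two replies concrete, here is an added example (mine, not code from either poster or from Ignition) that audits MySQL-style account/host pairs, as you would get them from `SELECT user, host FROM mysql.user`, and flags the patterns the thread warns about: `root` reachable from anything but localhost, any account whose host is a wildcard, and the application user existing for a host other than the real gateway. It also emits the host-pinned `CREATE USER` / `GRANT` statements for the hardened shape. The sample rows, the user name `ignition`, the gateway address `10.20.30.5`, and the default privilege list are all constructed assumptions; the privileges you actually need depend on what the gateway does (the tag historian creates its own partition tables, so it needs more than plain DML).

```python
# Constructed sample of (user, host) rows in the shape of mysql.user.
SAMPLE_USER_ROWS = [
    ("root", "localhost"),       # fine: root only from the DB host itself
    ("root", "%"),               # the root@'%' pattern the thread warns about
    ("ignition", "%"),           # right credentials, but from any host
    ("ignition", "10.20.30.5"),  # pinned to the production gateway (assumed IP)
    ("ignition", "10.20.%"),     # subnet wildcard: anyone on the VPN range
]

LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")


def host_is_wildcard(host):
    """MySQL treats the host column as a LIKE pattern; '%' (or an empty
    host) matches any client address."""
    return host == "" or "%" in host


def audit_accounts(rows, app_user, allowed_hosts):
    """Return a list of (finding, user, host) tuples for risky accounts.

    allowed_hosts: the exact host values the application user is permitted
    to connect from (normally just the production gateway's address).
    """
    findings = []
    for user, host in rows:
        if user == "root" and host not in LOCAL_HOSTS:
            findings.append(("root-remote", user, host))
        if host_is_wildcard(host):
            findings.append(("wildcard-host", user, host))
        if user == app_user and host not in allowed_hosts:
            findings.append(("app-user-unexpected-host", user, host))
    return findings


def grant_statements(app_user, host, database,
                     privileges=("SELECT", "INSERT", "UPDATE", "DELETE",
                                 "CREATE", "INDEX", "ALTER")):
    """Hardened shape: a dedicated account, pinned to one host, scoped to one
    database.  The privilege list is an assumed default; trim or extend it
    to what the gateway really needs."""
    if host_is_wildcard(host):
        raise ValueError("refusing to generate a wildcard-host grant: %r" % host)
    return [
        "CREATE USER '%s'@'%s' IDENTIFIED BY '<password>';" % (app_user, host),
        "GRANT %s ON `%s`.* TO '%s'@'%s';" % (", ".join(privileges), database,
                                             app_user, host),
    ]


def run_audit():
    """Audit the constructed rows against the assumed production gateway."""
    return audit_accounts(SAMPLE_USER_ROWS, "ignition", {"10.20.30.5"})


if __name__ == "__main__":
    for finding in run_audit():
        print("%-26s %s@'%s'" % finding)
    print("\n".join(grant_statements("ignition", "10.20.30.5", "ignition_prod")))
```

With the gateway's credentials only trusted from `10.20.30.5`, a developer's copy of the gateway dialled in over the VPN presents the right password from the wrong address and the DB refuses the connection, which is the second layer of defence behind keeping dev and prod gateways on separate databases.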