Chapter 6 - Network Planning And Security; Connecting To The Business Network; Third Party Applications - Honeywell dolphin 70e black Network And Security Manual


6
Network Planning and Security

Connecting to the Business Network

The Dolphin 70e Black network and other networks (e.g., Internet or business network) should be separated by a firewall. See System Architecture on page 1-2.
The nature of network traffic on a Dolphin 70e Black network differs from other networks.
• The business network may have different access controls to other networks and services.
• The business network may have different change control procedures for network equipment, configuration, and software
changes.
• Security and performance problems on the business network should not be allowed to affect the Dolphin 70e Black
network and vice versa.
Ideally, there should be no direct communication between the Dolphin 70e Black network and the business network. However,
practical considerations often mean a connection is required between these networks. The Dolphin 70e Black network may
require data from the servers in the business network or business applications may need access to data from the Dolphin 70e
Black network. A connection between the networks represents a significant security risk; therefore, careful consideration should
be given to the system architecture design. Due to the security risk, it is strongly recommended that only a single connection is
allowed and that the connection is through a firewall.
If multiple connections are required, a common practice is to create data demilitarized zones (DMZs) where data servers that
serve two different security domains are located. A DMZ is an area with some firewall protection, but is still visible to the outside
world. Business network servers for Web sites, file transfers, and email are located in a DMZ. More sensitive, private services
(e.g., internal company databases and intranets) are protected by additional firewalls and have all incoming access from the
Internet blocked. You can also create an effective DMZ with just one firewall by setting up access control lists (ACLs) that let a
subset of services be visible from the Internet.
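
The following added example (not part of the Honeywell manual) audits a firewall rule table against the guidance above: at most one direct connection between the Dolphin 70e Black network and the business network, with shared data servers placed in a DMZ. The address ranges, rule table, finding names and the final deny-all check are assumptions made for illustration.

```python
import ipaddress as ip

# Constructed address plan (assumed for illustration, not from the manual).
ZONES = {
    "device": ip.ip_network("10.70.0.0/24"),    # Dolphin 70e Black network
    "business": ip.ip_network("10.10.0.0/16"),  # business network
    "dmz": ip.ip_network("192.168.50.0/28"),    # data DMZ
}

# Constructed firewall rule table: (action, source, destination, dst_port).
# A dst_port of None means "any port".
RULES = [
    ("allow", "10.70.0.0/24", "192.168.50.10/32", 443),   # devices -> DMZ
    ("allow", "10.10.5.20/32", "192.168.50.10/32", 443),  # business -> DMZ
    ("allow", "10.70.0.0/24", "10.10.5.20/32", 1433),     # direct
    ("allow", "10.10.0.0/16", "10.70.0.0/24", None),      # direct, any port
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def zones_of(cidr):
    """Names of the zones that a CIDR block overlaps."""
    net = ip.ip_network(cidr)
    return {name for name, zone in ZONES.items() if net.overlaps(zone)}

def audit(rules):
    """Return (finding, rule_numbers) tuples; rule numbers are 1-based.

    Allow entries are reported even if an earlier deny would shadow them.
    """
    findings, direct = [], []
    for num, (action, src, dst, port) in enumerate(rules, 1):
        if action != "allow":
            continue
        s, d = zones_of(src), zones_of(dst)
        # Direct path: one side in the device network, the other in business.
        if ("device" in s and "business" in d) or ("business" in s and "device" in d):
            direct.append(num)
            if port is None:
                findings.append(("DIRECT_ANY_PORT", [num]))
    if len(direct) > 1:
        # The chapter recommends a single connection; beyond that, use a DMZ.
        findings.append(("MULTIPLE_DIRECT_CONNECTIONS", direct))
    # Assumed good practice: the table ends with an explicit deny-all.
    if not rules or rules[-1] != ("deny", "0.0.0.0/0", "0.0.0.0/0", None):
        findings.append(("NO_FINAL_DENY_ALL", []))
    return findings

if __name__ == "__main__":
    for finding, nums in audit(RULES):
        print(finding, nums)
```
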

Third Party Applications

Honeywell provides most of the applications that meet the needs of Dolphin 70e Black customers. In instances where a third
party application must be added to the Dolphin 70e Black, always verify the following with the vendor:
• Secure Development Lifecycle (SDL) practices were used when writing the software.
• The proper means and security controls to mitigate any threats to the Dolphin 70e Black system are provided.
In addition, evaluate additional risks to the Dolphin 70e Black system with regard to the following:
• The service level agreement (SLA) with the vendor.
• The change in the attack surface as a result of the software.
• Additional services used by the software that may consume needed resources for the Dolphin 70e Black with Android
system.
If the above precautions cannot be taken, then extra care must be taken in isolating and using the software. Additional settings
might be needed in firewalls, point-to-point VPNs, or similar network features, depending on the additional risks in the third party
software.
Note: Third party software should be signed by a trusted authority before installation.