
Use DMZ Servers instead of Permanent Standby Servers

If your system architecture has permanent standby servers that are only used to read data from ClearSCADA, you can improve your security by replacing them with De-Militarized Zone servers (DMZ servers).

DMZ servers can run outside a firewall and have a single, read-only connection to ClearSCADA. Because the connection is read-only, it is impossible for the ClearSCADA software on the DMZ server to write to the ClearSCADA database.

However, vulnerabilities in the operating system that runs on the DMZ server can potentially expose your system to unauthorized access. To avoid this, you can use your DMZ server outside a firewall—the firewall can be set to help protect your system against unauthorized access via the operating system.

The table below shows the benefits of using a DMZ server outside a firewall in comparison to a DMZ server without a firewall or a read-only permanent standby server.

| Server type | ClearSCADA software can read from ClearSCADA database | ClearSCADA software can write to ClearSCADA database | Protection against misuse of ClearSCADA software on server | Protection against operating system vulnerabilities |
|---|---|---|---|---|
| Permanent Standby Server (used as a Read Only server) | Yes | Yes | ClearSCADA user accounts; Windows user accounts | No |
| DMZ Server (no firewall) | Yes | No | ClearSCADA on DMZ server cannot write to the ClearSCADA database; ClearSCADA user accounts; Windows user accounts | No |
| DMZ Server (outside a firewall) | Yes | No | ClearSCADA on DMZ server cannot write to the ClearSCADA database; ClearSCADA user accounts; Windows user accounts | Yes. Firewall can be set to help protect against non-ClearSCADA vulnerabilities. |

For maximum security, we recommend that instead of read-only servers, you use DMZ servers that run outside a firewall.

If your requirements mean it is impractical to use a firewall, we still recommend that you use a DMZ server instead of a read-only server. Using DMZ servers means you have the added protection of the single, read-only connection between the ClearSCADA software on the DMZ servers and the ClearSCADA database.

Even without a firewall, a DMZ server offers greater protection than a permanent standby server, because it has no write connection to ClearSCADA.

To configure a server as a DMZ server, see De-Militarized Zone (DMZ) Permanent Standby Servers in the ClearSCADA Guide to Server Administration.


ClearSCADA 2015 R2