All iFIX 3.5 and earlier SCADA and client nodes create listeners for incoming communications. For clients, this usually means that unsolicited alarm messages can be accepted from SCADA machines they have not initiated communications with.
A non-listening client is a client or SCADA node that does not accept incoming connections. Such a node can still open connections to other servers as normal, but no listener is created on it. Any attempt to connect to a non-listening client therefore fails, while the non-listening client can still communicate over any connection it initiates itself.
Creating Non-listening Clients
iFIX 4.0 and greater allow you to configure clients to be non-listening by default, securing iFIX so that communications not configured by the user are denied. You can modify the clients' behavior at a later time if you want them to accept incoming connections.
To create a non-listening client:
- Open the FIX.INI on your SCADA server or client using a text editor. This file resides in the iFIX Local path.
- Locate the TCPTASK entry under the [NETWORK] section and change:
    RUN=%TCPTASK.EXE
  to:
    RUN=%TCPTASK.EXE/s
- Save the file. You can now start an iFIX session without opening a listening socket.
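The edit above can be audited and applied across many nodes rather than by hand. The following script is an added example, not part of the iFIX documentation or product; it assumes a FIX.INI in the INI layout shown above, uses a constructed sample section in place of a real file, and scans the file line by line because [NETWORK] normally holds several RUN= entries, which Python's configparser would merge.

```python
import re

# Constructed sample of a FIX.INI [NETWORK] section (not a real file). Real files
# carry several RUN= entries under [NETWORK], so duplicate keys are normal and
# configparser (which merges duplicate keys) is the wrong tool; lines are scanned by hand.
SAMPLE_FIX_INI = """\
[NETWORK]
RUN=%TCPTASK.EXE
RUN=%NETDIAG.EXE
[OTHERSECTION]
RUN=%TCPTASK.EXE
"""

# Matches the TCPTASK RUN= line; group 2 holds whatever follows the executable name.
TCPTASK_RE = re.compile(r"^(RUN\s*=\s*%?TCPTASK\.EXE)(.*)$", re.IGNORECASE)
# The /s switch, with or without a space before it, not followed by more letters.
NON_LISTEN_FLAG_RE = re.compile(r"/s(?![A-Za-z0-9])", re.IGNORECASE)


def _scan(ini_text):
    """Yield (raw_line, needs_flag): needs_flag is True only for a RUN=%TCPTASK.EXE
    line under [NETWORK] that does not yet carry /s. Other sections are ignored."""
    in_network = False
    for raw in ini_text.splitlines(keepends=True):
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_network = line[1:-1].strip().upper() == "NETWORK"
            yield raw, False
            continue
        m = TCPTASK_RE.match(line) if in_network and not line.startswith(";") else None
        yield raw, bool(m) and not NON_LISTEN_FLAG_RE.search(m.group(2))


def tcptask_is_listening(ini_text: str) -> bool:
    """True if this node would open a listening socket (TCPTASK started without /s)."""
    return any(needs_flag for _, needs_flag in _scan(ini_text))


def make_non_listening(ini_text: str) -> str:
    """Return the file with /s appended to each offending line, in the form the
    procedure gives (RUN=%TCPTASK.EXE/s); every other line is returned unchanged."""
    out = []
    for raw, needs_flag in _scan(ini_text):
        if needs_flag:
            body = raw.rstrip("\r\n")
            raw = body.rstrip() + "/s" + raw[len(body):]  # keep the original line ending
        out.append(raw)
    return "".join(out)


if __name__ == "__main__":
    print("listening before:", tcptask_is_listening(SAMPLE_FIX_INI))
    print("listening after: ", tcptask_is_listening(make_non_listening(SAMPLE_FIX_INI)))
```

Running make_non_listening twice yields the same file, so it is safe to apply to nodes that were already converted.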
NOTE: The use of non-listening machines is independent of the secure communications requirements and is node/instance specific. For more information about secure communications, refer to Connection Authentication.
Non-listening Clients and Terminal Services
Creating listening sockets for every machine has become a potential security risk.
On Terminal Services, only the last iFIX client session to open a socket maintains the socket; that is, any call to open a socket closes the previous socket. Therefore, on Terminal Services, only one iFIX client has a listener, and that is based on the last client to start.
Using Terminal Services, all clients, except the last one to start, are automatically non-listening. The creation of non-listening clients is not required. However, it is recommended that you make the clients non-listening, as non-listening clients are more secure than listening clients.
Non-listening Clients and Windows XP Service Pack 2 (SP2)
If you are using Windows XP SP2 or Windows Server 2003 SP1, and an iFIX client attempts to open a socket, the Windows Firewall displays a prompt informing you of this attempt. If you choose No, the client closes the socket and becomes non-listening; if you choose Yes, you create an open socket. Closing down this socket prevents firewall notifications from being displayed; however, because outgoing communications still establish the socket to the SCADA, only the ability to receive unsolicited messages is removed.
Denial of Service Attacks
Denial of service (DoS) attacks are a potential problem when unnecessary listening sockets are open. A DoS attack is an attempt to prevent legitimate users of a service from using that service.
Nothing done in iFIX can prevent a DoS, nor mitigate its effect on the network; however, closing down unnecessary listening sockets prevents iFIX from needlessly processing DoS messages aimed at the client nodes.
In a physically secure situation this is not a problem, as the attack would have to come from within the secure network. In a distributed network, however, where clients and SCADAs are on separate networks, the chance that one of the networks is not secure increases. Closing the listening socket prevents iFIX from processing incoming messages that are not intended for iFIX; in effect, it acts as an iFIX-only firewall.