Firewalls

One of the best practices of the DiD strategy is to isolate the Control Network (CN), which is also often called the Process Control Network (PCN), from the corporate and internet systems using firewalls. While firewalls are widely used in the traditional IT sector, their adoption in CN/PCN environments is quite recent. Most IT firewalls are generally unaware of industrial-control protocols and may introduce unacceptable latency into time-critical systems. They may also face operational constraints that are not typical in the IT world. The reality is that firewalls can be complex devices that need careful design, configuration, and management to be efficient and effective. In this section, we are going to look at some basic information about firewalls and how they are usually deployed in the factory to segregate the control network and protect industrial devices. 

Basically, a firewall is a mechanism used to control and monitor traffic to and from a network to protect the devices on that network. It inspects the traffic passing through it and ensures that the network messages fit predefined security criteria or policies. Messages that don't meet the policies are discarded. It can also be considered a filter that blocks unwanted network traffic and enforces specific constraints on the amount and type of communication that occurs between a protected network and other networks. A firewall can exist in different shapes and configurations. It can be a specific hardware device that is physically connected to a network, a virtual appliance with firewall capabilities running on a hypervisor, or even a host-based software solution. Separate hardware and software devices are often referred to as network firewalls and typically provide the most robust and secure solution and the best management options. From now on, when we use the term firewalls, we are referring to this latter kind.

Network traffic is sent in discrete sequences of bits, called packets. Each packet contains separate pieces of information, including, but not limited to, the following:

  • The IP address source and destination
  • The port number of the source service and the destination service
  • The protocols that are accepted or denied
  • The direction of the traffic—inbound or outbound

A firewall, upon receiving a packet, analyzes the preceding characteristics to establish the proper action to take. It may drop the packet, buffer it temporarily to limit the bandwidth usage according to a class of service, or forward it to a different recipient. The firewall behavior is based on a set of rules commonly referred to as access control lists (ACLs). There are different classes of firewalls depending on their analysis and action capabilities; the main ones are the following:

  • Packet filtering firewall: The configuration of this firewall is based on a set of basic policies (block/allow) and a series of specific rules for the involved source and destination IP addresses and ports. A packet filtering firewall analyzes the headers of each IP packet in transit for the following information:
    • The source and destination IP addresses
    • The encapsulated transport protocol (for instance, TCP or UDP)
    • The source and destination ports of the transport protocol
    • The inbound and outbound traffic
  • Stateful inspection firewall: This works like a packet filter firewall but, in addition, tracks all TCP connections that are open from and to the outside. It explicitly models the TCP session concept, allowing us to define rules on this basis. For example, we can automatically accept all packets that come from a previously authorized TCP session.
  • Application proxy firewall: In the application proxy firewall, there is no direct connection between machines inside and outside the network; instead there are two separate connections. The proxy works at the application level, just like the Hypertext Transfer Protocol (HTTP) or the File Transfer Protocol (FTP). It receives requests according to these protocols and forwards or blocks them, depending on the configuration. This means that all internal machines and clients are forced to go through the proxy since direct access to the external servers is blocked.
  • Deep-packet-inspection (DPI) firewalls: This is an emerging trend in the firewall domain. These typically offer filtering deeper into the application layer than a traditional application proxy, by allowing or blocking the packets according to their semantics. They are specialized in understanding the industrial protocols. For example, a DPI firewall for the OPC Classic protocol could be configured to only allow reading of the underlying device, blocking any attempt at writing.

Basically, the goal of firewalls is to minimize the risk of unauthorized access and unwanted network traffic to the internal devices on the PCN. The risk minimization strategy is based on a few golden rules:

  • There should be no direct connection from the internet to any device linked to the PCN.
  • Access from the corporate or plant network to the PCN must be restricted to what is really needed after an in-depth analysis of the possible alternatives.
  • The remote support of control systems should only be allowed if secure methods of authorization are in place.
  • If wireless devices are used, secured connectivity must be implemented.
  • Rules and policies must be well-defined, indicating the type of traffic allowed between the networks.
  • There should be regular monitoring of the traffic coming into and going out of the PCN.
  • There should be a secure communication channel for the management of the firewall.
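To make the packet-filtering and stateful-inspection classes above concrete, and to show how the golden rules translate into an ordered ACL, here is an added example that is not part of the book: a small Python simulator that evaluates constructed packets against a first-match rule set with default deny and a TCP session table. The address plan (corporate 10.1.0.0/16, PCN 192.168.100.0/24, a historian at 192.168.100.10 on TCP port 8443) and the rules are assumptions chosen for illustration.

```python
"""Added example (not from the book): packet filter + stateful inspection simulator.
Addresses, ports and rules below are assumptions for illustration only."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Assumed address plan (illustrative, not from the text)
CORPORATE = ip_network("10.1.0.0/16")        # corporate / plant network
PCN = ip_network("192.168.100.0/24")         # process control network
HISTORIAN = ip_network("192.168.100.10/32")  # the one PCN host corporate may query
HISTORIAN_PORT = 8443                        # assumed historian service port
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter inspects (the list given in the text)."""
    src: str
    dst: str
    proto: str        # encapsulated transport protocol: "tcp" or "udp"
    sport: int
    dport: int
    direction: str    # "inbound" (toward the PCN) or "outbound" (leaving the PCN)
    syn: bool = True  # TCP only: True for the connection-opening packet


@dataclass(frozen=True)
class Rule:
    """One ACL entry; a None field means 'match anything' for that header."""
    action: str                      # "allow" or "deny"
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    proto: Optional[str] = None
    dport: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.direction in (None, p.direction))


Session = Tuple[str, str, int, str, int]


class StatefulFirewall:
    """First-match ACL evaluation plus a TCP session table (stateful inspection)."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.sessions: Set[Session] = set()

    @staticmethod
    def _key(p: Packet) -> Session:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p: Packet) -> Session:
        # The reply direction of an established session (dst answers src)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        """Return "allow" or "deny" for one packet, updating the session table."""
        if p.proto == "tcp" and not p.syn:
            # Mid-stream packet: accepted only if it belongs to a session that was
            # already authorized (in either direction); otherwise dropped.
            if self._key(p) in self.sessions or self._reverse(p) in self.sessions:
                return "allow"
            return "deny"
        for rule in self.rules:          # ordered ACL, first match wins
            if rule.matches(p):
                if rule.action == "allow" and p.proto == "tcp":
                    self.sessions.add(self._key(p))   # remember the authorized session
                return rule.action
        return "deny"                    # implicit default deny


# ACL encoding the golden rules (addresses and port are assumptions)
RULES = [
    # Corporate access restricted to what is really needed: one host, one TCP service
    Rule("allow", src=CORPORATE, dst=HISTORIAN, proto="tcp",
         dport=HISTORIAN_PORT, direction="inbound"),
    # No other inbound traffic reaches any PCN device (covers the internet case)
    Rule("deny", dst=PCN, direction="inbound"),
    # Anything else falls through to the default deny in StatefulFirewall.filter
]


def run_scenarios() -> dict:
    """Constructed packets exercising the ACL; returns verdicts keyed by scenario."""
    fw = StatefulFirewall(RULES)
    corp, internet, plc, hist = "10.1.5.20", "203.0.113.7", "192.168.100.20", "192.168.100.10"
    v = {}
    v["corporate_to_historian_syn"] = fw.filter(Packet(corp, hist, "tcp", 51000, HISTORIAN_PORT, "inbound"))
    v["historian_reply"] = fw.filter(Packet(hist, corp, "tcp", HISTORIAN_PORT, 51000, "outbound", syn=False))
    v["internet_to_historian"] = fw.filter(Packet(internet, hist, "tcp", 40000, HISTORIAN_PORT, "inbound"))
    v["internet_midstream_no_session"] = fw.filter(Packet(internet, hist, "tcp", 40001, HISTORIAN_PORT, "inbound", syn=False))
    v["corporate_to_plc"] = fw.filter(Packet(corp, plc, "tcp", 51001, HISTORIAN_PORT, "inbound"))
    v["corporate_udp_to_historian"] = fw.filter(Packet(corp, hist, "udp", 51002, HISTORIAN_PORT, "inbound"))
    return v


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:34} {verdict}")
```

The historian's reply is accepted only because the session table recorded the corporate host's authorized connection; a stateless packet filter would have needed a broad "allow outbound from PCN" rule to let replies through, which is exactly the kind of over-permissive rule the golden rules warn against. The mid-stream packet from the internet with no recorded session is dropped even though its headers look like part of a conversation.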