A variation on the firewall-with-DMZ solution is to use a pair of firewalls to build up the DMZ, linked to each other and positioned between the corporate and process control networks. The resources and devices to be shared are deployed in the DMZ between the firewalls, as shown in the following diagram:

In this scenario, the firewall positioned in the corporate network blocks the arbitrary packets from proceeding to the control network or the shared historians. The other firewall prevents unwanted traffic from a compromised server from entering the control network.