Common control-network-segregation architectures

This section outlines the most common security practices currently used in industrial-control environments for the architecture, design, deployment, and management of firewalls that separate the PCN (process control network) from the corporate network.

The solutions presented are related to two main scenarios:

  • Two-zone firewall-based designs without a DMZ
  • Three-zone firewall-based designs with a DMZ

There is also a third scenario, often referred to as dual-homing. In this scenario, two network interface cards are installed either in a workstation or in a control device that requires access to both the corporate and process control networks.

Dual-homing is an easy way to connect the corporate network to the control network, but it puts the dual-homed device at significant security risk, even if a personal firewall is installed on it: the device itself becomes a bridge that bypasses the perimeter firewall entirely. For this reason, it is rarely used and will not be detailed in this section.
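Because dual-homed devices bypass the segregation firewall, a practitioner will usually want a quick inventory check that flags them. The following script is an added example, not part of the original text; it assumes a host inventory exported as a mapping of host names to interface addresses, and the corporate and PCN address ranges used here are hypothetical placeholders.

```python
"""Flag dual-homed hosts: any host with interfaces in both the corporate
and the process-control (PCN) address ranges.  Sample data is constructed."""
import ipaddress

# Hypothetical placeholder ranges for the two zones; replace with real ones.
CORPORATE_NETS = [ipaddress.ip_network("10.10.0.0/16")]
PCN_NETS = [ipaddress.ip_network("192.168.100.0/24"),
            ipaddress.ip_network("192.168.101.0/24")]


def zones_for(addresses):
    """Return the set of zone names ("corporate", "pcn") the addresses fall into."""
    zones = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if any(ip in net for net in CORPORATE_NETS):
            zones.add("corporate")
        if any(ip in net for net in PCN_NETS):
            zones.add("pcn")
    return zones


def find_dual_homed(inventory):
    """Return the sorted names of hosts whose interfaces touch both zones.

    inventory: mapping host name -> list of interface IPv4 addresses.
    """
    return sorted(host for host, addrs in inventory.items()
                  if {"corporate", "pcn"} <= zones_for(addrs))


# Constructed inventory, as it might be exported from a CMDB or asset scan.
SAMPLE_INVENTORY = {
    "eng-ws-01": ["10.10.5.21", "192.168.100.15"],       # dual-homed workstation
    "hmi-03": ["192.168.100.40"],
    "fileserver": ["10.10.2.8"],
    "historian-bridge": ["10.10.7.3", "192.168.101.9"],  # dual-homed server
    "plc-12": ["192.168.101.20"],
}

if __name__ == "__main__":
    for host in find_dual_homed(SAMPLE_INVENTORY):
        print(f"dual-homed host bridging corporate and PCN: {host}")
```

Run against the constructed inventory it reports `eng-ws-01` and `historian-bridge`; in practice the check belongs in a recurring asset review, since a single dual-homed machine undoes both the two-zone and three-zone firewall designs described above.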