Firewall functions and roles for company security

Firewalls continue to represent core elements in the segmentation of networks and therefore are an essential part of any security strategy with respect to network security.


Figure 1: Firewall between the Internet and the local company network. Courtesy: BeldenThe firewall represents an indispensable technical component for network security concepts today. The various types of firewalls range from simple packet filters all the way up to powerful solutions with the direct support of specialized industrial protocols. Firewall designs, which range from software packages for PCs to industrially hardened products in metal housings for use at the field level, are every bit as diverse. The current threat of attacks plays a large role in this because it is significant in determining the correct technology and deployment location.

Modern security concepts adopt a holistic approach, taking into consideration not only the technology, but also the processes and the people involved. For this reason, firewalls alone have long ceased to be promoted as a sufficient or the only measure for securing information in industrial plants, or to be viewed as synonymous with network security. Nevertheless, they remain core elements in the segmentation of networks and are therefore an essential part of any network security strategy.

The term "firewall" has come to be applied very widely, to a broad range of technologies with different methods of operation and objectives. Examples of this variety are stateless and stateful firewalls, transparent firewalls, firewalls at various levels of the network reference architectures, firewalls with deep packet inspection, and even firewalls with intrusion detection features. Then there are additional methods which also limit network traffic, such as access control lists. But which firewall is appropriate for which situation?

General firewall functions

Firewalls are systems which protect networks or network devices, such as industrial PCs, control systems, cameras, etc., from unauthorized access by preventing network traffic to or from these systems. The first broad distinction here is the difference between host firewalls and network firewalls. The first is installed on a computer (host) as a software feature, or is already provided by the operating system. Examples of these firewalls are the Microsoft Windows system firewall or the iptables firewall provided with most Linux systems.

Network firewalls are devices which have been developed especially for use as a firewall and are placed in the network, rather than on a PC. These network, or hardware, firewalls are important elements in industrial facilities, especially when they are connected to additional networks or when wired transmissions are combined with less secure network technologies (e.g. wireless networks). In these situations, a network firewall serves to set up the network boundary as the first line of defense against attacks and only allows desired traffic into and out of the network.

Figure 2: Firewall within a local network. Courtesy: Belden

The fundamental technical function of any firewall is to filter packets. The firewall inspects each packet it is asked to forward and determines whether the packet matches a desired template for traffic patterns. These templates are modeled in the form of rules. A firewall at the boundary of a network can thus, for example, include rules such as "A communication link within the network can only take place with a specified server" or "Only the PCs for remote maintenance can be reached from outside the network, not any other devices." Creating special rules, such as for industrial protocols, is also possible.
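As an added illustration (not code from the article or from Belden), the following stateless packet filter models the two boundary rules quoted above as an ordered rule list with first-match semantics and a default-deny fallback; the addresses, the single permitted server and the two remote-maintenance PCs are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed sample addressing (assumption, not from the article): the plant
# network, its single permitted server and the two remote-maintenance PCs.
PLANT_NET = ipaddress.ip_network("10.10.0.0/16")
SERVER = ipaddress.ip_address("10.10.0.5")
REMOTE_MAINT_PCS = {ipaddress.ip_address("10.10.1.20"),
                    ipaddress.ip_address("10.10.1.21")}


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    dport: int    # destination TCP/UDP port

    @staticmethod
    def inside(addr: str) -> bool:
        """True if the address belongs to the protected plant network."""
        return ipaddress.ip_address(addr) in PLANT_NET


# A rule is (name, match predicate, action). Rules are evaluated in order
# and the first match wins, as in a classic packet filter.
Rule = Tuple[str, Callable[[Packet], bool], str]

RULES: List[Rule] = [
    # "Only the PCs for remote maintenance can be reached from outside the
    # network" (here additionally limited to the SSH port, an assumption).
    ("remote-maintenance",
     lambda p: (not Packet.inside(p.src)
                and ipaddress.ip_address(p.dst) in REMOTE_MAINT_PCS
                and p.dport == 22),
     "allow"),
    # "A communication link within the network can only take place with a
    # specified server".
    ("internal-to-server",
     lambda p: Packet.inside(p.src) and ipaddress.ip_address(p.dst) == SERVER,
     "allow"),
]


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return (action, matching rule name); anything unmatched is denied."""
    for name, matches, action in RULES:
        if matches(pkt):
            return action, name
    return "deny", "default-deny"
```

Because the filter keeps no connection state, a reply packet that does not itself match an allow rule is dropped too; that is exactly the gap a stateful firewall closes and a switch ACL, as discussed later in the article, does not.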

Network-based firewalls are of great significance for industrial facilities, but where are they used in today's security concepts?

Applications and requirements for firewalls in an industrial environment

Firewalls are important basic components in today's security concepts. They are used in various locations within the network. On the one hand, they can secure a company network against the outside. On the other, they can separate various devices within a network from each other or permit only specified communications between devices.

This concept of precise limitations on communication between network participants in internal networks, as well as partitioning of various network areas from each other, known as defense in depth, is usually combined with zones and conduits: layered defenses with multiple security levels, one behind the other.

Attacks against the system or network that needs to be defended are hampered by such a set of layered defenses: an attacker must defeat multiple security levels, not just a single obstacle. In addition, partitioning the network into multiple areas limits the damage if one of the areas is actually compromised by an attacker. In this case, the entire network is not immediately compromised; only the partitioned area that the attacker has been able to reach.

This concept is not new; it was already applied in the Middle Ages in the construction of castles and other defensive structures. Areas in particular danger were protected with multiple walls, and the defenders in the castle keep, in the interior of the castle, were the last line of defense. The individual segments of the castle were separated from each other by gates and portcullises to make the attackers' movements more difficult.

In communication networks, the isolation of groups of networked devices into zones and conduits represents the gates and portcullises. This procedure is often applied in combination with a stacked defense in depth. Zones and conduits virtually always demand the use of defense in depth, since gates and portcullises are useless without walls. Zones and conduits are a central component of the international standard IEC 62443 (formerly ISA99). In order to implement these proven procedures in communication networks, firewalls are used in great numbers at various locations in the network.

Firewall at the company boundaries

Firewalls play various roles in the partitioning of network portions. For one, a firewall can protect a company against threats from the outside. In many cases, this overall protection is the domain of IT firewall solutions, which are placed in a company's data center. On the other hand, they can also be implemented, for instance, in production in order to effectively separate the production network from the rest of the company network.

Firewall in a small cell or external site

Industrial firewalls with router functions are well suited to smaller external branches or sites. This allows, for example, distribution stations to be connected with the rest of the company infrastructure via a WWAN. The firewall controls the network traffic coming out of and going into the external site's local network. Since such a firewall represents the border between the company's own network (the external site) and an external network (a provider network or the Internet), it must possess full capabilities for packet filtering and for filtering traffic between different networks. Such a firewall is called an IP firewall because it processes Internet Protocol (IP) traffic. Because these firewalls are often installed very near the actual facility, industrial hardening must also be taken into consideration. Extended temperature ranges and/or approval for use in special areas (e.g. energy supply and transportation) are crucial.

Firewall at the field level

It is rarely sufficient to protect only the external boundaries of the network against attackers. Often, attacks occur from the inside of a network. Firewalls can also limit communication in accordance with the security concept within a local network. If communication from outside the facility is only supposed to be possible with a single device, the firewall can specifically permit this connection while other attempts at communication are prevented. However, the demands put on a firewall in use within a network differ from the demands put on a firewall in use between networks. Therefore, a transparent layer 2 firewall at the Ethernet level is required instead of an IP firewall. Because the firewalls are implemented here at the field level, the application parameters (temperature, vibration, etc.), as well as the necessary approvals must be taken into consideration.

Firewall in a WLAN

Communication from wireless to wired networks should also be controlled by firewalls. For example, the communication of a tablet, which is connected to a device via a WLAN can be limited so that it can only access data through the user interface, but not additional subsystems or other devices connected to it. If a client is integrated into a WLAN, it is possible, in principle, to communicate directly with all other devices in the same (sub)network. Thus, an attacker can extend a successful attack on a client that is connected to the WLAN to any other device on the Ethernet network. This problem can be solved by restricting the forwarding of messages between WLAN clients with a firewall at the WLAN access point. Here, too, there is a need for a transparent layer 2 firewall which can filter communication within a network (directly between the WLAN devices in a network). In order to do this, the firewall must be implemented directly at the access point. Industrially hardened devices are important here as well.

In addition, it can also be practical to restrict communication to the desired patterns and communication relationships at all other points in the network. But, because firewalls can also have negative effects on transmission latency (delay in transmission) and network throughput, the use of a dedicated firewall is not always possible. In such cases, high-quality network switches can also use less powerful stateless filtering rules. These rules are usually not referred to as firewall rules, rather as access control lists (ACL). ACLs are suited for any situation where rapid filtering must take place within a network.
