Firewall functions and roles for company security
The firewall represents an indispensable technical component for network security concepts today. The various types of firewalls range from simple packet filters all the way up to powerful solutions with the direct support of specialized industrial protocols. Firewall designs, which range from software packages for PCs to industrially hardened products in metal housings for use at the field level, are every bit as diverse. The current threat of attacks plays a large role in this because it is significant in determining the correct technology and deployment location.
Modern security concepts adopt a holistic approach, taking into consideration not only the technology, but also the processes and the people involved. This is why it is a long time since firewalls alone have been promoted as sufficient or the only measure for securing information in industrial plants or have even been viewed as synonymous with network security. Firewalls continue to represent core elements in the segmentation of networks and therefore are an essential part of any security strategy with respect to network security.
The term "firewall" has come to be widely applied. This has led to the term being applied to a very wide range of technologies with different methods of operation and objectives. Examples of the variety of firewalls are stateless and stateful firewalls, transparent firewalls, firewalls at various levels of the network reference architectures, firewalls with deep packet inspection, and even firewalls with intrusion detection features. Then there are additional methods which also limit network traffic, such as access control lists. But which firewall is appropriate for which situation?
General firewall functions
Firewalls are systems which protect networks or network devices, such as industrial PCs, control systems, cameras, etc., from unauthorized access by preventing network traffic to or from these systems. The first broad distinction here is the difference between host firewalls and network firewalls. The first is installed on a computer (host) or already provided by the operating system, as a software feature. Examples of these firewalls are the Microsoft Windows system firewall or the iptables firewall provided with most Linux systems.
Network firewalls are devices which have been developed especially for use as a firewall and are placed in the network, rather than on a PC. These network, or hardware, firewalls are important elements in industrial facilities, especially when they are connected to additional networks or when wired transmissions are combined with less secure network technologies (e.g. wireless networks). In these situations, a network firewall serves to set up the network boundary as the first line of defense against attacks and only allows desired traffic into and out of the network.
The fundamental technical function of any firewall is to filter packets. Here, the firewall inspects packets, which it is supposed to forward, to determine whether they correspond to a desired template for traffic patterns. These templates are modeled in the form of rules. A firewall at the boundary of a network can thus, for example, include rules in the form of "A communication link within the network can only take place with a specified server" or "Only the PCs for remote maintenance can be reached outside the network, not any other devices." Creating special rules, such as for industrial protocols is also possible.
Network-based firewalls are of great significance for industrial facilities, but where are they used in today’s security concepts?
Applications and requirements for firewalls in an industrial environment
Firewalls are important basic components in today’s security concepts. They are used in various locations within the network. On the one hand, they can secure a company network against the outside. On the other, they can separate various devices within a network from each other or permit only specified communications between devices.
This concept of precise limitations on communication between network participants in internal networks, as well as partitioning of various network areas from each other, known as defense in depth, is usually combined with zones and conduits: layered defenses with multiple security levels, one behind the other.
Attacks against the system or network that needs to be defended are hampered through such a set of layered defenses―an attacker must defeat multiple security levels, not just a single obstacle. However, partitioning in multiple areas of the network defends them in the event that one of the network areas is actually being compromised by an attacker. In this case, the entire network is not immediately compromised; just the partitioned area that the attacker has been able to reach.
This concept is not new, but was already taken into consideration in the middle ages in the construction of castles and other defensive structures. Areas in particular danger were protected with multiple walls, the defenders in the castle keep, in the interior of the castle, were the last line of defense. The individual segments of the castle were separated from each other by gates and portcullises to make the attackers’ movements more difficult.
In communication networks, the isolation of groups of networked devices into zones and conduits represents the gates and portcullises. This procedure is often applied in combination with a stacked defense in depth. Zones and conduits virtually always demand the use of defense in depth, since gates and portcullises are useless without walls. Zones and conduits are a central component of the international standard IEC 62443 (formerly ISA99). In order to implement these proven procedures in communication networks, firewalls are used in great numbers at various locations in the network.
Firewall at the company boundaries
Firewalls play various roles in the partitioning of network portions. For one, a firewall can protect a company against threats from the outside. In many cases, this overall protection is the domain of IT firewall solutions, which are placed in a company’s data center. On the other hand, they can also be implemented, for instance, in production in order to effectively separate the production network from the rest of the company network.
Firewall in a small cell or external site
Industrial firewalls with router functions are perfect for smaller external branches or sites. This allows, for example, distribution stations to be connected with the rest of the company infrastructure via a WWAN network. The firewall controls the network traffic coming out of and going into the external site’s local network. Since such a firewall for connection of an external site represents the border between the company’s own network (the external site) and an external network (a provider network or the Internet), the firewall must possess full capabilities for packet filtering and filtering traffic between various networks. Such a firewall is called an IP firewall since it processes Internet Protocol (IP) traffic. Because these firewalls are often installed very near the actual facility, industrial hardening must also be taken into consideration. Extended temperature ranges and/or approval for use in special areas (e.g. energy supply and transportation) are crucial.
Firewall at the field level
It is rarely sufficient to protect only the external boundaries of the network against attackers. Often, attacks occur from the inside of a network. Firewalls can also limit communication in accordance with the security concept within a local network. If communication from outside the facility is only supposed to be possible with a single device, the firewall can specifically permit this connection while other attempts at communication are prevented. However, the demands put on a firewall in use within a network differ from the demands put on a firewall in use between networks. Therefore, a transparent layer 2 firewall at the Ethernet level is required instead of an IP firewall. Because the firewalls are implemented here at the field level, the application parameters (temperature, vibration, etc.), as well as the necessary approvals must be taken into consideration.
Firewall in a WLAN
Communication from wireless to wired networks should also be controlled by firewalls. For example, the communication of a tablet, which is connected to a device via a WLAN can be limited so that it can only access data through the user interface, but not additional subsystems or other devices connected to it. If a client is integrated into a WLAN, it is possible, in principle, to communicate directly with all other devices in the same (sub)network. Thus, an attacker can extend a successful attack on a client that is connected to the WLAN to any other device on the Ethernet network. This problem can be solved by restricting the forwarding of messages between WLAN clients with a firewall at the WLAN access point. Here, too, there is a need for a transparent layer 2 firewall which can filter communication within a network (directly between the WLAN devices in a network). In order to do this, the firewall must be implemented directly at the access point. Industrially hardened devices are important here as well.
In addition, it can also be practical to restrict communication to the desired patterns and communication relationships at all other points in the network. But, because firewalls can also have negative effects on transmission latency (delay in transmission) and network throughput, the use of a dedicated firewall is not always possible. In such cases, high-quality network switches can also use less powerful stateless filtering rules. These rules are usually not referred to as firewall rules, rather as access control lists (ACL). ACLs are suited for any situation where rapid filtering must take place within a network.
Differences in filtering
The environment and the placement within the network are not the only factors which determine the requirements of a firewall. The capabilities of the filtering mechanisms also vary greatly. It is important here to differentiate how deeply a firewall can observe the communication between different devices. Here, too, there is a broad range. The spectrum ranges from firewalls which can only perform simple template recognition on packets, all the way up to firewalls which also understand the functions and procedures in industrial protocols and thus can prevent individual communication patterns in a targeted manner.
The simultaneous combination of differing security characteristics, like different firewall mechanisms on different network layers for instance, can ensure additional security when implementing a defense in depth concept. Once again, the master builders of the middle ages provide the inspiration for this concept of diversity in defense mechanisms: In castles and other fortifications, high walls were often combined with other methods of defense, such as moats. Thus an attacker had to develop a much more sophisticated strategy in order to overcome not only the wall, but also the moat.
In modern communications networks, it is equally advisable to implement diverse firewall mechanisms and combine them with a defense in depth or other security mechanisms. The following filter mechanisms are commonly known:
Communications relationships between devices may be in various phases (states). For example, the communication relationship is usually initiated in a first phase. Active communication is conducted in a second phase and the connection is ended in a third phase. A concrete example of a protocol which uses this procedure is the transmission control protocol (TCP), which is often combined with the IP to form TCP/IP.
As the name implies, stateless firewalls cannot react to the state of a communication connection nor differentiate between the various phases. Thus, it can only be determined that individual devices or applications may communicate with one another. However, it cannot be determined whether the participants conduct the communication according to the normal procedure. In particular, the firewall cannot recognize or prevent any attacks resulting from abnormal protocol behavior. Especially vulnerable industrial devices with minimal self-defense are put at risk by this, for example, of a so-called denial of service attack, by which the communication interface of an industrial device is deliberately flooded and overloaded with forged or erroneous communication requests.
In contrast to stateless firewalls, stateful (state aware) firewalls can monitor the communication process of the participants and thus use the behavior of the partners during essential communications operations, such as the initiation or termination of the connection, as the foundation for the packet filtering. Thus, attacks which attempt to communicate over connections already made can be recognized and prevented. Equally, attacks which use a known faulty connection in order to load and overload a system can be prevented.
Deep packet inspection (DPI) firewalls
DPI is an extension of Stateful packet inspection. Stateful firewalls normally examine the packets in the network as deep as the header at the beginning of the packet because it contains the information through which the firewall can determine and monitor the communication state. These may be, for example, sequence numbers and communication flags for the commonly used TCP.
DPI goes one step further and allows examination beyond the communication header all the way to the payload (e.g. control protocols of the industrial applications) of a packet. In this way, highly-specialized attack patterns, which are hidden deep in the communication flow, can be discovered.
To do this, the firewall must be capable of interpreting the respective communication protocol in order to differentiate between a well-formed, "good" packet and a malicious packet or harmful payload. Therefore, DPI firewalls are often implemented as additional components of a stateful packet inspection firewall and only for certain protocols and application purposes, such as industrial protocols.
A DPI firewall offers a high degree of security, often with a rule set that can be individualized and configured, but it demands a great amount of computing power of the network firewall. It also requires a sophisticated configuration interface in order to command the complexity of it.
This fact, combined with the respective individual adaptations of an individual protocol has the result that DPI firewalls are not applied to be all-encompassing, rather only at certain, carefully determined points in the network. But, at that location where they are sensibly used, they create a significantly stronger hardening of the industrial communication.
Management of firewalls
Just as there are differences in the application areas and the capabilities of the packet filter, there are differences in the additional functions of a firewall. Whether it is a practical solution or more of an obstacle to the implementation of a security strategy can especially be seen in the management functions of a firewall. This is easy to recognize from two typical management tasks: a) the integration of a new firewall in an existing industrial network and b) the management of multiple firewalls with network management tools.
Deploying a new firewall in an existing industrial network is no trivial matter. In an industrial network, there are generally numerous communication relationships which are only completely and correctly summarized and documented in the rarest of cases. Since the main function of a firewall is prevention of unknown network traffic, the initial configuration of these devices is especially difficult in this case. If the firewall is configured too liberally, the control and monitoring traffic of the facility can flow without problems, however, then the firewall is also no great obstacle to an attacker.
If the firewall is configured too restrictively, it blocks the communication of a potential attacker, but it also slows down traffic of the facility so that it no longer operates faultlessly in all situations. That can lead to delays and costly repairs. It is important to properly configure the firewall in order to permit the desired communication and simultaneously prevent the undesirable traffic. Without a complete view of all communication relationships, the integration of a firewall in an existing network can be a nerve-wracking situation.
Modern, high-quality industrial firewalls support employees during commissioning by offering special analysis modes. Such a mode enables the firewall to analyze the communication relationships in a network during a learning phase. During this learning phase, which can be freely specified, the firewall records all communication relationships without restricting any of them. With the help of the connections analyzed, an administrator can detect the desired or undesired communication relationships quickly and easily and create a custom configuration of the firewall (semi-)automatically.
This saves time and enables a functional and secure configuration to be found without risking downtimes and failures. The duration of the learning period must be freely configurable since the firewall must observe all communication relationships during the learning phase. In particular, in the case of sporadic communication relationships, e.g. during regularly scheduled maintenance, the timeframe must be set accordingly to also capture this sporadic communication.
Management of multiple firewalls
The use of firewalls to isolate various devices and facility components from one another is an important aspect of the defense in depth strategy. If an attacker has overcome an initial obstacle, e.g. penetrated the network, additional firewalls with more specific rules can prevent penetration into additional and more sensitive facility components.
The use of multiple IP firewalls and transparent layer 2 firewalls requires management and configuration of these devices. Without a powerful management tool for simple (mass) configuration of firewalls, this task can be very time-consuming and error-prone in the case of changes to the network infrastructure. Hence, it is important that the firewalls can be managed and monitored centrally by network management tools to assist this process.
With proper management tools, standard configurations can be implemented quickly on newly-installed firewalls, as well as making changes to the configuration. An example of such a change can be on a new log server which can be reached by all devices in the production network. If all firewalls must now be configured individually, the IP address and the port of the log server must be set on each firewall. This is time-consuming and subject to errors. With a mass-configuration via a network management tool, this task can be simultaneously and reliably performed for all firewalls at once.
Even though modern security concepts consist of much more than just firewalls, they are still a central element which no security concept can do without. For implementing important concepts from international standards and proven procedures (best practices), such as defense in depth and zones and conduits, firewalls are absolutely essential to operations. Technical development in recent years has shown that firewalls not only vary greatly in their technical characteristics, but also in the features and equipment of their hardware, the approvals, as well as their operation and, therefore, their ability to be used in the industrial environment.
It is crucial to choose the correct firewall for various tasks in the industrial network due to these complex security concepts with diverse technologies.
Prof. Dr. Tobias Heer, future technologies, Hirschmann Automation and Control GmbH, Neckartenzlingen, Germany; Dr. Oliver Kleineberg, advance development, Hirschmann Automation and Control GmbH, Neckartenzlingen, Germany. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, firstname.lastname@example.org.
Hirschmann Automation is a Belden brand. Belden is a CSIA member.