Firewall functions and roles for company security

Firewalls continue to represent core elements in the segmentation of networks and therefore are an essential part of any security strategy with respect to network security.

09/13/2017


Figure 1: Firewall between the Internet and the local company network. Courtesy: Belden

The firewall is an indispensable technical component of today's network security concepts. The types of firewall range from simple packet filters all the way up to powerful solutions with direct support for specialized industrial protocols. Firewall designs are every bit as diverse, ranging from software packages for PCs to industrially hardened products in metal housings for use at the field level. The current threat situation plays a large role here, because it largely determines which technology is appropriate and where it should be deployed.

Modern security concepts adopt a holistic approach, taking into consideration not only the technology, but also the processes and the people involved. It is therefore a long time since firewalls alone were promoted as a sufficient or sole measure for securing information in industrial plants, or were treated as synonymous with network security. Nevertheless, firewalls remain core elements in the segmentation of networks and are therefore an essential part of any network security strategy.

The term "firewall" has come to be applied very broadly, covering a wide range of technologies with different methods of operation and objectives. Examples are stateless and stateful firewalls, transparent firewalls, firewalls operating at different layers of the network reference model, firewalls with deep packet inspection, and even firewalls with intrusion detection features. Then there are further mechanisms that also limit network traffic, such as access control lists. But which firewall is appropriate for which situation?

General firewall functions

Firewalls are systems which protect networks or network devices, such as industrial PCs, control systems, cameras, etc., from unauthorized access by blocking unwanted network traffic to or from these systems. The first broad distinction is between host firewalls and network firewalls. A host firewall is installed on a computer (host) as a software feature, or is already provided by the operating system. Examples are the Microsoft Windows system firewall or the iptables firewall (and its successor nftables) provided with most Linux systems.

Network firewalls are devices which have been developed especially for use as a firewall and are placed in the network, rather than on a PC. These network, or hardware, firewalls are important elements in industrial facilities, especially when they are connected to additional networks or when wired transmissions are combined with less secure network technologies (e.g. wireless networks). In these situations, a network firewall serves to set up the network boundary as the first line of defense against attacks and only allows desired traffic into and out of the network.

Figure 2: Firewall within a local network. Courtesy: Belden

The fundamental technical function of any firewall is to filter packets. The firewall inspects each packet it is asked to forward and determines whether it matches a desired template for traffic patterns. These templates are expressed as rules. A firewall at the boundary of a network can, for example, carry rules such as "connections from outside the network may only be made to one specified server" or "only the PCs for remote maintenance may reach destinations outside the network, not any other devices." Special rules, for instance for industrial protocols, can also be created.
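The following is an added example, not code from the article or from Belden. It shows what the rule templates described above look like once written down: a minimal stateless packet filter that evaluates 5-tuple packets against an ordered rule list with a default-deny policy, and a boundary rule set that implements the two example rules from the text. The address ranges (a production cell 10.10.0.0/24 with a server and two remote-maintenance PCs, an office network 192.168.1.0/24) and the protocols chosen are assumptions made up for the illustration.

```python
"""Added example (not from the original article): a stateless packet filter
with first-match rule evaluation and a default-deny policy.
All addresses, zones and rules below are constructed for the illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"       # CIDR; 0.0.0.0/0 matches any address
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; a packet no rule mentions is dropped.
    Default deny is the safe direction for a boundary firewall: a forgotten
    rule produces a support ticket, not an open port."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "deny", "default policy"


# Constructed topology (assumption): the firewall sits between the office
# network and a production cell. Inside the cell are a data server and two
# remote-maintenance PCs; everything else in the cell must stay unreachable.
OFFICE = "192.168.1.0/24"
CELL = "10.10.0.0/24"
SERVER = "10.10.0.10/32"
MAINT_PCS = "10.10.0.50/31"     # 10.10.0.50 and 10.10.0.51

BOUNDARY_RULES = [
    # "Connections from outside may only be made to one specified server":
    # the office historian may poll the cell server over Modbus/TCP.
    Rule("allow", src=OFFICE, dst=SERVER, proto="tcp", dport=502,
         comment="historian polls cell server"),
    # "Only the remote-maintenance PCs may reach destinations outside":
    # those two hosts may open outbound TLS sessions, nothing else may.
    Rule("allow", src=MAINT_PCS, dst="0.0.0.0/0", proto="tcp", dport=443,
         comment="maintenance PCs outbound"),
    # Explicit denies duplicate the default policy but make the intent
    # visible in rule audits and in the firewall log.
    Rule("deny", src=CELL, comment="no other outbound traffic from cell"),
    Rule("deny", src=OFFICE, dst=CELL, comment="no other inbound traffic"),
]


def audit(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Run a list of sample packets through the rule set and return the
    decisions; useful as a regression test whenever the rule set changes."""
    return [evaluate(rules, p)[0] for p in packets]


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.20", "10.10.0.10", "tcp", 502),    # allow
        Packet("192.168.1.20", "10.10.0.33", "tcp", 502),    # deny: wrong host
        Packet("10.10.0.50", "203.0.113.5", "tcp", 443),     # allow
        Packet("10.10.0.33", "203.0.113.5", "tcp", 443),     # deny: not a maint PC
    ]
    for p, decision in zip(samples, audit(BOUNDARY_RULES, samples)):
        print(f"{p.src} -> {p.dst}:{p.dport}/{p.proto}: {decision}")
```

The rule order matters: because evaluation stops at the first match, the allow rules for the narrowly scoped exceptions must precede the broad deny rules, and a new allow rule appended after a broad deny would never be reached. Keeping a list of sample packets with expected decisions, as in audit(), catches this kind of shadowing when the rule set is edited.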

Network-based firewalls are of great significance for industrial facilities, but where are they used in today's security concepts? 

Applications and requirements for firewalls in an industrial environment

Firewalls are important basic components in today's security concepts. They are used in various locations within the network. On the one hand, they can secure a company network against the outside. On the other, they can separate various devices within a network from each other or permit only specified communications between devices.

This concept of precisely limiting communication between participants in internal networks, and of partitioning different network areas from each other, is usually combined with defense in depth: layered defenses with multiple security levels, one behind the other. The partitioning itself is described in terms of zones and conduits.

Attacks against the system or network to be defended are hampered by such a set of layered defenses: an attacker must defeat multiple security levels, not just a single obstacle. In addition, partitioning the network into multiple areas limits the damage in the event that one of the areas actually is compromised by an attacker. In this case, the entire network is not immediately compromised, only the partitioned area that the attacker has been able to reach.

This concept is not new, but was already taken into consideration in the middle ages in the construction of castles and other defensive structures. Areas in particular danger were protected with multiple walls, the defenders in the castle keep, in the interior of the castle, were the last line of defense. The individual segments of the castle were separated from each other by gates and portcullises to make the attackers' movements more difficult.

In communication networks, the isolation of groups of networked devices into zones and conduits represents the gates and portcullises. This procedure is often applied in combination with a stacked defense in depth. Zones and conduits virtually always demand the use of defense in depth, since gates and portcullises are useless without walls. Zones and conduits are a central component of the international standard IEC 62443 (formerly ISA99). In order to implement these proven procedures in communication networks, firewalls are used in great numbers at various locations in the network.

Firewall at the company boundaries

Firewalls play various roles in the partitioning of network portions. For one, a firewall can protect a company against threats from the outside. In many cases, this overall protection is the domain of IT firewall solutions, which are placed in a company's data center. On the other hand, they can also be implemented, for instance, in production in order to effectively separate the production network from the rest of the company network.

Firewall in a small cell or external site

Industrial firewalls with router functions are well suited to smaller external branches or sites. This allows, for example, distribution stations to be connected with the rest of the company infrastructure via a wireless WAN (WWAN). The firewall controls the network traffic entering and leaving the external site's local network. Since such a firewall represents the border between the company's own network (the external site) and an external network (a provider network or the Internet), it must be able to filter packets that are routed between different networks. Such a firewall is called an IP firewall, since it processes traffic at the Internet Protocol (IP) layer. Because these firewalls are often installed very near the actual facility, industrial hardening must also be taken into consideration. Extended temperature ranges and/or approval for use in special areas (e.g. energy supply and transportation) are crucial.

Firewall at the field level

It is rarely sufficient to protect only the external boundaries of the network against attackers. Often, attacks originate from inside a network. Firewalls can therefore also limit communication within a local network in accordance with the security concept. If communication from outside the facility is only supposed to be possible with a single device, the firewall can specifically permit this connection while all other attempts at communication are prevented. However, the demands placed on a firewall used within a network differ from those placed on a firewall between networks: devices in the same subnet exchange Ethernet frames directly, without passing through a router, so a routing IP firewall cannot be inserted into the path without re-addressing the network. A transparent layer 2 firewall, which bridges frames at the Ethernet level and filters them without having an IP address of its own, is required instead. Because the firewalls are implemented here at the field level, the application parameters (temperature, vibration, etc.), as well as the necessary approvals, must be taken into consideration.

Firewall in a WLAN

Communication from wireless to wired networks should also be controlled by firewalls. For example, the communication of a tablet, which is connected to a device via a WLAN can be limited so that it can only access data through the user interface, but not additional subsystems or other devices connected to it. If a client is integrated into a WLAN, it is possible, in principle, to communicate directly with all other devices in the same (sub)network. Thus, an attacker can extend a successful attack on a client that is connected to the WLAN to any other device on the Ethernet network. This problem can be solved by restricting the forwarding of messages between WLAN clients with a firewall at the WLAN access point. Here, too, there is a need for a transparent layer 2 firewall which can filter communication within a network (directly between the WLAN devices in a network). In order to do this, the firewall must be implemented directly at the access point. Industrially hardened devices are important here as well.
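The following is an added example, not code from the article or from Belden; it serves both the field-level section and the WLAN section above. It models the forwarding decision of a transparent layer 2 filter at an access point: frames are judged only by ingress port, MAC addresses and EtherType, so the hosts keep their existing IP addressing and the filter itself needs no IP address. WLAN-to-WLAN frames are dropped (client isolation), and a WLAN client may only reach the one wired device it is paired with, which is the tablet-to-HMI case from the text. The MAC addresses, port names and allowed pairs are constructed for the illustration.

```python
"""Added example (not from the original article): a transparent layer 2
filter with client isolation, as it might run on an industrial access point.
MAC addresses, port names and the policy below are constructed."""
from dataclasses import dataclass, field
from typing import FrozenSet, Set, Tuple

ETH_IPV4 = 0x0800
ETH_ARP = 0x0806
ETH_GOOSE = 0x88B8          # IEC 61850 GOOSE, shown here only as a blocked type
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    in_port: str            # "wlan" or "eth"
    src_mac: str
    dst_mac: str
    ethertype: int


@dataclass
class L2Policy:
    # (wlan client MAC, wired device MAC) pairs that are allowed to talk
    allowed_pairs: Set[Tuple[str, str]]
    allowed_ethertypes: FrozenSet[int] = frozenset({ETH_IPV4, ETH_ARP})
    client_isolation: bool = True   # drop WLAN client -> WLAN client frames


def decide(policy: L2Policy, frame: Frame, wlan_clients: Set[str]) -> Tuple[str, str]:
    """Return ("forward" | "drop", reason) for one frame.

    The access point bridges between its WLAN side and one wired port, so a
    frame is either crossing from WLAN to wired, from wired to WLAN, or
    (with isolation) trying to go from one WLAN client to another."""
    if frame.ethertype not in policy.allowed_ethertypes:
        return "drop", "ethertype not permitted"

    if frame.in_port == "wlan":
        if frame.src_mac not in wlan_clients:
            return "drop", "unknown wlan source"
        if frame.dst_mac in wlan_clients:
            # A compromised tablet must not be able to reach its peers.
            if policy.client_isolation:
                return "drop", "client isolation"
            return "forward", "wlan peer (isolation off)"
        if frame.dst_mac == BROADCAST:
            # ARP requests are the only broadcast a client needs to send.
            if frame.ethertype == ETH_ARP:
                return "forward", "arp request"
            return "drop", "broadcast from wlan"
        if (frame.src_mac, frame.dst_mac) in policy.allowed_pairs:
            return "forward", "allowed wlan -> wired pair"
        return "drop", "no rule for wlan -> wired pair"

    # wired -> WLAN: only the paired device may talk back to a client
    if frame.dst_mac == BROADCAST and frame.ethertype == ETH_ARP:
        return "forward", "arp request from wired side"
    if frame.dst_mac in wlan_clients and (frame.dst_mac, frame.src_mac) in policy.allowed_pairs:
        return "forward", "allowed wired -> wlan pair"
    return "drop", "wired -> wlan not permitted"


# Constructed devices (assumption): two tablets on the WLAN, an HMI and a
# PLC on the wired side. Only tablet 1 may reach the HMI.
TABLET1 = "aa:aa:aa:00:00:01"
TABLET2 = "aa:aa:aa:00:00:02"
HMI = "bb:bb:bb:00:00:10"
PLC = "bb:bb:bb:00:00:20"
WLAN_CLIENTS = {TABLET1, TABLET2}
POLICY = L2Policy(allowed_pairs={(TABLET1, HMI)})


if __name__ == "__main__":
    for f in [
        Frame("wlan", TABLET1, HMI, ETH_IPV4),       # forward
        Frame("wlan", TABLET1, PLC, ETH_IPV4),       # drop: no pair
        Frame("wlan", TABLET1, TABLET2, ETH_IPV4),   # drop: isolation
        Frame("eth", HMI, TABLET1, ETH_IPV4),        # forward: reply
        Frame("eth", PLC, TABLET1, ETH_IPV4),        # drop
        Frame("wlan", TABLET1, HMI, ETH_GOOSE),      # drop: ethertype
    ]:
        print(f.src_mac, "->", f.dst_mac, decide(POLICY, f, WLAN_CLIENTS))
```

Two caveats a practitioner would add: MAC addresses are trivially spoofed, so a layer 2 allowlist limits which conversations a compromised client can start, but it is not authentication; and because the filter is a bridge, a wired device that must answer a client's ARP request needs its reply (a unicast ARP frame to the client) to be covered by the same pair rule, which is why the wired-to-WLAN branch checks the pair rather than the EtherType.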

In addition, it can be practical to restrict communication to the desired patterns and communication relationships at all other points in the network. However, because firewalls can add transmission latency (delay) and reduce network throughput, a dedicated firewall is not always an option. In such cases, managed network switches can apply simpler stateless filtering rules in hardware. These rules are usually not referred to as firewall rules, but as access control lists (ACLs). ACLs are suited to any situation where rapid filtering must take place within a network, with the caveat that, lacking connection state, they judge every packet in isolation.
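The following is an added example, not code from the article or from Belden. It shows the practical difference between a stateless ACL on a switch and a stateful firewall for the same policy, "the historian may poll the PLC over Modbus/TCP": the ACL must permit any packet from the PLC's port 502 to the historian's ephemeral port range so that replies get through, and thereby also admits unsolicited packets that match that pattern, whereas a connection-tracking filter only admits replies to flows it has seen opened. Hosts, ports and the packet sequence are constructed for the illustration.

```python
"""Added example (not from the original article): one policy expressed as a
stateless ACL and as a stateful filter, applied to the same packets.
Hosts, ports and packets are constructed for the illustration."""
from dataclasses import dataclass
from typing import List, Set, Tuple

HISTORIAN = "192.168.1.20"   # office side, initiates the polling
PLC = "10.10.0.20"           # cell side, only ever answers
MODBUS = 502


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False        # True for the TCP segment that opens a connection


def acl_allows(p: Pkt) -> bool:
    """Stateless ACL: each packet is judged on its own header fields.
    Line 2 exists only so that the PLC's replies get back out, but it cannot
    tell a reply from an unsolicited packet that merely uses source port 502."""
    if p.src == HISTORIAN and p.dst == PLC and p.dport == MODBUS:
        return True
    if p.src == PLC and p.sport == MODBUS and p.dst == HISTORIAN and p.dport >= 1024:
        return True
    return False


class StatefulFilter:
    """Connection tracking: only the historian may open a flow to PLC:502,
    and the PLC's packets are admitted solely as replies to such a flow."""

    def __init__(self) -> None:
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def allows(self, p: Pkt) -> bool:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.flows or reverse in self.flows:
            return True                     # part of an established flow
        if p.syn and p.src == HISTORIAN and p.dst == PLC and p.dport == MODBUS:
            self.flows.add(forward)         # historian opens a new session
            return True
        return False                        # everything else, including
                                            # "replies" to flows never opened


def compare(packets: List[Pkt]) -> List[Tuple[bool, bool]]:
    """Return (acl_decision, stateful_decision) for each packet in order."""
    sf = StatefulFilter()
    return [(acl_allows(p), sf.allows(p)) for p in packets]


# Constructed sequence: a legitimate poll and its reply, then a packet from
# the PLC that no session asked for (e.g. a compromised PLC scanning the
# historian, using source port 502 to slip past the ACL).
SCENARIO = [
    Pkt(HISTORIAN, 40000, PLC, MODBUS, syn=True),   # open session
    Pkt(PLC, MODBUS, HISTORIAN, 40000),             # reply to it
    Pkt(PLC, MODBUS, HISTORIAN, 45000),             # unsolicited
    Pkt(PLC, 40001, HISTORIAN, 22),                 # PLC tries SSH to historian
]

if __name__ == "__main__":
    for p, (acl, stateful) in zip(SCENARIO, compare(SCENARIO)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  ACL={acl}  stateful={stateful}")
```

The third packet is the one that matters: the ACL passes it because its header matches the "reply" line, while the stateful filter drops it because no historian session exists on port 45000. A real connection tracker also ages flows out and checks TCP flags and sequence numbers, which this sketch omits; the point is only what an ACL can and cannot know.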

