Rockwell Automation Publication 1783-UM010C-EN-P - June 2019 101
Firewall Modes Chapter 8
Figure 28 - Industrial Firewall Placement for Ring Cell/Area Zone Protection
In this configuration, the IFWs do not act as an active/standby firewall pair;
they simply provide firewall and, possibly, DPI functionality at both
ingress points of the network ring.
Considerations
Before implementing the IFW in a ring cell/area zone protection architecture,
it is recommended that the designer understand and document:
• Ingress and egress traffic source and destination host communications.
For example, IP addresses of controllers, HMI, engineering
workstations, and all communications that enter or leave the
machine/skid must be known so firewall and DPI security policies can
be configured.
• Ingress and egress traffic source and destination protocols must be
known to configure the firewall and DPI rules.
• Ingress and egress traffic volume.
• Redundancy and availability requirements. In this use case, the ports are
configured for Layer 3 EtherChannel. Hardware bypass is not available
in this architecture.
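The host, protocol and volume inventory that the first three considerations call for can be assembled from flow records captured at the zone boundary. The Python sketch below is an added example, not part of the Rockwell Automation publication; the zone subnet, addresses, ports and byte counts are constructed sample values, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample values (not from the publication): the cell/area zone
# subnet and flow records as (src, dst, protocol, destination port, bytes).
ZONE = ipaddress.ip_network("10.10.20.0/24")
SAMPLE_FLOWS = [
    ("10.10.10.5", "10.10.20.11", "tcp", 44818, 18_000),  # workstation -> controller
    ("10.10.10.5", "10.10.20.11", "tcp", 44818, 22_000),
    ("10.10.20.11", "10.10.10.9", "udp", 2222, 640_000),  # controller -> remote peer
    ("10.10.20.30", "10.10.10.20", "tcp", 443, 5_000),    # HMI -> plant server
    ("10.10.20.11", "10.10.20.30", "tcp", 44818, 9_000),  # both ends inside the ring
]


def direction(src, dst, zone=ZONE):
    """Classify a flow relative to the zone boundary where the IFWs sit."""
    s_in = ipaddress.ip_address(src) in zone
    d_in = ipaddress.ip_address(dst) in zone
    if s_in and d_in:
        return "internal"   # does not cross the zone boundary
    if d_in:
        return "ingress"
    if s_in:
        return "egress"
    return "transit"        # neither end in the zone: unexpected, investigate


def build_matrix(flows, zone=ZONE):
    """Aggregate boundary-crossing flows into rows keyed by
    (direction, src, dst, proto, port) with flow count and total bytes."""
    rows = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for src, dst, proto, dport, nbytes in flows:
        d = direction(src, dst, zone)
        if d == "internal":
            continue        # no boundary rule needed for this flow
        key = (d, src, dst, proto, dport)
        rows[key]["flows"] += 1
        rows[key]["bytes"] += nbytes
    return dict(rows)


if __name__ == "__main__":
    for (d, src, dst, proto, port), v in sorted(build_matrix(SAMPLE_FLOWS).items()):
        print(f"{d:8} {src:>12} -> {dst:<12} {proto}/{port:<6} "
              f"flows={v['flows']} bytes={v['bytes']}")
```

Each output row is one candidate firewall or DPI rule, and the byte totals give the per-conversation volume to document alongside it.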