24 Rockwell Automation Publication 1783-UM010C-EN-P - June 2019
Chapter 2 Industrial Firewall Use Cases
Figure 7 shows how the security zones depicted can be applied to the CPwE
network architecture to create DMZs and other types of segmentation.
Figure 7 - Security Zones within CPwE Architecture
Firewalls are normally positioned either as a node, where the network splits
into multiple paths, or inline with one network path. In routed networks, the
firewall usually resides at the location immediately before traffic enters the
router. Most firewalls provide routing and, in some network designs, the
firewall acts as both the firewall and the router.
Most firewalls inspect the following elements of a packet:
• Source MAC or IP address
• Destination MAC or IP address
• Source TCP or UDP Port
• Destination TCP or UDP Port
• Protocol - Layer 2, 3, 4, or 7
Firewalls that inspect these elements of a packet are commonly known as five-tuple firewalls. Firewall rules are typically written in terms of these five elements, and the firewall is configured to permit or deny ingress and egress traffic based on those five-tuple rules.
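The following is an added example, not code from the manual or from Rockwell Automation, showing how a five-tuple rule base of the kind just described is evaluated: each rule matches on source and destination address, protocol and source and destination port, the first matching rule decides, and a packet that matches nothing is dropped (implicit deny). The zone addresses (10.10.0.0/24 for a Cell/Area Zone, 10.20.0.0/24 for an engineering network), the sample packets, and the rule set are constructed for the illustration; the example matches on IP addresses only, not MAC addresses. The EtherNet/IP ports used (TCP 44818 for explicit messaging, UDP 2222 for implicit I/O) are the standard assignments for that protocol.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]  # None means "any port"; otherwise an inclusive range


@dataclass(frozen=True)
class Packet:
    """Five-tuple of one packet as seen by the firewall (IP addresses, not MAC)."""
    src_ip: str
    dst_ip: str
    proto: str               # "tcp", "udp" or "icmp"
    src_port: Optional[int]  # None for protocols without ports (icmp)
    dst_port: Optional[int]


@dataclass(frozen=True)
class Rule:
    """One five-tuple rule. A field left at its default matches everything."""
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"      # CIDR for the source address
    dst: str = "0.0.0.0/0"      # CIDR for the destination address
    proto: str = "any"
    src_port: PortRange = None
    dst_port: PortRange = None

    @staticmethod
    def _port_ok(spec: PortRange, port: Optional[int]) -> bool:
        if spec is None:
            return True
        if port is None:        # rule requires a port but the packet has none
            return False
        return spec[0] <= port <= spec[1]

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src_ip) in ip_network(self.src, strict=False)
            and ip_address(pkt.dst_ip) in ip_network(self.dst, strict=False)
            and (self.proto == "any" or self.proto == pkt.proto)
            and self._port_ok(self.src_port, pkt.src_port)
            and self._port_ok(self.dst_port, pkt.dst_port)
        )


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches no rule is denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implicit deny


# Constructed example zones (not addresses from the manual): Cell/Area Zone is
# 10.10.0.0/24, the engineering network in the Industrial Zone is 10.20.0.0/24.
RULES = [
    # One engineering workstation may open EtherNet/IP explicit-messaging
    # sessions (TCP 44818) to devices in the cell.
    Rule("permit", src="10.20.0.5/32", dst="10.10.0.0/24", proto="tcp", dst_port=(44818, 44818)),
    # Controllers and I/O inside the cell exchange implicit I/O (UDP 2222).
    Rule("permit", src="10.10.0.0/24", dst="10.10.0.0/24", proto="udp", dst_port=(2222, 2222)),
    # Nothing else from the engineering network reaches the cell.
    Rule("deny", src="10.20.0.0/24", dst="10.10.0.0/24"),
]

# Constructed sample packets, one per case worth checking.
SAMPLE_PACKETS = [
    Packet("10.20.0.5", "10.10.0.20", "tcp", 51000, 44818),  # permit: explicit messaging from the workstation
    Packet("10.20.0.9", "10.10.0.20", "tcp", 51001, 44818),  # deny: another host on the engineering network
    Packet("10.20.0.5", "10.10.0.20", "tcp", 51002, 80),     # deny: right host, wrong destination port
    Packet("10.10.0.20", "10.10.0.21", "udp", 2222, 2222),   # permit: implicit I/O within the cell
    Packet("10.10.0.20", "10.10.0.21", "icmp", None, None),  # deny: no rule matches, implicit deny
]


def decisions(rules: List[Rule] = RULES, packets: List[Packet] = SAMPLE_PACKETS) -> List[str]:
    """Return the verdict for each packet in order."""
    return [evaluate(rules, p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, decisions()):
        print(f"{verdict:6} {pkt.proto:4} {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
```

Rule order matters: because evaluation stops at the first match, the broad deny for the engineering network has to come after the narrow permit, and the trailing implicit deny is what catches traffic such as the ICMP packet that no rule mentions. A rule base like this can only reason about addresses, protocol number and ports; it cannot tell a well-formed EtherNet/IP session on port 44818 from arbitrary bytes sent to that port, which is the gap the following section on DPI addresses.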
A firewall can inspect traffic for conformance with proper protocol behavior
and drop non-compliant traffic, but the firewall does not have deep knowledge
of the protocol. To inspect and make permit-and-deny decisions at the
protocol level, deep packet inspection (DPI) capabilities are needed. These
DPI capabilities are discussed in the following section.