30 Rockwell Automation Publication 1783-UM010C-EN-P - June 2019
Chapter 2 Industrial Firewall Use Cases
Considerations
Before implementing the IFW in a ring cell/area zone protection architecture, it is recommended that the designer understand and document the following:
• Ingress and egress traffic source and destination host communications. For example, the IP addresses of controllers, HMIs, engineering workstations, and all communications that enter or leave the machine/skid must be known so that the firewall and DPI security policies can be configured.
• Ingress and egress traffic source and destination protocols. These must be known to configure the firewall and DPI rules.
• Ingress and egress traffic volume (refer to the performance subsections within the Industrial Firewall Deployment Considerations section).
• Redundancy and availability requirements. In this use case, the ports are configured for Layer 3 EtherChannel.
• Hardware bypass is supported when the IFW is placed inline with a Layer 3 link.
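The first two considerations amount to an inventory exercise: every host and protocol that crosses the cell/area zone boundary has to be written down before a firewall or DPI rule can be justified. The script below is an added example (not code from the publication or from Rockwell Automation) that shows one way to do that from exported flow records. The zone subnet, asset list, flow records and declared communications are all constructed for illustration, and the ACL-style rule text it emits is a generic notation rather than the IFW's own configuration syntax.

```python
"""Build the ingress/egress communications inventory for a cell/area zone.

Added example. All addresses, assets, flows and the declared allow-list are
constructed for illustration; the emitted rule text is generic ACL notation,
not the IFW's configuration language.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed cell/area zone subnet
ZONE = ip_network("10.20.30.0/24")

# Constructed asset inventory for the zone (address -> role)
ASSETS = {
    "10.20.30.10": "controller",
    "10.20.30.20": "HMI",
    "10.20.30.30": "engineering workstation",
}

# Well-known industrial ports used to label protocols in the inventory
PROTOCOL_NAMES = {
    ("tcp", 44818): "EtherNet/IP (CIP explicit messaging)",
    ("udp", 2222): "EtherNet/IP (CIP implicit I/O)",
    ("udp", 514): "syslog",
    ("tcp", 445): "SMB",
    ("tcp", 3389): "RDP",
}

# Constructed flow records (src, dst, proto, dst_port), as a NetFlow-style
# export from a capture point on the zone boundary would provide.
SAMPLE_FLOWS = [
    ("10.20.30.20", "10.20.30.10", "tcp", 44818),  # HMI -> controller, stays in zone
    ("10.20.1.50", "10.20.30.10", "tcp", 44818),   # plant server -> controller, ingress
    ("10.20.30.30", "10.20.30.10", "tcp", 44818),  # EWS -> controller, stays in zone
    ("10.20.30.10", "10.20.1.60", "udp", 514),     # controller -> syslog collector, egress
    ("10.20.30.30", "10.20.1.70", "tcp", 445),     # EWS -> file share, egress
    ("10.20.1.80", "10.20.30.20", "tcp", 3389),    # remote desktop into HMI, ingress
]

# Communications the designer has already documented as required to cross
# the zone boundary (constructed).
DECLARED = {
    ("10.20.1.50", "10.20.30.10", "tcp", 44818),
    ("10.20.30.10", "10.20.1.60", "udp", 514),
}


def classify(flow):
    """Return 'intra-zone', 'ingress', 'egress' or 'transit' for one flow."""
    src, dst, _proto, _port = flow
    src_in = ip_address(src) in ZONE
    dst_in = ip_address(dst) in ZONE
    if src_in and dst_in:
        return "intra-zone"
    if dst_in:
        return "ingress"
    if src_in:
        return "egress"
    return "transit"


def build_inventory(flows):
    """Group flows by direction; the ingress/egress buckets are what the
    firewall and DPI policies must account for."""
    inventory = defaultdict(set)
    for flow in flows:
        inventory[classify(flow)].add(flow)
    return {direction: sorted(members) for direction, members in inventory.items()}


def undeclared_boundary_flows(flows, declared):
    """Boundary-crossing flows that nobody documented. Each one needs a
    decision (add to the design or block it) before rules are written."""
    return sorted(
        flow for flow in flows
        if classify(flow) in ("ingress", "egress") and flow not in declared
    )


def describe(flow):
    """Human-readable inventory line using the asset and protocol tables."""
    src, dst, proto, port = flow
    proto_name = PROTOCOL_NAMES.get((proto, port), f"{proto}/{port}")
    return (f"{ASSETS.get(src, src)} -> {ASSETS.get(dst, dst)}: "
            f"{proto_name} ({classify(flow)})")


def to_rule(flow, action="permit"):
    """Generic ACL-style rule text for a declared flow (notation is an assumption)."""
    src, dst, proto, port = flow
    return f"{action} {proto} host {src} host {dst} eq {port}"


if __name__ == "__main__":
    for direction, members in build_inventory(SAMPLE_FLOWS).items():
        print(f"== {direction} ==")
        for flow in members:
            print("  " + describe(flow))
    print("== undeclared boundary flows (review before writing rules) ==")
    for flow in undeclared_boundary_flows(SAMPLE_FLOWS, DECLARED):
        print("  " + describe(flow))
    print("== rules for declared flows ==")
    for flow in sorted(DECLARED):
        print("  " + to_rule(flow))
```

Run against a real flow export, the undeclared list is the useful output: in the constructed data it surfaces the SMB and RDP sessions that were never part of the documented design, which is exactly the kind of traffic that should be decided on before the firewall and DPI policies are finalised rather than discovered as a blocked connection after cutover.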
IMPORTANT While it is a valid use case, the ring cell/area zone protection implementation with the IFW as described in this section is not recommended because of the architectural limitations of this deployment. Active/standby pairing of the IFWs is not supported in this use case, so when one IFW is disrupted, its connection state information is lost. Any persistent connections that were established through the disrupted IFW must first expire and then be re-established through the remaining IFW, which results in significant communication downtime.