Rockwell Automation Publication 1783-UM010C-EN-P - June 2019 31
Industrial Firewall Use Cases Chapter 2
Cell/Area Zone Monitoring
The cell/area zone monitoring mode use case in Figure 11 monitors traffic
without placing the IFW directly inline with a controller, skid, machine, or
cell/area zone of interest. The IFW is connected to a switch that has visibility
of the traffic to be monitored. A SPAN session or port mirror is created on
that switch to send the traffic of interest to the IFW.
Figure 11 - Industrial Firewall Placement for Cell/Area Zone Monitoring
The Passive Monitor Mode architecture with CIP™ DPI is not recommended
for monitoring and logging CIP connections. When OpenAppID rules are
used with the FirePOWER module, the first packet that matches the CIP
access control policy is logged as an event and the CIP connection it belongs
to is noted. Subsequent packets that match the access control policy and carry
the same connection ID are not sent to the log. For this reason, passive monitor
mode with the CIP protocol is not recommended.
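As an added illustration that is not part of the Rockwell publication, the Python model below reproduces the logging behaviour described above on constructed sample traffic, so the designer can see which CIP events on an already-noted connection never reach the log. The packet fields, the service codes chosen for the sample, the policy and the host names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CipPacket:
    """Minimal model of one CIP connected message seen on the SPAN port (constructed, not a parser)."""
    seq: int            # position in the mirrored stream
    connection_id: int  # CIP connection ID from the Connected Address Item
    service: int        # CIP service code, e.g. 0x0E Get_Attribute_Single
    origin: str         # source host, used only for the log line


SERVICE_NAMES = {0x0E: "Get_Attribute_Single", 0x10: "Set_Attribute_Single", 0x05: "Reset"}

# Assumed access control policy: log writes and resets.
WRITE_OR_RESET = frozenset({0x10, 0x05})

# Constructed sample: connection 0x1001 carries a read, two writes and a Reset;
# connection 0x2002 only reads.
SAMPLE_TRAFFIC = [
    CipPacket(1, 0x1001, 0x0E, "hmi-1"),
    CipPacket(2, 0x1001, 0x10, "hmi-1"),
    CipPacket(3, 0x2002, 0x0E, "hist-1"),
    CipPacket(4, 0x1001, 0x10, "hmi-1"),
    CipPacket(5, 0x1001, 0x05, "hmi-1"),
]


def log_passive_monitor(packets, policy):
    """Model of passive monitor mode with CIP DPI as the manual describes it: the first
    packet matching the policy is logged and its connection ID noted; later matches
    on the same connection ID are not logged."""
    logged, noted = [], set()
    for p in packets:
        if p.service in policy and p.connection_id not in noted:
            noted.add(p.connection_id)
            logged.append(p)
    return logged


def log_every_match(packets, policy):
    """Per-packet logging, the reference the passive log is compared against."""
    return [p for p in packets if p.service in policy]


def missed_by_passive_monitor(packets, policy):
    """Policy-matching packets that never reach the log in passive monitor mode."""
    seen = {p.seq for p in log_passive_monitor(packets, policy)}
    return [p for p in log_every_match(packets, policy) if p.seq not in seen]


def format_log(packets):
    return ["conn=0x%04X %s from %s" % (p.connection_id,
            SERVICE_NAMES.get(p.service, hex(p.service)), p.origin) for p in packets]


if __name__ == "__main__":
    for line in format_log(log_passive_monitor(SAMPLE_TRAFFIC, WRITE_OR_RESET)):
        print("passive log:", line)
    for line in format_log(missed_by_passive_monitor(SAMPLE_TRAFFIC, WRITE_OR_RESET)):
        print("never logged:", line)
```

On the sample, the passive log holds only the first write on connection 0x1001; the second write and the Reset on that connection are never logged, which is the gap the recommendation above refers to.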
Considerations
Before implementing the IFW in passive monitor-only mode, we
recommend that the designer understand and document:
• Ingress and egress traffic volume
• Hardware bypass is not applicable in passive monitor-only mode,
since the IFW is not placed inline.