
Allen-Bradley Stratix 5950 - Chapter 7 CIP Inspection; CIP Preprocessor

Rockwell Automation Publication 1783-UM010C-EN-P - June 2019 87
Chapter 7
CIP Inspection
CIP Preprocessor
The ASA FirePOWER module and its Network Analysis Policy rules engine have
a software component called a preprocessor. The preprocessor is responsible
for interpreting the packet before the rules engine handles it. The IFW has
a CIP™ preprocessor that interprets the CIP protocol, which allows the
system administrator to author policy rules related to CIP protocol actions.
Common Industrial Protocol (CIP) is an open protocol that encompasses a
comprehensive suite of messages and services for industrial automation
applications. CIP is used to communicate with ControlLogix processors and I/O
subsystems for control, process control, safety, motion control, real-time
information and network management. The IFW with the CIP preprocessor
can inspect a packet that contains the CIP protocol and determine whether
to permit or deny the traffic based on the preconfigured policy rules.
Two types of CIP DPI rule categories have been added to the IFW:
• CIP Generic - related to the open CIP standard
• Rockwell Automation specific CIP - CIP protocol extensions specific to
  Rockwell Automation products
The CIP open standards define a generic set of commands in the CIP protocol.
The IFW defines security policies as they relate to the CIP open standard. The
supported CIP generic rules are listed in Table 7.
IMPORTANT: For any CIP Access Control Policy or CIP Intrusion Policy to work
properly, the Network Analysis Policy must be properly configured to
inspect CIP traffic. See the relevant section in Configure the Security
Appliance.
Table 7 - CIP Generic Rules

| CIP Generic Rule | Description |
|---|---|
| CIP Admin | ODVA-specified commands that change the state of a device. |
| CIP Infrastructure | ODVA-specified commands that are core functions. For example, setting up sessions and connections. |
| CIP Malformed | Malformed data according to specification. |
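
The kind of interpretation a CIP preprocessor has to do before a rule can match, shown as an added example (not code from this manual or from Rockwell Automation). The EtherNet/IP encapsulation layout follows the ODVA specification; the mapping of service codes to the Table 7 categories, the "Uncategorized" label and the function names are assumptions for illustration, not the IFW's rule definitions.

```python
import struct

# EtherNet/IP encapsulation commands and item type (ODVA specification)
REGISTER_SESSION, UNREGISTER_SESSION, SEND_RR_DATA = 0x0065, 0x0066, 0x006F
UNCONNECTED_DATA_ITEM = 0x00B2
# Assumed mapping of CIP request services to categories (not the product's rules):
# Reset, Start, Stop change device state; Forward_Open/Forward_Close manage connections
SERVICE_CATEGORY = {0x05: "CIP Admin", 0x06: "CIP Admin", 0x07: "CIP Admin",
                    0x54: "CIP Infrastructure", 0x4E: "CIP Infrastructure"}

def encap(command, body):
    """Build a constructed sample frame: 24-byte encapsulation header + body."""
    return struct.pack("<HHII8sI", command, len(body), 0, 0, b"\0" * 8, 0) + body

def rr_data(cip):
    """Wrap a CIP request in SendRRData: null address item + unconnected data item."""
    return (struct.pack("<IHHHH", 0, 10, 2, 0, 0)
            + struct.pack("<HH", UNCONNECTED_DATA_ITEM, len(cip)) + cip)

def classify(frame):
    """Return a Table 7 style category for one EtherNet/IP TCP payload."""
    if len(frame) < 24:
        return "CIP Malformed"
    command, length = struct.unpack_from("<HH", frame, 0)
    body = frame[24:]
    if length != len(body):  # declared length must match the bytes present
        return "CIP Malformed"
    if command in (REGISTER_SESSION, UNREGISTER_SESSION):
        return "CIP Infrastructure"
    if command != SEND_RR_DATA:
        return "Uncategorized"
    if len(body) < 8:  # interface handle (4), timeout (2), item count (2)
        return "CIP Malformed"
    count, offset = struct.unpack_from("<H", body, 6)[0], 8
    for _ in range(count):
        if offset + 4 > len(body):
            return "CIP Malformed"
        item_type, item_len = struct.unpack_from("<HH", body, offset)
        item = body[offset + 4:offset + 4 + item_len]
        offset += 4 + item_len
        if len(item) != item_len:  # item runs past the end of the frame
            return "CIP Malformed"
        if item_type == UNCONNECTED_DATA_ITEM and item and item[0] in SERVICE_CATEGORY:
            return SERVICE_CATEGORY[item[0]]
    return "Uncategorized"

# Constructed samples: Reset request to the Identity object, and a session setup
RESET = encap(SEND_RR_DATA, rr_data(bytes([0x05, 0x02, 0x20, 0x01, 0x24, 0x01])))
REGISTER = encap(REGISTER_SESSION, struct.pack("<HH", 1, 0))
```

Malformed handling comes first on purpose: a frame whose declared lengths disagree with the bytes present is categorized before any service code is trusted.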
