96 Rockwell Automation Publication 1783-UM010C-EN-P - June 2019
Chapter 8 Firewall Modes
Deployment Recommendations
Placement and deployment of the IFW depends on the desired function of the
device in the industrial network. When you place the IFW inline with traffic
flow, you can monitor the traffic and/or take desired actions, such as blocking.
If you place the IFW outside of the traffic flow, you can only monitor the
traffic.
Regardless of where the IFW is placed, Cisco and Rockwell Automation
recommend configuring the device in monitor-only (IDS) mode during the
initial deployment stages. This strategy allows applications, endpoints, and
other communication on the network to be monitored over time. IPS
policies can then be crafted that have the desired effect on targeted
traffic without inadvertently affecting other traffic. Once the network traffic is
characterized and the policies are tested, an IFW, deployed inline, can be
placed into its normal (IPS) mode, which helps protect the network. If the risk
of inadvertent effects on network traffic outweighs the benefits of IPS for a
particular deployment, the IFW can be placed as a passive listener. However,
the IFW must be physically relocated to be inline with the network segment if
an IPS function is desired in the future.
When placed inline, the IFW can be deployed in transparent or routed mode.
Cisco and Rockwell Automation generally recommend deploying the IFW in
transparent mode (default) unless routing functionality is needed.
In summary, the deployment recommendations for the IFW are:
• Inline transparent mode - deployments where the ability to help protect
the network outweighs the risk of legitimate traffic being affected by potential
‘false positives’. Always place the IFW in monitor-only mode during the initial
deployment, then transition to full IPS mode during a maintenance
window.
• Inline routed mode - same as transparent mode, but deployments where
routing functionality is also required.
• Passive monitor-only mode - deployments where uninterrupted
connectivity is more important than active network protection. The
IFW remains in monitor-only mode with no possibility of running in
full IPS mode unless it is moved to be inline in the network segment.
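The following is an added illustration, not code from Rockwell Automation, Cisco or the IFW itself: a small Python model of the three deployment modes summarized above and of the staged rollout the manual recommends. The traffic, rule names, port numbers and IP addresses are constructed for the example (port 44818 is the well-known EtherNet/IP port; the rest are assumptions). It shows why monitor-only mode is the safe first stage: every rule still fires and is logged, so the number of packets that IPS mode *would* have dropped can be reviewed against the characterized traffic before enforcement is switched on, and it shows that a passive (out-of-path) IFW cannot be promoted to IPS mode without being relocated inline.

```python
"""Toy model of IFW deployment modes (added example, not vendor code)."""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    PASSIVE = "passive"        # off the traffic path: can only observe a copy
    MONITOR_ONLY = "ids"       # inline, alerts on matches but forwards everything
    IPS = "ips"                # inline, drops traffic matched by block rules


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dport: int
    action: str   # "block" or "alert"


@dataclass
class Firewall:
    mode: Mode
    rules: list
    alerts: list = field(default_factory=list)
    seen: Counter = field(default_factory=Counter)   # traffic characterization

    def process(self, pkt):
        """Return the verdict for one packet: 'observed', 'forwarded' or 'blocked'.

        Only an inline IPS can return 'blocked'. Monitor-only mode still records
        every rule hit, so the rule set can be tuned before it is enforced.
        """
        self.seen[(pkt.proto, pkt.dport)] += 1
        hits = [r for r in self.rules if r.proto == pkt.proto and r.dport == pkt.dport]
        for r in hits:
            self.alerts.append((r.name, r.action, pkt.src, pkt.dst))
        if self.mode is Mode.PASSIVE:
            return "observed"            # original flow never passes through the IFW
        if self.mode is Mode.IPS and any(r.action == "block" for r in hits):
            return "blocked"
        return "forwarded"

    def would_block(self):
        """Alerts that block rules would have turned into drops in IPS mode."""
        return sum(1 for _, action, _, _ in self.alerts if action == "block")

    def can_enforce(self):
        """Only an inline device can ever be placed into IPS mode."""
        return self.mode is not Mode.PASSIVE

    def to_ips(self):
        """The 'maintenance window' transition from monitor-only to full IPS."""
        if not self.can_enforce():
            raise ValueError("passive IFW is not in the traffic path; relocate it inline first")
        self.mode = Mode.IPS


def run(fw, traffic):
    """Process a traffic sample and tally the verdicts."""
    return Counter(fw.process(p) for p in traffic)


def staged_deployment(rules, baseline, live):
    """Monitor-only first, then IPS once the baseline review shows no collateral blocking."""
    fw = Firewall(Mode.MONITOR_ONLY, rules)
    monitor = run(fw, baseline)   # nothing is dropped in this phase
    fw.to_ips()
    enforced = run(fw, live)
    return monitor, enforced


# Constructed sample traffic for one cell/area zone (assumed addresses).
TRAFFIC = [
    Packet("10.0.1.10", "10.0.1.20", "cip", 44818),    # controller to HMI, expected
    Packet("10.0.1.10", "10.0.1.20", "cip", 44818),
    Packet("10.0.1.30", "10.0.1.20", "http", 80),      # engineering workstation
    Packet("10.0.9.99", "10.0.1.20", "telnet", 23),    # not expected in this zone
]

# Constructed policy: one alert-only rule, one block rule (assumed names).
RULES = [
    Rule("alert-http-to-hmi", "http", 80, "alert"),
    Rule("block-telnet", "telnet", 23, "block"),
]

if __name__ == "__main__":
    monitor, enforced = staged_deployment(RULES, TRAFFIC, TRAFFIC)
    print("monitor-only:", dict(monitor))
    print("ips:", dict(enforced))
```

During the monitor-only phase, `would_block()` is the figure to review against the characterized traffic in `seen`: if it counts packets that belong to legitimate applications, the block rules are tuned before `to_ips()` is called, which is exactly the ordering the recommendations above describe.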