Allen-Bradley Stratix 5950 - Rockwell Automation Publication 1783-UM010 C-EN-P

To Next Page

To Previous Page

98 Rockwell Automation Publication 1783-UM010C-EN-P - June 2019

Chapter 8 Firewall Modes

Considerations

Before implementing the IFW in a machine/skid protection architecture, it is

recommended that the designer understands and documents the following.

• Ingress and egress traffic source and destination host communications.

For example, IP addresses of controllers, HMI, engineering

workstations, and all communications that enter or leave the

machine/skid must be known so firewall and DPI security policies can

be configured.

• Ingress and egress traffic source and destination protocols must be

known to configure the firewall and DPI rules.

• Ingress and egress traffic volume.

• Redundancy and availability requirements. For example, when

considering high availability, one must regard the security

considerations while in hardware bypass mode.

Main Page

Default Chapter3
- Table of Contents3
- Additional Resources8
Preface8
- Summary of Changes8
About the Security Appliance11
Chapter 1 Overview11
- Hardware Features12
  - Status Indicators15
- Installation of the Security Appliance16
- Express Setup Button16
- Power Supply17
- Small Form Factor Pluggable (SFP) Modules17
- Memory and Storage17
- SD Card17
- USB Ports17
- Management Ethernet Port18
- Console Port18
- Alarm Ports19
- Power Supply19
  - CLI Commands19
- Temperature Sensor20
- Software Features20
Chapter 2 Industrial Firewall Technology Overview21
- Logical Framework23
- Network Protection (Adaptive Security Appliance)23
- Intrusion Prevention and Detection (Firepower)25
- Machine/Skid Protection25
  - Transparent Mode25
- Routed Mode26
  - Nat26
  - Considerations26
- Redundant Star Cell/Area Zone Protection28
  - Considerations28
- Ring Cell/Area Zone Protection29
  - Considerations30
- Cell/Area Zone Monitoring31
  - Considerations31
- Time Synchronization32
Industrial Firewall Use Cases21
Configure the Security Appliance37
Chapter 3 Configure the Security Appliance Prerequisites38
- Device Setup39
- Configure a Test Policy to Block CIP Administrative Traffic53
- Configure Precision Time Protocol (PTP)71
Prerequisites38
- Ethernet Devices38
Chapter 4 Status Indicators73
Chapter 575
- Firesight Management Center75
- Cisco Security Manager (CSM)77
- Management Recommendations79
- Integration of New Firewalls79
- Centralized Management80
Overview75
Chapter 6 Power Failure of the System81
- Enable the Hardware Bypass by Using CLI Commands81
  - Default State of the Hardware Bypass82
- ASA CLI Commands for Hardware Bypass82
- Limitations of Hardware Bypass83
  - Hardware Bypass CLI83
Chapter 7 CIP Preprocessor87
- CIP Access Control Policies88
- CIP Access Control Policy Rule Limitations89
- CIP Intrusion Policies90
Chapter 8 Industrial Firewall Deployment Considerations92
- Inline Transparent Mode92
- Inline Transparent Monitor-Only Mode94
- Inline Routed Mode95
- Passive Monitor-Only Mode95
- Deployment Recommendations96
- Industrial Firewall Use Cases97
Chapter 9 Updating ASDM Software103
- Updating ASA Software107
- Back up Controls License111
- Install the SFR 6.4.0 Update111
Updating the Device103
Chapter 10 Obtain the Current Running Software Versions117
- Reset the Device to Factory Defaults118
Troubleshoot117
Glossary125
Index127

Allen-Bradley Stratix 5950 - Rockwell Automation Publication 1783-UM010 C-EN-P - June

Table of Contents