Firewalls: vital for a successful security model
Tobias Heer, Oliver Kleineberg and Jeff Lund discuss firewalls – what they are and what they do.
Firewalls are essential for ensuring network security and increasing system robustness and resiliency. No sound security model can do without them. There are a variety of firewall devices, each with different technical characteristics, hardware features and industry approvals.
Firewalls protect networks and devices, such as industrial PCs, control systems and cameras, from unauthorised access by preventing network traffic to or from these systems. As a core element of network segmentation, firewalls play a critical role in any network security strategy.
At a high level, the goal of a firewall is to secure the link between a company network and industrial network to protect against external threats; separate devices within the network from each other to prevent internal issues from spreading; and permit only certain communications between devices to protect against malicious attacks and device or operator errors.
On a technical level, a firewall’s function is to filter packets. It inspects each packet, checks whether it corresponds to an approved traffic pattern, and then forwards or discards it according to the rule it matches. As an example, rules can include:
• Communication from within the network can only take place with a specified server on the outside.
• Only PCs used for remote maintenance can be reached from outside the network.
• Write-commands for the Modbus/TCP protocol are only permitted from the maintenance terminal.
There are two primary security methods that use firewalls to protect the network. These strategies work together and complement each other for a holistic approach to network security.
1. A Zones and Conduits approach limits communication between participants in internal networks, and blocks various network areas from each other. This adds additional defence layers to build a more resilient network in case one area is compromised.
2. A Defence in Depth approach provides multiple layers of defence, in contrast to just one defence mechanism, like a single firewall. This design deters attacks against networks through a set of layered defences so an attacker must defeat multiple security levels.
There are two broad firewall categories – host and network firewalls. Host firewalls are installed on a computer or are provided by the operating system as a software feature. Network firewalls are devices that are specifically developed for use as a firewall, and are placed in the network rather than on a PC. Network firewalls are important security elements for industrial facilities when dealing with multiple networks or when wired and wireless technologies are combined. For example, a network firewall that is placed at the network perimeter establishes the first line of defence against attacks and only allows desired traffic into and out of the network.
Three main types of firewall mechanisms offer different levels of packet filtering:
Stateless firewalls – Communication between devices occurs in various phases, or states. The communication relationship is usually initiated in a first phase, active communication is conducted in a second phase, and the connection is ended in the third phase. Stateless firewalls only determine which individual devices or applications may communicate with one another; they cannot determine whether the communication follows normal procedures, nor recognise and prevent attacks resulting from abnormal behaviour. Stateless firewalls are often characterised by very high throughput performance. However, they will not protect against erroneous or spoofed communication requests to which some devices may be susceptible.
Stateful firewalls – Stateful, or state-aware, firewalls monitor the communication process and use the recorded information as an additional decision metric for packet filtering. Attacks that attempt to communicate over established connections can often be recognised and prevented, as can attacks that use specific communication patterns to overload a system.
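The difference between the two filter types above, as an added example (not code from the article or from Belden): a stateless rule set and a small connection tracker are run over the same constructed packets, with the plant network, the one permitted outside server and the port numbers being assumed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example addresses: a plant network and the single outside
# server that the internal devices are allowed to talk to.
INTERNAL = ip_network("10.0.0.0/24")
OUTSIDE_SERVER = ip_address("203.0.113.10")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # set on the packet that opens a TCP connection

def _outbound(pkt: Packet) -> bool:
    """Inside -> outside server on TCP/443 is the only permitted direction."""
    return (ip_address(pkt.src) in INTERNAL
            and ip_address(pkt.dst) == OUTSIDE_SERVER and pkt.dport == 443)

def stateless_allow(pkt: Packet) -> bool:
    """Judges every packet on its own header. To let the server's replies
    back in it must also accept anything *from* the server's port 443,
    so a forged packet carrying that source port gets through as well."""
    if _outbound(pkt):
        return True
    return (ip_address(pkt.src) == OUTSIDE_SERVER and pkt.sport == 443
            and ip_address(pkt.dst) in INTERNAL)

class StatefulFirewall:
    """Records connections the inside opened (phase 1) and accepts an
    inbound packet only if it belongs to one of them (phase 2).
    Connection tear-down (phase 3) is left out to keep the example short."""

    def __init__(self):
        self.connections = set()  # (in ip, in port, out ip, out port)

    def allow(self, pkt: Packet) -> bool:
        if _outbound(pkt):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:
                self.connections.add(key)  # connection set-up seen
            return pkt.syn or key in self.connections
        # Inbound: only replies to a connection already on record.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections
```

The forged inbound packet in the test below passes the stateless filter but is dropped by the tracker because no inside host ever opened that connection.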
Deep packet inspection firewalls – An extension of stateful packet inspection, deep packet inspection firewalls go a step further to examine the full packet to find highly specialised attack patterns hidden deep in the communication flow. These firewalls offer a high degree of security, as they often provide filtering mechanisms that can be highly individualised and finely configured, but they do demand lots of computing power to implement.
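The Modbus/TCP write rule from the rule list above, implemented with deep packet inspection, as an added example (not code from the article or from Belden): the filter parses the MBAP header and the function code of each request and blocks state-changing function codes unless they come from the maintenance terminal. The host addresses are assumed values; the header layout and function codes are those of the Modbus/TCP specification.

```python
import struct
from dataclasses import dataclass

# Constructed example: only the maintenance terminal may issue Modbus
# write commands; any other plant host may read.
MAINTENANCE_TERMINAL = "10.0.0.50"
MODBUS_PORT = 502
# Modbus function codes that change state in the controller.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes  # TCP payload: 7-byte MBAP header, then the Modbus PDU

def modbus_function(payload: bytes):
    """Returns the PDU function code of a well-formed Modbus/TCP request,
    or None for anything the parser cannot account for."""
    if len(payload) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; 'length' counts unit id + PDU bytes.
    if proto != 0 or length != len(payload) - 6:
        return None
    return payload[7]

def dpi_allow(pkt: Packet) -> str:
    """Verdict for one packet bound for a PLC: 'allow' or a drop reason."""
    if pkt.dport != MODBUS_PORT:
        return "drop: not Modbus/TCP"
    fc = modbus_function(pkt.payload)
    if fc is None:
        return "drop: malformed frame"
    if fc in WRITE_FUNCTIONS and pkt.src != MAINTENANCE_TERMINAL:
        return f"drop: write (function {fc}) from {pkt.src}"
    return "allow"

def frame(function: int, data: bytes, unit: int = 1) -> bytes:
    """Builds a Modbus/TCP request frame (constructed demo input)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, unit) + pdu

# Constructed sample traffic: a Read Coils request and a Write Single Register request.
READ_COILS = frame(1, b"\x00\x00\x00\x08")
WRITE_REGISTER = frame(6, b"\x00\x10\x00\x01")
```

A frame whose length field or protocol identifier does not add up is dropped as malformed, which is the kind of check a stateless port filter on TCP/502 cannot make.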
Firewalls can protect a company against threats from the inside and outside. The overall protection from outside threats stems from IT firewall solutions placed in a company’s data center. They can also be implemented in production to separate the production network from the rest of the company network. Depending on the location of your firewall, here are other elements to consider.
Firewalls in a WLAN – Communication from wireless to wired networks should also be controlled by firewalls. If a client is connected to a wireless local area network (WLAN), it can communicate directly with all other devices in the same network. An attacker who has compromised a client connected to the WLAN can then extend that attack to any other device on the network. Firewalls can be used to restrict the forwarding of messages between WLAN clients at the WLAN access point to increase the overall security of the network.
Firewalls at the field level – A sound security strategy also addresses threats that lie within the network. If communication outside the facility is only supposed to be possible with a single device, the firewall can allow this connection, while preventing other communication attempts. Since the physical demands put on a firewall within a network differ from the demands put on a firewall between networks, usually due to the installation area of the device, field-level firewalls require particular attention to the specific application parameters, such as temperature and vibrations.
Firewalls in a small cell or external site – Industrial firewalls with router functions are suited to smaller external sites. With the router function, remote work sites can connect to the rest of the company’s control infrastructure via a cellular network. The firewall controls the flow of network traffic going in and out of the external site’s local network and creates a border between the company’s own network and an external network. The firewall must possess full packet-filtering capabilities; this type of firewall is called an IP firewall, as it processes internet protocol (IP) traffic.
Filtering differences, environmental concerns and whether a management tool is needed should be standard considerations for teams in their search for a firewall solution.
1. Look at differences in filtering: Depending on how you will use it, various filtering mechanisms will be needed. First, determine how in-depth a firewall can go when observing the communication between devices. This could range from firewalls that only perform simple pattern recognition to firewalls that understand industrial protocols and can prevent individual communication, when needed.
2. Environmental concerns: Firewalls should be able to withstand extended temperature ranges, significant vibration and other environmental factors. They should also be compliant with all industry standards and approvals, and designed for use in special areas, such as energy supply, hazardous locations and transportation applications.
3. Tailored for your specific needs: Firewalls should be able to accomplish very specific tasks that support a team’s custom needs and applications. For example, if the application end devices require a specific firewall behaviour due to the use of unique communication patterns and the firewall cannot support this, it’s wise to keep looking.
4. Use a proper management tool: When using multiple firewalls, teams need to be able to effectively manage and configure the devices. Without a powerful management tool for simple and mass configuration of firewalls, the tasks can be very time-consuming and error-prone. It’s important that firewalls can be centrally monitored by network management tools to keep things running smoothly.
Firewalls are just one component of a modern security strategy, but are the cornerstone that holds a holistic security model together. By implementing a holistic defence strategy that combines different firewall functions and positions them within the network according to their strengths, engineering teams can design networks that are prepared for the future.
Tobias Heer has been with Belden since 2012 and specializes in topics that revolve around security and wireless in industrial control systems.
Oliver Kleineberg joined Belden in 2007 and he is responsible for Advance Development within Belden’s Industrial IT platform.
Jeff Lund is a senior director of product line management in Belden’s Industrial IT group.
Source: Control Engineering Europe - All Articles