Industrial Internet Security Framework v 1.0 | Page 90
Security Framework
9: Protecting Communications and Connectivity
Most of these message filters can be implemented in gateway host or device software, or as real
or virtual network appliances. In hosts or devices, these filters control messages and information
exchanges for a single endpoint. As real or virtual network appliances, gateways with filters can
control messages and information flows for entire network segments.
9.2.5 NETWORK FIREWALLS
Network firewalls are message-oriented filtering gateways used extensively to segment IIoT
systems. Most firewalls are Layer 2, 3 or 4 IP routers/message forwarders with sophisticated
message filters. Firewalls may be deployed as either physical or virtual network devices. A
firewall’s filtering function examines every message received by the firewall. If the filter
determines that the message agrees with the firewall’s configured traffic policy, the message is
passed to the firewall’s router component to be forwarded. Firewalls may also rewrite messages,
most commonly by performing encryption or network address translation (NAT).
In addition, a full-featured firewall may include the following features:
• virtual private networks with the ability to forward messages through an encrypted
tunnel,
• user accounts requiring users to authenticate with the firewall before message
forwarding is enabled for that user or for the user’s computer,
• inline anti-virus scanning allowing files to be scanned with anti-virus scanning engines
while in motion via FTP, SMTP, HTTP or other protocols that commonly carry files,
• inline intrusion detection allowing packets in motion through the firewall to be scanned
with intrusion detection engines and
• inline intrusion prevention allowing packets in motion through the firewall that match
intrusion detection signatures to be dropped.
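The filter-then-forward behaviour described above, as an added example that is not part of the IISF text: a small message-oriented firewall with an ordered, first-match traffic policy, a default-deny fallback for messages no rule covers, and an optional source-NAT rewrite applied only to messages the policy has already accepted. The message fields, network ranges, ports and rules are constructed for illustration and do not come from the document.

```python
"""Added example (not from the IISF): a minimal message-oriented firewall.
Every message is examined by the filter; only messages the configured policy
accepts reach the forwarding step, where an optional NAT rewrite is applied.
All addresses, ports and rules here are constructed sample values."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Message:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    proto: Optional[str] = None  # None matches any protocol
    src: str = "0.0.0.0/0"       # source network (CIDR)
    dst: str = "0.0.0.0/0"       # destination network (CIDR)
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, msg: Message) -> bool:
        return (
            (self.proto is None or self.proto == msg.proto)
            and ip_address(msg.src) in ip_network(self.src)
            and ip_address(msg.dst) in ip_network(self.dst)
            and (self.dport is None or self.dport == msg.dport)
        )


class Firewall:
    def __init__(self, rules: List[Rule], snat: Optional[Tuple[str, str]] = None):
        self.rules = list(rules)
        self.snat = snat  # (inside network, outside address) or None
        self.log: List[Tuple[str, Message]] = []  # verdict log for auditing

    def filter(self, msg: Message) -> Optional[Message]:
        """Return the (possibly rewritten) message to forward, or None to drop."""
        for rule in self.rules:          # ordered policy, first match wins
            if rule.matches(msg):
                verdict = rule.action
                break
        else:
            verdict = "drop"             # default-deny: no rule matched
        self.log.append((verdict, msg))
        if verdict != "allow":
            return None
        return self._rewrite(msg)        # router side: forward, with NAT if configured

    def _rewrite(self, msg: Message) -> Message:
        # Source NAT: inside addresses leave the firewall as one outside address.
        if self.snat and ip_address(msg.src) in ip_network(self.snat[0]):
            return replace(msg, src=self.snat[1])
        return msg


# Constructed policy: the control segment may reach the historian's Modbus/TCP
# port and the DNS resolver; SSH from that segment into the server segment is
# refused explicitly; everything else falls through to default-deny.
POLICY = [
    Rule("allow", "tcp", src="10.10.1.0/24", dst="10.10.2.10/32", dport=502),
    Rule("drop", "tcp", src="10.10.1.0/24", dst="10.10.2.0/24", dport=22),
    Rule("allow", "udp", src="10.10.1.0/24", dst="10.10.2.53/32", dport=53),
]


def build_firewall() -> Firewall:
    return Firewall(POLICY, snat=("10.10.1.0/24", "192.0.2.1"))


if __name__ == "__main__":
    fw = build_firewall()
    samples = [
        Message("tcp", "10.10.1.20", "10.10.2.10", 502),  # permitted, rewritten
        Message("tcp", "10.10.1.20", "10.10.2.10", 22),   # explicitly dropped
        Message("tcp", "10.10.3.7", "10.10.2.10", 502),   # no rule: default-deny
    ]
    for m in samples:
        print(m, "->", fw.filter(m))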
Device firewalls are designed to protect endpoints. They may be conventional firewalls with deep
packet inspection capability or Layer 2 IP routers with deep packet inspection filters. The latter
can be deployed without reconfiguring routes in existing endpoint devices.
Learning-type filters and configurable filters may be used for device firewall application-level
filtering. Learning filters monitor traffic for a period of time, and automatically create filtering
rules to identify all observed traffic as normal and permitted. Once the learning mode is
complete, the firewalls can be configured to forward only traffic that agrees with the filters, and
to drop all other traffic. Configurable filters can be set up to permit some application-level
content, and to forbid other content. For example, one might be configured to permit writes to
certain device registers and not others, or to permit reads and writes of any registers, but not
downloads of firmware.
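The two device-firewall filter types described in this paragraph, as an added example that is not part of the IISF text: a learning filter that records every (source, operation, register) combination seen during its learning window and afterwards forwards only those, and a configurable filter with explicit register-level permissions that allows reads of any register, writes only to a listed set and never a firmware download. The application message format, addresses and register numbers are constructed for illustration.

```python
"""Added example (not from the IISF): application-level filters for a device
firewall. LearningFilter builds its allowlist from observed traffic and then
enforces it; ConfigurableFilter applies explicit register-level permissions.
Message fields, hosts and register numbers are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple


@dataclass(frozen=True)
class AppMessage:
    src: str                      # requesting host
    op: str                       # "read", "write" or "firmware_download"
    register: Optional[int] = None  # register address; None for non-register ops


Key = Tuple[str, str, Optional[int]]


class LearningFilter:
    """Learning mode forwards everything and records it; after
    finish_learning() only previously observed traffic is forwarded."""

    def __init__(self) -> None:
        self.learning = True
        self.allowed: Set[Key] = set()

    @staticmethod
    def _key(msg: AppMessage) -> Key:
        return (msg.src, msg.op, msg.register)

    def finish_learning(self) -> None:
        self.learning = False

    def permits(self, msg: AppMessage) -> bool:
        if self.learning:
            self.allowed.add(self._key(msg))  # treat observed traffic as normal
            return True
        return self._key(msg) in self.allowed  # anything unseen is dropped


class ConfigurableFilter:
    """Explicit policy: writes only to listed registers, reads of any register
    unless a read set is given, firmware downloads only if enabled."""

    def __init__(self, writable: Iterable[int], readable: Optional[Iterable[int]] = None,
                 allow_firmware: bool = False) -> None:
        self.writable = set(writable)
        self.readable = None if readable is None else set(readable)
        self.allow_firmware = allow_firmware

    def permits(self, msg: AppMessage) -> bool:
        if msg.op == "firmware_download":
            return self.allow_firmware
        if msg.op == "read":
            return self.readable is None or msg.register in self.readable
        if msg.op == "write":
            return msg.register in self.writable
        return False  # unknown operations are refused


def run_learning_demo() -> Dict[str, bool]:
    # Constructed baseline traffic seen while the filter is in learning mode.
    baseline = [AppMessage("10.0.0.5", "read", 40001),
                AppMessage("10.0.0.5", "write", 40010)]
    f = LearningFilter()
    for m in baseline:
        f.permits(m)
    f.finish_learning()
    return {
        "baseline_read": f.permits(AppMessage("10.0.0.5", "read", 40001)),
        "new_host_read": f.permits(AppMessage("10.0.0.9", "read", 40001)),
        "new_register_write": f.permits(AppMessage("10.0.0.5", "write", 40011)),
    }


def run_configurable_demo() -> Dict[str, bool]:
    # Constructed policy: writes permitted only to registers 40010-40019.
    f = ConfigurableFilter(writable=range(40010, 40020))
    return {
        "read_any": f.permits(AppMessage("10.0.0.5", "read", 30001)),
        "write_listed": f.permits(AppMessage("10.0.0.5", "write", 40015)),
        "write_unlisted": f.permits(AppMessage("10.0.0.5", "write", 40001)),
        "firmware": f.permits(AppMessage("10.0.0.5", "firmware_download")),
    }


if __name__ == "__main__":
    print(run_learning_demo())
    print(run_configurable_demo())
```

The learning filter's weakness is visible in the demo: anything that happened during the learning window, including traffic that should not have been there, becomes "normal", so the captured allowlist should be reviewed before enforcement is switched on; the configurable filter expresses intent directly, at the cost of having to be written by hand.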
IIC:PUB:G4:V1.0:PB:20160926