Industrial Internet Security Framework v 1.0 | Page 89

Security Framework 9: Protecting Communications and Connectivity

Gateways with filters control the flow of information passing between network segments. Message filters control the flow of messages at some layer of a protocol stack, while application gateways tend to control information flows more abstractly. Firewalls are examples of bidirectional message-filtering gateways embodying many security features. Examples of important IIoT filtering technologies include:

- Air gaps: Air gaps are network segments with no online connection, wired or wireless, to any external network. Air gaps are the strongest form of filtering, but provide none of the connectivity benefits.

- Layer 2 filters: Layer 2 filters separate physical network signaling systems, but forward Open Systems Interconnection (OSI) Layer 2 network frames. Managed switches and bridging firewalls are examples of technologies that filter messages based on Ethernet Media Access Control (MAC) addresses or other device-level addressing. Virtual Local Area Network (VLAN) switches are used for traffic management, but they are not security devices, so they are not recommended as perimeter protection mechanisms between network segments at different trust levels.

- Layer 3/4 filtering: The most commonly used IIoT message filters are firewalls able to filter messages based on network addresses, port numbers and connection state. Such filtering technologies are known as packet filters and stateful inspection.

- Application and middleware layer content filtering: Some firewalls and other message filters understand specific communications protocols and are able to filter messages based on application content. For example, an application layer filter might permit device register read requests, but block write requests. Other filters might permit messages from a particular user, but not other users. This is called deep packet inspection.

- Message rewriting: Some message filters modify messages as they pass through the filter. For example, network address translation (NAT) filters change IP addresses and port numbers, and virtual private network (VPN) servers encrypt and decrypt message streams. VPNs are often deployed in IIoT systems to help protect interactive remote access mechanisms, and to encapsulate and protect plain-text device communications protocols as they pass across WANs.

- Proxies: Proxies are application-layer message filters with message-rewriting capabilities. Typically, proxies maintain at least two similar transport-level connections: one to a device on a protected network, and one to a device on an external network. Proxies may answer queries or serve other protocol requests out of their own caches and data storage, or they may forward requests to external data repositories.

- Server replication: Server replication maintains a real-time copy of part or all of a protected industrial server on a less-trusted network segment, most commonly at IT/OT network perimeters. For example, a plant historian server may be replicated through an IT/OT firewall. The replication mechanism can act as a filter by replicating only a subset of historical data points out to the corporate network.

- Virtual networks: Virtual networks may implement message filters in hypervisors or virtual firewall hosts.

IIC:PUB:G4:V1.0:PB:20160926
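The application-layer content filtering described above (permit device register reads, block writes), as an added example that is not part of the framework: a minimal read-only request filter in Python. It assumes the protected device speaks Modbus/TCP, which the framework text does not name; the frame layout and function codes are the public Modbus/TCP ones, and the sample frames are constructed. The filter fails closed on malformed frames and on any function code it does not explicitly allow.

```python
import struct

# Assumption (not stated by the framework): the protected device speaks Modbus/TCP.
# Public read function codes are allowed; everything else (writes, diagnostics,
# vendor-specific codes, exception responses with the 0x80 bit set) is denied.
READ_FUNCTION_CODES = {1, 2, 3, 4}             # coils, discrete inputs, holding, input regs
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}  # 23 = read/write multiple: still a write


class MalformedFrame(ValueError):
    """Raised when a frame does not parse as a Modbus/TCP ADU."""


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header plus the function code of one Modbus/TCP ADU."""
    if len(frame) < 8:
        raise MalformedFrame("shorter than MBAP header + function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise MalformedFrame("protocol identifier must be 0 for Modbus")
    # The MBAP length field counts unit id + function code + data, i.e. every byte after byte 6.
    if length != len(frame) - 6:
        raise MalformedFrame("MBAP length disagrees with frame size")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": frame[7], "data": frame[8:]}


def filter_decision(frame: bytes) -> str:
    """Return 'ALLOW' only for well-formed read requests; fail closed otherwise."""
    try:
        request = parse_modbus_tcp(frame)
    except MalformedFrame:
        return "DENY"
    if request["function_code"] in READ_FUNCTION_CODES:
        return "ALLOW"
    return "DENY"  # default deny covers WRITE_FUNCTION_CODES and anything unexpected


# Constructed sample frames: transaction id, protocol 0, length, unit id, function, data.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # read 10 regs from 0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0001 00ff")  # write reg 1 := 0x00ff
TRUNCATED = bytes.fromhex("0003 0000 0006 01")                  # cut off after unit id
BAD_LENGTH = bytes.fromhex("0004 0000 0009 01 03 0000 000a")    # header claims 9 bytes

if __name__ == "__main__":
    for name, frame in [("read", READ_HOLDING), ("write", WRITE_SINGLE),
                        ("truncated", TRUNCATED), ("bad length", BAD_LENGTH)]:
        print(f"{name:10s} -> {filter_decision(frame)}")
```

A deployed filter would additionally track the TCP connection state per Layer 3/4 filtering above and log every DENY with the transaction and unit ids for incident review.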