Industrial Internet Security Framework v 1.0 | Page 90

Security Framework 9: Protecting Communications and Connectivity

Most of these message filters can be implemented in gateway host or device software, or as real or virtual network appliances. In hosts or devices, these filters control messages and information exchanges for a single endpoint. As real or virtual network appliances, gateways with filters can control messages and information flows for entire network segments.

9.2.5 NETWORK FIREWALLS

Network firewalls are message-oriented filtering gateways used extensively to segment IIoT systems. Most firewalls are Layer 2, 3 or 4 IP routers/message forwarders with sophisticated message filters. Firewalls may be deployed as either physical or virtual network devices.

A firewall’s filtering function examines every message received by the firewall. If the filter determines that the message agrees with the firewall’s configured traffic policy, the message is passed to the firewall’s router component to be forwarded. Firewalls may also rewrite messages, most commonly by performing encryption or network address translation (NAT). In addition, a full-featured firewall may include the following features:

• virtual private networks, with the ability to forward messages through an encrypted tunnel,
• user accounts, requiring users to authenticate with the firewall before message forwarding is enabled for that user or for the user’s computer,
• inline anti-virus scanning, allowing files to be scanned with anti-virus scanning engines while in motion via FTP, SMTP, HTTP or other protocols that commonly carry files,
• inline intrusion detection, allowing packets in motion through the firewall to be scanned with intrusion detection engines, and
• inline intrusion prevention, allowing packets in motion through the firewall that match intrusion detection signatures to be dropped.

Device firewalls are designed to protect endpoints. They may be conventional firewalls with deep packet inspection capability, or Layer 2 IP routers with deep packet inspection filters. The latter can be deployed without reconfiguring routes in existing endpoint devices.

Learning-type filters and configurable filters may be used for device firewall application-level filtering. Learning filters monitor traffic for a period of time and automatically create filtering rules that identify all observed traffic as normal and permitted. Once the learning mode is complete, the firewalls can be configured to forward only traffic that agrees with the filters and to drop all other traffic. Configurable filters can be set up to permit some application-level content and to forbid other content. For example, one might be configured to permit writes to certain device registers and not others, or to permit reads and writes of any registers but not downloads of firmware.

IIC:PUB:G4:V1.0:PB:20160926 - 90 -
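The two application-level filter types described for device firewalls (a learning filter and a configurable register/firmware policy), combined in one firewall filter stage, as an added illustration rather than code from the framework; the message format (a dict with 'src', 'op' and 'register' fields) and the sample traffic are constructed assumptions.

```python
# Added illustration (not IIC code) of the two device-firewall filter types
# described above; message format is a constructed toy dict: 'src', 'op', 'register'.

def register_policy(writable, allow_firmware=False):
    """Configurable filter: read any register, write only allowlisted ones,
    refuse firmware downloads unless enabled, deny any other operation."""
    writable = frozenset(writable)
    def permits(msg):
        op = msg.get("op")
        if op == "read":
            return True
        if op == "write":
            return msg.get("register") in writable
        return op == "firmware" and allow_firmware
    return permits


class LearningFilter:
    """Learning filter: whatever is seen while learning becomes 'normal';
    after lock(), only the recorded (src, op, register) tuples pass."""
    def __init__(self):
        self.allowed, self.learning = set(), True
    @staticmethod
    def key(msg):
        return (msg.get("src"), msg.get("op"), msg.get("register"))
    def observe(self, msg):
        if self.learning:
            self.allowed.add(self.key(msg))
    def lock(self):
        self.learning = False
    def permits(self, msg):
        return self.learning or self.key(msg) in self.allowed


def forward(messages, filters):
    """Firewall filter stage: pass a message only if every filter agrees; drop the rest."""
    return [m for m in messages if all(f(m) for f in filters)]


# Constructed sample traffic; the firmware download seen during learning is recorded as normal.
BASELINE = [{"src": "hmi", "op": "read", "register": 40001},
            {"src": "hmi", "op": "write", "register": 40010},
            {"src": "eng", "op": "firmware", "register": None}]
LATER = BASELINE + [{"src": "hmi", "op": "write", "register": 40020}]

def demo():
    learner = LearningFilter()
    for m in BASELINE:          # learning mode
        learner.observe(m)
    learner.lock()              # enforcement mode
    policy = register_policy(writable={40010, 40020})
    return forward(LATER, [policy, learner.permits])
```

demo() returns only the two baseline read/write messages: the write to register 40020 is permitted by the configured policy but dropped by the learning filter because it was never observed, while the firmware download that the learning filter recorded as normal is dropped by the configured policy.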