How Firewalls Work
Wednesday, May 18, 2016 @ 02:05 PM gHale
By Dr. Tobias Heer, Dr. Oliver Kleineberg and Jeff Lund
The Industrial Internet of Things (IIoT) takes operational performance into a bright future, raising efficiency and productivity to new levels. At the heart of this vision is the convergence of physical and digital assets, sharing information between devices, users, and business systems in ways not yet seen.
The potential is compelling, but so are the risks to mission-critical devices and systems that increased connectivity brings.
Ensuring the security of these assets requires a diligent and comprehensive strategy that creates boundaries to protect the network from external and internal cyber threats. This essentially puts up walls at the edges of the network, as well as protected corridors at essential points within the network. While firewalls have been part of IT network security for decades, it is well worth a closer look to understand not only what they do, but how and where they are best applied to industrial control systems.
Rather than a “one size fits all” technology, firewalls come in different shapes and sizes and operate in a variety of ways. The key to building a reliable and secure network is understanding which type of firewall to deploy where.
How Firewalls Work
Network firewalls differ from host firewalls (often referred to as personal firewalls), which are installed on computers or are part of the operating systems and designed to protect the device itself. In contrast, network – or hardware – firewalls set up a boundary at the edge of the network that acts as the first line of defense against cyberattacks and only allows approved communication into and out of the network.
The primary function of firewalls is to filter data – in the form of packets – to determine if it corresponds to a desired template for communication traffic patterns, before forwarding. What differs between types of firewalls is the sophistication of the templates (usually referred to as rules) the firewall supports and the performance impact of applying these rules to the traffic. Rules can be used to define and enforce communications patterns, such as:
• Restricting communications outside of the network to only certain target servers and workstations
• Limiting communications within the network to specific sets of devices, protocols or commands
Defense in Depth
As more devices network together and more applications consume data from the networked control systems, the threat of cyber attacks against industrial operations rises. The potential for software errors, device failures, human errors, and malware to compromise the safe and reliable operation of the system is much higher. As such, a more sophisticated approach to protecting the network from external and internal incidents is required.
The model of setting limitations between network participants in internal networks, as well as partitioning network areas off from one another, creates a layered defense with multiple security levels. This approach, known as Defense in Depth, creates the most robust strategy – hampering threats with multiple layers of protection, while preventing any compromise or error from spreading in the event an incident does breach the boundary.
To achieve the protection afforded by this model, different types of firewalls enforce different types of rule sets at multiple locations in the network. A sound strategy includes:
• Firewalls at the corporate boundary to protect from outside threats: These firewalls are generally placed in the data center and typically work in tandem with industrial hardened firewalls in the production area to isolate the critical control networks and the more exposed enterprise networks from one another.
• Firewalls at the field level: Similar to the defense strategies built into medieval castles, where attackers faced multiple obstacles – moats, gates, etc. – before reaching key assets, firewalls at the field level are deployed to limit communication to specific devices or between defined zones. To ensure only proper messages flow between zones and to critical assets, these firewalls must understand where messages are coming from and going to and can, in addition, also support the detailed analysis of industrial protocol traffic so they can ensure the contents of the messages are valid and reasonable.
• Firewalls at wireless local area network (WLAN) access points: Just as firewalls provide border protection between the control network and enterprise network, industrial wireless access points need to include firewall functionality to detect unauthorized WLAN clients and prevent unauthorized communication. Special firewalls that can also filter the direct traffic between wireless clients are required for this task. Normal edge firewalls are not up to this task.
A word of caution about deploying firewalls: While effective in preventing unauthorized communication traffic on the network, these devices can also add latency or delays. Where rapid filtering must take place, high-quality network switches using hardware-accelerated access control lists can be an effective means to achieving security and effective communications flow.
As mentioned earlier, firewalls are not one size fits all. Once the network’s key assets and potential vulnerabilities have been identified, teams need to determine what type of filtering is required at each location so they can select the appropriate firewall or network security device for that location.
The range of filtering capabilities is very broad – from filtering based on packet addressing information and simple template recognition, to the ability to understand functions and procedures in industrial protocols and a highly sophisticated ability to recognize and prevent specific communication patterns in a targeted manner.
The spectrum of filtering mechanisms includes:
1. Stateless firewalls: A stateless firewall only determines if devices and applications are allowed to communicate with one another by the use of simple rule sets. Because they can operate at “wire speed,” stateless firewalls are often included in high-quality network switches using access control lists.
2. Stateful firewalls: A stateful firewall determines if devices and applications are allowed to communicate with one another and monitors the communication processes between participants to determine if any given packet is “reasonable.” This is based on the packets that have come before it. This capability makes stateful firewalls powerful tools for protecting network boundaries.
3. Deep packet inspection: Deep packet inspection goes deeper still to look inside the packet for specific industrial protocols and examine the contents of the message. With deep packet inspection, firewalls can detect malformed packets that might cause a device to fail if forwarded to it or malicious packets that could cause system errors or failure, such as writes to registers that should not be written to, device reboots, or attempts to load new firmware images. Firewalls with these abilities are often deployed at mission-critical points in the network to create a very strong hardening of industrial communication.
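The three filtering mechanisms above, and the two rule patterns listed under “How Firewalls Work,” can be shown side by side on one constructed conversation. The following is an added example, not code from the article or from any Hirschmann or Belden product: a stateless rule list, a stateful flow tracker built on top of it, and a deep-inspection step that parses the application payload. Modbus/TCP is an assumption chosen to stand in for the “industrial protocols” the article mentions without naming; the addresses, ports, register numbers and packets are all constructed.

```python
# Added example (not from the article): the three filtering layers the text lists,
# applied to constructed packets. The Modbus/TCP framing used by the deep-inspection
# step is an assumption standing in for "industrial protocols"; the article names none.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                 # simplified TCP/IP packet (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False         # TCP SYN flag: a new connection request
    ack: bool = False
    payload: bytes = b""

# 1. Stateless rules: (src_prefix, dst, dport, action); None is a wildcard.
STATELESS_RULES = [
    ("10.1.0.", "10.1.0.50", 502, "allow"),   # HMI subnet -> PLC on Modbus/TCP (constructed)
    (None, None, None, "deny"),               # default deny
]

def stateless_filter(pkt):
    """Judge each packet on its own header fields; first matching rule wins."""
    for src, dst, dport, action in STATELESS_RULES:
        if ((src is None or pkt.src.startswith(src)) and
                (dst is None or pkt.dst == dst) and
                (dport is None or pkt.dport == dport)):
            return action
    return "deny"

# 2. Stateful filter: remembers flows opened by a permitted SYN, so the replies and
#    later packets of that flow pass, while a packet with no prior handshake does not.
class StatefulFilter:
    def __init__(self):
        self.flows = set()

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows or reverse in self.flows:
            return "allow"                       # part of a known conversation
        if pkt.syn and not pkt.ack and stateless_filter(pkt) == "allow":
            self.flows.add(key)                  # rule-permitted connection attempt
            return "allow"
        return "deny"                            # unknown flow or not a handshake start

# 3. Deep packet inspection of the Modbus/TCP request in the payload. Assumed layout:
#    MBAP header (transaction id 2B, protocol id 2B, length 2B, unit id 1B), then the
#    function code (1B) and its data. Function 6 writes one register, 16 writes several.
PROTECTED_REGISTERS = range(100, 104)   # constructed: never to be written over the network
WRITE_FUNCTIONS = {6, 16}

def inspect_modbus(payload):
    if len(payload) < 8 or int.from_bytes(payload[4:6], "big") != len(payload) - 6:
        return "malformed"                # too short, or MBAP length disagrees with frame
    fc = payload[7]
    if fc not in WRITE_FUNCTIONS:
        return "allow"
    if len(payload) < 12:
        return "malformed"                # write request without address/quantity fields
    start = int.from_bytes(payload[8:10], "big")
    count = 1 if fc == 6 else int.from_bytes(payload[10:12], "big")
    if any(reg in PROTECTED_REGISTERS for reg in range(start, start + count)):
        return "deny"                     # write touches a protected register
    return "allow"

def dpi_filter(stateful, pkt):
    """Stateful decision first, then payload inspection for Modbus requests."""
    if stateful.filter(pkt) == "deny":
        return "deny"
    if pkt.dport == 502 and pkt.payload:
        return "allow" if inspect_modbus(pkt.payload) == "allow" else "deny"
    return "allow"

def modbus_frame(fc, data, tid=1, unit=1):
    """Build a Modbus/TCP request frame (constructed test input)."""
    pdu = bytes([fc]) + data
    return tid.to_bytes(2, "big") + b"\x00\x00" + (len(pdu) + 1).to_bytes(2, "big") + bytes([unit]) + pdu

def demo():
    """Push one constructed HMI-to-PLC conversation through all three layers."""
    hmi, plc = "10.1.0.10", "10.1.0.50"
    syn = Packet(hmi, 40000, plc, 502, syn=True)
    reply = Packet(plc, 502, hmi, 40000, syn=True, ack=True)
    read = Packet(hmi, 40000, plc, 502, ack=True,
                  payload=modbus_frame(3, b"\x00\x00\x00\x0a"))          # read 10 registers from 0
    bad_write = Packet(hmi, 40000, plc, 502, ack=True,
                       payload=modbus_frame(6, b"\x00\x65\x00\x01"))     # write register 101
    stray = Packet("10.1.0.99", 5555, plc, 502, ack=True)                # no handshake ever seen
    sf = StatefulFilter()
    return {
        "stateless_reply": stateless_filter(reply),   # deny: no rule covers PLC -> HMI
        "stateful_syn": sf.filter(syn),               # allow: permitted connection attempt
        "stateful_reply": sf.filter(reply),           # allow: reply of a tracked flow
        "dpi_read": dpi_filter(sf, read),             # allow: read-only request
        "dpi_bad_write": dpi_filter(sf, bad_write),   # deny: protected register
        "dpi_stray": dpi_filter(sf, stray),           # deny: never opened a connection
    }
```

The contrast the article draws shows up in the verdicts: the stateless rule list has no entry for the PLC's reply and would need one added by hand, whereas the stateful tracker accepts the reply because it belongs to a connection the rules already permitted, and the stray packet with no handshake is refused as not “reasonable.” Only the deep-inspection step sees that an otherwise permitted packet is a write to a register that should not be written, or a frame whose length field disagrees with its size.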
Protecting a network and enhancing its reliability is not just a matter of deploying the correct type of firewall at the appropriate network points, it is also about ensuring those firewalls are properly configured and maintained. In control systems that have evolved over many years and perhaps lack full documentation, determining proper configurations can be a challenge.
Fortunately, today’s modern, high-quality firewalls often contain a “learning” mode that analyzes the communication relationships in a network. With this analysis, administrators can quickly and easily create custom configurations for desired and undesired communications based on the actual communication patterns in the network. The advantages of using these modes to facilitate the setup of the firewalls include time savings and the elimination of downtime and failures.
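A learning mode of the kind described can be illustrated with a small flow-analysis routine. The following is an added example, not the article's or any vendor's implementation: it counts the (source, destination, port) relationships seen in a constructed observation window, turns the recurring ones into an allowlist that ends in a default deny, and sets aside relationships seen only once for an administrator to review rather than silently allowing them. The addresses, ports and threshold are constructed assumptions.

```python
# Added example (not from the article or any product): a toy "learning mode" that
# derives an allowlist from observed flows, then classifies later traffic against it.
# The flow records and the min_count threshold are constructed assumptions.
from collections import Counter

# Constructed observation window: (src, dst, dport) of flows seen during normal operation.
OBSERVED = [
    ("10.1.0.10", "10.1.0.50", 502),     # HMI polling the PLC over Modbus/TCP
    ("10.1.0.10", "10.1.0.50", 502),
    ("10.1.0.10", "10.1.0.50", 502),
    ("10.1.0.11", "10.1.0.50", 502),     # second HMI
    ("10.1.0.11", "10.1.0.50", 502),
    ("10.1.0.20", "10.1.0.50", 44818),   # engineering workstation, EtherNet/IP
    ("10.1.0.20", "10.1.0.50", 44818),
    ("10.1.0.77", "10.1.0.50", 22),      # seen once: a one-off, or not a desired relationship
]

def learn_rules(flows, min_count=2):
    """Split observed relationships into an allowlist (seen >= min_count times)
    and a review set (seen less often) that an administrator must decide on."""
    counts = Counter(flows)
    allowed = {f for f, n in counts.items() if n >= min_count}
    review = {f for f, n in counts.items() if n < min_count}
    return allowed, review

def render_rules(allowed):
    """Turn the learned relationships into an ordered rule list ending in a default deny."""
    lines = [f"allow tcp {src} -> {dst} port {port}" for src, dst, port in sorted(allowed)]
    return lines + ["deny all"]

def classify(allowed, flow):
    """Decision for a flow seen after learning has been switched off."""
    return "allow" if flow in allowed else "deny"

def demo():
    allowed, review = learn_rules(OBSERVED)
    return {
        "rules": render_rules(allowed),
        "review": sorted(review),
        "hmi_poll": classify(allowed, ("10.1.0.10", "10.1.0.50", 502)),   # allow: learned
        "new_host": classify(allowed, ("10.1.0.88", "10.1.0.50", 502)),   # deny: never observed
    }
```

The threshold is the design choice worth noting: learning from “actual communication patterns” only saves time if the window is long enough to contain every legitimate relationship, and anything seen rarely during the window should be confirmed by someone who knows the plant rather than being written into the rule set automatically.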
For ongoing maintenance, network management tools that enable mass configuration make efficient reconfiguration possible based on evolving requirements.
First Line of Defense
When an organization understands the advances in firewall technology and where and how these devices can best be deployed, the journey to protecting the network from both external and internal threats can begin.
Firewalls set clear and flexible boundaries for communication traffic – both at the perimeter of the network and within critical zones. With the range of features and technical characteristics available today, these devices afford any industrial operation an effective first line of defense from cyber threats while at the same time making the system more reliable and more resilient against device failures and human error.
Dr. Tobias Heer focuses on future technologies at Hirschmann Automation and Control GmbH, Dr. Oliver Kleineberg works in advanced development at Hirschmann Automation and Control GmbH and Jeff Lund is senior director – product line management at Belden Inc.