Safety’s Sake: Fixed Configuration Firewalls

Wednesday, January 19, 2011 @ 09:01 AM gHale

By Eric Byres

It is no secret that a Safety Integrated System (SIS) is a key factor in safe industrial operations. But alongside the SIS, firewalls play an important role in keeping the operation running securely.

A new kind of firewall has hit the market: the Fixed Configuration Firewall (FCF), which runs a technology known as Deep Packet Inspection (DPI). But just what is a fixed configuration firewall?

Nearly all firewalls on the market are designed to be configured to allow or block traffic using Access Control Lists (ACLs). For example, you may only want to allow web traffic (i.e. HTTP traffic) from a client at IP address 192.168.1.10 to a web server with an address of 192.168.1.20. You would then write an ACL rule something like “Allow Src=192.168.1.10 Dst=192.168.1.20 Port=HTTP” and load it into the firewall.

The good news is that being able to enter ACLs gives the firewall administrator a lot of flexibility. If today the firewall is managing web traffic and tomorrow you need to allow database traffic, it is simple to adjust the ACLs. And since flexibility is what most IT security experts want, that is what the firewall vendors have given them: the flexibility to define multiple rules for absolutely any protocol and any IP address.

But with flexibility comes a price — increased chance for human error, or worse, human evil.

When you sit down and look at it, the amount of human error in firewall configuration can be staggering. For example, an IEEE paper on firewall errors showed even critical IT firewalls in major corporations can have poorly written rule sets. The author of the study, Dr. Avishai Wool, defined 12 serious firewall configuration errors (each very general in nature) and then inspected the firewall configurations of 27 major corporations. He found an average of 7 serious errors per firewall, with some having as many as 12 errors. At that point, why have a firewall for all the good it is doing you?
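The rule syntax above and the kind of configuration mistakes the study describes can be checked mechanically. The following is an added example, not code from the article or from Dr. Wool's study: it parses rules written in the “Allow Src=… Dst=… Port=…” form (extended here with CIDR ranges and the keyword “any”, which are this example's assumptions, as is the mapping of service names to TCP ports) and flags two generic classes of error: an any-to-any allow rule, and a rule that can never match because an earlier rule already covers every packet it would match (first-match evaluation is assumed). The checks are illustrative and are not the twelve errors from the paper. The sample rule set is constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names used in the sample rules, mapped to TCP ports (an assumption of this
# example; the article only names HTTP). "any" in a Src/Dst/Port field means everything.
SERVICE_PORTS = {"HTTP": 80, "HTTPS": 443, "MODBUS": 502, "MSSQL": 1433}


@dataclass
class Rule:
    action: str                  # "Allow" or "Deny"
    src: ipaddress.IPv4Network   # 0.0.0.0/0 when the rule says Src=any
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None when the rule says Port=any
    text: str                    # original rule line, kept for the report


def _net(value: str) -> ipaddress.IPv4Network:
    if value.lower() == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return ipaddress.IPv4Network(value, strict=False)   # single host or CIDR range


def _port(value: str) -> Optional[int]:
    if value.lower() == "any":
        return None
    return int(value) if value.isdigit() else SERVICE_PORTS[value.upper()]


def parse_rule(line: str) -> Rule:
    """Parse one rule written as 'Allow Src=... Dst=... Port=...'."""
    tokens = line.split()
    action = tokens[0].capitalize()
    if action not in ("Allow", "Deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return Rule(action, _net(fields["Src"]), _net(fields["Dst"]),
                _port(fields["Port"]), line)


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet that matches `inner` also matches `outer`."""
    return (inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and (outer.port is None or outer.port == inner.port))


def audit(rules: List[Rule]) -> List[Tuple[int, str, str]]:
    """Flag over-permissive and dead rules. Rules are evaluated first-match, top down."""
    findings = []
    for i, rule in enumerate(rules, start=1):
        if rule.action == "Allow":
            if rule.src.prefixlen == 0 and rule.dst.prefixlen == 0:
                findings.append((i, "any-to-any allow", rule.text))
            elif rule.port is None:
                findings.append((i, "allows every service", rule.text))
        # An earlier rule that covers this one means this rule can never match.
        for j in range(i - 1):
            if covers(rules[j], rule):
                findings.append((i, f"shadowed by rule {j + 1}", rule.text))
                break
    return findings


# Constructed sample rule set (not from any real firewall); rule 1 is the article's example.
SAMPLE_RULES = [
    "Allow Src=192.168.1.10 Dst=192.168.1.20 Port=HTTP",
    "Allow Src=any Dst=any Port=any",
    "Allow Src=192.168.1.0/24 Dst=192.168.1.20 Port=HTTP",
    "Deny Src=any Dst=any Port=any",
]


def audit_sample() -> List[Tuple[int, str, str]]:
    return audit([parse_rule(line) for line in SAMPLE_RULES])


if __name__ == "__main__":
    for number, problem, text in audit_sample():
        print(f"rule {number}: {problem}: {text}")
```

Run against the sample set, the audit reports rule 2 as an any-to-any allow and rules 3 and 4 as shadowed by it, which is exactly the situation where the final “Deny any” cleanup rule looks reassuring in a review but is never reached. A production rule checker would also need to model protocols other than TCP, rule groups, and negated fields; the point here is that the review the text describes as expensive is partly automatable, and that the findings are only as good as the ruleset model.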

To address the human factors issue, most companies must carefully document their ACLs and conduct regular firewall rule reviews and security audits. For example, NERC-CIP-005 (which deals with firewalls) states:

“R5.1. The Responsible Entity shall ensure that all documentation required by Standard CIP-005-2 reflect current configurations and processes and shall review the documents and procedures referenced in Standard CIP-005-2 at least annually.”

Now rule audits do not come cheap — often a good audit costs more than the cost of the firewall. And for that matter, even the expert labor needed to configure the firewall can be more expensive than the firewall. All this adds up to a significant Total Cost of Ownership (TCO) over the life of the firewall.

As for the human evil side, a firewall that can be configured to detect an attack can just as easily be configured to ignore one. All it takes is sloppy access (i.e. password) management for the firewall, which is why organizations like the U.S. Nuclear Regulatory Commission ask their licensees for a lot of safeguards and audits when it comes to firewall management. Again, those cost money.

Fixed Configuration Firewalls reduce this high TCO by locking in a single, exhaustively tested configuration at the factory. For example, the Honeywell Modbus Read-only Firewall only allows Modbus read commands. It blocks all other traffic, a setting that you simply cannot tamper with.
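To show what “only allows Modbus read commands” means at the packet level, here is an added example of the deep packet inspection decision such a device makes; it is not code from the article or from Honeywell's product. It parses the Modbus/TCP MBAP header, checks that the length field agrees with the bytes actually received, and then admits a frame only if the function code is one of the four read requests (codes 1 to 4; the article does not list codes, so this set is the example's assumption) and the requested quantity is within the limits of the Modbus application protocol specification. The sample frames are constructed for the example, not captured from a real device.

```python
import struct
from typing import Dict, Tuple

# Function codes treated as "read" requests, with the maximum quantity a single request
# may ask for. Restricting "read" to these four codes is this example's assumption; the
# quantity limits are those of the Modbus application protocol specification.
READ_FUNCTIONS = {
    1: ("Read Coils", 2000),
    2: ("Read Discrete Inputs", 2000),
    3: ("Read Holding Registers", 125),
    4: ("Read Input Registers", 125),
}
MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def inspect_modbus(frame: bytes) -> Tuple[bool, str]:
    """Decide whether one client->server Modbus/TCP frame may pass a read-only filter."""
    if len(frame) < MBAP_LEN + 1:
        return False, "frame shorter than MBAP header plus function code"
    _transaction_id, protocol_id, length, _unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if protocol_id != 0:
        return False, f"protocol id {protocol_id} is not Modbus"
    # The MBAP length counts the unit id plus the PDU, so a well-formed frame is 6 + length bytes.
    if len(frame) != 6 + length:
        return False, f"length field {length} does not match the {len(frame)} bytes received"
    function_code = frame[MBAP_LEN]
    if function_code not in READ_FUNCTIONS:
        return False, f"function code {function_code} is not a read request"
    name, max_quantity = READ_FUNCTIONS[function_code]
    pdu = frame[MBAP_LEN:]
    if len(pdu) != 5:   # function code + start address (2) + quantity (2)
        return False, f"{name} request must be 5 bytes, got {len(pdu)}"
    start, quantity = struct.unpack(">HH", pdu[1:5])
    if not 1 <= quantity <= max_quantity:
        return False, f"{name} quantity {quantity} outside 1..{max_quantity}"
    return True, f"{name}: {quantity} item(s) from address {start}"


# Constructed sample frames (hex, spaces for readability), not captured from any real device.
SAMPLE_FRAMES = {
    "read 16 holding registers":  "0001 0000 0006 01 03 0000 0010",
    "write single register":      "0002 0000 0006 01 06 0001 00ff",
    "read 256 holding registers": "0003 0000 0006 01 03 0000 0100",
    "truncated read":             "0004 0000 0006 01 03 0000 00",
    "wrong protocol id":          "0005 0001 0006 01 03 0000 0010",
}


def filter_samples() -> Dict[str, Tuple[bool, str]]:
    """Run every sample frame through the filter and collect the decisions."""
    return {label: inspect_modbus(bytes.fromhex(hexstr))
            for label, hexstr in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, (allowed, reason) in filter_samples().items():
        print(f"{'ALLOW' if allowed else 'BLOCK'}  {label:<28} {reason}")
```

Only the first sample passes; the write, the over-sized read, the truncated frame and the frame with a non-Modbus protocol id are all blocked, each with a reason a log line could carry. Note the difference from the ACL in the earlier example: an ACL that permits TCP port 502 would pass every one of these frames, because it never looks past the transport header. In a fixed configuration device the code above is the whole policy, and the absence of any interface to change the `READ_FUNCTIONS` table is the point.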

Of course a firewall like this would not work for the normal IT space, as there are too many Adds/Moves/Changes of both applications and users. But in the ICS/SCADA space, the basic network design can stay steady state for decades. For example, if a SIS is using Modbus TCP today for communications to the DCS, it probably will be using the protocol ten years from now. In fact, if your SIS starts trying to use the HTTP protocol to connect to a World Cup Soccer site in Malaysia or Denmark, which is exactly what Stuxnet did when it infected a new computer, you probably have a problem — a problem so big you don’t want staff to be able to make the alarms disappear by changing a few rules.

With a fixed configuration firewall, little ongoing review or maintenance is required. After all, if no one can ever change the rules, you don’t really need that quarterly rule review/audit. And if there is no user access to the unit at all, the issues of password management and access logging disappear.

Typically the only audit needed is to confirm the unit is in place and powered on. Occasionally some companies will run a periodic scan against the firewall, but the result is so black and white that it is a trivial and cheap test. Best of all, the firewall is tamper-proof, so the next Stuxnet can’t steal a password, reprogram the ACLs and sneak into your control system.

So if you have SCADA or control systems with very consistent network traffic patterns, a fixed configuration firewall is worth considering. It can reduce the TCO of security significantly, and it is a tamper-proof security solution.

Eric Byres is the chief technology officer at Byres Security. This was an excerpt from Eric Byres’ blog Practical SCADA Security. For more information go to tofinosecurity.com/blog.