Security
What you need to know about firewalls
Firewalls are a central element in almost every security concept. However, the term 'firewall' is now very broadly defined. In this respect, the question arises: Which firewall is suitable for which purpose or for which attack scenario?
Today, modern security concepts follow a holistic approach in which processes, people and technology are all taken into account. Firewalls have therefore long since ceased to be advertised as the only measure for creating information security in industrial plants or even seen as synonymous with secure networks. Nevertheless, firewalls continue to be core elements in the segmentation of networks and are therefore an essential part of any network security strategy.
In general, firewalls are systems that protect other network devices such as industrial PCs, controllers or cameras from unauthorized access by preventing the forwarding of network traffic to or from these systems. A distinction can be made between host and network firewalls. The former are installed as a software function on a computer (host) or are already provided by the operating system. Examples of these firewalls are the Windows system firewall or the iptables packet filter already supplied with most Linux systems.
In contrast, network firewalls are devices that have been specially designed to function as a firewall and are not placed on a PC but in the network. These network or hardware firewalls are important elements in industrial systems, especially if they are connected to other networks (e.g. office networks) or if wired transmission is combined with less secure network technologies (e.g. wireless transmission). In these cases, a network firewall helps to set up the network boundary as the first line of defense against attacks and to allow only desired network traffic into and out of the network.
The basic technical function of every firewall is to filter packets to determine whether they match a desired pattern. A firewall at a network boundary can contain various rules - such as "A communication connection may only be established from within the network to a specific server" or "Only the login PCs for remote maintenance are accessible from outside the network, not the other devices". Rules for industrial protocols such as Modbus/TCP are also possible; one such rule could be: "Write commands for the Modbus/TCP protocol, Coil 56, are only permitted from the maintenance terminal". Enforcing a rule like this requires the firewall to look beyond addresses and ports into the protocol payload itself.
Areas of application and requirements
Firewalls are used at various points in the network. On the one hand, they can secure a company network from the outside. On the other hand, they can also seal off different machines from each other within a system, allowing only the communication between machines that is actually required. This concept is usually referred to as 'defense in depth', in other words a staggered defense with several security levels connected in series.
This concept is not new, but was already taken into account in the construction of castles and other defenses in the Middle Ages. Particularly vulnerable areas were secured with multiple layers of masonry, with the keep inside the castle serving as the last line of retreat for the defenders. To make it more difficult for attackers to move around, the individual segments of the castle were separated from each other by gates and portcullises.
In communication networks, segmentation by gates and portcullises corresponds to the concept of precisely configuring network participants into zones and conduits. This method is often used in conjunction with a layered defense in depth. Zones and conduits almost always require the use of defense in depth, as gates and portcullises are useless without walls. 'Zones and conduits' is a central component of the international standard IEC 62443 (formerly ISA99). In order to implement these tried and tested procedures in communication networks, firewalls are used in large numbers at different locations in the network.
Firewall within a local network: Different parts of the network or even individual machines can be isolated from each other precisely. The configuration of the machines can remain untouched.
© Belden
The global protection of a company from the outside world is usually the domain of IT firewall solutions that are placed in a company's data center. However, they can also be used in production to effectively separate it from the rest of the company network. Industrial firewalls with a router function are suitable for smaller branch offices. For example, distribution stations can be connected to the rest of the company infrastructure via a WWAN (mobile radio) link. The firewall then restricts the network traffic from and to the local network of the branch office.
As a firewall for connecting a branch office represents the transition from the company's own network (the branch office) to an external network (a provider network or the Internet), this firewall must have full packet filtering capabilities and be able to filter traffic between different networks. Such a firewall is called an IP firewall because it processes Internet Protocol (IP) traffic. As such firewalls are often installed very close to the actual systems, care must be taken to ensure industrial hardening (extended temperature ranges/application approvals for special areas of use).
It is rarely sufficient to protect only the outer boundaries of the network. This is because attacks often also take place from within a network. If only communication to a single device in a system from outside the system is to be possible, the firewall can specifically allow these connections, while preventing other communication attempts. However, the requirements of a firewall differ when it is used within a network compared to when it is used between networks. Devices inside a system usually share one IP subnet, so no router sits between them and the firewall cannot be inserted as an IP hop without changing addresses on the machines. A transparent 'layer 2 firewall' at Ethernet level is required here and not an IP firewall: it forwards frames like a switch, is invisible to the devices on both sides, and still filters the traffic passing through it.
Transitions from wireless to wired networks can also be protected by firewalls. For example, the communication of a tablet that has connected to the WLAN of a machine can be restricted so that it can only access the data of the user interface, but not other subsystems or devices connected to the machine. If a client is integrated into a WLAN, it is in principle possible to communicate directly with all other devices in the same (sub)network. The problem of a successful attack on a WLAN client spreading to any devices connected to the Ethernet network can be countered by using a firewall to limit the forwarding of messages between WLAN clients at the WLAN access point. This also requires a transparent layer 2 firewall that can filter within a network (directly between the WLAN devices in the network). This firewall function must be implemented directly on the access point.
At any other point in a network, it may also make sense to limit communication to the desired communication relationships. However, as firewalls can also have a negative impact on transmission latency and network throughput, the use of a dedicated firewall is not always possible. In such a case, managed network switches can apply simpler, stateless filter rules in hardware. These rules are usually referred to as Access Control Lists (ACL). ACLs are a good choice where fast filtering of addresses, ports or protocols is required within a network, as long as it is understood that they cannot track connection state and therefore cannot enforce correct protocol behavior.
Differences in filtering
In addition to the environment and location of the firewall, the filter mechanisms play an important role. And there are major differences in this respect:
Stateless firewalls:
Communication relationships between devices can be in different phases (states). For example, the communication relationship is usually established in a first phase. In a second phase, active communication takes place before the connection is terminated in a third phase. A concrete example of a protocol that uses this method is the Transmission Control Protocol (TCP), which is usually combined with IP to form TCP/IP.
As the name suggests, stateless firewalls cannot react to the state of a communication connection and cannot differentiate between the various phases. Although it is possible to specify that individual devices or applications may communicate with each other, it is not possible to check whether the communication participants are adhering to the normal course of such communication. In particular, the firewall cannot detect and prevent attacks resulting from abnormal protocol behavior. This exposes particularly vulnerable industrial devices with minimal protection of their own to danger, for example a so-called denial of service attack, in which the communication interface of an industrial device is deliberately flooded and overloaded with communication requests.
Stateful firewalls:
In contrast to stateless firewalls, stateful (state-aware) firewalls can monitor the communication history of the communication partners and thus also use the behavior of the partners during basic communication operations, such as establishing or terminating a connection, as a basis for packet filtering. This also makes it possible to detect attacks that attempt to communicate via connections that have already been terminated. Attacks that use a deliberately faulty connection setup in order to burden and overload 'victim systems' can also be avoided.
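To make the difference concrete, the following is an added example (not code from the article or from any Hirschmann product): a stateless address/port filter beside a minimal connection-tracking filter that follows the TCP handshake and teardown. The packets are constructed, and the addresses (192.0.2.10 as the HMI, 192.0.2.20 as the PLC listening on port 502) are assumptions. It shows the two cases from the text: a packet sent on a connection that has already been terminated, and a bare ACK that never went through a connection setup. Both pass the stateless filter, because they match the allowed addresses and ports, and both are dropped by the stateful one.

```python
"""Stateless packet filter vs. a minimal stateful (connection-tracking)
filter.  Added illustration; packets are constructed dicts, not captures,
and all addresses/ports are assumptions."""

from dataclasses import dataclass

# TCP flag bits as they appear in the flags byte of the TCP header
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int


# Policy shared by both filters: only the HMI (assumed 192.0.2.10) may talk to
# the Modbus/TCP port of the PLC (assumed 192.0.2.20), and the PLC may answer.
ALLOWED_CLIENT, PROTECTED_SERVER, PROTECTED_PORT = "192.0.2.10", "192.0.2.20", 502


def stateless_allow(pkt: Packet) -> bool:
    """Classic ACL: match addresses and ports only, in both directions.
    The reply-direction rule is unavoidable (the PLC must answer), but it
    also lets through any packet that merely *looks* like part of a flow."""
    to_server = (pkt.src == ALLOWED_CLIENT and pkt.dst == PROTECTED_SERVER
                 and pkt.dport == PROTECTED_PORT)
    from_server = (pkt.src == PROTECTED_SERVER and pkt.sport == PROTECTED_PORT
                   and pkt.dst == ALLOWED_CLIENT)
    return to_server or from_server


class StatefulFilter:
    """Tracks the TCP three-way handshake and close per connection and only
    forwards packets that fit the current state of that connection."""

    def __init__(self):
        self.table = {}  # (client, cport, server, sport) -> state name

    def _key(self, pkt: Packet):
        # Normalise so that both directions map onto the same table entry.
        if pkt.dport == PROTECTED_PORT:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def allow(self, pkt: Packet) -> bool:
        if not stateless_allow(pkt):       # the address/port policy still applies
            return False
        key = self._key(pkt)
        state = self.table.get(key)
        client_to_server = pkt.dport == PROTECTED_PORT
        if pkt.flags & RST:                # reset tears the entry down
            self.table.pop(key, None)
            return state is not None
        if state is None:
            # Only a pure SYN from the client may create a new entry;
            # a stray ACK/FIN or an unsolicited "reply" is dropped.
            if client_to_server and pkt.flags == SYN:
                self.table[key] = "SYN_SENT"
                return True
            return False
        if state == "SYN_SENT":
            if not client_to_server and pkt.flags == SYN | ACK:
                self.table[key] = "SYN_RECEIVED"
                return True
            return False
        if state == "SYN_RECEIVED":
            if client_to_server and pkt.flags & ACK:
                self.table[key] = "ESTABLISHED"
                return True
            return False
        if state == "ESTABLISHED":
            if pkt.flags & FIN:
                self.table[key] = "CLOSING"
            return True
        if state == "CLOSING":
            if pkt.flags & FIN:            # second FIN: the connection is gone
                del self.table[key]
            return True
        return False


def run(packets, use_stateful: bool):
    """Return one verdict per packet (True = forwarded) for a packet sequence."""
    f = StatefulFilter()
    return [(f.allow(p) if use_stateful else stateless_allow(p)) for p in packets]


# Constructed traffic: handshake, one data segment, clean close ...
HANDSHAKE_AND_CLOSE = [
    Packet("192.0.2.10", "192.0.2.20", 40001, 502, SYN),
    Packet("192.0.2.20", "192.0.2.10", 502, 40001, SYN | ACK),
    Packet("192.0.2.10", "192.0.2.20", 40001, 502, ACK),
    Packet("192.0.2.10", "192.0.2.20", 40001, 502, ACK),        # data
    Packet("192.0.2.10", "192.0.2.20", 40001, 502, FIN | ACK),
    Packet("192.0.2.20", "192.0.2.10", 502, 40001, FIN | ACK),
]
# ... then traffic on the terminated connection and a bare ACK with no handshake.
AFTER_CLOSE = [
    Packet("192.0.2.10", "192.0.2.20", 40001, 502, ACK),  # dead connection
    Packet("192.0.2.10", "192.0.2.20", 40002, 502, ACK),  # never set up
]

if __name__ == "__main__":
    print("stateless:", run(HANDSHAKE_AND_CLOSE + AFTER_CLOSE, use_stateful=False))
    print("stateful: ", run(HANDSHAKE_AND_CLOSE + AFTER_CLOSE, use_stateful=True))
```

The state machine is deliberately minimal (no sequence-number checking, no timeouts), so it illustrates the principle rather than a production connection tracker; note that it does not by itself stop a flood of valid SYN packets, which needs rate limiting on top of state tracking.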
Deep packet inspection:
Deep packet inspection is a further development of stateful packet inspection. Stateful firewalls usually inspect packets only as far as the so-called headers at the beginning of the packet. These headers contain the information that the firewall can use to determine and monitor the communication status, for example the sequence numbers and communication flags of the widely used TCP.
Deep packet inspection goes one step further and enables the examination of the payload of a packet (for example, the control protocols of industrial applications). In this way, highly specialized attack patterns that are hidden deep in the communication streams can be discovered. However, the firewall must understand the respective communication protocol in order to distinguish a 'good' from a 'bad' packet or 'bad' payload. Deep packet inspection is therefore often implemented as an additional component on top of a stateful packet inspection firewall rather than as a replacement for it.
A deep packet inspection firewall offers a high level of security with an often very individually and finely configurable rule set, but requires a high level of computing power on the network firewall. A sophisticated configuration interface is also necessary to master the given complexity.
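The following added example (not code from the article or from a Hirschmann product) shows what such a protocol-aware filter has to do for the Modbus/TCP rule quoted earlier in the text, "write commands for coil 56 are only permitted from the maintenance terminal". It parses the MBAP header and the PDU of a request, rejects anything that is not well-formed according to the Modbus/TCP framing, works out which coils a write touches, and then applies the rule. The sample requests are constructed, and the maintenance terminal address 192.0.2.30 is an assumption.

```python
"""Deep packet inspection of Modbus/TCP requests.  Added illustration;
the policy addresses and the sample requests are constructed assumptions."""

import struct

MAINTENANCE_TERMINAL = "192.0.2.30"   # assumed address of the maintenance PC
PROTECTED_COIL = 56                   # coil number from the rule in the text

# Public Modbus function codes used below
FC_READ_COILS = 0x01
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_MULTIPLE_COILS = 0x0F


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the MBAP header (transaction id, protocol id, length, unit id)
    and the PDU of one Modbus/TCP request.  Raises ValueError for anything
    that is not well-formed; a DPI firewall drops such packets instead of
    guessing what the device at the other end would do with them."""
    if len(payload) < 8:
        raise ValueError("short MBAP header")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    # The length field counts unit id + PDU, so it must match the remaining bytes.
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match packet size")
    fc = payload[7]
    pdu = payload[8:]
    coils = None                      # set of coil addresses a write touches
    if fc == FC_WRITE_SINGLE_COIL:
        if len(pdu) != 4:
            raise ValueError("FC05 needs exactly address + value")
        addr, value = struct.unpack("!HH", pdu)
        if value not in (0x0000, 0xFF00):
            raise ValueError("FC05 value must be 0x0000 or 0xFF00")
        coils = {addr}
    elif fc == FC_WRITE_MULTIPLE_COILS:
        if len(pdu) < 5:
            raise ValueError("FC15 header truncated")
        start, qty, nbytes = struct.unpack("!HHB", pdu[:5])
        # Quantity limit 0x07B0 and byte count ceil(qty/8) come from the spec.
        if not 1 <= qty <= 0x07B0 or nbytes != (qty + 7) // 8 or len(pdu) != 5 + nbytes:
            raise ValueError("FC15 quantity/byte count inconsistent")
        coils = set(range(start, start + qty))
    return {"tid": tid, "unit": unit, "fc": fc, "coils": coils}


def dpi_verdict(src_ip: str, payload: bytes) -> str:
    """Return 'accept', or 'drop: <reason>', for a request arriving from src_ip.
    Address/port filtering is assumed to have happened already."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    if req["coils"] is not None and PROTECTED_COIL in req["coils"]:
        if src_ip != MAINTENANCE_TERMINAL:
            return f"drop: write to coil {PROTECTED_COIL} from {src_ip}"
    return "accept"


def mbap(fc: int, body: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Build a well-formed Modbus/TCP request (helper for the constructed samples)."""
    pdu = bytes([fc]) + body
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample requests
READ_COILS_0_9 = mbap(FC_READ_COILS, struct.pack("!HH", 0, 10))
WRITE_COIL_56_ON = mbap(FC_WRITE_SINGLE_COIL, struct.pack("!HH", 56, 0xFF00))
WRITE_COIL_7_ON = mbap(FC_WRITE_SINGLE_COIL, struct.pack("!HH", 7, 0xFF00))
# FC15 starting at coil 50 for 10 coils (2 data bytes) also covers coil 56.
WRITE_COILS_50_59 = mbap(FC_WRITE_MULTIPLE_COILS,
                         struct.pack("!HHB", 50, 10, 2) + b"\xff\x03")
# Same request as WRITE_COIL_56_ON but with a lying MBAP length field.
BAD_LENGTH = WRITE_COIL_56_ON[:4] + b"\x00\x20" + WRITE_COIL_56_ON[6:]

if __name__ == "__main__":
    for who, pkt in [("192.0.2.10", READ_COILS_0_9), ("192.0.2.10", WRITE_COIL_56_ON),
                     ("192.0.2.30", WRITE_COIL_56_ON), ("192.0.2.10", WRITE_COILS_50_59),
                     ("192.0.2.30", BAD_LENGTH)]:
        print(who, pkt.hex(), "->", dpi_verdict(who, pkt))
```

The multi-coil case is the one a naive rule would miss: a request that never names coil 56 explicitly but writes a range that includes it. That is exactly why the firewall needs to understand the protocol, as the text says, and why the rule set of a DPI firewall ends up being as specific as the process it protects.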
Management of firewalls
Learning firewalls can make it easier for the administrator to take many traffic situations into account.
© Belden
Integrating a new firewall into an existing industrial network is by no means trivial, as there are usually a large number of communication relationships that are rarely recorded and documented completely and correctly. As the main function of a firewall is to block unknown network traffic, the initial configuration of the device is particularly difficult in such a case. If the firewall is configured too liberally, it allows the system's control and monitoring traffic to pass through without any problems; however, it does not represent a major obstacle for a potential attacker. If the firewall is configured too restrictively, it blocks the communication of a possible attacker, but also hinders the traffic of the system, so that it no longer functions correctly in all situations. This can lead to downtime and increased maintenance costs. In short: without a complete view of all communication relationships, the integration of a firewall into an existing network becomes a gamble.
Modern industrial firewalls therefore support employees during commissioning by offering special analysis modes. In 'Firewall Learning Mode', for example, the firewall records all communication relationships during a freely definable learning phase without restricting them. An administrator can use the analyzed connections to quickly and easily identify the desired or undesired communication relationships and (semi-)automatically create a custom-fit configuration of the firewall.
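As an added example of the (semi-)automatic step described above (not code from the article or from any Hirschmann firewall), the following Python aggregates the flows recorded during a learning phase into candidate rules, flags the ones seen too rarely for an administrator to decide on, and then enforces the approved allow-list with default deny. The flow records and all addresses are constructed assumptions.

```python
"""Firewall learning mode: record observed communication relationships,
turn them into an explicit allow-list, enforce default deny afterwards.
Added illustration; flows and addresses are constructed assumptions."""

from collections import Counter

# Constructed flows recorded while the firewall was in learning mode:
# (source, destination, protocol, destination port)
LEARNED_FLOWS = [
    ("192.0.2.10", "192.0.2.20", "tcp", 502),   # HMI polls PLC 1 via Modbus/TCP
    ("192.0.2.10", "192.0.2.20", "tcp", 502),
    ("192.0.2.10", "192.0.2.20", "tcp", 502),
    ("192.0.2.10", "192.0.2.21", "tcp", 502),   # HMI polls PLC 2
    ("192.0.2.10", "192.0.2.21", "tcp", 502),
    ("192.0.2.20", "192.0.2.5", "udp", 123),    # PLCs sync time via NTP
    ("192.0.2.20", "192.0.2.5", "udp", 123),
    ("192.0.2.21", "192.0.2.5", "udp", 123),
    ("192.0.2.21", "192.0.2.5", "udp", 123),
    ("192.0.2.30", "192.0.2.20", "tcp", 502),   # maintenance PC, seen once
    ("192.0.2.10", "203.0.113.7", "tcp", 443),  # HMI reached an external host once
]


def learn(flows, review_below=2):
    """Aggregate observed flows into candidate rules.
    Relationships seen fewer than `review_below` times are not accepted
    automatically: a single occurrence may be legitimate maintenance, or an
    attacker who happened to be active during the learning window, and only
    an administrator who knows the plant can tell the two apart."""
    counts = Counter(flows)
    rules = []
    for (src, dst, proto, dport), n in sorted(counts.items()):
        rules.append({"src": src, "dst": dst, "proto": proto, "dport": dport,
                      "hits": n,
                      "status": "allow" if n >= review_below else "review"})
    return rules


def finalize(rules, approved):
    """Apply the administrator's decisions: flagged relationships are kept only
    if they appear in `approved`; everything else flagged is left out."""
    allowlist = []
    for r in rules:
        key = (r["src"], r["dst"], r["proto"], r["dport"])
        if r["status"] == "allow" or key in approved:
            allowlist.append(key)
    return allowlist


def enforce(allowlist, flow):
    """Default deny: only explicitly learned and approved relationships pass."""
    return flow in set(allowlist)


if __name__ == "__main__":
    candidates = learn(LEARNED_FLOWS)
    for r in candidates:
        print(f"{r['status']:6} {r['src']} -> {r['dst']}:{r['dport']}/{r['proto']} ({r['hits']}x)")
    final = finalize(candidates, approved={("192.0.2.30", "192.0.2.20", "tcp", 502)})
    print("external host allowed:", enforce(final, ("192.0.2.10", "203.0.113.7", "tcp", 443)))
```

The important design point is the review threshold: learning mode only tells you what happened during the window, not whether it should have happened. Anything rare or unexpected, here the single outbound connection to an external address, must go past a person before it becomes a permanent rule; otherwise the learning phase simply codifies whatever an attacker was already doing.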
The use of firewalls to isolate different machines and system parts from each other is an important aspect of the defense-in-depth strategy. Once an attacker has overcome an initial hurdle by penetrating the network, further firewalls with increasingly specific rules can prevent penetration into further and more sensitive parts of the system. However, using IP firewalls and transparent layer 2 firewalls in this way requires the administration and configuration of several firewalls. Without a powerful management tool for simple (mass) configuration of firewalls, such configuration can be very time-consuming when changes are made to the network infrastructure. Firewalls that can be centrally managed and monitored by network management tools can help here. This allows standard configurations to be quickly rolled out to newly installed firewalls and changes to be made to the configurations.
Authors:
Prof. Dr. Tobias Heer is a specialist in secure industrial communication at Hirschmann Automation and Control;
Dr. Oliver Kleineberg is head of the Advance Development department at Hirschmann Automation and Control.