Understanding firewall technology for industrial cybersecurity — Part 2
By Dr Tobias Heer, Dr Oliver Kleineberg and Divij Agarwal*
Wednesday, 20 July, 2022
By combining different firewall functions in an overall network defence strategy it is possible to design networks that are prepared for the future.
In Part 1 of this article we discussed the general functions of a security firewall, and its placement within, and at the boundaries of, an industrial network. Once the required locations of firewalls have been determined, the type of filtering and the ongoing management of the firewalls needs to be considered.
Security in other network infrastructure
As part of Defence in Depth, it is useful to restrict communication to the desired patterns and communication relationships at all other points in the network. Because firewalls introduce transmission latency (delay in transmission) and reduce network throughput, the use of a dedicated firewall may not be feasible throughout all parts of the network. Instead, internal network protection comes from high-quality network switches and routers with powerful stateless filtering rules as further described in the next section. These rules are usually not referred to as firewall rules but rather as access control lists (ACL). ACLs are suited for any situation where rapid filtering must take place within a network.
Differences in filtering
The environment and the placement within the network are not the only factors that determine the requirements of a firewall. Different use cases place different requirements on the filtering mechanisms that are needed. It is important to differentiate how deeply a firewall can observe the communication between different devices. A broad range of solutions is available that covers this aspect. The available spectrum ranges from firewalls that can only perform simple pattern recognition on packets (often called signatures) all the way up to firewalls that understand the functions and procedures in industrial protocols and thus can prevent individual communication templates in a targeted manner.
The simultaneous combination of differing security characteristics, like firewall mechanisms for instance, can ensure additional security when implementing Defence in Depth. Once again, the master builders of the Middle Ages provide the inspiration for this concept of diversity in defence mechanisms: in castles and other fortifications, high walls were often combined with other methods of defence, such as moats. Thus, an attacker had to develop a much more sophisticated strategy in order to overcome not only the wall, but also the moat.
In modern communications networks, it is equally advisable to implement diverse firewall mechanisms and combine them with Defence in Depth measures or other security mechanisms. The following filter mechanisms are commonly known.
Stateless firewalls
Communication relationships between devices may be in various phases (states). For example, the communication relationship is usually initiated in a first phase. Active communication is conducted in a second phase and the connection is ended in a third phase. A concrete example of a protocol that uses this procedure is the Transmission Control Protocol (TCP). TCP is often combined with the Internet Protocol (IP) to form TCP/IP. As the name implies, stateless firewalls1 do not react to the state of a communication connection nor do they differentiate between the various phases. Thus, stateless firewalls only determine which individual devices or applications may communicate with one another but cannot determine whether the participants are conducting the communication according to the normal procedure. In particular, a stateless firewall cannot recognise or prevent any attacks resulting from abnormal protocol behaviour. This puts especially vulnerable industrial devices with minimal self-defence at risk of being hit by, for example, a so-called denial of service attack. Such an attack can be performed by deliberately flooding the communication interface of an industrial device with traffic and overloading it with forged or erroneous communication requests.
Stateful firewalls
In contrast to stateless firewalls, stateful (state-aware) firewalls monitor the communication process of the participants and use this recorded information, such as the initiation or termination of the connection, as the foundation for the packet filtering. Thus, attacks that attempt to communicate over connections that are already established can be recognised and prevented. Equally, attacks that use a known faulty connection in order to load and overload a system can be prevented.
Deep packet inspection
Deep packet inspection (DPI)1 is an extension of stateful packet inspection. Stateful firewalls normally only examine the header at the beginning of the packet because the header contains all the information needed for the firewall to determine and monitor the communication state such as sequence numbers and the communication flags used by TCP. Deep packet inspection goes one step further and allows examination beyond the communication header all the way to the payload of a packet (eg, the control protocols of the industrial applications). In this way, highly specialised attack patterns that are hidden deep in the communication flow can be discovered.
To do this, the firewall must be capable of interpreting the respective communication protocol in order to differentiate between a well-formed, ‘good’ packet and a malicious packet or harmful payload. Therefore, deep packet inspection firewalls are often implemented as additional components of a stateful packet inspection firewall and only for select protocols and application purposes, such as industrial protocols.
A deep packet inspection firewall offers a high degree of security, often with a rule set that can be highly individualised and finely configured, but it demands more computing power. Equally necessary is a specialised configuration interface for establishing the firewall rules. Fortunately, leading products have built-in tools, making this process straightforward.
Because of their ability to provide very granular protection for not only which devices communicate with one another but also the ability to understand control protocols and allow only certain types of communications, deep packet inspection firewalls are well suited to secure the conduits between various industrial zones. By carefully deploying them at select points within the network they can significantly harden industrial communications.
Sometimes, the term “deep packet inspection” is used when describing a very different security mechanism that is implemented using a signature database rather than by fully decoding the application protocol. Signature files provide a very different type of protection. Signature files match the bits with a packet to a set of signatures to identify and block a set of previously identified vulnerabilities. So, while signature files can protect against known vulnerabilities, they do not provide the broad protection against malformed packets that protocol-level DPI provides, nor do they allow the message flow to be tightly configured to only allow messages that make sense in the operation of our specific system.
Management of firewalls
Just as there are differences in the application areas and the capabilities of the packet filter, there are differences in the additional functions of firewalls. An easy-to-use firewall can be the difference between a solution that is feasible for use or a solution that is more of an obstacle than an enabler in the implementation of a security strategy. This can be demonstrated by reviewing two typical management tasks: a) the integration of a new firewall in an existing industrial network and b) the management of multiple firewalls with network management tools.
Learning firewalls
Deploying a new firewall in an existing industrial network is no trivial matter. In such an application, there are generally numerous communication relationships that are only completely and correctly summarised and documented in the rarest of cases. Since the main function of a firewall is the prevention of unknown network traffic, the initial configuration of these devices is especially difficult.
If the firewall is configured too liberally, the control and monitoring traffic of the facility can flow without problems; however, the firewall also presents no great obstacle to an attacker or protection against misbehaving devices or malware.
If the firewall is configured too restrictively, it blocks the communication of a potential attacker, but it also hinders regular traffic so that the facility no longer operates faultlessly in all situations. This can lead to delays and costly repairs.
It is therefore important to configure the firewall properly in order to permit desired communication while simultaneously preventing undesired traffic. Without a complete view of all communication relationships, the integration of a firewall into an existing network can be a nerve-wracking situation (see Figure 1).
Modern, high-quality industrial firewalls support employees during commissioning by offering special analysis modes. Such a mode (eg, a Firewall Learning or Test Mode) enables the firewall to analyse the communication relationships in a network during a learning phase. During this learning phase, the firewall records all communication relationships without restricting any of them. With the help of the connection analysis, an administrator can then detect the desired or undesired communication relationships quickly and easily create a custom configuration of the firewall (semi-)automatically. This saves times and enables a functional and secure configuration without risking downtimes and failures. The duration of the learning period must be freely configurable since the firewall must observe all communication relationships during the learning phase. In particular, in the case of sporadic communication relationships, eg, during regularly scheduled maintenance, the timeframe must be set accordingly to also capture this sporadic communication.
Management of multiple firewalls
The use of firewalls to isolate various devices and facility components from one another is an important aspect of a Defence in Depth strategy. If an attacker has overcome an initial obstacle and penetrated the network, additional firewalls with more specific rules can prevent penetration into additional and more sensitive facility components.
But take note, the use of multiple IP firewalls and transparent Layer 2 firewalls requires management and configuration of these devices. Without a powerful management tool for simple (mass) configuration of firewalls, this task can be very time-consuming and error-prone in the case of changes to the network infrastructure. Hence, it is important that the firewalls can be managed and monitored centrally by network management tools to assist this process.
With proper management tools, standard configurations can be implemented quickly on newly installed firewalls, and mass configuration changes can likewise be made to adapt to network infrastructure changes. An example of such a change would be on a new log server that can be reached by all devices in the production network. If all firewalls must be configured individually, the IP address and the port of the log server must be set on each firewall. This is time-consuming and subject to errors. With mass configuration via a network management tool, this task can be simultaneously and reliably performed for all firewalls at once.
Summary
Even though firewalls are just one of many essential parts in modern security practices, they are still a pivotal element that no security model can do without. For implementing important principles from international standards and best practices, firewalls are absolutely essential to operations.
Firewalls are not a single type of device but rather a diverse collection of devices with differing technical characteristics, hardware features and equipment and regulatory and industry approvals that impact the types of industrial environments they can be used in and the use cases they best serve. It is therefore crucial to choose the correct firewall for each area in the industrial network. To maximise the effectiveness of firewalls, network designs need to follow the rules set forth with the best practices of Zones and Conduits as well as Defence in Depth. By combining different firewall functions in an overall network defence strategy and by positioning the different types of firewalls in the network where they can play to their strengths, it is possible to design networks that are prepared for the future and will stand the test of time.
Reference
- National Institute of Standards and Technology NIST 2011, Guide to Industrial Control Systems (ICS) Security.
Mineral processing: a eulogy for analog
Leading mines have already accomplished an automated, digitally connected mine and are reaping...
What is TSN and do we really need it?
Whether or not TSN becomes an industry-wide standard remains to be seen.
AI and condition monitoring
The rise of artificial intelligence is seen as particularly useful in the field of condition...