Pseudonym | Vector InfoTech
A firewall is a device, or a set of application programs, that prevents unauthorised access to a network, whether a small office network or a complex industrial network.
The term “firewall” long referred to a device or application that managed traffic at the network and transport layers (IP addresses, ports and protocol headers). Although it is still touted as the security tool, a traditional firewall required the coordination of other, external inspection devices to deliver industrial-grade security. For industrial applications this raises several questions: about complexity, about mobile or wireless network layers and their security devices, about add-ons, and about attacks on the layers the firewall does not see.
Nowadays “firewall” has become an industry term that broadly refers to a range of technologies, or to a device combining specific processes and technologies. Industrial firewall solutions are therefore either security hardware/software or a set of techniques. Seamless integration across data, endpoints, applications and cloud becomes crucial for end-to-end protection. In addition to NAT, VPN and stateful packet inspection (SPI), next-generation firewalls (NGFWs) add granular, intelligence-driven features such as deep packet inspection (DPI), file inspection, intrusion prevention, directory (user identity) integration, application control and handling of encrypted traffic. They extend filtering from the transport layer up to the application layer.
Principle of Firewalls
Whether a device or an application, a firewall's basic function is filtering packets. It operates on a pre-defined set of rules, each matching a pattern in the traffic (addresses, ports, protocols, connection state or payload content). Firewalls form part of an integrated security posture through the information security concept known as “defence in depth”: layered controls, in which the firewall's contribution is network segmentation, separating zones of a network from one another and controlling the traffic allowed between them.
Design of Firewalls
The design of a firewall depends on two factors: the scale and the functionality required for the particular industrial application. An example of the first factor is an IP firewall that establishes the WWAN connection and filters packets between different networks. An example of the second factor is an Ethernet firewall whose design specifications differ because it is intended for industrial hardening. The block diagram of a typical industrially hardened NGFW connection is as follows:
Types of Firewalls
Based on their filtering mechanism, firewalls are classified as stateless, stateful or DPI.
Stateless firewalls judge each packet on its own header fields (addresses, ports, protocol) without tracking the traffic it belongs to, so they cannot tell whether a packet is part of a legitimate connection or diagnose connection faults. Stateful firewalls track connection state from the header information, such as TCP flags and sequence numbers, and permit only packets that belong to an established connection or that legitimately open a new one according to the rules. DPI firewalls take a further step and examine the payload, including industrial protocols such as Modbus, so that, for example, a write command can be told apart from a read. They may also inspect encrypted traffic (where they hold the keys to decrypt it) and perform intrusion prevention. DPI firewalls are therefore the best fit for industrial hardening.
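As an added example (not code from this page or from Vector InfoTech), the three filtering models above, and the rule-matching principle from the previous section, run over constructed traffic: a workstation opening a Modbus/TCP session to a PLC, the PLC's reply, a read request, a write request and a spoofed out-of-state packet. The addresses, rules and packets are hypothetical; the Modbus framing (7-byte MBAP header followed by a function code) is the real protocol layout.

```python
"""Added example: minimal stateless, stateful and DPI packet filters run over
constructed packets. Addresses, rules and traffic are hypothetical."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"ACK"}
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    src: str = "*"     # "*" matches any address
    dst: str = "*"
    dport: int = 0     # 0 matches any destination port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("*", pkt.src) and rule.dst in ("*", pkt.dst)
            and rule.dport in (0, pkt.dport))


class StatelessFirewall:
    """Each packet is judged on its own header fields; first matching rule wins."""

    def __init__(self, rules, default="deny"):
        self.rules, self.default = list(rules), default

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action
        return self.default


class StatefulFirewall(StatelessFirewall):
    """Rules are consulted only when a TCP connection is opened (bare SYN).
    Later packets pass only if they belong to a tracked connection, in either
    direction; a stray ACK with no tracked flow falls to the default policy."""

    def __init__(self, rules, default="deny"):
        super().__init__(rules, default)
        self.connections = set()  # (src, sport, dst, dport) of allowed flows

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.connections or rev in self.connections:
            return "allow"
        if pkt.flags == frozenset({"SYN"}):  # new connection attempt
            action = super().decide(pkt)
            if action == "allow":
                self.connections.add(fwd)
            return action
        return self.default


MODBUS_PORT = 502
MODBUS_READ_FUNCTIONS = {1, 2, 3, 4}  # read coils/inputs/holding/input regs


def modbus_frame(pdu: bytes) -> bytes:
    """Modbus/TCP MBAP header: transaction id, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", 1, 0, len(pdu) + 1, 1) + pdu


def modbus_function_code(payload: bytes):
    """Function code is the first PDU byte after the 7-byte MBAP header;
    None for a truncated or non-Modbus payload."""
    return payload[7] if len(payload) >= 8 else None


class DPIFirewall(StatefulFirewall):
    """Connection tracking plus payload inspection: on the Modbus port only
    read function codes pass; writes and malformed PDUs are dropped."""

    def decide(self, pkt: Packet) -> str:
        action = super().decide(pkt)
        if action == "allow" and pkt.dport == MODBUS_PORT and pkt.payload:
            if modbus_function_code(pkt.payload) not in MODBUS_READ_FUNCTIONS:
                return "deny"
        return action


def run_demo():
    """Constructed traffic, fed in order to each firewall type."""
    rules = [Rule("allow", src="10.1.0.5", dst="192.168.10.20", dport=MODBUS_PORT)]
    ws, plc, data = "10.1.0.5", "192.168.10.20", frozenset({"ACK", "PSH"})
    traffic = {
        "syn": Packet(ws, plc, 40000, 502, frozenset({"SYN"})),
        "synack": Packet(plc, ws, 502, 40000, frozenset({"SYN", "ACK"})),
        # FC 3: read 10 holding registers from address 0
        "read": Packet(ws, plc, 40000, 502, data, modbus_frame(b"\x03\x00\x00\x00\x0a")),
        # FC 16 (0x10): write one register at address 0
        "write": Packet(ws, plc, 40000, 502, data,
                        modbus_frame(b"\x10\x00\x00\x00\x01\x02\x00\x01")),
        # ACK from an allowed source but on a port that never completed a handshake
        "spoof": Packet(ws, plc, 40001, 502, frozenset({"ACK"})),
    }
    results = {}
    for name, cls in (("stateless", StatelessFirewall),
                      ("stateful", StatefulFirewall), ("dpi", DPIFirewall)):
        fw = cls(rules)
        results[name] = {k: fw.decide(p) for k, p in traffic.items()}
    return results


if __name__ == "__main__":
    for kind, decisions in run_demo().items():
        print(kind, decisions)
```

The stateless filter allows the spoofed packet (its header fields match the rule) and blocks the PLC's legitimate reply (no reverse rule); the stateful filter fixes both but still lets the write through; only the DPI filter, reading the Modbus function code, blocks the write while permitting the read.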
Firewalls are, naturally, custom-configured to the industrial requirements, and the configuration is a balance. A loosely configured firewall may reveal the network's exposure, for example what is reachable in the DMZ, but does not actually shield against attacks. A strictly configured firewall may impose so many constraints and alerts that it gets in the way of the business purpose.
Network devices such as routers and switches may give the connected devices some internal protection through filtering built into their software, in the form of a set of rules called an access control list (ACL). An ACL is stateless and is not a firewall. It is also practically impossible to place firewalls at every point of a network: overuse of firewalls imposes latency and lowers throughput.
Many enterprises and industries have developed firewalls for distinct purposes. Simplified operation of a complex industrial infrastructure is possible only with NGFWs. For business networks, interconnecting diverse firewalled networks, even when widely scattered, is possible without sacrificing performance. Among the benefits of NGFWs are checkpoints at the right locations, inspection for malicious activity and pre-determined traffic control.