Industrial Cybersecurity

3 Ways Firewall Learning Mode Simplifies ICS Security

Belden

When you have a job to do, tools that are simple to use and designed for your industry go a long way toward achieving measurable results. When it comes to ICS security, we believe industrial security needs to be simple in order to be effective.

That’s why our firewalls have graphical tools that help controls specialists build traffic rules using terms and concepts that are familiar to them. For example, most engineers who use Rockwell control products do not have any idea what CIP objects and services are flowing over their network. The system just works.

Manufacturing Engineers

They might not even know what TCP and UDP port numbers their PLC to HMI traffic uses. But they do know that they want EtherNet/IP messages to go from a PLC to an HMI so they can read a set of analog values.

A capability of our devices, Firewall Learning Mode (FLM), removes a lot of the complexity involved in configuring and testing firewalls. It also greatly reduces a traditional installation risk: network interruptions.

The odds of control specialists successfully implementing effective ICS security are greatly increased when they select industrial firewalls with Firewall Learning Mode.

Firewall Learning Mode Makes it Easy to Identify Network Traffic 

One of the most challenging things to do when setting up a firewall is collecting the required information about which devices need to communicate with each other and what protocol they are using for communication.

Remember, a firewall is simply a device that monitors and controls traffic flowing within or between networks. It starts by capturing traffic passing through it and comparing that traffic to a predefined set of rules. Any messages that do not match the rules are discarded.

Rather than having to start specifying communication rules from scratch, Belden firewall products have the ability to identify the existing traffic on a network and present it to the person configuring the device. The feature that does this is called FLM and its first key benefit is that it describes the traffic currently occurring on the live network.

To do this, it is as simple as selecting "Start Learning", allowing the device to run for a while, and then selecting "Stop Learning". All traffic that passes through the firewall during that period is identified and displayed in the graphical user interface.

Firewall Learning Mode (FLM) is turned on in the EAGLE One security router.

An additional approach is the one our Tofino firewall takes. It provides predefined templates for over 25 families of popular industrial controllers, including rule definitions to protect devices with known vulnerabilities.

FLM Makes it Easy to Create Network Security Rules 

By default, FLM automatically creates rules that allow packets to pass through it in either direction. Using this captured data, the person configuring the firewall selects the rules for the traffic they want to allow. The “allow” rules are added to a temporary rule set. Traffic that doesn't match an "allow" will be blocked.

Rules generated by Firewall Learning Mode are accepted. Interface shown is for the EAGLE One Security Router.

As the screen shot above shows, EAGLE One provides the IP address of the computer sending messages and the IP address of the computer/device receiving messages. It also shows the source and destination ports, which indicate the application protocol being carried in the message.

FLM Makes it Easy to Test Rules Without Impacting Network Traffic or Production

Let's think about this for a minute. A firewall has been installed in the network and is operating and has presented the traffic passing through it. Firewall rules have been selected. Wait! Once a rule is configured and active, isn’t the firewall using the rule to filter traffic? What about possible impacts on network traffic and production?

The good news is that FLM includes the capability of applying rules in a firewall operational mode called Test. In this state, all packets pass through the firewall filters, but the ones that would have been stopped are identified.

This allows the control engineer to study the blocked traffic and think through the implications before activating the rule set. If the devices behind the firewall will work properly and if extraneous or malicious traffic would be stopped, then the test rules can be saved into the active configuration.
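As an added illustration (not Belden's code, nor the EAGLE One or Tofino implementation), the learn, test and active states described in the two sections above as a small Python model: learning records every flow seen, the engineer promotes selected flows to allow rules, Test mode forwards everything but flags what the rules would drop, and Active mode enforces. The IP addresses and the sample PLC/HMI flows on TCP port 44818 (EtherNet/IP explicit messaging) are constructed.

```python
from collections import namedtuple
from enum import Enum

class Mode(Enum):
    LEARN = "learn"     # forward everything and record the flows seen
    TEST = "test"       # forward everything, flag what the rules would drop
    ACTIVE = "active"   # enforce: drop anything without an allow rule

# A flow is keyed on the fields the FLM display shows: source, destination, port
Flow = namedtuple("Flow", "src dst dport")

class LearningFirewall:
    def __init__(self):
        self.mode = Mode.LEARN
        self.learned = set()    # flows captured between Start/Stop Learning
        self.allow = set()      # temporary rule set chosen by the engineer
        self.would_block = []   # flows flagged while in Test mode

    def filter(self, flow):
        """Return True if the packet is forwarded, False if it is dropped."""
        if self.mode is Mode.LEARN:
            self.learned.add(flow)
            return True
        permitted = flow in self.allow
        if self.mode is Mode.TEST and not permitted:
            self.would_block.append(flow)   # identified, but still forwarded
            return True
        return permitted

    def accept_learned(self, keep):
        """Promote the learned flows the engineer selects into allow rules."""
        self.allow = {f for f in self.learned if keep(f)}

def run_demo():
    fw = LearningFirewall()
    plc, hmi, laptop = "192.168.1.10", "192.168.1.20", "192.168.1.50"
    traffic = [  # constructed sample: PLC/HMI EtherNet/IP plus a stray laptop
        Flow(hmi, plc, 44818), Flow(plc, hmi, 44818),
        Flow(laptop, plc, 44818), Flow(laptop, plc, 22),
    ]
    for f in traffic:
        fw.filter(f)                            # learning phase
    fw.accept_learned(lambda f: {f.src, f.dst} == {plc, hmi})
    fw.mode = Mode.TEST
    in_test = [fw.filter(f) for f in traffic]   # nothing dropped yet
    fw.mode = Mode.ACTIVE
    in_active = [fw.filter(f) for f in traffic] # laptop flows now dropped
    return fw, in_test, in_active
```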

Implementing ICS Security is Easy with Today's Technologies

While many industrial protocols are insecure by design, controls specialists can readily secure their networks using new industrial firewalls that are designed to make it simple. At Belden, both the EAGLE One security router and the Tofino Xenon security appliance include Firewall Learning / Test Modes. 

Editor’s Note: This article was developed with expertise from Nils Buecker, a product manager in our Hirschmann group.