Industrial Firewall

Industrial Firewall

 > Products>Network Security>Industrial Firewall >Related Resources >Technical White Paper >DPtech IFW1000 Industrial Firewall Technical White Paper
DPtech IFW1000 Industrial Firewall Technical White Paper

\ Download

1  Overview

1.1  Industrial security situation

The rapid development of industrial information application and the arrival of Industry 4.0 era bring about the increasing integration of industrialization and informatization. As a result, industrial control systems are using the latest computer network technology to improve the integration, interconnection and information management among systems. Looking ahead, a higher degree of openness will be widely seen in the industrial control networks in an effort to improve productivity and efficiency. When information network and the control network are interconnected, it has become a severe issue to ensure the security of process control systems. In oil, petrochemical, electric power, steel, coal, and other manufacturing industries which have higher requirements for the security and reliability of continuous production, interconnection between the information network and the control network is exposing the control network directly to the potential threats and attacks from the external networks.

According to monitoring data, many key control systems are running on the Internet, involving key infrastructure areas such as municipal water supply, heating, and water conservancy. Attacks on these systems are highly destructive.

However, the issue of security is rarely considered at the beginning of industrial control network construction, such as using plain text files to transmit industrial control protocols and lacking in authentication methods, causing key data to leak easily and increasing the possibility of bypassed systems.

1.2  Market situation

Traditional firewalls cannot meet the protection requirements of industrial control networks in the following aspects:

■  Traditional firewalls cannot accurately detect industrial protocols, especially their signatures;
■  Traditional firewalls cannot perform in-depth filtering on industrial protocols, for example, they cannot block access requests that do not comply with the protocol, or violating operation instructions;
■  Traditional firewalls cannot accurately track and control the OPC Classic dynamic ports.

2  Product Introduction

Dedicated to industrial control systems, the DPtech IFW1000 Industrial Firewall not only meets the basic requirements of traditional firewalls, but also special needs in industrial control environments. It is widely used in isolation of industrial control layers and between regions of each layer, providing effective security protection of industrial control systems including SCADA, DCS and PLC.

IFW1000 Industrial Firewallsupports packet filtering, NAT, status detection and other features of traditional firewalls, as well as accurate detection of industrial protocols such as OPC, Modbus, IEC104, and IEC61850/MMS and in-depth analysis and filtering of protocol contents, enabling multi-level protection and ensuring the security of industrial networks.

3  Technology Architecture

\
Fig. 3-1 Diagram of technology architecture

As shown in Fig. 3-1, the DPtech IFW1000 integrates the Conplat platform and the driver adaptation module based on a professional hardware platform to build a stable framework layer. DPtech is dedicated to develop basic modules for system management, configuration management, log management, and routing management. The hardware layer, framework layer, and basic layer work together to ensure the proper operation of business layers, including the network layer control and the industrial protocol security modules.

4  Main Functions

4.1  Network Layer Control

DPtech IFW1000 provides multiple network layer control functions, including packet filtering, NAT, status detection, user/MAC/IP binding:

Packet filtering is applicable to IPv4 and IPv6 environments. It refers to the process of determining whether a packet should be released by inspecting the source IP address, destination IP address, source port number, destination port number, protocol type or their combinations in accordance with the packet filtering rules. Through customized packet filtering rules, users can provide basic protection for the packets.

NAT functions, including source NAT, destination NAT, static NAT and port block NAT, can meet the needs of IP addresses by address multiplexing, alleviating the pressure caused by exhausted IP address space to some extent.

Status detection function performs testing on the logical relationship of interacted packets on TCP and ICMP to block abnormal requests or connections.

By user/MAC/IP binding, user, MAC and IP are bound in pairs to effectively prohibit illegal user access and facilitate management by preventing users from authorized modification of host IP addresses.

4.2  Application layer control

With application layer protection of industrial protocols, DPtech IFW1000 provides two core functions in terms of access control and content security of industrial protocols:

Relying on the powerful protocol identification capabilities of DPtech IFW1000, the access control of industrial protocols provides the most accurate access control function by identifying the packet header features; in addition, it enables expanded protocols through customization, maximizing the role of access control.

Based on in-depth analysis of the industrial protocols and inspection of protocol formats, the content security of industrial protocols is capable of blocking abnormal requests that do not comply with rules of protocols, such as non-standard function codes, abnormal lengths, and exceeding standard values. Meanwhile, according to pre-set security rules, it checks and matches the content of industrial protocols to realize granular control on commands and parameters..

4.3  Attack prevention

As one of the important features of DPtech IFW1000, attack prevention determines whether the packets contain attack characteristics by analyzing the content and behavior characteristics of packets, and takes actions to protect network hosts or network devices.

Attacks that can be detected by DPtech IFW1000 include DoS (Denial of Service), scanning and snooping, malformed packets and others. Appropriate measures can thus be adopted to protect against these attacks. Attack prevention is realized by various functions, such as blacklist filtering, packet feature identification, anti-DDoS, and intrusion detection statistics.

Apart from the conventional IPv4 security protection technologies, DPtech IFW1000 provides all-round IPv6 security protection against huge-icmp-pak, icmp-flood, ip-sweep, ip-spoofing (l2/l3), udp-flood, tear-drop, ip-fragment, ping-of-death, port-scan, syn-flood, syn-proxy, tcp abnormal, land-attack, NDP defender, etc..

4.4 VPN

In integration with professional VPN functions, professional tunnel encryption protection for data transmitted in industrial control networks is enabled on DPtech IFW1000 through encryption, authentication and tunneling, thus avoiding leakage of important data and safeguarding the integrity and confidentiality of data transmission. It not only enables a simplified network structure, but also greatly improves the cost performance of network security construction.

5  Product advantages

5.1 Full support of industrial protocols

Preset with nearly 100 protocols, including Modbus, OPC, IEC104, DNP3, EN IP, IEC61850, BACnet, and FINS, the DPtech IFW1000 supports custom extensions of industrial protocols, including layer-2 protocols and layer-3 network port numbers, to meet the requirements of various industrial scenarios based on the scalability of device-identifiable network protocols.

5.2 Precise and in-depth filtering of industrial protocols

DPtech IFW1000 supports deep analysis and filtering of various industrial protocols, enabling command-level control on industrial protocols. Please refer to Table 5-1 for details.

Tab 5-1 Introduction to in-depth filtering of industrial protocols

Name of protocols

Deep filtering

Modbus/TCP

Modbus security rules:
Unit ID access control
access control of function codes (including read-only and read-write control);
access control of address range;
access control of the range of values;
inspection of protocol formats and status;
alerts and blockage (support session reset and abnormality response during blocking);
Modbus scanning protection:
Effectively prevent scanning of Modbus and other scanning tools, including PLC-Scan, and Installer_CAS-Modbus-Scanner;    alerts and blockage (support session reset and blacklist during blocking);
alerts and blockage (support session reset and blacklist during blocking);

OPC Classic

Support OPC dynamic port restriction;
Support deep security of OPC DA, HDA and A&E;
Support global read and write control of TAG control points;
Support DCE/RPC standard format checks;
alerts and blockage (support session reset during blocking);

IEC104

Support remote adjustment, remote control, telemetry, remote signaling, and station calling;
Support public address, information object address, value range control;
Support protocol format check and transmission reason check;
alerts and blockage (support session reset during blocking);

IEC61850/MMS

Support MMS PDU type control;
Support MMS service type control;
Support logical node name control;
alerts and blocking (support session reset during blocking);

IEC61850/GOOSE

Support malformed packet inspection;
Support GOOSE ID access control;
Support point value type, length and range control;
alerts and blocking

IEC61850/SV

Support malformed packet inspection;
Support multiple ASDU inspection control;
Support configuration version, data set length control;
alerts and blocking

5.3  Multi-service modes

DPtech IFW1000 Series provides all-pass, testing, and protection modes to perform security test during deployment of policies and minimize any possible impact brought by launching an Industrial Firewall on business. Please see below for details.

■  Protection mode: Industrial firewall blocks behaviors unlisted in the whitelist policy and sends corresponding logs;
■  Testing mode: verify the legitimacy of the policies, and issue an alert on behaviors unlisted in the whitelist policy, instead of interception.
■  All-pass mode: All packets passing through the device are released.

5.4  Self-learning of the whitelist policy

Capable of self-learning of industrial protocol traffic, the DPtech IFW1000 supports intelligent generation of whitelist policies and allows users to check deployment policies with a single click, eliminating any difficulty of configuration caused by unfamiliarity with protocols. Meanwhile,as the depth of self-learning is in consistent with that of inspection of industrial protocols, easy deployment and deep protection can be achieved.

5.5  Rich Network Features

DPtech IFW1000 provides rich network features, such as STP, VLAN, ARP and other layer-2 features, as well as BGP, OSPFv2/v3, MPLS and other layer-3 features in IPv4/IPv6 environments. Please see below for details.

Available networking modes include transparent mode, routing mode, and hybrid mode.

■  Support IPv4/IPv6 protocol stack, with complete and rich IPv6 protocol transition and tunnel technology
■  Access, Trunk VLAN, port aggregation, port mirroring
■  policy-go-together, static routing, multicast IPv4/6 routing (IGMP, PIM, MSDP, multicast VPN)
■  IPv4 routing (supports RIP v1/2, OSPF, IS-IS, BGP, Guard routing)
■  IPv6 routing (supports RIPng, OSPFv3, Guard routing), IPv6 tunneling technology
■  Support complete MPLS VPN
■  Support DNS, DHCP, ARP, BFD, STP, QOS

With the rich network features, DPtech IFW1000 provides users with flexible networking capabilities in transparent mode and routing mode, adapting to various networking environments.

5.6 High performance and low-latency processing capabilities

DPtech IFW1000 packet filtering and NAT functions compile security policies into a series of quick matching entries with the decision tree algorithm. When a packet passes through the device, the five elements are extracted and forwarded to the quick matching entry for policy matching at a time. In this way, all corresponding matches can be found to form a parallel processing architecture of data stream, while maintaining high performance and low-latency processing capabilities. In addition to meeting the administrator's requirements for ultra-high performance and low transmission delay, the firewall helps eliminate network transmission bottleneck.

5.7  High Reliability

DPtech FW1000 supports complete dual-system hot standby technologies, including regular, advanced, asymmetric, and silent dual-system hot standby. In the transparent mode, IFW1000 provides powerful software and hardware Bypass feature, enabling the flow of traffic in the event of power failure, abnormal operation, and version upgrade. In this way, it helps minimize single point of failure and impact on the industrial networks.

6  Applications

6.1  Isolation of industrial control layers

\

Fig 6-1 Diagram of layer isolation

 As shown in 6-1, the DPtech IFW1000 is applicable to the isolation between the management network and the control network.

6.2 Isolation between regions of each layer      

\

Fig 6-2 Diagram of regional isolation

 As shown in 6-2, the DPtech IFW1000 is applicable to the isolation between regions of each layer.

6.3  Isolation of onsite control layer

\

Fig 6-3 Diagram of onsite controller isolation

As shown in 6-3, the DPtech IFW1000 is applicable to the isolation of key controllers and the control network.

7  Values

7.1  Security isolation

With IFW1000, users can perform logical isolation and protection among the security regions of an industrial network, which not only reinforces the industrial control network, but also is in full compliance with industrial policies and technical requirements. IFW1000 provides accurate and in-depth filtering of industrial protocols, thereby avoiding potential security incidents caused by tampered manipulation instructions and production parameters.

8  Appen dix

8.1  List of abbreviations

Tab 8-1 Common abbreviations

Abbreviations

English

ICS

Industrial Control System

SCADA

Supervisory Control And Data Acquisition System

DCS

Distributed Control System

PCS

Process Control System

PLC

Programmable Logic Controller

RTU

Remote Terminal Unit

IED

Intelligent Electronic Devices

HMI

Human-Machine Interface

MES

Manufactoring Execution System

ERP

Enterprise Resource Planning

OLE

Object Linking and Embedding

OPC

OLE for Process Control

VPN

Virtual Private Network

IFW

Industrial Firewall

 

Subscription account Service account