
2025/06/16 15:52:38 news 1776

Quoted from: "Intelligent Manufacturing Information Security Technology" (authors: Qin Zhiguang, Nie Xuyun, Qin Zhen)

An industrial firewall is a device that must be deployed for information security in industrial control systems, and industrial firewall technology is the foundation of ICS information security technology. Industrial control firewall technology can implement zone control: it divides the control system into security zones, isolates and protects those zones, and protects the access of legitimate users to network resources. At the same time, it can deeply parse control protocols, detect abnormal application-layer traffic in protocols such as Modbus and DNP3, and dynamically track OPC ports to protect key registers and operations.

The purpose of an industrial control system firewall is to establish security control points between different security domains, and to parse and filter the data flow passing through the firewall according to predefined access control and security protection policies, so that only controllable, authorised service requests reach the protected security domain.

1. Characteristics of industrial firewalls

Industrial control firewalls differ from traditional firewalls because of the environment they operate in. By comparison, traditional firewalls lack the following characteristics:

(1) Traditional firewalls do not carry an industrial protocol parsing module, so they do not understand, and cannot support, industrial control protocols. Industrial networks use dedicated industrial protocols of many kinds, including protocols based on industrial Ethernet (at layer 2 and layer 3) and protocols based on serial links (RS-232, RS-485). All of these require dedicated industrial protocol parsing modules to filter and parse them.

(2) The software and hardware architecture of traditional firewalls does not meet the real-time and production-environment requirements of industrial networks. First, industrial control equipment in industrial networks has very strict requirements for real-time transmission and feedback. Second, industrial production places very high demands on the environmental adaptability of network security equipment, and many industrial sites are harsh, unattended environments. Industrial control firewalls must therefore offer predictable performance and a level of interference resistance suited to industrial production environments.

Therefore, in addition to access control, security domain management, network address translation (NAT) and other functions, an industrial control firewall also has a protocol filtering module and a protocol deep-analysis module specifically for industrial protocols. These built-in modules can identify, filter and analyse the various industrial protocols found in the ICS environment.

2. Categories of industrial firewalls

In an industrial network, industrial control firewalls [2] can be roughly divided into two types according to where they are deployed:

(1) Rack-mounted industrial control firewall. Rack firewalls are generally deployed in the factory computer room, so their specifications are the same as those of traditional firewalls. Most adopt a 1U or 2U rack design with fanless operation and IP40 protection, and are used to isolate the factory from the management network or from other factory networks.

(2) DIN-rail industrial control firewall. Most rail-type firewalls are deployed on the production site, in the production environment, so they use a rail-mount architecture that clips onto the rail without screws and is easy to maintain. Their internal design is more closed and compact: the internal components are embedded computing motherboards that generally adopt integrated cooling, an ultra-compact structure and no internal cabling, with onboard CPU and memory chips so that they withstand the vibration of the industrial production environment.

3. Main application scenarios of industrial firewalls

(1) Deployed between the management network and the control network for isolation. The industrial firewall controls cross-layer access and deeply filters the data exchanged between levels, preventing an attacker on the management network from launching attacks against the control network, as shown in Figure 1.


Figure 1

(2) Deployed between different security zones of the control network. The industrial firewall divides the control network into security zones, controls access between zones and deeply filters the traffic passing between them, preventing security risks from spreading from one zone to another, as shown in Figure 2.


Figure 2 The different security areas of the control network

(3) Deployed between key devices and the control network. The industrial firewall checks the IP addresses of hosts accessing key devices, blocks access to non-service ports and illegal operation instructions, records every access to and operation on the key devices, and thereby provides security protection and traffic auditing for key devices, as shown in Figure 3.


Figure 3 Between key equipment and control network
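The deep protocol parsing described in the opening paragraph and the key-device scenario (3) above (source-address check, blocking of non-service ports and illegal operation instructions, access audit) can be combined in one filter. The Python block below is an added illustration and not code from the book or from any product: the Modbus/TCP request frames, the client allowlist, the function-code allowlist and the protected register range are all constructed assumptions.

```python
import struct

# Constructed policy for one protected PLC; every value below is an assumption
ALLOWED_CLIENTS = {"10.0.1.10"}        # HMI / engineering station allowed to reach the PLC
SERVICE_PORT = 502                     # Modbus/TCP; every other port is a non-service port
READ_FUNCS = {1, 2, 3, 4}              # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16}           # write single or multiple coils / registers
PROTECTED_REGS = set(range(100, 110))  # setpoint registers that must never be written remotely
audit_log = []                         # every decision is recorded: access and operation audit

# Constructed sample requests (MBAP header + PDU), all addressed to unit 1
READ_HR = b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"        # FC3: read registers 0-9
WRITE_SETPOINT = b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x69\x12\x34" # FC6: write register 105
WRITE_OK = b"\x00\x03\x00\x00\x00\x0d\x01\x10\x00\x5f\x00\x03\x06" + b"\x00" * 6  # FC16: 95-97
DIAGNOSTIC = b"\x00\x04\x00\x00\x00\x06\x01\x08\x00\x00\x00\x00"     # FC8: diagnostics

def parse_modbus_tcp(payload):
    """Parse the MBAP header and request PDU; return None if the frame is malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # protocol id is 0; length covers unit id + PDU
        return None
    pdu = payload[7:]
    addr = struct.unpack(">H", pdu[1:3])[0] if len(pdu) >= 3 else None
    qty = struct.unpack(">H", pdu[3:5])[0] if pdu[0] in (15, 16) and len(pdu) >= 5 else 1
    return {"tid": tid, "unit": unit, "func": pdu[0], "addr": addr, "qty": qty}

def _evaluate(src_ip, dst_port, payload):
    if src_ip not in ALLOWED_CLIENTS:
        return "DENY", "unauthorised source address", None
    if dst_port != SERVICE_PORT:
        return "DENY", "non-service port", None
    msg = parse_modbus_tcp(payload)
    if msg is None:
        return "DENY", "malformed Modbus/TCP frame", None
    if msg["func"] in READ_FUNCS:
        return "ALLOW", "read request", msg
    if msg["func"] in WRITE_FUNCS and msg["addr"] is not None:
        touched = set(range(msg["addr"], msg["addr"] + msg["qty"]))
        if touched & PROTECTED_REGS:               # deep parse: the write reaches a key register
            return "DENY", "write to protected register", msg
        return "ALLOW", "write to unprotected register", msg
    return "DENY", "request with function code %d not permitted" % msg["func"], msg

def decide(src_ip, dst_port, payload):
    # evaluate one request, append the decision to the audit log, return (verdict, reason)
    verdict, reason, msg = _evaluate(src_ip, dst_port, payload)
    audit_log.append({"src": src_ip, "port": dst_port, "verdict": verdict, "reason": reason,
                      "func": msg["func"] if msg else None})
    return verdict, reason
```

A multi-register write that only partly overlaps the protected range is denied as a whole, which is the behaviour a register-level policy needs.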

4. Performance requirements of industrial firewalls

The security objectives of an industrial control system are prioritised: availability is considered first, the integrity of all system components second, and confidentiality is usually considered last (Figure 4).


Figure 4

The overall goal of deploying industrial control firewalls and other industrial control security isolation and information exchange products is to resist malicious damage and attacks on industrial control systems in their various forms, and to prevent industrial control system failures and industrial equipment damage that originate at the information security level. Specifically:

(1) Prevent attacks and intrusions launched across external boundaries, and in particular prevent industrial control system failures and equipment damage caused by such attacks.

(2) Prevent unauthorised users from accessing the system, illegally obtaining information, intruding, or carrying out major illegal operations.

Technical requirements for industrial control firewalls fall into two categories: security function requirements and security assurance requirements. The security function requirements specify the security functions an industrial control firewall should implement, consisting of three parts: network layer control, application layer control, and security operation and maintenance management. The security assurance requirements specify the content of the firewall's development and usage documentation.

Given the environment [3] and application scenarios in which an industrial firewall operates, its design must meet the following requirements.

1) Meet the hardware requirements of the industrial environment

The hardware architecture of an industrial control firewall must first meet the hardware requirements of the industrial environment: fanless operation, a wide temperature range (-40 to 70 ℃), humidity tolerance (5% to 95%, non-condensing), protection class IP40 (dust-proof but not waterproof), and so on.

Accordingly, the hardware of an industrial control firewall generally uses a fanless embedded industrial computer as the carrier platform, and the specific hardware combination is then determined through investigation during the design phase.

2) Meet the high-speed requirements for packet processing performance

An industrial control firewall holds rule templates modelled in advance for known protocols, as well as rule templates that can be learned automatically and modelled later. Because the firewall processes packets one by one, including verifying each packet and processing every layer of packet header, the smaller the packets, the shorter the interval between arrivals and the higher the demand on packet processing.

Moreover, different equipment in the industrial environment uses different industrial protocols [4], so the industrial control firewall must process messages of several industrial protocols in the network traffic at the same time. The rule base also keeps growing over time, which demands enough processing performance to keep both the transmission speed of network data and the detection speed of pattern matching within the real-time needs of industrial networks.

3) Meet the stability requirements of the industrial environment

To meet the stability requirements of the industrial environment, the industrial firewall must consider, at both the hardware and the software level, the impact of its own stability on the industrial network.

An industrial firewall needs both hardware and software Bypass functions. Once the device fails or restarts, the Bypass function is activated, so the industrial network is not disconnected because of a problem with the industrial firewall itself. While Bypass is active, traffic passes through without inspection, which reflects the availability-first priority order described above.

5. Industrial firewall technology

Industrial firewalls are similar in type to general IT firewalls and are generally divided into packet filtering, stateful packet inspection and proxy service firewalls [1].

1) Packet filtering technology

Packet filtering selects packets at the third (network) layer of the OSI model. The basis for selection is the filtering logic configured in the system, known as the access control list. It decides whether a packet may pass by checking the source address, destination address, port numbers, protocol state and other attributes of each packet in the data stream, alone or in combination. Packet filtering firewalls have simple logic and low cost, are easy to install and use, and offer good network performance and transparency.

An industrial firewall is a packet filtering firewall built on access control technology. It can ensure secure communication between different security zones: by configuring access control rules it manages and controls the information flows entering and leaving each security zone [5], ensuring that resources are used and managed only within the permitted scope.

2) Stateful packet inspection technology

Stateful packet inspection monitors the state of every valid connection and uses this information to decide whether a packet may pass through the firewall. It intercepts packets at the bottom of the protocol stack, analyses them, and compares the current packet and its state information with the packet and state information seen at the previous moment to derive the control decision for the packet, thereby protecting the network.

A stateful firewall does not need to match rules for every packet in a session; it only needs to check the packet against the tracked connection state, which speeds up packet processing. Compared with the access control lists of traditional packet filtering firewalls, it offers better performance and security, and is increasingly used in industrial control applications.
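As an added illustration of the stateful inspection just described (not code from the book or from any product): a minimal connection tracker that consults the access control list only when a new session is opened by a SYN, admits the rest of that session, including the replies, by state alone, and drops packets that belong to no tracked session. The HMI and PLC addresses, port 502 and the ACL are constructed assumptions.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")   # flags: set of TCP flag names

# Constructed access-control list (assumption): new sessions are allowed only from the HMI
# to the PLC's Modbus/TCP port; the reverse direction is never listed, replies pass by state
HMI, PLC = "10.0.1.10", "10.0.2.20"
ACL = [{"src": HMI, "dst": PLC, "dport": 502}]

class StatefulFilter:
    def __init__(self):
        self.table = {}         # session key -> {"state": ..., "client": (ip, port)}
        self.rule_lookups = 0   # how many times the ACL had to be consulted

    @staticmethod
    def _key(p):
        # both directions of one session map onto the same key
        return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def _acl_allows(self, p):
        self.rule_lookups += 1
        return any(p.src == r["src"] and p.dst == r["dst"] and p.dport == r["dport"] for r in ACL)

    def inspect(self, p):
        key = self._key(p)
        sess = self.table.get(key)
        if sess is None:
            # only a fresh SYN may create state, and only if a rule permits the session
            if p.flags == {"SYN"} and self._acl_allows(p):
                self.table[key] = {"state": "SYN_SENT", "client": (p.src, p.sport)}
                return "ALLOW"
            return "DROP"       # unsolicited reply, ACK-only probe or unauthorised SYN
        if sess["state"] == "SYN_SENT":
            from_server = (p.src, p.sport) != sess["client"]
            if from_server and {"SYN", "ACK"} <= p.flags:
                sess["state"] = "ESTABLISHED"
            elif from_server:
                return "DROP"   # the server may only answer the handshake at this point
        if "FIN" in p.flags or "RST" in p.flags:
            del self.table[key]  # simplified teardown: the first FIN/RST closes the session
        return "ALLOW"

def simulate(packets):
    """Run packets through a fresh filter; return (verdicts, number of ACL lookups)."""
    f = StatefulFilter()
    return [f.inspect(p) for p in packets], f.rule_lookups
```

The lookup counter shows the performance point made above: across a whole session the ACL is consulted once, and every later packet costs only a state-table lookup.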

3) Proxy service technology

Proxy service technology was introduced to address the shortcomings of packet filtering and application gateway technology. Its characteristic is that every network communication link crossing the firewall is split into two segments: the application-layer "link" between computer systems inside and outside the firewall is realised as two "links" terminated on the proxy server. The external computer's network link only reaches the proxy server, which isolates the computer systems inside and outside the firewall. In addition, the proxy service analyses and logs traffic and produces reports; when it finds signs of attack it alerts the network administrator and preserves traces of the attack. However, the proxy server introduces delay and affects performance.

The three technologies above are all relatively traditional. As network security technology advances, firewall technology keeps developing; the newer industrial firewall technologies are as follows [6]:

(1) Transparent access technology. The main feature of transparent mode is that it is transparent to users, who are unaware of the firewall's existence. To operate in transparent mode the firewall works without an IP address: none needs to be configured for it, and users do not know any firewall address. Because of this, users do not have to reconfigure or modify routing; the firewall can be installed directly in the network like a switch, with no IP address to set.

(2) Distributed firewall technology. A distributed firewall is responsible for security protection at the network boundary, between subnets and at the nodes within the network, so a distributed firewall is a complete system rather than a single product. According to the required functions, the distributed firewall architecture consists of three parts: ① the network firewall, implemented in software alone or with corresponding hardware support, which protects between the internal and external network and between subnets of the internal network; ② the host firewall, which protects servers and desktop machines in the network; ③ central management, responsible for planning, managing, distributing and summarising the overall security policy. The workflow of a distributed firewall is as follows: first, the centre that formulates the firewall access control policy compiles the policy language description into an internal format to form a policy file; then the centre uses system management tools to distribute the policy file to each internal host, and each internal host decides whether to accept a received packet on the basis of the IP security protocol and the server-side policy file.

(3) Intelligent firewall technology. An intelligent firewall consists of internal and external routers, an intelligent authentication server, intelligent hosts and a bastion host. The internal and external routers build a secure subnet between the intranet and the Internet, called the demilitarised zone (DMZ). Its working principle, following the operation of the internal and external routers, is that intranet hosts use the same IP address when connecting to Internet hosts, while an Internet host connecting to an intranet host must be mapped to that host through a gateway, which makes the intranet invisible to the Internet. At any time, the application filtering manager on the bastion host in the DMZ can communicate confidentially in both directions with the intelligent authentication server on the intranet through a secure tunnel, and the intelligent authentication server can modify the routing tables and filtering rules of the internal and external routers through this confidential channel. The coordination of the whole firewall system is controlled and executed mainly by a specially designed application filtering management program and an intelligent authentication service program, which run on the bastion host and the intelligent server respectively.

References

[1] Su Jie, Yuan Junpeng. Firewall technology and its progress [J]. Computer Engineering and Application, 2004(09): 147-149, 160.

[2] Zhang Jian. Industrial Control System Network Security [M]. Beijing: University of Electronic Science and Technology Press, 2017.

[3] Lu Guangming. Current situation and challenges facing industrial control security in China [J]. Cyberspace Security, 2018(03).

[4] Stouffer K, Falco J, Scarfone K. Guide to Industrial Control Systems (ICS) Security [R]. NIST Special Publication 800-82, 2008.

[5] Barbosa R R R, Sadre R, Pras A. Exploiting traffic periodicity in industrial control networks [J]. International Journal of Critical Infrastructure, 2016.

[6] ANSI/ISA-99.01.01-2007. Security for Industrial Automation and Control Systems: Terminology, Concepts and Models [S]. 2007.
