Home / Blog / Transparent firewalls, cristal bricks

Transparent firewalls, cristal bricks

Posted on 08/31/2017, by INCIBE
Transparent firewalls

Firewalls are devices which are used to control the traffic between points. Basically they are in charge of inspecting network frames and apply rules, making decisions about the actions to be taken by said frames.

There are various classifications of firewalls depending on the characteristics that we want to highlight. One of the classifications of firewalls that we normally value is the level to which the framework is capable of applying security policies and what type of control it is capable of storing and managing within a communication. This classification will determine certain types of firewalls:

Firewall classification by their level of frame inspection

- Firewall classification by their level of frame inspection

The classification that interests us for this article is by the type of connectivity, of which there are two options:

Firewall classification by the type of connectivity

- Firewall classification by the type of connectivity

Routed Firewall Mode

The majority of the firewalls used are routed. These devices, apart from the level of packet inspection and filters they have available, are also able to route packets. These firewalls have two interfaces, the external and the internal. They are named so because they were generally used to filter either exterior traffic (or from the internet) or the internal network's interior traffic. What is clear is that these firewalls have level 3 entrance and exit interfaces and they therefore have IPs within the network's architecture. When a packet is received they inspect it (applying the packet inspection level firewall rules within its capabilities) and afterwards they route it (decreasing the packet's number of jumps, TTL, of the frame and applying their routing tables towards the final destination or next jump), thus modifying the original packet.

One of the disadvantages of these routed firewalls in industrial networks is the impact in the network's recovery time because of protocols such as STP and RSTP. When appearing in the link table, should that table have to be recalculated because of the loss of a link, they are considered with a medium time delay which is the same as the time estimated for the recovery of the routes tables, therefore this cannot be considered as "zero" time for transmitting packets.

Transparent Firewall Mode

The first thing that we should set straight when we refer to firewalls in transparent mode, is that we are referring to the mode which is used to connect to the network, not the internal functioning mode. Therefore, a firewall can be transparent with an application level of packet inspection. The saving of resources by not routing can be seen reflected in the increase in the capacity of deep inspection of packets, creating "logs" which are very specific to certain industrial protocols or a more reduced size.

The transparent firewall mode has a specific, differentiating characteristic: They do not have an IP within the network's architecture, which is really why they are known as transparent. They may have a management IP through a different interface, but that is not strictly necessary. This is going to give way to a series of advantages when choosing this type of firewall in our facilities:

  • These devices do not need to reconfigure the network's architecture.
  • They are the best solution when we have a complex network which we cannot modify all that much.
  • We want to add security to certain devices without having to modify the IP of the rest of the network's architecture.

As they do not have an IP, these devices are not visible on the network, meaning that they will not be detected should the network be scanned. Not being detected means that they cannot be a target for direct attacks, unlike level 3 firewalls.

When passing through these transparent firewalls, packets do not notice that their TTL has been modified, as they are not routed and the transmission time of the packet is no different (considered as 0). For these reasons, we can install as many industrial firewalls in the same network as we wish. For example, we may be able to have a specific firewall for each industrial protocol that is considered weak. These devices may also be installed in redundancy networks, such as HSR rings, due to the fact that they do not cause significant delays; this may be the only viable solution within this type of topology.

Ease to Increase the Level of Security

When applying regulations, such as ISA/IEC 62443, in which we talk about the creation of "zones" and "conducts" for our networks; these devices may be of great help.

This regulation defines a "zone" as a group of industrial devices which either have, or need, the same level of security. The control network should be considered as a "high level security zone", and thus a device with an inferior level of security would not be permitted in this zone. But if for some reason we cannot replace said device, increasing its security by means of a dedicated transparent firewall may be the only viable option; it is the quickest to implement and has the least impact and risk for the integrity of the rest of the architecture.

Example of different zones of a control system

- Example of different zones of a control system

The new transparent firewall solutions are especially designed for industrial environments which have packet inspection mechanisms for the majority of industrial protocols (MODBUS, DNP3, BACNET, etc.). If we add these industrial protocols to the group of protocols (SNMP, FTP, SMTP, etc.) which are implemented by default, they allow these firewalls to control almost all the traffic which exists in an industrial network.

The recommendations advise increasing the security of all devices which are considered as having a lower level than the rest. In other words, strengthening "the weakest link" by use of these firewalls in said devices and carrying out the most exhaustive configuration of rules possible. We will apply filtration rules to all levels of the packet inspection realised by said firewalls, including rules at an industrial protocol level.

Example of the high level rules for the Modbus protocol (considered as having weak security):

  • Allow frames from "engineering stations" with "IPs: x.x.x/N" to device "IP: x.x.x.y" through port "502" (all of which "Modbus Reading" and "Modbus writing" types).
  • Allow frames from "SCADA" with "IP: x.x.x.z" to device "IP: x.x.x.y" through port "502", all of which "Modbus Reading" types and only "Modbus Writing" types in Writing in Holding register (H1, H2, H3...HN).
  • Allow frames from a "HMI" with "IP:x.x.x.h" to device "IP:x.x.x.y" through port "502" of the "Modbus Reading" type only (Holding register and Coils)
  • Deny Modbus protocols to all other IPs.

This allows for the level of security to be increased in any previously weak device until it is at a level of risk which the company or regulations deem acceptable, by considering it as a group formed by the device and the firewall.

Homogenised security of a zone thanks to a transparent firewall

- Homogenised security of a zone thanks to a transparent firewall

The "conducts", according to that stated in the regulations, are any paths in which information flows between two zones. An easy way of implementing the security that our conducts need, without having to modify the network's architecture, is, as the following image shows, through these transparent firewalls.

Security management of a conduct by means of a transparent firewall

- Security management of a conduct by means of a transparent firewall

One, Two, Three...Testing

The ease of installing and creating new rules for these transparent firewalls can lead us to the error of not going through a testing stage. Here is where another two of these device's most noteworthy functions are tested: alert and logged on functions and, above all, the 'Test Mode' function.

The possibility of leaving a firewall in 'Test Mode' once all of the rules have been created means that its behaviour can be observed during any of our industry's operating cycles. At this point the transparent firewall lets all the traffic pass, it just analyses and logs. The logging and alert system allows us to register if one of the current rules has been triggered during normal operating, this allows us to refine them until we consider them prepared. Once these rules have been defined, and it has been tested that our transparent firewall is not going to block any of our operations, we can consider it ready to step into production, or 'Operative Mode'.

This change from 'Test Mode' to 'Operative Mode' permits the transparent firewall to be deployed, almost without having to stop in our systems, and afterwards it grants us the necessary configuration and testing time.

One of the questions that generates the most uncertainty about these firewalls is what happens if there is a large amount of traffic and it starts to rule about packets considered as critical? Or even, how does it affect HIGH AVAILABLILTY? The answer is easy, this does not happen. These firewalls are designed to support high levels of traffic, but as with similar devices, it creates alerts should there be an elevated level and when it gets saturated (which is very unlikely), not only does it alert us, but it puts itself into 'Test Mode'. This happens because these devices are designed to give priority to High Availability, and thus it would simply stop blocking packets and would allow the complete flow of traffic.

Buying this type of firewall and installing them in each industrial device is not the solution. We should have a very clear security policy, carry out internal and external audits and, with the results gathered, everyone involved in the company (operators, systems managers, executives, manufactures, etc.) should discuss the risks found, the assumed risks and how the different solutions on the market can help us to increase security levels.