I often speak with ICS asset owners who are just at the beginning of their next-generation firewall learning curve. They are usually pleasantly surprised at the capabilities it provides in identifying traffic at Layer 7, i.e. by application, user and threat/content.
Beyond just being able to see network traffic at this very detailed level, the fact that these key pieces of information are intrinsically correlated -- a unique advantage of our single-pass, parallel processing architecture (SP3) -- is a major draw. The proverbial “light bulb” turns on very quickly and they understand why this approach means easier anomaly detection, faster forensics and better auditability in their ICS environment.
Understandably, the word “firewall” in the product name often raises the question of whether the device can be used in a more passive, detection-only model. To support such monitor-only deployments, the Palo Alto Networks Next-Generation Firewall offers a deployment mode called “Tap Mode.” In this deployment, the next-generation firewall is connected to a SPAN/mirror port on a network device, such as a switch or router, and passively monitors a copy of the traffic going through this “hub.” Doing this provides not only better visibility, but more importantly, correlated visibility into useful pieces of network traffic information.
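The following PAN-OS CLI excerpt is an added illustration of the tap-mode deployment described above; it is not configuration from the original post. The interface, zone, rule and profile-group names are assumptions, and the firewall port is assumed to be cabled to a switch SPAN session that mirrors both directions of the traffic of interest.

```text
# PAN-OS CLI, configure mode. Names below (ethernet1/3, ICS-TAP, tap-visibility,
# ics-alert-profiles) are assumptions for this example.
configure
# Put a data-plane port into tap mode; it only receives a copy of traffic from the SPAN port
set network interface ethernet ethernet1/3 tap
# Tap interfaces must belong to a zone of type "tap"
set zone ICS-TAP network tap ethernet1/3
# Mirrored traffic is still evaluated against security policy. Without a matching rule
# that logs, nothing shows up in the Traffic/Threat logs, so add a tap-to-tap rule with logging.
set rulebase security rules tap-visibility from ICS-TAP to ICS-TAP source any destination any application any service any action allow log-end yes
# Attach a security profile group (assumed to contain alert-only threat/content profiles)
# so the threat/content part of the correlated view is populated
set rulebase security rules tap-visibility profile-setting group ics-alert-profiles
commit
```

Because the firewall sees only a copy of the packets in this mode, `action allow` means “inspect and log”; a deny rule on a tap zone cannot stop anything. If the SPAN session mirrors only one direction, sessions will be incomplete and application identification degrades, so mirror both directions.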
Why not deploy the device inline as a firewall is meant to be deployed? A common reason in ICS is that the owner has a monitor-only mindset or policy for critical areas of the ICS. Consider, for example, the core of a Distributed Control System (DCS) where there may be zero tolerance for any potential accidental blocking of traffic. They want to avoid any additional inline devices aside from the main equipment needed to run the process and provide connectivity. While this organization may put a security device inline at the IT-OT perimeter, they would never do so within the DCS core. However, a non-invasive visibility tool could prove useful and hence could be considered for deployment.
Another reason for putting the device in passive mode, even at the perimeter of the ICS, such as between corporate and the PCN (process control network), is because the asset owner is not quite ready to do a rip-and-replace of his existing security architecture. While the asset owner may admit that the existing system will need to be replaced eventually due to lagging capabilities, he still prefers a more gradual migration path that feels less disruptive. A device that can be easily dropped in with minimal impact to the current production system, while providing high value, is ideal. Eventually the owner may swap out the old with the new as he validates the new product and gets more comfortable with the technology.
Users of Palo Alto Networks next-generation firewalls now have access to a variety of rich and natively correlated network traffic information including the following:
Several areas where users are typically interested in gaining more situational awareness and capabilities for auditing traffic include:
In practice, many users start off in tap mode and eventually move into one of two inline deployment modes (VWIRE “bump-in-the-wire”, or L2/L3 firewall replacement) once they realize the powerful network segmentation capabilities of the device. In other scenarios they may deploy the devices in a hybrid model, where in some areas the firewall is inline with access controls and in other areas the device is in tap mode.
Not all organizations have the same network architecture or the same view on security posture. Our next-generation firewall’s support for multiple deployment modes highlights one of the ways our platform provides flexibility. In fact, the multiple ports on a Palo Alto Networks firewall can be configured to support multiple deployment modes simultaneously (Tap, VWIRE, and L2/L3).
Interestingly enough, Palo Alto Networks field teams often use the firewall in tap mode when conducting free Application Visibility and Risk (AVR) assessments. We basically connect the device in passive mode to the network segment of interest, then provide a report back to the end user on what applications and risks may be present in their network today.
It’s rare to have an AVR that does not result in immediately useful information regarding security risks. It is free and is an easy way to understand the value of correlated, Layer 7 visibility, and also perhaps to discover any exposures in your organization. Contact your local Palo Alto Networks representative to learn more or sign up for an AVR online.
To learn more about our platform approach to securing industrial control systems, please access the free white paper on 21st century SCADA security.