What is a DPI (Deep Packet Inspection) Industrial Firewall?
The whitepaper “Best Practices for Segmentation and Fortification of Industrial Networks” introduced the concept of a firewall. It was defined as a hardware device or software application that monitors and controls the traffic flowing between two networks and intercepts unauthorized traffic by comparing each unit of information (packet, segment, datagram, or frame, depending on the level at which it operates) with a series of predefined rules.
Why can a firewall be classified as industrial? Because:
- It has been designed specifically with the environmental and operational characteristics of industrial networks in mind.
- Its installation and deployment are non-intrusive and non-invasive.
- Its configuration and rule-management modules are easy to use.
- It incorporates specific functionalities that increase the security of OT networks.
What is meant by DPI (Deep Packet Inspection)?
Depending on the level at which they operate, there are different types of firewalls.
- The simplest are firewalls that operate at the network level (layer 3 of the OSI model). These include Packet Filter Firewalls, which apply basic rules to each packet without considering relationships between packets, and Stateful Firewalls, which allow you to define and apply segmentation rules that take the relationships between packets (the state of a connection) into account.
- Those that operate at layer 7 of the OSI model are called Application Firewalls or Proxy Firewalls. They are based on higher-level analysis that takes into account the specific parameters of each application. Typical protocols on which segmentation rules are applied include HTTP, SMTP, Telnet and FTP.
- Finally, a DPI firewall (the most sophisticated) is one that can also filter by specific protocols or file types, such as SOAP or XML (for example, in transactional environments).
And what does it mean for a firewall to perform DPI in industrial or infrastructure environments?
- It is a firewall that is physically deployed between SCADA and HMI systems (level II of ISA-95) and field devices such as PLCs, DCSs and RTUs (level I of ISA-95).
- It blocks malware built on typical IT protocols. Most malware is not built on industrial protocols, so by defining segmentation rules that only permit specific industrial protocols (Modbus, Profinet, OPC, EtherNet/IP, DNP3), that traffic is not allowed through.
- It blocks traffic that does not conform to the standard of the selected industrial protocol.
- It allows segmentation rules to be defined by the specific function codes of protocols such as Modbus or EtherNet/IP.
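The last three points above, as an added illustration that is not part of the original article or any product: a minimal Modbus/TCP inspection routine that rejects payloads not conforming to the MBAP header format and applies a default-deny allow-list of function codes per client/server pair (the addresses and rules are constructed for the example).

```python
import struct
from dataclasses import dataclass

READ_FUNCS = {1, 2, 3, 4}        # Modbus spec: read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16}     # Modbus spec: write single/multiple coils and registers

@dataclass
class Rule:
    src: str          # client address (constructed, hypothetical network)
    dst: str          # server (PLC) address
    funcs: set        # function codes this client may send to this server

# Constructed allow-list: the HMI may only read from the PLC, the engineering
# station may also write. Anything not matched is dropped (default deny).
RULES = [
    Rule("10.0.2.10", "10.0.1.5", READ_FUNCS),
    Rule("10.0.2.20", "10.0.1.5", READ_FUNCS | WRITE_FUNCS),
]

def build_request(func: int, data: bytes, unit: int = 1, tid: int = 1) -> bytes:
    """Build a Modbus/TCP client request: MBAP header (tid, proto=0, length, unit) + PDU."""
    pdu = bytes([func]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_modbus_tcp(payload: bytes):
    """Return {'tid','unit','func'} for a well-formed client PDU, or None if it does not conform."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:                   # Modbus/TCP protocol identifier must be zero
        return None
    if length != len(payload) - 6:   # length field covers unit id + PDU
        return None
    func = payload[7]
    if func & 0x80:                  # exception bit set: not a valid client request
        return None
    return {"tid": tid, "unit": unit, "func": func}

def decide(src: str, dst: str, payload: bytes) -> str:
    """Verdict for one client->server frame on TCP/502: 'ALLOW' or 'DROP: <reason>'."""
    pdu = parse_modbus_tcp(payload)
    if pdu is None:
        return "DROP: payload does not conform to Modbus/TCP"
    for rule in RULES:
        if rule.src == src and rule.dst == dst:
            if pdu["func"] in rule.funcs:
                return "ALLOW"
            return f"DROP: function code {pdu['func']} not permitted for {src}"
    return f"DROP: no rule for {src} -> {dst}"
```

A real DPI firewall also validates the rest of the PDU (register ranges, quantities) and tracks request/response state; this block shows only the header conformance check and the function-code rule.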
The following table summarizes the main differences between traditional and industrial firewalls.

For more information, we recommend that you read this whitepaper.