Firewall Wizards mailing list archives
Re: [Fwd: Question]
From: Chris Blask <chris () blask org>
Date: Wed, 8 Apr 2009 20:47:40 -0700 (PDT)
Brian Loe <knobdy () gmail com> wrote:
I don't know how many of you have worked with process and control networks, let alone SCADA networks at a power producer. I do know that I have. In both cases there is generally only ONE need for the two networks to ever touch physically or logically - data logging reports. This should always be done with the data logger placed into a DMZ. The DMZ should not allow anything from the A network into the B network or vice versa. No connections should originate from the DMZ. This has been done and works well. Often you don't even run anti-virus on the process control or SCADA networks as there's VIRTUALLY no way for them to get a virus.
What you are saying is that these networks *do* in fact connect to the Internet by way of the business networks... ...but that you did it intelligently. That there's my point. The definition of "not connected to the outside world" is either black (not/air gap/can't-get-there-from-here) or important shades of gray (like you said/PCAnywhere/HMIs with modems/...). I had a very interesting knock-down-drag-out whiteboard argument with a control system VAR over whether the network they had installed in a sensitive context was connected to the outside world or not. His opinion - "it absolutely is not" - was eventually clarified to "ok, it certainly is, but it's not a problem because we have a PIX 515 between them". Not "A PIX configured with a DMZ to only allow the necessary and logical traffic...", just "a PIX installed". None of this will make Olaf completely happy...

-chris

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
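The difference between "a PIX installed" and "a PIX configured with a DMZ to only allow the necessary and logical traffic" is the ruleset. Below is the isolation pattern Brian describes (data logger in a DMZ, nothing from the A network into the B network or back, no connections originating from the DMZ) written out as an nftables forwarding policy on a three-interface firewall. This is an added example, not code from either poster or from the thread; the interface names (biz0, ctl0, dmz0), the 10.x and 192.0.2.x addresses, and the two service ports (5432 for the historian push, 443 for report reads) are assumptions chosen for illustration, not anything stated on the list.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the original thread. All names, addresses and
# ports below are assumptions for illustration.
#   biz0 -> business network ("A")
#   ctl0 -> process control / SCADA network ("B")
#   dmz0 -> DMZ holding only the data logger / historian
define BIZ       = biz0
define CTL       = ctl0
define DMZ       = dmz0
define BIZ_NET   = 10.20.0.0/16
define CTL_NET   = 10.10.0.0/16
define HISTORIAN = 192.0.2.10   # the data logger, the only host in the DMZ

flush ruleset

table inet ics_dmz {
    chain forward {
        # Default deny: anything not listed below never crosses the box.
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections that were explicitly allowed below.
        ct state established,related accept
        ct state invalid drop

        # Rule 1: no connection may originate in the DMZ, towards anyone.
        iifname $DMZ ct state new log prefix "dmz-originated: " counter drop

        # Rule 2: A and B never touch each other directly, in either direction.
        iifname $BIZ oifname $CTL log prefix "biz->ctl: " counter drop
        iifname $CTL oifname $BIZ log prefix "ctl->biz: " counter drop

        # Rule 3: B -> DMZ, control hosts push logs to the historian, one service only.
        iifname $CTL oifname $DMZ ip saddr $CTL_NET ip daddr $HISTORIAN tcp dport 5432 ct state new accept comment "control pushes logs to historian"

        # Rule 4: A -> DMZ, business hosts pull reports from the historian, one service only.
        iifname $BIZ oifname $DMZ ip saddr $BIZ_NET ip daddr $HISTORIAN tcp dport 443 ct state new accept comment "business reads reports"

        # Anything else (other ports, other hosts, non-TCP) hits the chain policy.
        log prefix "ics_dmz drop: " counter drop
    }
}
```

Two caveats a practitioner would check before trusting a ruleset like this. First, "established,related" is only as tight as the conntrack helpers loaded on the box: a protocol helper (FTP, SIP and the like) can open "related" pinholes the rules above never list, so on a chokepoint like this load no helpers at all and confirm with `lsmod`. Second, the policy only covers forwarded traffic; the firewall's own management plane lives in a separate input chain that is not shown here and must not be reachable from the control network side, or the box itself becomes the path from B to A.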
Current thread:
- [Fwd: Question] Marcus J. Ranum (Apr 08)
- Re: [Fwd: Question] AMuse (Apr 08)
- Re: [Fwd: Question] Marcin Antkiewicz (Apr 08)
- Re: [Fwd: Question] Chris Blask (Apr 08)
- Re: [Fwd: Question] Brian Loe (Apr 08)
- Re: [Fwd: Question] Chris Blask (Apr 08)
- Re: [Fwd: Question] ArkanoiD (Apr 10)
- Re: [Fwd: Question] Anton Chuvakin (Apr 10)
- Re: [Fwd: Question] Chris Blask (Apr 11)
- Re: [Fwd: Question] Brian Loe (Apr 08)
- Re: [Fwd: Question] AMuse (Apr 08)
- Re: [Fwd: Question] ArkanoiD (Apr 10)
- <Possible follow-ups>
- Re: [Fwd: Question] Jean-Denis Gorin (Apr 14)
- Re: [Fwd: Question] Paul D. Robertson (Apr 14)
- Re: SCADA Brian Loe (Apr 14)