Firewall Wizards mailing list archives

Re: [Fwd: Question]


From: Chris Blask <chris () blask org>
Date: Wed, 8 Apr 2009 20:47:40 -0700 (PDT)


Brian Loe <knobdy () gmail com> wrote:
I don't know how many of you have worked with process and control
networks, let alone SCADA networks at a power producer. I do know that
I have. In both cases there is generally only ONE need for the two
networks to ever touch physically or logically - data logging reports.
This should always be done with the data logger placed into a DMZ. The
DMZ should not allow anything from the A network into the B network or
vice versa. No connections should originate from the DMZ. This has
been done and works well. Often you don't even run anti-virus on the
process control or SCADA networks as there's VIRTUALLY no way for them
to get a virus.


What you are saying is that these networks *do* in fact connect to the Internet by way of the business networks...

...but that you did it intelligently.

That there's my point.

The definition of "not connected to the outside world" is either black (not/air gap/can't-get-there-from-here) or important shades of gray (like you said/PCAnywhere/HMIs with modems/...).

I had a very interesting knock-down-drag-out whiteboard argument with a control system VAR over whether the network they had installed in a sensitive context was connected to the outside world or not.  His opinion - "it absolutely is not" - was eventually clarified to "ok, it certainly is, but it's not a problem because we have a PIX 515 between them".  Not "A PIX configured with a DMZ to only allow the necessary and logical traffic...", just "a PIX installed".

None of this will make Olaf completely happy...

-chris
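As an added example (not part of either post in this thread), the following Python script audits a three-zone firewall policy against the data-logger DMZ pattern Brian describes: nothing crosses directly between the control and business networks, no connection originates from the DMZ, and only the flows the data logger actually needs are permitted. It contrasts a "just a PIX installed" permit-everything rule set with one that encodes those constraints. The zone names, port numbers, and rule representation are assumptions made for illustration, not a real PIX configuration.

```python
"""Audit a three-zone (control / business / DMZ) firewall policy against the
data-logger DMZ design: no direct control<->business traffic, no connections
originating in the DMZ, and only explicitly needed flows permitted.

Added example; zone names, ports and the Rule format are assumptions."""

from dataclasses import dataclass

CONTROL, BUSINESS, DMZ, ANY = "control", "business", "dmz", "any"
ZONES = [CONTROL, BUSINESS, DMZ]


@dataclass(frozen=True)
class Rule:
    src: str     # originating zone, or ANY
    dst: str     # destination zone, or ANY
    port: str    # e.g. "tcp/1433", or "any"
    action: str  # "permit" or "deny"


def expand(zone: str) -> list:
    """Expand the ANY wildcard into the concrete zone list."""
    return ZONES if zone == ANY else [zone]


def audit_policy(rules, needed_flows):
    """Return a list of violation strings for every permit rule that
    breaks the DMZ design. Every permit is inspected regardless of rule
    order, which is conservative: a permit shadowed by an earlier deny is
    still reported, because it shows intent the design does not allow.
    `needed_flows` is the set of (src, dst, port) the design requires."""
    violations = []
    for rule in rules:
        if rule.action != "permit":
            continue
        for src in expand(rule.src):
            for dst in expand(rule.dst):
                if src == dst:
                    continue  # intra-zone traffic is out of scope here
                if {src, dst} == {CONTROL, BUSINESS}:
                    violations.append(f"direct {src}->{dst} permitted by {rule}")
                elif src == DMZ:
                    violations.append(f"connection originating in DMZ permitted by {rule}")
                elif (src, dst, rule.port) not in needed_flows:
                    violations.append(f"unneeded flow {src}->{dst} {rule.port} permitted by {rule}")
    return violations


# Flows the data logger needs (assumed ports): the control side pushes
# records into the logger, and the business side pulls reports from it.
NEEDED_FLOWS = {
    (CONTROL, DMZ, "tcp/1433"),
    (BUSINESS, DMZ, "tcp/443"),
}

# "Just a PIX installed": a box in the path with a permit-everything policy.
WEAK_RULES = [Rule(ANY, ANY, "any", "permit")]

# "A PIX configured with a DMZ to only allow the necessary traffic".
HARDENED_RULES = [
    Rule(CONTROL, DMZ, "tcp/1433", "permit"),
    Rule(BUSINESS, DMZ, "tcp/443", "permit"),
    Rule(ANY, ANY, "any", "deny"),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        found = audit_policy(rules, NEEDED_FLOWS)
        print(f"{name}: {len(found)} violation(s)")
        for v in found:
            print("  -", v)
```

The weak policy produces six findings (the two direct control/business paths, the two DMZ-originated paths, and two over-broad "any" port permits toward the DMZ); the hardened policy produces none. The check deliberately ignores reply traffic, since a stateful firewall like the PIX returns responses to permitted connections without a separate rule, so "no connections originate from the DMZ" is about who opens the session, not about packets in both directions.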


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

