Hirschmann EAGLE One Firewall Learning Mode

A common call received in support is "Hey, I just bought this firewall and I need to set it up so that the only allowed traffic is between this HMI in front of the firewall and this PLC behind it. How do I set that up?"

With most firewalls, the customer would need to know what TCP and UDP port numbers are used by communication between their HMI and PLC, but often this information is not known up front. Rather than the customer spending hours on the phone with support from the SCADA vendor, or attempting to learn how to use Wireshark for the first time, Belden/Hirschmann includes an awesome feature in their EAGLE One firewall to simplify this entire process of "What ports do I need to open/close and how do I configure the firewall for that?"

The feature is called Firewall Learning Mode (FLM) and its first key benefit is that it can capture and summarize the traffic currently moving across the firewall. To perform this capture, simply select “Start learning,” let the device run for a while, and then select “Stop learning.”

All traffic that passed through the firewall is identified and shown in the graphical user interface. As the screenshot below shows, EAGLE One provides the source and destination IP addresses of devices exchanging messages. It also shows the source and destination ports, which typically indicate the application protocol being carried in the message. Using this captured data, the engineer configuring the firewall selects rules for traffic they want to allow. The “allow” rules are added to a temporary rule set. Traffic that does not match an “allow” rule should be blocked.

Now, let’s pause for a minute. A firewall has been installed in the network and after some learning, firewall rules have been configured to block unwanted traffic. But what if you made a mistake? What about possible impacts on network traffic and production?

The good news is that FLM includes the ability to apply rules in an operational mode called Test. In this state, all packets pass through the firewall filters, but traffic that would normally be blocked is simply logged. This allows the control engineer to study the would-be-blocked traffic and think through implications before activating the rule set. Once the engineer is more comfortable, the test rules can be saved into an active configuration.
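The learn-then-test workflow described in the two passages above (capture and summarize the traffic, turn the wanted flows into allow rules, then run the rule set in a Test state that logs instead of blocks) can be modelled in a few dozen lines. The following is an added example, not Hirschmann/Belden code and not a description of the EAGLE One's internals; the packet records, IP addresses, and port numbers are constructed sample data chosen to mirror the HMI-and-PLC scenario from the opening paragraph.

```python
"""
Toy model of a firewall "learning mode" followed by a "test mode".

Added example, not Hirschmann/Belden code. It imitates the workflow the
post describes: capture traffic, collapse it into flows, pick allow
rules, then evaluate the rule set in a test state that forwards and
logs would-be-blocked traffic rather than dropping it.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# A flow is summarized the way the learning-mode GUI shows it: who talked to
# whom, over which protocol, to which service port. The source port is an
# ephemeral client port and is deliberately not part of the rule key.
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

# Constructed sample capture: (src, dst, proto, sport, dport). On the real
# device these records come from traffic actually crossing the firewall
# while learning is running.
CAPTURE = [
    ("192.168.1.10", "192.168.1.20", "tcp", 49152, 502),   # HMI -> PLC (Modbus/TCP)
    ("192.168.1.10", "192.168.1.20", "tcp", 49153, 502),
    ("192.168.1.10", "192.168.1.20", "tcp", 49154, 502),
    ("192.168.1.20", "192.168.1.10", "udp", 2222, 2222),   # PLC -> HMI
    ("192.168.1.33", "192.168.1.20", "tcp", 50000, 80),    # laptop browsing to PLC web page
    ("192.168.1.33", "192.168.1.20", "tcp", 50001, 80),
    ("192.168.1.99", "192.168.1.20", "udp", 137, 137),     # NetBIOS chatter
]

# The only devices the engineer wants talking to each other (constructed).
HMI_PLC_PAIRS = [("192.168.1.10", "192.168.1.20"), ("192.168.1.20", "192.168.1.10")]


def learn(packets) -> Counter:
    """Learning mode: collapse individual packets into distinct flows,
    counting how many packets each flow carried."""
    flows: Counter = Counter()
    for src, dst, proto, _sport, dport in packets:
        flows[Flow(src, dst, proto, dport)] += 1
    return flows


def build_allow_rules(flows, wanted: Iterable[tuple[str, str]]) -> set[Flow]:
    """Turn learned flows into allow rules, keeping only flows between the
    (src, dst) pairs the engineer has chosen to permit."""
    pairs = set(wanted)
    return {f for f in flows if (f.src, f.dst) in pairs}


def evaluate(packets, rules: set[Flow], mode: str = "test"):
    """Apply the rule set. In 'test' mode every packet is forwarded, but
    packets that would be blocked are logged so the engineer can review
    them. In 'active' mode those packets are dropped instead."""
    forwarded, log = [], []
    for pkt in packets:
        src, dst, proto, _sport, dport = pkt
        if Flow(src, dst, proto, dport) in rules:
            forwarded.append(pkt)
        elif mode == "test":
            log.append(f"TEST would-block {proto} {src} -> {dst}:{dport}")
            forwarded.append(pkt)          # still passes in test mode
        else:
            log.append(f"BLOCK {proto} {src} -> {dst}:{dport}")
    return forwarded, log


if __name__ == "__main__":
    learned = learn(CAPTURE)
    print("Learned flows:")
    for flow, count in learned.items():
        print(f"  {flow.proto} {flow.src} -> {flow.dst}:{flow.dport}  ({count} pkts)")
    rules = build_allow_rules(learned, HMI_PLC_PAIRS)
    print(f"\nAllow rules chosen: {len(rules)}")
    _, test_log = evaluate(CAPTURE, rules, mode="test")
    print("\nTest-mode log (nothing dropped yet):")
    print("\n".join(f"  {line}" for line in test_log))
```

Reading the test-mode log before switching to `mode="active"` is the step that catches the mistake the post warns about: the two HTTP flows and the NetBIOS flow show up as "would-block" entries while production traffic is still flowing, so the engineer can decide whether they belong in the allow list or are genuinely unwanted.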

FLM enables engineers to add security to their network without requiring IT expertise. FLM also greatly helps implement effective security without negatively impacting production during the implementation process. Give us a shout today to discuss your network security needs!
