Thanks for joining!
We will begin in just a few minutes as more people come on line.
IoT Security Talks – Industrial Firewall Deployment Models
2016 August 25
Robert Albach – Product Line Manager IoT Security
Sunil Maryala – Technical Marketing Engineer IoT Security
Agenda
• :00 Welcome to Tech Talks
  • Mechanics of Tech Talks
• :03 Industrial FW Deployments
  • Standards & Verticals Review
  • Industrial FW Attributes
  • Configuration Considerations
  • Deployment Scenarios
• @ :45 Question and Answer
Tech Talk Mechanics
How these events will operate
• With many people on-line we will mute all but the presenters
• We will try to answer questions at the end
• Please use the “Question and Answer” feature for questions
• If we don’t get to your questions, we will try to answer them off-line
• The presentation and recording will be placed on the Community support site:
https://supportforums.cisco.com/
Who This Presentation is For:
• Cisco customers, partners, employees
• Assumptions:
  • Your background is primarily in classic IT environments
  • OR
  • You are an OT practitioner with security responsibility
  • You have SOME basic understanding of firewalls
  • You are likely to have some responsibility in OT in the future or do so already.
Standards / Regulations / Guidelines
ISA 95 / 99
Evolve to Security: Phased Security Architecture
• First Phase – Secured Connectivity
  • Zone Segmentation
  • Controlled Conduits
  • ISA – 95,99 / IEC 62443, NERC / NIST
• Second Phase – Secured Visibility & Control
  • Application Control
  • Threat Control
  • ISA – 95,99 / IEC 62443, NERC / NIST
• Third Phase – Converged Security & Depth
  • Policy Driven Response
  • Deeper Vision / Control
  • ISO / IEC 27001:2013
[Figure: network levels and zones diagram. Levels: Level 5 Enterprise Network; Level 4 Site Business Planning & Logistics Network; Level 3 Site Manufacturing Operations and Control; Level 2 Area Supervisory Control; Level 1 Basic Control; Level 0 Process (Sensors, Drives, Actuators, Robots). Zones: Enterprise Zone, DMZ, Manufacturing Zone, Cell/Area Zone. Labelled systems: E-Mail, Intranet, etc.; Terminal Server, RDP Server, App Server, Patch Mgmt.; FactoryTalk App Server, FactoryTalk Directory, Engineering Workstation, Domain Controller; FactoryTalk Client, HMI, Magelis HMI, Engineering Workstation, Operator Interface; Batch Control, Discrete Control, Drive Control, Continuous Process Control, Safety Control.]
Use Case Themes
• Secure Connectivity
  • What can connect
  • What can talk to what
• Threat Control
  • What is vulnerable
  • Protect the vulnerable
• Safe Environment
  • Network protection
  • Device protections
• Secure Remote Access
  • How to secure access
  • What are the controls for access
Cisco / Rockwell Validated Designs
Utilities – Sub-Station Deployment
• In-Line
• Between Sub-Station router and “cell” switch boundary
• Transparent or Routed Operation
• Normally an HA pair
• Cisco Validated Designs
• OT operation configurations
• Multi-Function Role
• Operation Control
• Threat Control
• VPN Access
Cisco Validated Designs: Substation Security
Cisco IoT System Security in Action
Protect Critical Infrastructure – Through Network Segmentation
Cisco Connected Pipelines
Cisco combines its own expertise in oil and gas systems with entities such as Schneider Electric for deployment services.
• An end-to-end smart connected solution based on industry best practices for pipeline infrastructures and network architectures.
• Flexible, modular approach from assessment, design, and test to deploy, install, and support.
• Collaborative expertise and service from the leaders in SCADA, network connectivity, and security resulting in cost savings and optimized operations.
Commonality: Segmentation
• Zones / Conduits
• Sub-Nets
• Cells
• Stations
• Distinct Functionality
Registration - Survey Results
• Just Below PLC: 6%
• Between PLC and Zone Switch: 21%
• On Span Zone Switch: 7%
• Between Zone and Agg Switch: 36%
• On Span at Aggregation Switch: 6%
• Upstream of Aggregation Switch: 23%
Industrial FireWall Options
ISA 3000
ASA 5506H
ASA 5525X
Configured for OT Configured for IT
ISA 3000 – Hardware Features
• RJ Console
• Power Input A, 5.0 mm Centers
• Reset
• Front Serial Label
• Mini USB Console with Hazloc Covers
• Dual USB-A with Hazloc Covers
• Power Input B, 5.0 mm Centers
• Alarm Connector, 3.81 mm Centers
• Chassis Ground Connection
• RJ Management Port
• Dual Ethernet Ports
• Dual Ethernet Ports (Copper Bypass)
• SD Card Slot
Industrial Security Appliance
Features that drive deployment considerations
• Hardware Bypass
• Software Bypass
• Rule Options
• Latency Controls
• Hitless Updates*
• High Availability
• NAT
• VPN
• RDP Access
ISA 3000 – SW Architecture
Industrial Security Appliance
• ASA Firewall
  • Access Control – Device / User
  • VPN
  • Quality of Service
  • NAT
• FirePower Services
  • Application FW
  • Threat Control
  • Device ID
  • Behavior Control
• ASDM – On-Box Management
ISA-3000 Default Config (Cont’d)
• Interface configuration
interface GigabitEthernet1/1
 bridge-group 1
 nameif outside1
 no shutdown
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside1
 security-level 100
 no shutdown
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif outside2
 no shutdown
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside2
 security-level 100
 no shutdown
!
interface BVI 1
 no ip address
Connecting ISA3000
• Interface Management 1/1: Management Computer
  • ASA Mgmt IP=192.168.1.1/24
  • FirePOWER Mgmt IP=192.168.1.45/24
• Interface Gigabit 1/1: Public 1/Outside 1 Network
• Interface Gigabit 1/2: Private 1/Inside 1 Network
• Interface Gigabit 1/3: Public 2/Outside 2 Network
• Interface Gigabit 1/4: Private 2/Inside 2 Network
ISA-3000 Default Configuration
• By default, provides bridge-mode transparency with a “connectivity over security” paradigm.
Firewall Operation Mode
firewall transparent
Traffic flow between Firewall & IPS
• Inline Mode
• Passive (monitor-only) Mode – ISA3000 Default
ISA-3000 Default Config – Firewall - ACL
access-list allowAll extended permit ip any any
access-list sfrAccessList extended permit ip any any
!
access-group allowAll in interface outside1
access-group allowAll in interface outside2
!
same-security-traffic permit inter-interface
ISA-3000 Default Config – Firewall
• FirePower (SFR) Traffic re-direct
class-map sfrclass
 match access-list sfrAccessList
!
policy-map global_policy
 class sfrclass
  sfr fail-open monitor-only
!
service-policy global_policy global
ASA Modular Policy Framework
class-map sfr
 match access-list sfr-access-list
policy-map sfrpolicy
 class sfr
  sfr fail-close monitor-only
ciscoasa(config)# show service-policy sfr
Global policy:
  Service-policy: global_policy
    Class-map: match_all
      SFR: card status Up, mode fail-open
        packet input 71505, packet output 71563, drop 56, reset-drop 0
Fail Open / Fail Close Firewall vs. IPS
• Historically these terms have been used in opposite senses, which has caused confusion
• For Firewall use:
  • “Open” means – like an electric switch – no signal
  • “Closed” means – electric switch / signal can go through
• For IPS use:
  • “Open” means – like a door – signal / packets go through
  • “Closed” means – door is closed – no signal / packets
Firewalls – deny all unless it matches a rule
IPS – ignore all unless it matches a rule
More OT Centric
Hardware Bypass Overview
• Hardware bypass is useful to maintain connectivity when the system loses power. It is available on copper interfaces, and only in transparent mode.
[Figure: regular data path (PHY/MAC/CPU) between Interface G1/1 and Interface G1/2, shown with HW bypass enabled and with HW bypass disabled]
• Bypass works at layer 1, supported by hardware relay devices
• Bypass works on interface pairs
  • On ISA3000-2C2F, G1/1 and G1/2
  • On ISA3000-4C, G1/1 and G1/2, G1/3 and G1/4
ISA-3000 Default Config (Cont’d)
• Hardware bypass
no hardware-bypass boot-delay module-up sfr
!
hardware-bypass GigabitEthernet 1/1-1/2
hardware-bypass GigabitEthernet 1/3-1/4
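An added example, not part of the presentation: a small Python audit that reads an ASA-style configuration and lists the settings from the default-configuration slides above that favor connectivity over enforcement (a permit-any ACL bound to an interface, the FirePOWER redirect in fail-open or monitor-only mode, and hardware bypass on interface pairs). The function name and finding labels are made up for this example; the sample text is transcribed from the slides.

```python
import re

# Default ISA-3000 configuration statements, transcribed from the slides.
DEFAULT_CONFIG = """\
firewall transparent
access-list allowAll extended permit ip any any
access-list sfrAccessList extended permit ip any any
access-group allowAll in interface outside1
access-group allowAll in interface outside2
same-security-traffic permit inter-interface
class-map sfrclass
 match access-list sfrAccessList
policy-map global_policy
 class sfrclass
  sfr fail-open monitor-only
service-policy global_policy global
no hardware-bypass boot-delay module-up sfr
hardware-bypass GigabitEthernet 1/1-1/2
hardware-bypass GigabitEthernet 1/3-1/4
"""

ANY_ANY = re.compile(r"access-list (\S+) extended permit ip any any", re.I)
ACL_BIND = re.compile(r"access-group (\S+) in interface (\S+)", re.I)
SFR = re.compile(r"sfr (fail-open|fail-close)( monitor-only)?", re.I)
BYPASS = re.compile(r"hardware-bypass gigabitethernet (\S+)( sticky)?", re.I)
BOOT_DELAY = "hardware-bypass boot-delay module-up sfr"


def audit(config_text):
    """Return sorted (finding, detail) pairs for connectivity-first settings."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    open_acls = {m.group(1) for ln in lines if (m := ANY_ANY.fullmatch(ln))}
    findings = set()
    bypass_pairs = []
    for ln in lines:
        if (m := ACL_BIND.fullmatch(ln)) and m.group(1) in open_acls:
            # An any-any ACL only affects filtering once it is bound to an
            # interface; sfrAccessList merely selects traffic for inspection.
            findings.add(("permit-any-acl", f"{m.group(1)} in on {m.group(2)}"))
        elif m := SFR.fullmatch(ln):
            if m.group(1).lower() == "fail-open":
                findings.add(("sfr-fail-open", "traffic passes if the module is down"))
            if m.group(2):
                findings.add(("sfr-monitor-only", "module gets a copy, cannot drop"))
        elif m := BYPASS.fullmatch(ln):
            # "no hardware-bypass ..." does not fullmatch, so only enabled
            # interface pairs are recorded here.
            bypass_pairs.append(m.group(1))
            findings.add(("hw-bypass", f"{m.group(1)} relays at layer 1 on power loss"))
    if bypass_pairs and BOOT_DELAY not in lines:
        findings.add(("bypass-no-boot-delay", "bypass is released without waiting for sfr"))
    return sorted(findings)


if __name__ == "__main__":
    for name, detail in audit(DEFAULT_CONFIG):
        print(f"{name:22} {detail}")
```

Each finding is a setting to review against the cell's uptime requirements, not necessarily a misconfiguration.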
HW Bypass Configuration Commands
• Enable bypass at next powerdown
  ciscoasa(config)# hardware-bypass gigabitEthernet 1/1-1/2
• Enable bypass at next powerdown AND powerup
  ciscoasa(config)# hardware-bypass gigabitEthernet 1/1-1/2 sticky
• Disable bypass at next powerdown AND powerup
  ciscoasa(config)# no hardware-bypass gigabitEthernet 1/1-1/2
• Disable bypass only after module sfr is ready
  ciscoasa(config)# hardware-bypass boot-delay module-up sfr
• Manually enable/disable bypass
  ciscoasa# hardware-bypass manual gigabitEthernet 1/1-1/2
  ciscoasa# no hardware-bypass manual gigabitEthernet 1/1-1/2
HA (Active / Passive) Configuration Requirements
• Be in the same firewall mode (routed or transparent).
• Have the same major and minor software version.
Visibility Options: Packet Capture / NetFlow
• Available broad visibility options:
• NetFlow capture
• Packet capture
• (separate from rule driven packet capture)
Know Your Rules – Impact of Inspection Process
Operations Control for Uptime
OT Pre-processors – command inspection – Modbus
• Modbus IPS rule options
• Writing a Modbus rule
Latency Controls Options
Packet and Rule Handling
Deployment Scenarios
Span
• Span off switch
• No “touch” of traffic
• Only see copies
• TCP reset possible
• Visibility only / no traffic control
• Some possible diffs from on-port traffic
• Use Cases:
• Passive ID of devices
• Passive ID of applications
• Passive ID of activity
• Good for transient visibility
• Impossible to detect
• Testing of Rules
Zone / Cell Firewall: Boundary Protection Above Switch
[Figure: network diagram showing Machine #1, Machine #2, Catalyst 2960, HMI/Server, Catalyst 3750-X, Stratix 5700, two Stratix 5900, Line Controller, and the ISA3000]
• Single Up-Stream / Down-Stream Path
• Direct in-line Deployment
• Can be passive or in-line mode
• Bypass should work normally
• Can be an HA pair
• Possible termination point for VPN (secured comms)
• NAT
• Remote Desktop Jump Point
• Higher potential to impact traffic
Aggregation Layer Firewall
[Figure: network diagram showing Machine #1, Machine #2, Catalyst 2960, HMI/Server, Catalyst 3750-X, Stratix 5700, two Stratix 5900, Line Controller, and three ISA3000 firewalls]
• Firewall above Aggregation level.
• Direct in-line Deployment
• Can be passive or in-line mode
• High Availability
• Broader Visibility
• Broader potential impact.
• Less Detailed view
• VPN termination point (secured comms less close to equipment)
Zone / Cell Firewall: Control Within the Zone
[Figure: network diagram showing Machine #1, Machine #2, Catalyst 2960, HMI/Server, Catalyst 3750-X, Stratix 5700, two Stratix 5900, Line Controller, and the ISA3000]
• IP enabled devices connect directly to the Firewall and then up to switch
• Direct in-line Deployment
• Can be passive or in-line mode
• Possibly limited bypass capabilities due to port pairings
• Highest visibility
• NAT capable
• VPN termination point (secured comms very close to equipment)
• Highest potential for impact.
Zone / Cell Firewall: Control Within the Zone
[Figure: ISA3000 deployed in a ring]
• Firewall participates in ring.
• Direct in-line Deployment
• Can be passive or in-line mode
• Possibly limited bypass capabilities due to port pairings
• Highest visibility
• NAT capable
• VPN termination point (secured comms very close to equipment)
• Highest potential for impact.
Phased Deployments of Industrial Firewalls
• First: IT / OT DMZ
  • Immediate Control and Visibility
• Second: Broad Visibility – Span at Aggregation Levels
  • NetFlow
  • Some application level identification
• Third: Detailed Visibility – Span at Cell / Zone Levels
  • NetFlow / Packet Captures
  • Application ID / Command levels
  • Test Rules
• Fourth: In-Line Passive Visibility – Cell / Zone + Aggregation Levels
• Fifth: In-Line Control – Cell / Zone + Aggregation Levels
Before the Q&A Session
• Thanks for attending.
• Let us know:
• Was this session worthwhile to you?
• What future topics would you like to see?
• How might we improve these events?
• Send an email to:
• Sunil Maryala
• Robert Albach
Q&A
Please use the Question and Answer section of WebEx
THANKS!