Free Trial

Safari Books Online is a digital library providing on-demand subscription access to thousands of learning resources.

Share this Page URL

Securing Enclave Perimeters > Selecting Perimeter Security Devices - Pg. 166

166 CHAPTER 7 Establishing Secure Enclaves referenced within a specific rule using $ControlSystem_Enclave01_Devices . This is a logical extension of the classic $HOME_NET variable used in many IDS policies, only applied to a specific enclave. This allows for exception-based detection of unauthor- ized behavior within the enclave, as seen in the following rule to detect any traffic with a destination IP of a device within the defined control system enclave: alert tcp any any - $ControlSystem_Enclave01_Devices With enclaves defined, and relevant variables defined for each, the enclaves can now be secured using perimeter and host security devices. SECURING ENCLAVE PERIMETERS Establishing an Electronic Security Perimeter (ESP) around a defined enclave provides direct protection against unauthorized access to the enclosed systems and also prevents the enclosed systems from accessing external systems from the inside out. To establish an ESP and effectively secure inbound and outbound traffic, two things must occur: 1. All inbound and outbound traffic must be forced through one or more known network connections that can be monitored and controlled. 2. One or more security devices must be placed in-line at each of these connections. For each enclave, appropriate security devices should be selected and imple- mented using the recommendations below. Selecting Perimeter Security Devices At a minimum, a firewall is typically required. Additional security--provided by IDS, IPS, and a variety of specialized and hybrid devices such as Unified Threat Management (UTM) devices, Network Whitelisting devices, Application Monitors, Industrial Protocol Filters, etc.--may be desired as well. Typically, the criticality of the enclave (see "Criticality") dictates the degree of security that is required. Table 7.1 maps the criticality of an enclave to required security measures of NERC CIP and NRC CFR 73.54, as well as recommended enhancements to improve security beyond regulatory requirements. Table 7.1 recommends that both a firewall and an IPS be used at each security perimeter. This is because firewalls and IPS devices serve different functions: firewalls enforcing what types of traffic are allowed to pass through the perimeter; and Intrusion Prevention Systems closely examining the traffic that is allowed through in order to detect "legitimate" traffic with malicious intent--that is, exploit code, malware, etc-- that is transferred over allowed paths. Using both devices together provides two mutual benefits: first, it allows the IPS to perform deep packet inspection (DPI) on all traffic allowed in through the firewall; second, the firewall limits the allowed traffic based on the defined parameters of the security enclave, freeing the IPS to focus its resources on just that traffic and therefore enabling it to enforce a more comprehensive and robust set of IPS rules.