Companies use firewalls to protect the factory floor environment from the business environment. The challenge is to ensure these firewalls are configured to effectively protect the factory floor.
We created an automated system that will provide a security score for a given firewall. The system will analyze the firewall configuration including the rule base to provide a high-level score.
The firewall score is based on the items shown below, which total 100 points. There are 9 sections for firewall scoring: one covers overall configuration settings, and the remaining 8 cover firewall policy rule base settings. The main configuration is worth 15% of the score and the rule base is worth the remaining 85%. The final solution should provide options to adjust the scoring weights.
There are 15 main items that are considered best practices for firewall configurations. A point will be deducted for each item that is not configured correctly.
The firewall configuration best practice indicates there should be 3 main zones in the Factory Floor Security setup. These are IT, where our business processes exist; DMZ, which is the buffered zone between IT and Manufacturing; and MFG, where our manufacturing equipment is located. Given the 3 zones, and the option to have multiple DMZ and MFG zones, there are 8 combinations of zone communications. Each of those communication paths has a rating of Poor, Fair, Good, Better or Best.
Rules defining the communications for each combination are rated. The lowest rating identified for any given combination will be the designated rating for score measurement. For example, if the DMZ to MFG communications section has mostly ‘Best’ rules with one ‘Poor’ rule, the rating for the section is ‘Poor’.
The given rating will result in points being deducted from the overall Firewall Score. Certain combinations are more security relevant than others; this results in higher penalties for ‘Poor’ ratings.
For the tool to work correctly, each interface (or its alias) must be named with a prefix of IT, DMZ or MFG, since the tool derives the zone from that prefix.
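The scoring model above, as an added example (not the project's own code): it derives each rule's zone pair from the interface prefix, takes the lowest rating seen on each of the 8 paths, and subtracts a weighted penalty from the 85-point rule base. The per-path maximum penalties, the rating-to-penalty fractions, and the exact set of 8 path combinations are assumed placeholder values, chosen to sum to 85 and meant to be adjusted.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

RATINGS = ["Poor", "Fair", "Good", "Better", "Best"]  # ordered worst to best
# Fraction of a path's maximum penalty charged for each rating (assumed, adjustable).
RATING_PENALTY = {"Poor": 1.0, "Fair": 0.75, "Good": 0.5, "Better": 0.25, "Best": 0.0}
# Maximum penalty per zone-communication path; placeholder weights that sum to 85.
# Paths touching MFG directly from IT are weighted highest as the most security-relevant.
PATH_MAX_PENALTY: Dict[Tuple[str, str], int] = {
    ("IT", "MFG"): 20, ("MFG", "IT"): 15,
    ("IT", "DMZ"): 10, ("DMZ", "IT"): 10,
    ("DMZ", "MFG"): 10, ("MFG", "DMZ"): 10,
    ("DMZ", "DMZ"): 5, ("MFG", "MFG"): 5,
}

@dataclass
class Rule:
    src_iface: str   # interface or alias, e.g. "DMZ1"
    dst_iface: str   # interface or alias, e.g. "MFG_line1"
    rating: str      # one of RATINGS

def zone_of(iface: str) -> str:
    """Map an interface (or alias) to its zone using the required name prefix."""
    for zone in ("IT", "DMZ", "MFG"):
        if iface.upper().startswith(zone):
            return zone
    raise ValueError(f"interface {iface!r} must start with IT, DMZ or MFG")

def path_ratings(rules: Iterable[Rule]) -> Dict[Tuple[str, str], str]:
    """Lowest rating per zone-to-zone path: a single Poor rule makes the whole path Poor."""
    worst: Dict[Tuple[str, str], str] = {}
    for r in rules:
        path = (zone_of(r.src_iface), zone_of(r.dst_iface))
        if path not in PATH_MAX_PENALTY:
            continue  # e.g. IT->IT is not a factory-floor path and is not scored
        if path not in worst or RATINGS.index(r.rating) < RATINGS.index(worst[path]):
            worst[path] = r.rating
    return worst

def firewall_score(config_checks: Iterable[bool], rules: Iterable[Rule]) -> Tuple[float, int, float]:
    """config_checks: 15 best-practice results (True = configured correctly).
    Returns (total, configuration points out of 15, rule base points out of 85).
    A path with no rules is assumed to carry no exposure and is not penalised."""
    config_pts = sum(1 for ok in config_checks if ok)  # one point deducted per failed item
    rulebase_pts = 85.0
    for path, rating in path_ratings(rules).items():
        rulebase_pts -= PATH_MAX_PENALTY[path] * RATING_PENALTY[rating]
    return config_pts + rulebase_pts, config_pts, rulebase_pts
```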