Implementing Intra-Network Physical Firewalls for Windows Embedded OT Systems


To place a Windows Embedded operational technology (OT) device behind a dedicated intra-network firewall while keeping ICMP PING monitoring working, follow these steps:

1. Edit Windows Firewall Settings:

  • Navigate to Windows Firewall with Advanced Security.
  • Locate the ICMPv4 Inbound Rule (or create a new one).
  • Enable “Allow edge traversal” in the Advanced tab.
  • Change the rule's Remote IP Addresses scope from Local Subnet to either:
    – The specific IP of the monitoring software, or
    – A list of allowed IPs.

2. Configure NAT & Firewall Rules:

  • Original OT device IP: `10.1.1.42`
  • Firewall LAN1 IP: `10.1.1.199` (Primary LAN)
  • Firewall LAN2 IP: `172.19.19.1` (OT device connection)
  • New OT device IP: `172.19.19.2`
  • Virtual IP (NAT): `10.1.1.42`
  • NAT rule: `10.1.1.42 → 172.19.19.2`

3. Testing & Traffic Mapping:

  • Set a temporary Allow All inbound rule on LAN1.
  • Enable default LAN1 ↔ LAN2 traffic rules.
  • Monitor logs for 24 hours to map legitimate traffic.

4. Phase-2 Lockdown:

  • Replace Allow All with restrictive ALLOW/DENY rules.
  • Permit only verified IPs, protocols, and ports.
  • Restrict outbound traffic by IP/FQDN and specific ports.
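Steps 3 and 4 are easier to get right when the 24-hour mapping phase is turned into an allowlist mechanically rather than by reading logs by hand. The following Python script is an added example (it is not from the original post or from Undercode) that parses iptables LOG lines carrying the "OT_Firewall: " prefix, aggregates the observed flows, and emits the phase-2 rule set for the page's NAT layout (virtual IP 10.1.1.42 mapped to 172.19.19.2). It assumes the logging rule was applied to the FORWARD chain, that eth0 is the LAN1 interface and eth1 the LAN2 (OT) interface, and the log lines themselves are constructed sample data. Flows whose LAN1 peer is not on the operator's verified-host list are not turned into rules but are returned for review, which is how "permit only verified IPs" is enforced.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG output captured on the FORWARD chain
# during the mapping phase. eth0 = LAN1 (10.1.1.0/24), eth1 = LAN2 (OT side).
# Because DNAT happens in PREROUTING, FORWARD already sees DST=172.19.19.2.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw kernel: OT_Firewall: IN=eth0 OUT=eth1 SRC=10.1.1.199 DST=172.19.19.2 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 10 12:00:02 fw kernel: OT_Firewall: IN=eth0 OUT=eth1 SRC=10.1.1.199 DST=172.19.19.2 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2
Mar 10 12:00:05 fw kernel: OT_Firewall: IN=eth0 OUT=eth1 SRC=10.1.1.50 DST=172.19.19.2 LEN=60 TTL=128 PROTO=TCP SPT=51234 DPT=445 WINDOW=64240 SYN
Mar 10 12:00:06 fw kernel: OT_Firewall: IN=eth0 OUT=eth1 SRC=10.1.1.50 DST=172.19.19.2 LEN=60 TTL=128 PROTO=TCP SPT=51235 DPT=445 WINDOW=64240 SYN
Mar 10 12:01:00 fw kernel: OT_Firewall: IN=eth0 OUT=eth1 SRC=10.1.1.77 DST=172.19.19.2 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=135 WINDOW=1024 SYN
Mar 10 12:01:00 fw kernel: OT_Firewall: IN=eth0 OUT=eth1 SRC=10.1.1.77 DST=172.19.19.2 LEN=60 TTL=64 PROTO=TCP SPT=40001 DPT=139 WINDOW=1024 SYN
Mar 10 12:02:00 fw kernel: OT_Firewall: IN=eth1 OUT=eth0 SRC=172.19.19.2 DST=10.1.1.20 LEN=78 TTL=128 PROTO=UDP SPT=137 DPT=137
"""

LOG_PREFIX = "OT_Firewall: "          # matches the --log-prefix used on the page
LAN1_IF, LAN2_IF = "eth0", "eth1"      # assumption: interface naming on the firewall
KV = re.compile(r"(\w+)=(\S*)")        # iptables LOG fields are KEY=VALUE tokens


def parse_flows(log_text):
    """Aggregate LOG lines into a Counter keyed by
    (direction, src, dst, proto, dport). ICMP flows use the ICMP type
    as their 'port' so echo-request (type 8) can be allowed on its own."""
    flows = Counter()
    for line in log_text.splitlines():
        if LOG_PREFIX not in line:
            continue                    # unrelated kernel message
        fields = dict(KV.findall(line.split(LOG_PREFIX, 1)[1]))
        proto = fields.get("PROTO", "?")
        if proto == "ICMP":
            dport = "icmp-type-" + fields.get("TYPE", "?")
        else:
            dport = fields.get("DPT", "?")
        direction = "in" if fields.get("IN") == LAN1_IF else "out"
        key = (direction, fields.get("SRC", "?"), fields.get("DST", "?"), proto, dport)
        flows[key] += 1
    return flows


def build_allow_rules(flows, verified_hosts):
    """Phase-2 ALLOW rules for flows whose LAN1 peer is a verified host.
    Everything else is returned in `review` for the operator to investigate
    before it is ever permitted (e.g. a scan, or a NetBIOS broadcast)."""
    allow, review = [], []
    for (direction, src, dst, proto, dport), count in sorted(flows.items()):
        peer = src if direction == "in" else dst
        if peer not in verified_hosts:
            review.append((direction, src, dst, proto, dport, count))
            continue
        iface = (f"-i {LAN1_IF} -o {LAN2_IF}" if direction == "in"
                 else f"-i {LAN2_IF} -o {LAN1_IF}")
        if proto == "ICMP":
            match = f"-p icmp --icmp-type {dport.rsplit('-', 1)[-1]}"
        else:
            match = f"-p {proto.lower()} --dport {dport}"
        allow.append(f"iptables -A FORWARD {iface} -s {src} -d {dst} {match} -j ACCEPT")
    return allow, review


def full_ruleset(flows, verified_hosts, vip="10.1.1.42", ot_ip="172.19.19.2"):
    """Complete phase-2 script: the page's NAT mapping, a default-DROP
    FORWARD policy, stateful return traffic, the verified allow rules, and a
    rate-limited LOG of what gets dropped (so lockdown remains observable)."""
    allow, review = build_allow_rules(flows, verified_hosts)
    rules = [
        f"iptables -t nat -A PREROUTING -i {LAN1_IF} -d {vip} -j DNAT --to-destination {ot_ip}",
        f"iptables -t nat -A POSTROUTING -o {LAN1_IF} -s {ot_ip} -j SNAT --to-source {vip}",
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        *allow,
        'iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "OT_Firewall_DROP: "',
    ]
    return rules, review


if __name__ == "__main__":
    # 10.1.1.199 is the firewall's LAN1 address (monitoring pings arrive from
    # there in this sample); 10.1.1.50 is a constructed management host.
    observed = parse_flows(SAMPLE_LOG)
    ruleset, to_review = full_ruleset(observed, {"10.1.1.199", "10.1.1.50"})
    print("\n".join(ruleset))
    print("\n# Flows needing review before any rule is added:")
    for item in to_review:
        print("#  ", item)
```

With the sample above, the only rules emitted are ICMP echo-request from the monitoring source and TCP/445 from the management host; the SYN probes against 135/139 from 10.1.1.77 and the OT device's outbound NetBIOS datagram are listed for review rather than allowed, which is the difference between mapping traffic and blindly whitelisting it.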

You Should Know:

Windows Firewall Commands

Enable ICMPv4 Echo Request (PING)
netsh advfirewall firewall add rule name="ICMP Allow" dir=in action=allow protocol=icmpv4:8,any

Allow SMB Traffic (Port 445) 
netsh advfirewall firewall add rule name="SMB Inbound" dir=in action=allow protocol=TCP localport=445

Modify Edge Traversal via PowerShell 
Set-NetFirewallRule -DisplayName "ICMP Allow" -EdgeTraversalPolicy Allow

List Active Firewall Rules
netsh advfirewall firewall show rule name=all

Linux Equivalent (iptables)

Allow ICMP (PING)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

Allow SMB (Samba) 
iptables -A INPUT -p tcp --dport 445 -j ACCEPT

NAT Forwarding (Similar to Windows NAT)
iptables -t nat -A PREROUTING -d 10.1.1.42 -j DNAT --to-destination 172.19.19.2
iptables -t nat -A POSTROUTING -s 172.19.19.2 -j SNAT --to-source 10.1.1.42

Log Traffic for Analysis
iptables -A INPUT -j LOG --log-prefix "OT_Firewall: "

Red Team Testing Commands

Test ICMP Accessibility
ping -c 4 10.1.1.42

Test SMB Access 
smbclient -L //10.1.1.42 -N

Port Scanning (Verify Lockdown)
nmap -sS -p 445,135-139 10.1.1.42

What Undercode Say:

Securing OT systems requires layered defenses. Windows Firewall misconfigurations often break monitoring tools, so the edge-traversal setting, the remote-IP scope of the ICMP rule, and the firewall's NAT rules must be consistent with one another. Always:
– Log traffic before locking down.
– Use allowlists, not denylists.
– Test with Red Team tools (nmap, Metasploit).
– Automate rules via scripts (netsh, iptables).

Expected Output:

  • ICMP PING succeeds post-NAT.
  • SMB shares remain accessible only to permitted IPs.
  • Unauthorized traffic is blocked and logged.
  • Red Team scans confirm no unintended exposures.

Reported By: Charlescrampton If – Hackers Feeds