The Importance of Dual Firewalls in IT/OT Network Security

Firewalls are critical in ensuring secure traffic flow between IT and OT networks while preventing unauthorized access. A single firewall can fail, leaving your OT network vulnerable. Implementing dual firewalls enhances security by:

  • Improving resilience against attacks
  • Slowing down attackers with layered defenses
  • Preventing malware spread across networks
  • Avoiding environmental disasters caused by OT breaches
  • Ensuring operational continuity

An IT/OT DMZ can further secure data transfers between networks by hosting secured intermediary systems.

You Should Know: Key Firewall Configurations & Best Practices

1. Setting Up Dual Firewalls (Linux/Windows)

Linux (iptables/nftables)

# Allow only necessary traffic between IT (eth0) and OT (eth1)
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 443 -j ACCEPT
# Return traffic: match on connection state rather than on source port 443 alone
# (a bare --sport 443 rule would let any OT host reach IT simply by choosing that source port)
iptables -A FORWARD -i eth1 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP

# Enable logging for dropped packets
iptables -N LOG_DROP
iptables -A LOG_DROP -j LOG --log-prefix "DROPPED: " --log-level 4
iptables -A LOG_DROP -j DROP

# Apply to unwanted traffic (must be the last rule in FORWARD, after the ACCEPT rules)
iptables -A FORWARD -j LOG_DROP
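The LOG target above only produces value if someone reads the output. The following is an added example (not part of the original post) that parses kernel log lines carrying the "DROPPED: " prefix, splits them by direction and flags IT-side hosts that tried to reach the OT protocol ports; it assumes eth0 is the IT side and eth1 the OT side, as in the FORWARD rules, and the log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the format the kernel writes for the
# LOG target above (prefix "DROPPED: "); eth0 = IT side, eth1 = OT side.
# These are not real captures.
SAMPLE_LOG = """\
Mar  3 10:14:01 fw1 kernel: DROPPED: IN=eth0 OUT=eth1 SRC=10.10.5.23 DST=192.168.50.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=51234 DPT=502 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:14:02 fw1 kernel: DROPPED: IN=eth0 OUT=eth1 SRC=10.10.5.23 DST=192.168.50.11 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4243 DF PROTO=TCP SPT=51235 DPT=502 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:14:03 fw1 kernel: DROPPED: IN=eth0 OUT=eth1 SRC=10.10.5.23 DST=192.168.50.12 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4244 DF PROTO=TCP SPT=51236 DPT=20000 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:14:05 fw1 kernel: DROPPED: IN=eth0 OUT=eth1 SRC=10.10.7.8 DST=192.168.50.10 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=9 PROTO=UDP SPT=5353 DPT=5353
Mar  3 10:14:06 fw1 kernel: DROPPED: IN=eth1 OUT=eth0 SRC=192.168.50.10 DST=10.10.5.23 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=77 DF PROTO=TCP SPT=44000 DPT=3389 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:14:07 fw1 sshd[1234]: Accepted publickey for admin from 10.10.1.1 port 50000
"""

DROP_RE = re.compile(r"kernel: DROPPED: (?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
OT_PORTS = {502: "Modbus/TCP", 20000: "DNP3"}   # the OT ports the post names explicitly


def parse_drop(line):
    """Parse one syslog line; return its fields, or None if it is not a DROPPED entry."""
    m = DROP_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("body")))  # bare flags such as DF/SYN carry no '=' and are skipped
    return {
        "in": kv.get("IN"), "out": kv.get("OUT"),
        "src": kv.get("SRC"), "dst": kv.get("DST"), "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if "DPT" in kv else None,
    }


def summarize_drops(log_text):
    """Split dropped packets by direction and flag attempts to reach OT protocol ports."""
    drops = [d for d in map(parse_drop, log_text.splitlines()) if d]
    it_to_ot = [d for d in drops if d["in"] == "eth0" and d["out"] == "eth1"]
    ot_to_it = [d for d in drops if d["in"] == "eth1" and d["out"] == "eth0"]
    # Only 443 is permitted IT->OT, so any OT-protocol port seen here is worth a closer look.
    ot_attempts = Counter((d["src"], OT_PORTS[d["dpt"]]) for d in it_to_ot if d["dpt"] in OT_PORTS)
    return {
        "total_dropped": len(drops),
        "it_to_ot": len(it_to_ot),
        "ot_to_it": len(ot_to_it),
        "top_it_sources": Counter(d["src"] for d in it_to_ot).most_common(3),
        "ot_protocol_attempts": dict(ot_attempts),
    }


if __name__ == "__main__":
    for key, value in summarize_drops(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it `/var/log/kern.log` (or the journal) instead of the sample to get a per-source picture of what the catch-all rule is actually dropping.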

Windows (PowerShell Firewall Rules)

# Allow specific OT protocols (Modbus, DNP3)
# Scope these to the peers that actually need them with -RemoteAddress rather than allowing from any source
New-NetFirewallRule -DisplayName "Allow Modbus TCP" -Direction Inbound -LocalPort 502 -Protocol TCP -Action Allow
New-NetFirewallRule -DisplayName "Allow DNP3" -Direction Inbound -LocalPort 20000 -Protocol TCP -Action Allow

# Block all other inbound traffic (applies to every profile when -Profile is omitted)
Set-NetFirewallProfile -DefaultInboundAction Block

2. Implementing an IT/OT DMZ

  • Deploy a hardened Linux host as a secure intermediary:
    # Install and configure fail2ban for intrusion prevention
    sudo apt install fail2ban
    sudo systemctl enable --now fail2ban

  • Use Ansible for automated firewall deployment:

    - name: Configure OT firewall rules
      hosts: ot_firewalls
      tasks:
        - name: Allow OT protocols
          ansible.builtin.iptables:
            chain: FORWARD
            protocol: tcp
            destination_port: "{{ item }}"
            jump: ACCEPT
          loop:
            - 502    # Modbus
            - 20000  # DNP3

3. High Availability (HA) Firewalls

  • Keepalived for Linux HA Firewalls:

    # Install Keepalived
    sudo apt install keepalived

    # Configure /etc/keepalived/keepalived.conf on the primary node; the second
    # node uses state BACKUP and a lower priority with the same virtual_router_id and VIP
    vrrp_instance VI_1 {
        state MASTER
        interface eth0
        virtual_router_id 51
        priority 100
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass securepassword   # placeholder; VRRP PASS authentication uses only the first 8 characters
        }
        virtual_ipaddress {
            192.168.1.100
        }
    }

What Undercode Say

Dual firewalls are a minimum for securing IT/OT convergence. Beyond firewalls:
– Network Segmentation: Use VLANs to isolate critical OT assets.
– OT-Specific IDS/IPS: Tools like Suricata with OT protocol detection.
– Zero Trust Architecture: Enforce strict device authentication.

Expected Output:

  • A resilient OT network with reduced attack surface.
  • Automated traffic logging for forensic analysis.
  • High availability preventing single-point failures.

Prediction

As OT attacks rise, AI-driven firewalls will dynamically adapt rules based on threat intelligence, reducing manual configuration errors.

(Relevant NIST Guidelines for OT Security)

References:

Reported By: Mikeholcomb Whats – Hackers Feeds