The Importance of Multiple Firewalls Between IT & OT Networks

Firewalls are essential for securing the boundary between IT (Information Technology) and OT (Operational Technology) networks. While a single firewall can provide basic protection, deploying multiple firewalls enhances security by introducing redundancy and enabling advanced architectures like IT/OT DMZs.

Key Benefits of Multiple Firewalls:

  • Resilience: Reduces single points of failure.
  • Attack Mitigation: Slows down attackers attempting lateral movement.
  • Malware Containment: Prevents malware from spreading between IT and OT.
  • Operational Safety: Helps avoid environmental disasters caused by cyber-physical attacks.
  • High Availability: Ensures continuous plant operations even if one firewall fails.

You Should Know: Practical Firewall Implementation

1. Configuring Firewalls for IT/OT Segmentation

Use iptables (Linux) or Windows Firewall with Advanced Security to enforce strict rules:

Linux (iptables) Example:

# Allow only specific OT protocols (e.g., Modbus TCP), initiated from IT (eth0) toward OT (eth1)
iptables -P FORWARD DROP                                                               # Default deny anything not listed below
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 502 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT   # Replies to IT-initiated sessions only
iptables -A FORWARD -i eth1 -o eth0 -j DROP                                            # Default deny OT → IT

Windows Firewall Rule (PowerShell):

New-NetFirewallRule -DisplayName "Allow Modbus TCP" -Direction Inbound -Protocol TCP -LocalPort 502 -Action Allow 

2. Setting Up an IT/OT DMZ

A DMZ (Demilitarized Zone) acts as a buffer between IT and OT, hosting secured data transfer services.

Steps to Implement:

1. Deploy Two Firewalls:

  • Firewall 1: IT → DMZ (Restrictive rules)
  • Firewall 2: DMZ → OT (Strictly whitelisted traffic)

2. Use Jump Hosts:

  • Only allow OT access via a secured jump server in the DMZ.

Example Jump Host SSH Rule (Linux):

iptables -A INPUT -p tcp --dport 22 -s 192.168.1.100 -j ACCEPT   # Only allow SSH from the DMZ jump host
iptables -A INPUT -p tcp --dport 22 -j DROP                      # Drop SSH from everywhere else

3. High Availability (HA) Firewalls

Use pfSense/OPNsense or Cisco ASA in failover mode to ensure continuous protection.

Linux HA Firewall (Keepalived):

# Install Keepalived
apt install keepalived

# Configure /etc/keepalived/keepalived.conf
# (the standby node uses the same file with state BACKUP and a lower priority, e.g. 90)
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass securepassword   # VRRP PASS authentication uses only the first 8 characters
    }
    virtual_ipaddress {
        192.168.1.1
    }
}

4. Monitoring & Logging

  • Linux (UFW Logs):
    tail -f /var/log/ufw.log

  • Windows (Event Viewer):
    Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5152}   # Firewall events: WFP blocked a packet (requires the "Filtering Platform Packet Drop" audit subcategory)
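A small detector over the UFW log format, as an added example that is not part of the original post: it assumes eth0 faces IT and eth1 faces OT (the interface roles used in the iptables rules above), runs on constructed log lines, and flags OT-side hosts whose blocked packets toward IT span several distinct targets, which is the lateral-movement probing the default-deny OT → IT rule exists to stop.

```python
import re
from collections import defaultdict

# Constructed sample UFW log lines (not captured traffic): eth0 = IT side, eth1 = OT side
SAMPLE_LOG = """\
Mar 10 12:00:01 otfw kernel: [UFW BLOCK] IN=eth1 OUT=eth0 SRC=10.20.0.15 DST=192.168.1.50 PROTO=TCP SPT=45000 DPT=445 SYN
Mar 10 12:00:02 otfw kernel: [UFW BLOCK] IN=eth1 OUT=eth0 SRC=10.20.0.15 DST=192.168.1.50 PROTO=TCP SPT=45001 DPT=3389 SYN
Mar 10 12:00:02 otfw kernel: [UFW BLOCK] IN=eth1 OUT=eth0 SRC=10.20.0.15 DST=192.168.1.51 PROTO=TCP SPT=45002 DPT=22 SYN
Mar 10 12:00:03 otfw kernel: [UFW BLOCK] IN=eth0 OUT=eth1 SRC=192.168.1.77 DST=10.20.0.9 PROTO=TCP SPT=50123 DPT=502 SYN
Mar 10 12:00:04 otfw kernel: [UFW BLOCK] IN=eth1 OUT=eth0 SRC=10.20.0.9 DST=192.168.1.50 PROTO=UDP SPT=123 DPT=123
"""

IT_IF, OT_IF = "eth0", "eth1"           # assumed interface roles, matching the iptables rules above
FIELD_RE = re.compile(r"(\b[A-Z]+)=(\S+)")  # KEY=VALUE pairs as written by the UFW/netfilter logger


def parse_ufw_line(line):
    """Return the KEY=VALUE fields of a '[UFW BLOCK]' line as a dict, or None for any other line."""
    if "[UFW BLOCK]" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def ot_to_it_attempts(log_text):
    """Group blocked OT -> IT packets by source: {src: {(dst, proto, dport), ...}}."""
    attempts = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_ufw_line(line)
        if fields and fields.get("IN") == OT_IF and fields.get("OUT") == IT_IF:
            attempts[fields["SRC"]].add((fields.get("DST"), fields.get("PROTO"), fields.get("DPT")))
    return attempts


def flag_suspicious_sources(log_text, min_targets=3):
    """OT-side sources whose blocked packets hit at least min_targets distinct IT (dst, proto, port) tuples."""
    return sorted(src for src, targets in ot_to_it_attempts(log_text).items() if len(targets) >= min_targets)


if __name__ == "__main__":
    attempts = ot_to_it_attempts(SAMPLE_LOG)
    for src in flag_suspicious_sources(SAMPLE_LOG):
        print(f"ALERT: {src} probing IT side, blocked targets: {sorted(attempts[src])}")
```

Pipe `tail -f /var/log/ufw.log` into a loop around `parse_ufw_line` to run the same check live; a single blocked reply-less packet from a PLC is noise, several distinct IT targets from one OT host is worth an incident ticket.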
    

What Undercode Say

Deploying multiple firewalls between IT and OT networks is a minimum requirement for industrial cybersecurity. A single firewall is a single point of failure—attackers only need to bypass one barrier. Implementing a DMZ with strict traffic rules, high availability, and continuous monitoring ensures robust protection against evolving threats.

Expected Output:

  • A resilient, multi-layered firewall architecture.
  • Reduced risk of OT network compromise.
  • Compliance with industrial security standards (IEC 62443, NIST SP 800-82).

Prediction

As OT systems become more connected, zero-trust architectures will replace traditional firewalls, requiring identity-based micro-segmentation and continuous authentication.

Reported By: Https: – Hackers Feeds