The Ultimate Guide to Transparent Firewalls: Securing Critical Infrastructure with Stealth Mode Defenses

Introduction:

In the evolving landscape of Operational Technology (OT) cybersecurity, the transparent firewall has emerged as a critical tool for securing industrial environments without disrupting existing network architecture. Also known as stealth, bump-in-the-wire, or layer 2 firewalls, these devices are physically inserted into a network segment to perform deep packet inspection and traffic filtering between its interfaces, all while maintaining the same logical subnet on both sides. This allows security teams to enforce granular policies—such as limiting source IPs and services allowed to communicate with a Programmable Logic Controller (PLC)—without any IP changes to the existing network, making them ideal for sensitive industrial control systems (ICS).

Learning Objectives:

  • Understand the core function and deployment scenarios for transparent firewalls in OT/ICS environments.
  • Learn to configure and validate transparent firewall rules on major platforms.
  • Develop strategies for selecting and integrating hardware-based firewalls with features like hardware bypass and centralized management.

You Should Know:

1. Core Concepts and Deployment Rationale

Transparent firewalls operate at Layer 2 of the OSI model: they hold no IP address on the protected segment and add no routing hop, so hosts on either side cannot tell from their own configuration that the device is in the path (they are not literally undetectable; added latency and vendor-specific MAC handling can be observed). Unlike traditional routed firewalls, they do not route; they bridge traffic between their interfaces and apply security policy inside a single broadcast domain. This is particularly valuable in OT networks where IP re-addressing is often impractical or too risky. A common use case is deploying a transparent firewall directly in front of a critical asset such as a PLC to restrict communication to authorized engineering workstations and specific protocols, e.g. TCP/44818 for EtherNet/IP explicit messaging (if the PLC also exchanges cyclic I/O across the firewall, UDP/2222 must be permitted as well, or the implicit I/O connection will drop). Key vendors offering specialized solutions include Siemens, Moxa, Fortinet, TXOne Networks, and Phoenix Contact, with features ranging from built-in hardware bypass to centralized management consoles.

2. Configuring a Siemens SCALANCE SC-600 Series Firewall in Transparent Mode

The Siemens SCALANCE SC-600 series is a hardened appliance designed for industrial environments. It is configured through its web interface or CLI; the menu labels below follow the original post and differ between firmware versions, so confirm them against the configuration manual for your release.

Step-by-Step Guide:

  1. Access the management interface on its default IP, replace the default credentials, and move management to a dedicated port or VLAN that is not bridged with the production traffic.
  2. Navigate to Network > Interfaces and change the operation mode from "Routed" to "Transparent".
  3. Assign both the internal and external interfaces to the same bridge group (e.g., br1). Neither interface needs an IP address on the production subnet; that is what keeps the device invisible to the PLC and HMI.
  4. Navigate to `Policy > Security Policy` and create a rule that allows only a specific HMI (192.168.1.10) to reach a PLC (192.168.1.20) on the EtherNet/IP explicit-messaging port:
     Source Zone: External
     Destination Zone: Internal
     Source Address: 192.168.1.10/32
     Destination Address: 192.168.1.20/32
     Service: TCP/44818
     Action: PERMIT
     Like other stateful firewalls in this class, the appliance allows the PLC's replies under this rule; do not add a mirror rule from Internal to External, since that would let the PLC open connections outward.
  5. Add an explicit `DENY ALL` rule at the bottom of the policy. It covers IP traffic only: check the appliance's Layer 2 settings for how ARP and non-IP protocols such as PROFINET (EtherType 0x8892) are handled, because a Layer 2 protocol that is silently bridged, or silently blocked, is the most common surprise in this deployment.
  6. Commit the changes and verify connectivity from the permitted HMI and from an unauthorized host on the same subnet.

3. Setting Up a Moxa EDR-G903 Series Firewall

Moxa's EDR-G903 series offers Layer 2 (bridge-mode) firewalling with a web interface. As with the Siemens steps, the menu labels are those of the original post and should be checked against the firmware you are running.

Step-by-Step Guide:

  1. Log into the web management console of the Moxa EDR-G903 and replace the default credentials before the unit is connected to the plant network.
  2. Go to `Firewall > Operation Mode` and select "Transparent Mode".
  3. Ensure all relevant physical ports are members of the same LAN segment.
  4. Proceed to `Firewall > Policy` to define ACLs. To permit ICMP (ping) from a single network scanner (192.168.1.15) to a device (192.168.1.100):
     Action: Allow
     Service: `ping` (pre-defined service)
     Source IP: 192.168.1.15
     Destination IP: 192.168.1.100
     Keep scanner exceptions to one host and one protocol; an inventory tool that is allowed every service becomes the easiest pivot into the cell.
  5. Below this, add a rule with `Action: Deny` for `Service: Any` and `Source/Destination: Any` to block all other traffic. Rules are evaluated top to bottom, so this deny rule must stay last.
  6. Save the configuration and test the policy from the scanner and from a host that should be blocked.
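Both vendor procedures end with "verify connectivity" or "test the policy" without saying what a pass looks like. The following is an added example, not Siemens or Moxa code, of a connectivity matrix that states, per vantage host, which paths must be open and which must be filtered, using the addresses from the Siemens rule above (the hypothetical host 192.168.1.99 stands in for any unauthorized machine on the subnet). It is run on each vantage host in turn with that host's address as the argument.

```python
"""Connectivity matrix for validating an allow-list behind a transparent firewall.

Added example, not vendor code. Assumes the Siemens rule above: only HMI
192.168.1.10 may reach PLC 192.168.1.20 on TCP/44818, everything else is
dropped. Run it from each vantage host: python3 verify_policy.py 192.168.1.10
"""
import socket
import sys
from dataclasses import dataclass

# Probe outcomes. "filtered" (no answer before the timeout) is what a silent
# DROP on the firewall looks like. "closed" means the packet got through and
# the target answered with a RST, which is also a policy failure when the path
# was supposed to be blocked.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify host:port from this machine's point of view."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except ConnectionRefusedError:
            return CLOSED
        except (socket.timeout, TimeoutError):
            return FILTERED
        except OSError:
            # no route / ARP never answered: indistinguishable from a drop
            return FILTERED


@dataclass(frozen=True)
class Case:
    vantage: str   # host the probe must run from
    target: str
    port: int
    expected: str  # OPEN for the one permitted path, FILTERED otherwise


# Constructed matrix. Each row states who probes, what, and what the policy promises.
MATRIX = [
    Case("192.168.1.10", "192.168.1.20", 44818, OPEN),      # permitted HMI and service
    Case("192.168.1.10", "192.168.1.20", 502, FILTERED),    # same HMI, service not in policy
    Case("192.168.1.99", "192.168.1.20", 44818, FILTERED),  # unauthorized host, right service
    Case("192.168.1.20", "192.168.1.10", 44818, FILTERED),  # PLC-initiated: state tracking
]                                                           # allows replies, not new sessions


def verify_matrix(cases, vantage, probe=probe_tcp):
    """Run the rows that belong to this vantage host; return [(case, observed)] mismatches."""
    mismatches = []
    for c in cases:
        if c.vantage != vantage:
            continue
        seen = probe(c.target, c.port)
        if seen != c.expected:
            mismatches.append((c, seen))
    return mismatches


def closed_local_port() -> int:
    """A loopback port with no listener, used to self-check the prober."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    me = sys.argv[1] if len(sys.argv) > 1 else socket.gethostbyname(socket.gethostname())
    failures = verify_matrix(MATRIX, me)
    for case, seen in failures:
        print(f"FAIL from {case.vantage}: {case.target}:{case.port} "
              f"expected {case.expected}, observed {seen}")
    if failures:
        sys.exit(1)
    print(f"policy behaves as designed from {me}")
```

A "closed" result on a row that expected "filtered" is the interesting failure: the firewall passed the SYN and the target answered. A TCP probe says nothing about ARP or other Layer 2 traffic, so the `ping` and PROFINET behaviour noted in the vendor steps still has to be checked separately.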

4. Linux Bridge and iptables Commands for Software-Based Transparency

While hardware appliances are preferred for OT, a Linux bridge with netfilter is the reference model for what those appliances do and the cheapest way to prototype and test a policy before it touches a controller.

Building the Bridge:

```bash
modprobe br_netfilter                               # hand bridged frames to netfilter
sysctl -w net.bridge.bridge-nf-call-iptables=1     # ...and enable the iptables hook
ip link add name br0 type bridge                    # ip(8) replaces the deprecated brctl/ifconfig
ip link set eth0 master br0 && ip link set eth1 master br0
ip link set eth0 up && ip link set eth1 up && ip link set br0 up   # no IP on br0: stays invisible
```

Manage the box over a third, separate interface; giving br0 an address on the production subnet would make the firewall a reachable host on the segment it protects.

Building the Firewall Policy:

```bash
# replies to accepted sessions; without this the PLC's answers hit the DROP and S7 never connects
iptables -A FORWARD -i br0 -o br0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# workstation -> PLC S7comm (ISO-TSAP, TCP/102), pinned to the plant-side port so a frame
# arriving from the PLC side with a spoofed 192.168.1.50 source does not match
iptables -A FORWARD -i br0 -o br0 -m physdev --physdev-in eth0 \
  -s 192.168.1.50 -d 192.168.1.75 -p tcp --dport 102 -m conntrack --ctstate NEW -j ACCEPT
# everything else bridged through br0 is dropped; this is the rule that enforces the policy
# (IP only: ARP and other non-IP frames never reach iptables; use ebtables or nft's bridge family)
iptables -A FORWARD -i br0 -o br0 -j DROP
```
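A real cell has more than one permitted path, and the mistakes that break a bridge policy are ordering mistakes (the state rule missing, the DROP not last) and over-broad entries (a /24 as source). The following is an added example, not from the original post, that renders an allow-list into the iptables commands in the order the bridge needs and refuses entries that are not single hosts. It assumes the bridge br0 built above with eth0 facing the plant network (where clients sit); the allow-list and the address 192.168.1.75 are constructed for illustration.

```python
"""Render an ordered iptables FORWARD policy for a Linux transparent bridge.

Added example, not from the original page. Assumes bridge br0 with eth0 on
the plant side (clients) and the protected controller behind the other port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Allow:
    src: str                    # single client host
    dst: str                    # protected asset
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # destination port for tcp/udp, None for icmp


def validate(allows: List[Allow]) -> None:
    """Raise ValueError for entries that break OT allow-list hygiene."""
    for a in allows:
        for label, addr in (("src", a.src), ("dst", a.dst)):
            if ipaddress.ip_network(addr, strict=False).num_addresses != 1:
                raise ValueError(f"{label} {addr} is not a single host")
        if a.proto not in ("tcp", "udp", "icmp"):
            raise ValueError(f"unsupported protocol {a.proto!r}")
        if a.proto in ("tcp", "udp") and a.port is None:
            raise ValueError(f"{a.proto} rule {a.src}->{a.dst} needs a destination port")
        if a.proto == "icmp" and a.port is not None:
            raise ValueError("icmp rules take no port")


def is_valid(allows: List[Allow]) -> bool:
    try:
        validate(allows)
        return True
    except ValueError:
        return False


def render(allows: List[Allow], bridge: str = "br0", outside: str = "eth0") -> List[str]:
    """Return the iptables commands in the order they must be applied."""
    validate(allows)
    base = f"iptables -A FORWARD -i {bridge} -o {bridge}"
    # 1. Replies to sessions accepted below (conntrack also pairs echo-reply
    #    and UDP answers with the request that was allowed).
    cmds = [f"{base} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    # 2. One pinned rule per allow-list entry. --physdev-in ties the rule to the
    #    physical port the client is expected on, so a frame from the PLC side
    #    carrying the client's address does not match.
    for a in allows:
        pin = f"-m physdev --physdev-in {outside}"
        if a.proto == "icmp":
            match = "-p icmp --icmp-type echo-request"
        else:
            match = f"-p {a.proto} --dport {a.port}"
        if a.proto == "tcp":
            match += " -m conntrack --ctstate NEW"  # only the handshake opener
        cmds.append(f"{base} {pin} -s {a.src} -d {a.dst} {match} -j ACCEPT")
    # 3. Everything else bridged through br0 is dropped. IP only: ARP and other
    #    non-IP frames are invisible to iptables (ebtables / nft bridge family).
    cmds.append(f"{base} -j DROP")
    return cmds


# Constructed allow-list for one controller cell (addresses are illustrative).
ALLOWS = [
    Allow("192.168.1.50", "192.168.1.75", "tcp", 102),  # engineering workstation, S7comm
    Allow("192.168.1.10", "192.168.1.75", "tcp", 502),  # HMI, Modbus/TCP
    Allow("192.168.1.15", "192.168.1.75", "icmp"),      # inventory scanner, ping only
]

if __name__ == "__main__":
    print("\n".join(render(ALLOWS)))
```

The output is meant to be reviewed and then applied with `sh`, not piped blindly; the point of generating it is that the state rule and the final DROP cannot be forgotten, and that a change request for "the whole subnet" is rejected before it reaches the box.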

5. Windows PowerShell and the Limits of Software Bridging

In IT-dominated segments adjacent to OT, Windows Server is sometimes proposed as a filtering Layer 2 bridge. The combination usually suggested does not produce a bump-in-the-wire, and it is worth knowing exactly why before relying on it.

Step-by-Step Guide:

Open PowerShell as Administrator.

Get-NetAdapter: List all network interfaces and identify the two you intended to bridge (e.g., `Ethernet1` and `Ethernet2`).
New-VMSwitch -Name "OT-Bridge" -NetAdapterName "Ethernet1", "Ethernet2" -AllowManagementOS $false: Requires the Hyper-V role. Given two adapters, this creates a Switch Embedded Teaming (SET) uplink, so both NICs become one logical link to the same segment; it does not place the host between two segments.
Windows Firewall with Advanced Security (WFAS) filters only traffic entering or leaving the host's own TCP/IP stack. Frames forwarded by a virtual switch, or by the legacy Network Bridge feature, never traverse it, and with `-AllowManagementOS $false` the host has no adapter on the switch at all, so there is nothing for WFAS rules to act on.

If a Windows host must sit in the path, the workable pattern is two external switches, each bound to one physical NIC, with both attached to a Linux VM that runs the bridge and `iptables` policy from the previous section; Hyper-V extended port ACLs (`Add-VMNetworkAdapterExtendedAcl`) can add per-VM 5-tuple filtering on top. For production OT, use a hardware appliance with bypass.

6. Advanced Feature: Hardware Bypass

Many industrial firewalls, like those from Moxa and Fortinet, feature hardware bypass relays. If the appliance loses power or fails, the relay closes, creating a direct physical connection between the interfaces to maintain network continuity, which is non-negotiable for high-availability processes. Configuration is typically automatic and hardware-based, but it must be verified during commissioning by cutting power to the appliance while a session to the protected asset is running and confirming the session survives. Two caveats follow from the mechanism: while the relay is closed no policy is enforced, so the bypass state should be monitored and treated as a security event rather than only a maintenance event; and where an unfiltered path is worse than an outage, choose a model whose bypass can be disabled (fail-closed) and record that decision per asset.

7. Vendor Comparison and Selection Criteria

The original post highlights a vast market with options from Siemens, Moxa, Dynics, Fortinet, TXOne, and Phoenix Contact. Selection must be driven by:
Lead Time & Availability: A primary factor in OT projects, as noted by the author.
Management: Centralized vs. standalone management (e.g., Fortinet’s FortiManager).
Hardware Bypass: Essential for critical processes to avoid downtime.
OT-Specific Deep Packet Inspection (DPI): Pre-built signatures for industrial protocols (Modbus/TCP, DNP3, S7comm) are a major advantage of platforms like TXOne Networks or Belden's HiSecOS, which incorporates Tofino technology. DPI is what lets a rule distinguish a Modbus read from a Modbus write, so a read-only HMI can be held to read-only function codes instead of to a whole TCP port.

What Undercode Says:

  • The shift towards proactive, preventive security controls in OT is accelerating, moving beyond mere detection.
  • The diversity of vendor solutions provides flexibility but necessitates deep technical evaluation against specific operational requirements.
  • Analysis: The discussion underscores a pivotal moment in industrial cybersecurity. The move to deploy transparent firewalls represents a maturation from merely monitoring for threats to actively enforcing segmentation and least privilege at the network layer, even in the most sensitive control system environments. The emphasis on hardware bypass and minimal network disruption highlights the unique availability and safety constraints that define OT security, separating it from standard IT practices. The breadth of options signifies a healthy and competitive market, but also places the burden on engineers to thoroughly evaluate lead times, management capabilities, and hardware features to ensure a resilient implementation.

Prediction:

The widespread adoption of transparent firewalls will become the foundational norm for segmenting and protecting critical infrastructure assets. As ransomware and state-sponsored threats increasingly target OT, these stealth-mode defenses will be the first line of protection for PLCs, RTUs, and other controllers. Future advancements will see these devices increasingly integrated with AI-driven OT SOC platforms, enabling dynamic policy adaptation based on real-time threat intelligence and behavioral analysis of network traffic, moving from static rule sets to actively learning and defending industrial processes.

Reported By: Varghesejm Transparent – Hackers Feeds