Big network protection with a small firewall
It does not always have to be an all-round router: for network segmentation on the factory floor, a microwall bridge is often the better solution. It protects legacy machines against attacks and does not require a complex reconfiguration of IP addresses.
In many companies there is that one machine that has always been there, that has done its job without failure for decades, and whose configuration no one understands anymore. The last employee who could still do this retired last year. One person, however, takes a particular interest in this machine: the new IT manager. A network scan has shown that the controller still runs Windows XP and is connected to the company network. This is a treat for attackers: they can break into the controller through open interfaces intended for remote maintenance and from there penetrate the rest of the network. In a ransomware attack they encrypt data and only release it after a ransom has been paid.
Limit damage, increase performance
Many industrial companies face the same problem: to reap the benefits of digitization and Industry 4.0, legacy machines also have to be networked, but this involves considerable security risks. Buy new machines? That would be best, but it is not an option for many businesses on a tight budget. The way out is network segmentation: insecure parts of the company network are separated off. If attackers penetrate one segment, they cannot reach the main network or other segments from there, and the damage remains limited. Performance also improves with segmentation, because unnecessary data traffic is kept out of each segment. Hospitals, for example, give the large data volumes of their medical devices priority over the visitor WiFi.
Network segmentation therefore has many advantages, especially for companies with aging machines. The disadvantage: in established network structures, the segmentation process is often time-consuming and error-prone. Segmentation is usually done with the firewall in an industrial router. For that to work, however, the segment must use a different IP range from the main network, otherwise there will be address conflicts. Adjusting IP addresses is tedious and requires IT professionals, who are not very enthusiastic about the task: true to the IT wisdom "Never touch a running system", they prefer to keep their hands off it.
An alternative is the Microwall Bridge. The small box is inserted inline between the machine to be segmented and the main network. Accordingly, it has only two LAN ports; a switch behind the bridge can be used to bring several machines together in one segment. The bridge contains a firewall that is configured by whitelisting: the list specifies which external device and application may communicate with the machine in the segment, and all other connections are blocked.
A microwall bridge protects devices and machines through segmentation. What is special is that the IP set-up does not have to be touched. Source: RAGE
The most important difference from previous segmentation solutions: the Microwall Bridge does not require any change to the IP setup. This avoids errors and outages, and is sometimes the only option when the configuration knowledge has retired along with an employee. With respect to IP addressing, the Microwall Bridge works transparently, i.e. the IP range of the surrounding network and the range inside the island are identical. Nevertheless, the bridge does not simply pass traffic through: connections across the bridge are only possible once release rules based on the IP addresses and port numbers involved have been set up, and everything else is dropped.
Safe, easy and less error-prone
In addition, the bridge has a very simple user interface that shows only the necessary functions, without the ballast of a full industrial router. Setting up the device and creating a rule takes only a few minutes. The user enters the IP addresses of a device in the main network and a device in the separated segment, e.g. a PC and a machine controller, and then allows the selected communication between the two via the port number. Access attempts that are not on the whitelist are blocked; from the client's point of view they simply fail, in a browser for example with "The website cannot be reached". Because the rules are keyed on IP addresses and ports, the whitelisted PC itself must be trustworthy: whatever can talk from that address can talk to the controller on the released port.
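To make the rule logic described above concrete, here is an added example of a transparent, whitelist-based bridging firewall in Python. It is illustrative code written for this article, not code from the Microwall Bridge or its manufacturer: the rule shape (source IP, destination IP, protocol, destination port), the subnet 192.168.10.0/24, the device addresses and the port numbers are all assumptions. It shows the three points that matter: both sides of the bridge share one IP range, a packet is allowed only if a rule (or the reply to an allowed flow) matches, and everything else, including traffic from a compromised controller towards the rest of the network, is dropped.

```python
"""Added example: a minimal model of a transparent, whitelist-based
bridging firewall. Not the product's code; all addresses and ports are
constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str      # device in the main network that may initiate
    dst: str      # device inside the segmented island
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the island device


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class BridgeFirewall:
    """Default-deny filter sitting inline on a layer-2 bridge."""

    def __init__(self, rules, subnet="192.168.10.0/24"):
        self.rules = list(rules)
        # Transparent: one subnet on both ports, no routing, no NAT.
        self.subnet = ip_network(subnet)
        # Flows opened by an allowed packet: (src, dst, proto, sport, dport)
        self.flows = set()

    @staticmethod
    def _matches(pkt, rule):
        return (pkt.src == rule.src and pkt.dst == rule.dst
                and pkt.proto == rule.proto and pkt.dport == rule.dport)

    def decide(self, pkt):
        # Both endpoints must be in the shared subnet; nothing is rewritten.
        if (ip_address(pkt.src) not in self.subnet
                or ip_address(pkt.dst) not in self.subnet):
            return "drop"
        # Reply direction of a flow that an allowed packet opened earlier.
        if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.flows:
            return "allow"
        # Forward direction: needs an explicit whitelist rule.
        for rule in self.rules:
            if self._matches(pkt, rule):
                self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return "allow"
        return "drop"   # default deny for everything not whitelisted


def demo():
    """Constructed scenario: engineering PC .20, legacy controller .77 in the
    island, another office host .50 and a scanner at .99 (all assumptions).
    Only the PC may reach the controller on TCP 102."""
    fw = BridgeFirewall([Rule("192.168.10.20", "192.168.10.77", "tcp", 102)])
    traffic = {
        "pc_to_controller":      Packet("192.168.10.20", "192.168.10.77", "tcp", 51000, 102),
        "controller_reply":      Packet("192.168.10.77", "192.168.10.20", "tcp", 102, 51000),
        "pc_to_controller_smb":  Packet("192.168.10.20", "192.168.10.77", "tcp", 51001, 445),
        "scanner_to_controller": Packet("192.168.10.99", "192.168.10.77", "tcp", 44444, 3389),
        "controller_to_office":  Packet("192.168.10.77", "192.168.10.50", "tcp", 50000, 445),
    }
    return {name: fw.decide(pkt) for name, pkt in traffic.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {verdict}")
```

The last case is the one the article's ransomware scenario hinges on: even if the XP controller is already compromised, its outbound connection to an office host has no rule and is dropped, so the island contains the infection instead of acting as a springboard into the main network.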
Small hardware firewalls like the Microwall Bridge are not only configured in a few minutes; they can also be installed directly on site with little effort. Source: RAGE
Customer experience shows that this makes network segmentation simpler and less error-prone, and in most cases production does not have to be stopped. At the same time, protection against attacks increases significantly. Simple retrofitting saves the cost of new purchases and lengthy conversions. By the way: if the bridge itself fails, it can be unplugged in a matter of seconds and the network behaves as if it had never been there; bear in mind that the segment is then unprotected until the bridge is replaced.