lkpseattle.blogg.se

Stateful vs stateless firewall












Following on from Eric Byres’ discussion of Deep Packet Inspection (DPI), this article discusses a second and equally important aspect of effective firewall security referred to as “stateful inspection.”

In order to understand exactly what is meant when we talk about “state”, we need to look at the specifics behind the TCP communication sessions that are most common in modern day industrial control systems (ICS) and SCADA applications. The figure below illustrates the model.

Figure 1: The abstraction layers typically used in TCP/IP communications for ICS and SCADA systems.

The DPI that was previously discussed is actually analyzing and making decisions based on the information contained in the upper layer of the model. This layer is where you would typically see specific application operands such as a Modbus Read Coil (e.g. function code 2) or a Modbus Write Single Register (e.g. function code 6). Clearly this DPI provides the highest level of granularity when it comes to managing communication between hosts on a network. An example of an industrial firewall that offers this is the Tofino Modbus TCP Enforcer. It is also possible for appliances to offer what is called “Shallow Packet Inspection” or SPI, which looks at data lower in the protocol stack. This is where the concept of “state” becomes important.

Just like communications between people, communications on a network rarely involve just a single message. There is a constant exchange of packets, where each is in some way dependent on previous packets. For example, if your computer receives a message containing a web page from a web server, it can only be interpreted with the knowledge of what request was sent earlier. If your computer never sent a message asking for the page, then the only reasonable thing to do with the message is to discard it. This understanding of the previous traffic is what we call “state”. Basically the computers involved in the information exchange have to understand the “state” of the exchange at all times.
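The "web page nobody asked for" case described above can be shown with a small model. This is an added example, not code from the original article or from any firewall product: the addresses, ports, flag strings and the names stateless_allow, StatefulFilter and run are constructed for illustration, and the tracking is simplified (a real stateful firewall also follows the TCP state machine and sequence numbers).

```python
from collections import namedtuple

# Constructed sample traffic; addresses come from documentation ranges.
Packet = namedtuple("Packet", "src sport dst dport flags")
CLIENT, SERVER, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.77"

def stateless_allow(pkt):
    """Static rule pair: web requests out, anything from TCP/80 back in."""
    outbound = pkt.src == CLIENT and pkt.dport == 80
    inbound = pkt.dst == CLIENT and pkt.sport == 80
    return outbound or inbound

class StatefulFilter:
    """Remembers sessions the client opened; replies must match one."""
    def __init__(self):
        self.table = set()  # entries: (client, client_port, server, server_port)

    def allow(self, pkt):
        if pkt.src == CLIENT and pkt.dport == 80:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "SYN":
                self.table.add(key)      # new outbound session: record it
            return key in self.table
        # Everything else is treated as inbound and must reverse-match an entry.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        allowed = key in self.table
        if allowed and pkt.flags == "RST":
            self.table.discard(key)      # session torn down: forget it
        return allowed

TRACE = [
    Packet(CLIENT, 40000, SERVER, 80, "SYN"),      # client asks for the page
    Packet(SERVER, 80, CLIENT, 40000, "SYN-ACK"),  # reply to that request
    Packet(CLIENT, 40000, SERVER, 80, "ACK"),
    Packet(STRANGER, 80, CLIENT, 40001, "ACK"),    # "page" that was never requested
    Packet(SERVER, 80, CLIENT, 40000, "RST"),      # server closes the session
    Packet(SERVER, 80, CLIENT, 40000, "ACK"),      # late packet after the close
]

def run(packets):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(stateless_allow(p), fw.allow(p)) for p in packets]

if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRACE, run(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.flags:8}"
              f" stateless={'pass' if sl else 'drop'} stateful={'pass' if sf else 'drop'}")
```

The static rules pass every packet because each one matches a port rule in isolation; the stateful filter drops the unrequested packet and the packet that arrives after the session has ended.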













