mGuard OPC Inspector

Catalog excerpts

mGuard OPC Inspector - 1

protecting industrial networks

The intelligent protection for OPC Classic

OPC is one of the most widely accepted standards to meet the demands of universal data access in the world of industrial automation. Originally developed as OLE for Process Control, it is now usually referred to as OPC.

OPC Classic is supported by a wide range of industrial and business applications, such as HMI workstations, PLCs and process control systems, but also by corporate databases and other business-oriented systems.

The basic concept of OPC Classic (i.e. not using fixed TCP port numbers, but instead negotiating new port numbers within the first open connection) means that intermediary firewalls can only be used with wide-open gates, meaning they have virtually no effect. In addition, the communicated client and server IP addresses within the OPC connection entail that conventional NAT (network address translation) routing cannot be used. The mGuard OPC Inspector counters this problem by using deep packet inspection for OPC Classic.

Deep packet inspection for OPC Classic

During the deep packet inspection process, the mGuard literally looks deep into the transmitted data packets before analyzing and modifying these as necessary. Various options can be configured, such as whether only OPC packets may be transmitted via the OPC Classic Port 135. The TCP ports negotiated within the first open connection are also reliably detected and opened for OPC packets. If no OPC packets are transmitted via these ports within a configurable timeout, they are closed again. And certainly, granular firewall rules can be used to precisely define which clients can communicate with which servers via OPC. This connection tracking enables the highest level of security!

Defense in Depth

Attackers use various means to obtain access to production facilities. Stuxnet has shown, for example, that attacks by means of compromised USB sticks are also possible from within the system itself. This is remedied through the implementation of the “Defense in Depth” concept, based on ISA-99. This concept relies on the network segmentation of systems, along with the decentralized protection of these individual segments. With the mGuard OPC Inspector, this concept can now be implemented in systems in which OPC Classic is used.

And for an individual segmentation of OPC-based networks, the mGuard OPC Inspector’s intelligent deep packet inspection even allows the use of NAT procedures such as masquerading or 1:1 NAT – a world first.

mGuard OPC Inspector - 2

1. The OPC Inspector checks to see if a connection from the client to the server is allowed and if the content contains a valid OPC request.
2. The OPC Inspector checks if the content contains a valid OPC response from the server to the client, and remembers the port for the next connection.
3. OPC Inspector temporarily opens precisely the negotiated port for valid OPC data traffic between the client and server.
4. Attempts to bypass the firewall even via the open ports, from other participants or with invalid packets, are blocked.

Figure: Detailed functionality mGuard OPC...

