Firewalls and Network Segmentation


Summary

Firewalls and network segmentation are key strategies for protecting business and industrial networks by controlling how data flows and who can access various systems. A firewall is a security device that blocks or allows incoming and outgoing traffic based on preset rules, while network segmentation divides a network into smaller sections to contain threats and limit an attacker's movement.

  • Isolate critical assets: Use dedicated firewalls and virtual local area networks (VLANs) to separate sensitive systems from the rest of the network, reducing exposure if a breach occurs.
  • Control communication flows: Set up secure zones and conduits so only necessary devices and functions can communicate, and monitor these connections for unusual activity.
  • Prioritize visibility: Regularly inventory all devices and track network traffic to quickly identify vulnerabilities and respond to incidents before they spread.
Summarized by AI based on LinkedIn member posts
  • Ah M.

    #talks about #cisco #Nutanix #ccnp #ccie #security #firewalls #fmc #linux #python #ansible #JSON #nexus #DataCenter #AI #ACI


    This network design features a dual-infrastructure setup using two different firewall platforms, FortiGate and Palo Alto, to provide redundancy and segmentation. The design aims to ensure high availability and robust security for a network with critical assets, likely belonging to a mid to large-sized enterprise. The network is connected to two Internet Service Providers (ISPs) labeled ISP-A and ISP-B. The connections are managed through two switches (SW-15 and SW-16) on the FortiGate side, and two other switches (SW-19 and SW-110) on the Palo Alto side. These switches act as the primary and backup points of entry for the internet traffic, ensuring that if one ISP fails, the other can still provide connectivity. This setup provides resilience and fault tolerance.

    On the FortiGate side, two FortiGate firewalls are deployed in a high-availability (HA) configuration. This setup means that one firewall will take over if the other fails, providing uninterrupted security services. The firewalls are connected to layer 3 switches (L3-SW7 and L3-SW13) which manage internal routing and distribution of traffic. The layer 2 switches (L2-SW13) underneath connect to end devices or servers, shown as VPCs. This segmentation allows the internal network to be divided into different VLANs (VLAN 10, 21, 22, 23), each with its IP subnet, offering isolation and traffic management according to the organization’s requirements.

    Similarly, on the Palo Alto side, there are two firewalls, also configured in HA. They are connected to a layer 3 switch (L3-SW8) that performs a similar role in routing and distributing traffic. VLANs (30, 31, 32, 33) are used here as well, indicating that the network is segmented based on functions or departments. This helps in controlling and securing traffic flows, as well as in implementing policies such as access control lists (ACLs) or quality of service (QoS).

    The purpose of this design is twofold: to provide high availability and to ensure security and segmentation across the enterprise network. By using two different firewall platforms, the design can leverage the strengths of each while maintaining a diverse security posture, which is often recommended to avoid single points of failure or uniform vulnerabilities. The VLAN segmentation helps in managing and isolating traffic, ensuring that security policies can be applied more granularly. Additionally, the HA configurations on both the FortiGate and Palo Alto sides prevent downtime during hardware failures, contributing to the network's resilience. This setup offers a scalable, secure, and resilient architecture capable of supporting a range of enterprise applications and services while maintaining strict security controls and high availability.

  • Mike Holcomb

    Helping YOU Secure OT/ICS


    The #1 cyber security control in ICS/OT to stop attackers? Secure network architecture. It might be one "control," but it has many parts.

    1. IT-OT DMZ

    Most ICS/OT networks have some communication with the IT network. A DMZ with two layers of firewalls implemented between the IT and OT networks. The DMZ helps limit the flow of traffic between the two main networks. Forcing the traffic through systems that act as intermediaries. Intermediaries that can help enforce security. Ultimately, the DMZ limits the damage that can be done WHEN an attacker gains access to the IT network. The main goals here are to:
    -> Prevent an attacker from moving into the OT network from IT
    -> Limit communication from the OT network to IT side
    -> Ensure DMZ hosts are hardened against attack
    -> And monitor for potential attacks

    2. OT Network Segmentation

    Besides the IT-OT DMZ, further network segmentation should be performed within the OT network. As a starting point, many reference the expanded Purdue Model. Even though this was not its intent (and you should jump to "Zones and Conduits" below). An attacker could gain access to the IT network, but placing additional segmentation through firewalls and ACLs on switches can limit them. The goals here are to:
    -> Provide necessary communication for the plant to operate
    -> Limit damage in the event an attacker gains access
    -> Give systems the ability to spot malicious activity
    -> Slow down an attacker in the OT network

    3. Zones and Conduits

    As organizations mature, they look to ISA/IEC 62443 as the gold standard for building an ICS/OT cyber security program. A main focus of ISA/IEC 62443 is to break up the OT network overall into zones. Zones are logical groupings of assets that share the same function and/or security requirements. Conduits help reflect the paths of communication between assets in different zones. Zones help segment the network further and allow operators to wrap Access Control Lists around those zones. Only allowing required traffic to communicate between zones. That HMI needs to talk to that PLC? Great! That HMI doesn't need to talk to anything else? Then don't let it! Give your assets what they need. No more. No less. If you give more, an attacker will take advantage of it one day!

    4. Further Microsegmentation

    Zones can help limit communication between parts of the network. But they do not limit traffic between hosts within the same zone. Just like above, we want to limit pathways an attacker could use against us. If an attacker gained a foothold in the DMZ, would they have access to the other hosts? And then the pathways accessible to those hosts? Perhaps they cannot directly access a PLC or DCS from the DMZ. But is there a pathway through other zones and hosts from the DMZ that would allow it? Is there a pathway that would allow access to your SIS?

    P.S. What else would you include or change? #CyberSecurity #Automation #Engineering #ICS #Technology
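One way to answer the "is there a pathway from the DMZ to a PLC or SIS" question above in code: an added example, not from the post, that models zones and conduits over a constructed inventory (all asset names, zones and conduit pairs are hypothetical) and shows how a host-level allow list closes an intra-zone pathway that zone rules alone leave open.

```python
from collections import deque

# Constructed inventory (hypothetical names): asset -> zone
ASSETS = {
    "dmz-jump": "DMZ",
    "dmz-historian": "DMZ",
    "eng-ws": "L3-OPS",
    "hmi-1": "L2-CONTROL",
    "hmi-2": "L2-CONTROL",
    "plc-1": "L1-BASIC",
    "sis-1": "SIS",
}

# Conduits: (source zone, destination zone) pairs the zone firewalls/ACLs permit
CONDUITS = {
    ("DMZ", "L3-OPS"),
    ("L3-OPS", "L2-CONTROL"),
    ("L2-CONTROL", "L1-BASIC"),
    ("L2-CONTROL", "SIS"),
}

# Optional host-level allow list (microsegmentation): source asset -> destination assets
HOST_ALLOW = {
    "dmz-jump": {"eng-ws"},
    "eng-ws": {"hmi-1"},
    "hmi-1": {"plc-1"},
    "hmi-2": {"sis-1"},
}


def flow_allowed(src, dst, assets, conduits, host_allow=None):
    """True if src may open a connection to dst under the zone (and host) policy."""
    if src == dst:
        return False
    same_zone = assets[src] == assets[dst]
    if not (same_zone or (assets[src], assets[dst]) in conduits):
        return False
    if host_allow is None:  # zones only: traffic inside a zone is unrestricted
        return True
    return dst in host_allow.get(src, set())


def find_path(start, target, assets, conduits, host_allow=None):
    """BFS over allowed flows; returns the hop list from start to target, or None."""
    # Worst-case assumption for a segmentation review: a compromised host can
    # pivot to anything the policy permits it to reach.
    parent = {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for nxt in assets:
            if nxt not in parent and flow_allowed(cur, nxt, assets, conduits, host_allow):
                parent[nxt] = cur
                queue.append(nxt)
    return None


if __name__ == "__main__":
    for label, allow in (("zones only", None), ("zones + host allow list", HOST_ALLOW)):
        found = {t: find_path("dmz-jump", t, ASSETS, CONDUITS, allow) for t in ("plc-1", "sis-1")}
        print(label, found)
```

With zone rules alone the SIS is reachable via eng-ws and hmi-1 (zones do not restrict hmi-1 talking to the SIS conduit); with the host allow list, only hmi-2 may reach sis-1 and no DMZ pathway leads to hmi-2, so sis-1 comes back as None.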

  • Sandeep Y.

    Bridging Tech and Business | Transforming Ideas into Multi-Million Dollar IT Programs | PgMP, PMP, RMP, ACP | Agile Expert in Physical infra, Network, Cloud, Cybersecurity to Digital Transformation


    One flat VLAN. One big blast radius.

    A huge mistake is treating OT like it’s off the grid. Like it doesn’t need modern control. The truth? Modern plants are digital. Sensors, HMIs, SCADA; all plugged into corporate networks. And attackers know it. OT downtime costs real money.

    Now that IT and OT share networks and risk... every leader should be asking:
    → Do we know what’s in our plant network?
    → Can we stop lateral spread before it starts?
    → Who responds when the alarms light up?

    Visibility must come before control.

    Here’s the risk: Most plants still run flat. No asset inventory. No real segmentation. That means:
    → One infected sensor = plant-wide exposure
    → No logs. No alerts. No response window.

    Why?
    → No passive discovery
    → No segmentation by function or risk
    → No playbooks for real-world events

    These aren’t tech misses. They’re signals of unowned risk:
    → No Purdue-level firewalls
    → No ops-friendly rulesets
    → No drills. No handoffs.

    What works in live plants:
    ⤷ Nozomi Networks + Claroty for passive asset mapping
    ⤷ Fortinet OT + Microsoft Defender for IoT for layered visibility
    ⤷ Cisco + IEC 61850 profiles for contextual segmentation

    Proven rollout:
    → Discover via SPAN ports; no inline risk
    → Segment by function; rules ops can read
    → Monitor passively; tune alerts with plant teams
    → Drill the bad day; assign owners and response SLAs

    Ops leads: sign the playbook. PMs: add OT gates to the delivery plan. CISOs: measure time to contain, not just alert count.

    📁 Share if IT and OT now share a wall. Safety doesn’t start with security — it starts with visibility.

  • Bob Carver

    CEO Cybersecurity Boardroom ™ | CISSP, CISM, M.S. Top Cybersecurity Voice


    Why Hardware Wins Against Software in the Real World of Microsegmentation
    An Interview with BYOS CEO Matias Katz

    Hardware microsegmentation is a security architecture that uses dedicated, often embedded, hardware enforcement points to create tightly controlled network segments. Unlike purely software-defined solutions, these enforcement points operate independently of the operating system or application stack, enabling segmentation even where software agents can’t be deployed—such as on outdated or proprietary platforms. By enforcing isolation at the hardware level, organizations can precisely control allowed communication flows between systems and block all others, aligning naturally with Zero Trust principles where every connection must be explicitly verified. This approach not only limits lateral movement within the network but also severely restricts access to protected elements, ensuring that no device or user has more access than absolutely necessary.

    When implemented on hardware hardened to FIPS 140-2 cryptographic standards, hardware microsegmentation provides strong, independently validated protection for both control-plane communications and data in transit. FIPS 140-2 certification ensures that cryptographic modules have undergone rigorous testing, making it much harder for attackers to exploit weaknesses or tamper with security controls. Because these protections are built into tamper-resistant hardware rather than dependent on potentially compromised software layers, they are far less susceptible to common attack methods like malware injection, OS-level exploits, or privilege escalation. This makes breaching segmentation boundaries significantly more difficult, even for well-resourced adversaries.

    From an attacker’s point of view, hardware microsegmentation is often nearly invisible. The enforcement points sit outside the view of endpoint processes, have no detectable software footprint, and can silently block or allow traffic based on Zero Trust access policies. This invisibility, combined with strict policy enforcement at the network hardware level, creates a hardened perimeter around protected systems. For vulnerable legacy assets—such as medical equipment, industrial control systems, or unsupported servers—this means they can be wrapped in an impenetrable security layer without altering or patching the systems themselves. The result is a stealthy, high-assurance containment strategy that severely limits unauthorized access while enabling secure operation of even the most sensitive and outdated infrastructure.

    #CyberSecurity #Microsegmentation #LegacySystems #ZeroTrust #NetworkSecurity #FIPS140-2 #IoT #OTSecurity #CriticalInfrastructure #CyberResilience #SecurityArchitecture

  • Alana Murray

    ICS/OT Enterprise Architect | SCADA/OT Expert | OT Cybersecurity Leader | Water Leadership Innovator | Driving Industry Transformation.


    SCADA Cybersecurity: Your Practical Defense Playbook

    After 3 decades in industrial controls, I've seen SCADA systems evolve from isolated workhorses to connected, vulnerable targets. Your SCADA system is a target.

    The Four Deadly SCADA Vulnerabilities You Can Fix Today

    Legacy Systems Running on Borrowed Time: That Windows XP HMI you've been nursing along? It's a ticking time bomb. Unpatched systems are low-hanging fruit for attackers. Quick Win: Inventory every piece of software in your control network. Anything without vendor support gets isolated or replaced.

    Protocols That Trust Everyone: Some industrial protocols send commands in plain text with zero authentication. It's like leaving your front door wide open. Watch Out For: Any industrial protocol traffic crossing network boundaries without encryption. Attackers can read every command and forge new ones.

    The IT/OT Bridge That Became a Highway: Connecting control networks to corporate networks creates direct attack paths. The Oldsmar hacker exploited poorly secured remote access. Rule of Thumb: Never allow direct IT/OT connections. Use industrial firewalls, an industrial DMZ, and, if needed, data diodes for one-way data flow.

    Remote Access Convenience vs. Security: TeamViewer, VNC, and similar tools are security nightmares. Shared passwords, direct internet exposure, and always-on connections invite attackers.

    Your Defense-in-Depth Action Plan

    1. Network Segmentation (The Purdue Model): Segment your network into security zones.
    >>> Level 0-1 (sensors, PLCs) stay as isolated as possible.
    >>> Level 2 (SCADA masters and HMIs) gets limited access.
    >>> Everything above level 2, like corporate networks, stays separate or connects through an industrial demilitarized zone (DMZ).

    2. Access Control That Actually Controls
    >>> Implement Multi-Factor Authentication (MFA) for ALL remote access
    >>> Use role-based permissions: operators view data, engineers modify logic
    >>> Kill shared passwords immediately

    3. Monitor What Matters: Deploy ICS-aware intrusion detection systems. Set up baseline monitoring: when pump pressures spike at 2 AM, you need to know why.

    4. The Human Firewall: Train operators to recognize cyber incidents as process anomalies. That unresponsive pump might not be a mechanical failure; it could be a cyberattack.

    The Bottom Line

    The Oldsmar incident was stopped by an alert operator, not sophisticated cybersecurity. Most attacks succeed through basic failures: weak passwords, unpatched systems, and poor network design. You don't need a million-dollar security budget. You need disciplined execution of fundamentals. Remember: in industrial cybersecurity, availability and safety come first. But unsecured systems won't stay available long. The attackers are already here; make sure you're ready.

    If you want to go deeper, I've got a video on my YouTube channel with more detail. Check the link to my channel in my profile.

  • Mohamed Atta

    Solutions Engineers Leader | AI-Driven Security | OT Cybersecurity Expert | OT SOC Visionary | Turning Chaos Into Clarity


    ICS Architecture: Control DMZ, Relevant under ISA/IEC 62443 & NIST 800-82r3

    1. Control DMZ under ISA/IEC 62443
    > A DMZ is "a common, limited network of servers joining two or more zones for the purpose of controlling data flow between zones." It ensures separation and mediates communication between zones, preventing direct connections.
    > Used to control and secure data flows, minimizing risk from direct IT-OT communication.

    >> Zone Boundary Protection (SR 5.2)
    > The system must enforce restrictions on communication between zones through mechanisms like firewalls and IDS/IPS.
    > Fail-Close Mode: Essential ICS functions must operate even if zone boundary protection fails, using "fail-close" or "island mode."

    >> Network Segmentation (SR 5.1)
    > Logical or physical segmentation must isolate zones, including the DMZ, ensuring secure data flow across defined conduits.

    >> Restricted Data Flow (FR 5)
    > Prevent unauthorized data movement between zones, with the DMZ acting as an intermediary.

    >> Data Confidentiality (FR 4)
    > Encryption: Communication traversing the DMZ must use secure methods to prevent eavesdropping.
    > Authentication: Robust identification and authentication mechanisms for all users/devices accessing the DMZ.

    >> Timely Response to Events (FR 6)
    > Continuous Monitoring: The DMZ must support real-time monitoring and logging for all traffic.
    > Audit Logs: Logs must be securely stored and accessible for review without impacting operations.

    >> Resource Availability (FR 7)
    > DoS Protection: The DMZ must be resilient to Denial-of-Service attacks.
    > Fail-Safe Operation: Critical OT functions must continue uninterrupted during DMZ failures.

    >> Compensating Countermeasures
    > If certain controls (e.g., firewalls or IDS) are infeasible, alternative measures (e.g., physical access controls) must compensate.

    ---

    2. NIST SP 800-82r3
    > The DMZ creates a logical separation between corporate and OT networks, preventing direct traffic and enforcing secure mediation.
    > Employ DMZ architecture to manage data flow, ensuring only authorized traffic passes between IT and OT environments.
    > Use stateful firewalls and unidirectional gateways to establish secure boundaries.
    > Limit communications to predefined, secured paths.
    > Incorporate protocol enforcement and network monitoring to detect suspicious activity.
    > Use multi-factor authentication for access to systems within the DMZ.
    > Separate authentication mechanisms for IT and OT networks ensure traceability.
    > Persistent monitoring for all DMZ traffic, logging, and anomaly detection to ensure security.
    > Logs must be securely maintained and accessible for analysis without affecting performance.
    > Fail-safe mechanisms must maintain critical functionality or degrade gracefully during failures.

    This is just the beginning—the guidelines are too extensive to be covered in a single post. Enjoy reading, and feel free to share your thoughts in the comments! #icssecurity #otsecurity

  • Daniel Rocha, CISSP, CCDE

    Focused on building secure, self-validating, self-healing, and continuously compliant network automation. Python | Ansible | Terraform


    From a network design perspective, the Cisco ASA plays a critical role in securing and segmenting traffic flows across different trust zones within an enterprise environment. Its importance stems not just from its packet filtering or NAT capabilities, but from its integration into the overall architecture as a stateful security gateway—often placed at the intersection of internal, DMZ, and external networks. The ASA serves as a key policy enforcement point, where traffic decisions are made based on application, identity, and context, rather than just IP and port.

    In a well-designed network, the ASA forms the perimeter boundary that controls ingress and egress traffic. By assigning security levels to interfaces and enforcing hierarchical trust relationships, the ASA enables granular control over how and where traffic flows, minimizing the attack surface. This is particularly important in zone-based architectures, where separating user, server, and internet-facing zones can prevent lateral movement and contain threats more effectively.

    Beyond perimeter security, the ASA contributes to overall network resiliency and scalability. It supports features like high availability, VPN termination, and advanced inspection policies without introducing unnecessary complexity into the routing topology. Its integration with identity services, logging systems, and centralized policy platforms allows for centralized visibility and control—key principles in modern network designs that prioritize operational simplicity and threat response agility.

    Ultimately, the Cisco ASA is not just a firewall; it is a policy enforcement node embedded in a broader security architecture. Its placement and configuration directly impact the network's ability to defend, detect, and respond to threats while supporting business-critical connectivity in a manageable and scalable way. #CISCO #ASA #FIREWALL #CCDE

  • Gabriel Aguiar

    IT HEAD | PMP-Certified IT Project Manager | Specialist in Governance, IT Policies, and Strategic Deliveries for Large-Scale Operations | Harvard


    🔒 Where does a firewall make sense in your OT architecture? 🧱

    I'm currently deep into OT network security — especially the question: Where exactly do firewalls make sense in an industrial Ethernet network — and where are they overkill?

    ➡️ IEC 62443 offers clear guidance: use zones and conduits — with firewalls as barriers.
    ➡️ CPwE architecture from Cisco & Rockwell Automation goes even further and shows typical firewall locations, e.g. between IT & OT or between Level 3 (Site Operations) and Level 2 (Control).

    But what works in real-world settings?
    👉 Are VLANs with ACLs enough?
    👉 Do you use Layer 3 firewalls to isolate cells?
    👉 Or do you deploy DPI-capable firewalls in every cell?

    I’d love to know: How do you implement firewalls in your OT environment? What works, what doesn’t?

    #OTSecurity #IEC62443 #CPwE #IndustrialSecurity #Firewall #VLAN #Automation #CyberSecurity #Industry40 #NetworkSegmentation

  • Mina Mikhael

    Network Engineer | System Administrator


    💡 Enterprise Network Design Project | Multi-VLAN – OSPF – Firewall – NAT – Data Center

    Excited to share another project I've worked on — a fully integrated enterprise network infrastructure that simulates a real-world corporate environment using industry-standard technologies and best practices.

    🧠 Project Highlights:

    🔹 Routing and Redundancy:
    • OSPF dynamic routing across multiple areas
    • Redundant core routing with fallback paths
    • Router-on-a-stick and inter-VLAN routing

    🔸 Layer 2 & VLAN Design:
    • Multiple VLANs configured for segmentation (VLAN 20, 30, 120, 130, etc.)
    • Traffic isolation between departments
    • Trunk and Access port configuration for proper VLAN propagation

    🔐 Firewall & NAT:
    • Implemented firewall zones to secure data flow between internal networks and the Internet
    • NAT (Network Address Translation) for private-to-public IP conversion
    • Security policies applied on interfaces and DMZ zones

    🖥️ Data Center Integration:
    • DHCP server to dynamically assign IPs
    • DNS server with forwarding to external public DNS
    • Active Directory services
    • Application servers (IIS, File Server)
    • Backup server connectivity
    • Isolated VLANs for security-sensitive servers

    🧰 Tools Used:
    • GNS3 for emulation
    • Routers, Switches, Firewalls
    • Windows Servers (AD, DNS, DHCP, etc.)
    • Virtual PCs for client simulation

    🔍 This project allowed me to practice and demonstrate advanced network design, routing, layer 2 segmentation, security enforcement, and data center connectivity. It reflects a realistic enterprise deployment model with resilience, scalability, and security in mind.

    📌 #Networking #EnterpriseNetwork #OSPF #VLAN #Firewall #NAT #DHCP #DNS #ActiveDirectory #ITInfrastructure #NetworkSecurity #SysAdmin #CCNA #CCNP #GNS3 #NetworkDesign #CyberSecurity

