← Home

Network Security Devices

Network security devices control and monitor network traffic to protect systems from unauthorized access, cyberattacks, and malicious communications. Selecting the correct device depends on the security objective, network architecture, performance requirements, and operational constraints.

Network Security Devices
Figure – Network security devices used to control, monitor, and protect industrial network communications.

Device Selection

Choosing the correct security device is a critical design decision.

Consider:

Not every connection requires a firewall—a managed switch, router ACL, or other network control may be sufficient depending on the required level of security.


Firewalls

A firewall is a hardware or software device that regulates communication between two connected networks by inspecting and filtering traffic according to predefined security rules.

Firewalls:

Typical examples include separating:

Firewalls may be:

Hardware Firewalls

A hardware firewall is a dedicated appliance installed at the network perimeter or between network zones.

Unlike software firewalls, hardware firewalls:

They are commonly used to protect:

Traffic is evaluated against configured security policies to determine whether communication is allowed or denied.


Firewall Classes

1. Packet Filtering Firewall

The simplest firewall type.

Operation

Inspects only packet headers, including:

Filtering decisions are based on Access Control Lists (ACLs).

Advantages

Limitations


2. Stateful Inspection Firewall

Stateful firewalls monitor active communication sessions rather than individual packets.

Operation

Tracks:

Traffic is only permitted if it belongs to a valid established session.

Examples include:

Advantages

Limitations


3. Application Proxy Firewall

Acts as an intermediary between communicating devices.

Operation

Can inspect application-specific information such as:

Advantages

Limitations


4. Deep Packet Inspection (DPI) Firewall

Provides the highest level of inspection.

Operation

Examines:

Can identify:

Advantages

Limitations


Firewall Policies

A firewall's effectiveness depends far more on its configuration than its installation.

Good firewall policies should:

Poorly configured firewalls provide little real protection, regardless of the hardware used.


IACS Firewalls

Industrial Automation and Control System (IACS) firewalls are purpose-built for Operational Technology (OT) environments.

They are designed to protect industrial devices that often have limited built-in cybersecurity capabilities.

Typical protected devices include:

Key Features

Industrial Design

Built to withstand:

Suitable for installation in industrial control panels and field environments.

Control System Friendly

Designed for automation personnel with features such as:

Industrial Protocol Awareness

Supports Deep Packet Inspection (DPI) for industrial protocols including:

This allows filtering based on industrial commands rather than only IP addresses and ports.

Advanced Security Functions

Often include:


Unidirectional Gateways (Data Diodes)

A unidirectional gateway (also called a data diode) is a hardware-enforced security device that physically allows communication in only one direction.

Unlike a firewall, this protection is enforced by hardware rather than software configuration.

Operation

Data flows:

Source Network → Destination Network

There is no physical return path.

This prevents:

Because many network protocols require two-way communication (e.g., TCP's SYN → SYN-ACK → ACK handshake), unidirectional gateways emulate this behaviour to support one-way data transfer.

Typical Uses

Unidirectional gateways are commonly deployed in:

Typical applications include:

while preventing any inbound communications to the OT network.


Firewall vs Data Diode

Feature Firewall Unidirectional Gateway
Communication Two-way (controlled) One-way only
Security Enforcement Software policies Physical hardware
Configuration Rules and policies Hardware enforced
Remote Access Can be permitted Impossible
Traffic Inspection Yes No (only one-way transfer)
Primary Purpose Network segmentation and access control Absolute network isolation
Typical Use Most enterprise and industrial networks Critical infrastructure requiring maximum protection

Key Takeaways