Network security devices control and monitor network traffic to protect systems from unauthorized access,
cyberattacks, and malicious communications. Selecting the correct device depends on the security objective,
network architecture, performance requirements, and operational constraints.
Figure – Network security devices used to control, monitor, and protect industrial network communications.
Device Selection
Choosing the correct security device is a critical design decision.
Not every connection requires a firewall—a managed switch, router ACL, or other network control may be
sufficient depending on the required level of security.
Firewalls
A firewall is a hardware or software device that regulates communication between two connected networks by
inspecting and filtering traffic according to predefined security rules.
Firewalls:
Act as gatekeepers between network segments
Define and enforce security boundaries between zones
Permit or deny traffic based on configured policies
Monitor network communications
Reduce unauthorized access and cyberattack risk
Typical examples include separating:
Enterprise Zone ↔ Industrial Control Zone
DMZ ↔ Control Network
Remote Access ↔ Control Systems
Firewalls may be:
Software running on a computer
Dedicated hardware appliances
Hardware Firewalls
A hardware firewall is a dedicated appliance installed at the network perimeter or between network zones.
Unlike software firewalls, hardware firewalls:
Protect entire networks rather than individual computers
Filter all inbound and outbound traffic
Act as the network gateway
Operate independently of endpoint devices
They are commonly used to protect:
PLCs
SCADA systems
DCS controllers
RTUs
Industrial servers
Traffic is evaluated against configured security policies to determine whether communication is allowed or denied.
Firewall Classes
1. Packet Filtering Firewall
The simplest firewall type.
Operation
Inspects only packet headers, including:
Source IP
Destination IP
Port numbers
Protocol
Direction
Filtering decisions are based on Access Control Lists (ACLs).
Advantages
Very fast
Low cost
Minimal processing overhead
Limitations
Cannot inspect application data
Limited visibility into attacks
Header information only
2. Stateful Inspection Firewall
Stateful firewalls monitor active communication sessions rather than individual packets.
Operation
Tracks:
Connection state
Session history
Packet sequence
Relationship between packets
Traffic is only permitted if it belongs to a valid established session.
Examples include:
Cisco ASA
Tofino
Check Point Firewall-1
Advantages
Better security than packet filtering
Flexible rule enforcement
Relatively fast
Limitations
Higher resource usage
Established sessions may be exploited if compromised
3. Application Proxy Firewall
Acts as an intermediary between communicating devices.
Operation
Terminates the client connection
Inspects application traffic
Creates a new connection to the destination
Can inspect application-specific information such as:
HTTP requests
FTP commands
Email traffic
Advantages
Strong application-layer security
Detailed filtering
Limitations
Increased latency
More processing overhead
4. Deep Packet Inspection (DPI) Firewall
Provides the highest level of inspection.
Operation
Examines:
Packet headers
Packet payloads
Application commands
Files
Protocol-specific messages
Can identify:
Malware signatures
Policy violations
Industrial protocol commands
Application-specific traffic
Advantages
Advanced threat detection
Granular traffic control
Excellent visibility
Limitations
Resource intensive
Higher complexity
Increased latency
Firewall Policies
A firewall's effectiveness depends far more on its configuration than its installation.
Good firewall policies should:
Allow only required communications
Block unnecessary ports and protocols
Follow the Principle of Least Privilege
Be documented
Be regularly reviewed and updated
Match operational and security requirements
Poorly configured firewalls provide little real protection, regardless of the hardware used.
IACS Firewalls
Industrial Automation and Control System (IACS) firewalls are purpose-built for Operational Technology (OT)
environments.
They are designed to protect industrial devices that often have limited built-in cybersecurity capabilities.
Typical protected devices include:
PLCs
RTUs
DCS controllers
HMIs
Industrial servers
Key Features
Industrial Design
Built to withstand:
Dust
Vibration
Electrical noise
Extreme temperatures
Suitable for installation in industrial control panels and field environments.
Control System Friendly
Designed for automation personnel with features such as:
DIN rail mounting
Simple configuration
Easy wiring
Reduced dependence on IT specialists
Industrial Protocol Awareness
Supports Deep Packet Inspection (DPI) for industrial protocols including:
Modbus
DNP3
IEC 61850
EtherNet/IP
PROFINET
This allows filtering based on industrial commands rather than only IP addresses and ports.
Advanced Security Functions
Often include:
Logging
Security alerts
Intrusion detection
Zone-based segmentation
Fail-safe operation
Centralised management
Unidirectional Gateways (Data Diodes)
A unidirectional gateway (also called a data diode) is a hardware-enforced security device that physically
allows communication in only one direction.
Unlike a firewall, this protection is enforced by hardware rather than software configuration.
Operation
Data flows:
Source Network → Destination Network
There is no physical return path.
This prevents:
Remote access
Command injection
Malware propagation
External network attacks
Because many network protocols require two-way communication (e.g., TCP's SYN → SYN-ACK → ACK handshake),
unidirectional gateways emulate this behaviour to support one-way data transfer.
Typical Uses
Unidirectional gateways are commonly deployed in:
Critical infrastructure
Nuclear facilities
Defence systems
Utilities
High-security industrial environments
Typical applications include:
Sending historian data to IT systems
Operational monitoring
Performance reporting
Regulatory reporting
while preventing any inbound communications to the OT network.
Firewall vs Data Diode
Feature
Firewall
Unidirectional Gateway
Communication
Two-way (controlled)
One-way only
Security Enforcement
Software policies
Physical hardware
Configuration
Rules and policies
Hardware enforced
Remote Access
Can be permitted
Impossible
Traffic Inspection
Yes
No (only one-way transfer)
Primary Purpose
Network segmentation and access control
Absolute network isolation
Typical Use
Most enterprise and industrial networks
Critical infrastructure requiring maximum protection
Key Takeaways
Network security devices protect systems by controlling and monitoring network communications.
Device selection should consider network architecture, security requirements, performance, and operational constraints.
Firewalls enforce security boundaries through configurable traffic filtering rules.
Firewall types include Packet Filtering, Stateful Inspection, Application Proxy, and Deep Packet Inspection (DPI), each offering increasing levels of inspection and security.
Effective firewall protection depends on well-designed, maintained security policies.
IACS firewalls are purpose-built for industrial environments, supporting harsh conditions and industrial protocols.
Unidirectional gateways (data diodes) provide the highest level of network isolation by physically enforcing one-way communication, eliminating the possibility of inbound network attacks.