Re: [fw-wiz] SCADA

On Tue, Apr 14, 2009 at 10:47 AM, Kaas, David D <David_D_Kaas@xxxxxx> wrote:

We have a few SCADA and process control networks firewalled from our corporate network which is connected to the Internet. Our policy has been to lock these down to a few specific IP addresses and secure ports and only to/from our corporate network. We have some owners of these networks that would like the firewalls to be more open. Their initial requests are to be able to manage these networks from the Internet (from home), to be able to retrieve Microsoft patches and virus signatures and to do MS file sharing to our corporate network. We currently have these services (patching and virus signatures) available on the corporate network but they believe it would be easier and simpler to retrieve them separately.

How do you answer this without just saying NO?

Thank you,


You just say no. Their MS updates aren't important. If it's truly
segregated from the corporate network, their machines do not need
antivirus. A SCADA network should not even connect to your corporate
network for ANYTHING - or vice versa. We have a data logger system
that needs to be able to talk to both networks, it's in a DMZ with TWO
firewalls between the corporate network and the control network.
Traffic is not allowed to pass between networks, ONLY to and from that
system and only on the designated ports for the data logging
application (which isn't the same on both networks).

With the latest news of China breaching our power (SCADA) networks you
would think people wouldn't be so stupid as to ask for this kind of

firewall-wizards mailing list
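The two-firewall DMZ the reply describes (a data logger that is the only host allowed to talk to either side, on a different designated port per network) is easy to get wrong when someone later "opens up" a rule. The following is an added example, not code from the thread or from any poster: a small Python model of that design that evaluates candidate flows against both rule sets with default deny, so a ruleset change can be checked against the segregation requirement before it is deployed. All addresses, the 10.x networks, the logger host, and the port numbers 5001 and 20000 are constructed for illustration and are not taken from the thread.

```python
# Added example (not from the original thread): a model of a two-firewall DMZ
# that keeps a corporate network and a control (SCADA) network apart, with a
# single data-logger host in the DMZ as the only permitted endpoint.
# Networks, the logger address and both port numbers are constructed values.
import ipaddress
from dataclasses import dataclass

CORPORATE  = ipaddress.ip_network("10.10.0.0/16")   # constructed
DMZ        = ipaddress.ip_network("10.20.0.0/24")   # constructed
CONTROL    = ipaddress.ip_network("10.30.0.0/24")   # constructed
DATALOGGER = ipaddress.ip_address("10.20.0.5")      # constructed: the DMZ host
LOG_PORT_CORP = 5001    # constructed: logger port used on the corporate side
LOG_PORT_CTRL = 20000   # constructed: a different port on the control side


@dataclass(frozen=True)
class Rule:
    """One permit rule: anything not matched by a rule is dropped."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int


def host(addr):
    """/32 network for a single host, so it can be used as a rule endpoint."""
    return ipaddress.ip_network(f"{addr}/32")


# Firewall 1 sits between corporate and the DMZ: only the logger, only its corporate-side port.
FW1 = [
    Rule(CORPORATE, host(DATALOGGER), "tcp", LOG_PORT_CORP),
    Rule(host(DATALOGGER), CORPORATE, "tcp", LOG_PORT_CORP),
]
# Firewall 2 sits between the DMZ and control: only the logger, only its control-side port.
FW2 = [
    Rule(host(DATALOGGER), CONTROL, "tcp", LOG_PORT_CTRL),
    Rule(CONTROL, host(DATALOGGER), "tcp", LOG_PORT_CTRL),
]

# Zones in path order; the firewall between zone i and zone i+1 is FIREWALLS[i].
ZONES = [CORPORATE, DMZ, CONTROL]
FIREWALLS = [FW1, FW2]


def zone_index(addr):
    """Index of the zone an address belongs to, or None for anything else (e.g. the Internet)."""
    ip = ipaddress.ip_address(addr)
    for i, net in enumerate(ZONES):
        if ip in net:
            return i
    return None


def firewall_permits(rules, src, dst, proto, dport):
    """True if at least one permit rule in this firewall matches the flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in r.src and d in r.dst and r.proto == proto and r.dport == dport
               for r in rules)


def allowed(src, dst, proto, dport):
    """Default deny: a flow passes only if every firewall on its path permits it.

    Traffic from outside the three zones (home, Internet) has no path and is dropped.
    """
    zs, zd = zone_index(src), zone_index(dst)
    if zs is None or zd is None:
        return False
    lo, hi = sorted((zs, zd))
    path = FIREWALLS[lo:hi]          # corporate<->control crosses both firewalls
    return all(firewall_permits(fw, src, dst, proto, dport) for fw in path)


def direct_ports_open(src, dst):
    """Audit helper: every TCP/UDP port on which src can reach dst directly.

    For a corporate host and a control host this should be empty.
    """
    return sorted({p for proto in ("tcp", "udp") for p in range(1, 65536)
                   if allowed(src, dst, proto, p)})


if __name__ == "__main__":
    print("corp -> logger 5001 :", allowed("10.10.1.7", "10.20.0.5", "tcp", 5001))
    print("logger -> control   :", allowed("10.20.0.5", "10.30.0.9", "tcp", 20000))
    print("corp -> control SMB :", allowed("10.10.1.7", "10.30.0.9", "tcp", 445))
    print("home -> control RDP :", allowed("203.0.113.9", "10.30.0.9", "tcp", 3389))
    print("direct corp->control ports:", direct_ports_open("10.10.1.7", "10.30.0.9"))
```

The point of modelling both firewalls rather than one is the last check: even though FW1 and FW2 each permit the logger port, no combination of their rules lets a corporate host reach a control host directly, because FW1 only permits the logger as a destination and FW2 only permits it as a source. Running the same audit after a proposed rule change (for example adding SMB or a remote-management port) shows immediately whether the change reopens a direct path.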
