mGuard OPC Inspector0 pages

protecting industrial networks

The intelligent protection for OPC Classic

OPC Classic and firewalls

Deep packet inspection for OPC Classic

OPC is one of the most widely accepted standards to

During the deep packet inspection process, the mGuard

meet the demands of universal data access in the world

literally looks deep into the transmitted data packets be-

of industrial automation. Originally developed as OLE for

fore analyzing and modifying these as necessary. Various

Process Control, it is now usually referred to as OPC

options can be configured, such as whether only OPC

Classic.

packets may be transmitted via the OPC Classic Port
135. The TCP ports negotiated within the first open connection are also reliably detected and opened for OPC
packets. If no OPC packets are transmitted via these
ports within a configurable timeout, they are closed
again. And certainly, granular firewall rules can be used
to precisely define which clients can communicate with
which servers via OPC. This connection tracking enables
the highest level of security!
Defense in Depth
Attackers use various means to obtain access to production facilities. Stuxnet has shown, for example, that attacks by means of compromised USB sticks are also
possible from within the system itself. This is remedied

OPC Classic is supported by a wide range of industrial

through the implementation of the “Defense in Depth”

and business applications, such as HMI workstations,

concept, based on ISA-99. This concept relies on the

PLCs and process control systems, but also by corporate

network segmentation of systems, along with the decen-

databases and other business-oriented systems.

tralized protection of these individual segments. With the
mGuard OPC Inspector, this concept can now be imple-

The basic concept of OPC Classic (i.e. not using fixed

mented in systems in which OPC Classic is used.

TCP port numbers, but instead negotiating new port
numbers within the first open connection) means that

Segmentation through NAT

intermediary firewalls can only be used with wide-open

And for an individual segmentation of OPC-based net-

gates, meaning they have virtually no effect. In addition,

works, the mGuard OPC Inspector’s intelligent deep

the communicated client and server IP addresses within

packet inspection even allows the use of NAT procedures

the OPC connection entail that conventional NAT (net-

such as masquerading or 1:1 NAT – a world first.

work address translation) routing cannot be used. The
mGuard OPC Inspector counters this problem by using
deep packet inspection for OPC Classic.