mGuard OPC Inspector
protecting industrial networks
The intelligent protection for OPC Classic
OPC Classic and firewalls

OPC is one of the most widely accepted standards for meeting the demands of universal data access in the world of industrial automation. Originally developed as OLE for Process Control, it is now usually referred to as OPC Classic.

OPC Classic is supported by a wide range of industrial and business applications, such as HMI workstations, PLCs and process control systems, but also by corporate databases and other business-oriented systems.

The basic concept of OPC Classic (i.e. not using fixed TCP port numbers, but instead negotiating new port numbers within the first open connection) means that intermediary firewalls can only be used with wide-open gates, so they have virtually no effect. In addition, because the client and server IP addresses are communicated within the OPC connection itself, conventional NAT (network address translation) routing cannot be used. The mGuard OPC Inspector counters this problem by using deep packet inspection for OPC Classic.

Deep packet inspection for OPC Classic

During the deep packet inspection process, the mGuard literally looks deep into the transmitted data packets before analyzing and modifying them as necessary. Various options can be configured, such as whether only OPC packets may be transmitted via the OPC Classic port 135. The TCP ports negotiated within the first open connection are also reliably detected and opened for OPC packets. If no OPC packets are transmitted via these ports within a configurable timeout, they are closed again. Granular firewall rules can also be used to define precisely which clients may communicate with which servers via OPC. This connection tracking enables the highest level of security!

Defense in Depth

Attackers use various means to obtain access to production facilities. Stuxnet has shown, for example, that attacks by means of compromised USB sticks are also possible from within the system itself. This is remedied through the implementation of the “Defense in Depth” concept, based on ISA-99. This concept relies on the network segmentation of systems, along with the decentralized protection of these individual segments. With the mGuard OPC Inspector, this concept can now be implemented in systems in which OPC Classic is used.

Segmentation through NAT

For individual segmentation of OPC-based networks, the mGuard OPC Inspector’s intelligent deep packet inspection even allows the use of NAT procedures such as masquerading or 1:1 NAT – a world first.
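The connection tracking described under “Deep packet inspection for OPC Classic” above, as an added Python model that is not the mGuard’s own code: port 135 admits only OPC traffic between permitted client/server pairs, the dynamic port announced in that first connection is opened as a pinhole for the pair, and the pinhole closes again once no OPC packet has used it within the configured timeout. The OPC/DCE-RPC parsing itself is assumed (the `is_opc` and `announced_port` fields stand in for its result), and all addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
OPC_CLASSIC_PORT = 135  # fixed port of the first OPC Classic (DCOM) connection

@dataclass
class Packet:
    ts: float            # arrival time in seconds
    client: str          # endpoint addresses used below are constructed sample values
    server: str
    dport: int
    is_opc: bool         # assumed verdict of an OPC/DCE-RPC parser not shown here
    announced_port: "int | None" = None  # dynamic port seen in the port-135 exchange

class OpcInspector:
    def __init__(self, rules, timeout):
        self.rules = set(rules)   # permitted (client, server) pairs
        self.timeout = timeout    # configurable idle timeout in seconds
        self.pinholes = {}        # (client, server, port) -> time of last OPC packet

    def inspect(self, pkt):
        # Close negotiated ports that carried no OPC packet for longer than the timeout.
        for key, last_seen in list(self.pinholes.items()):
            if pkt.ts - last_seen > self.timeout:
                del self.pinholes[key]
        pair = (pkt.client, pkt.server)
        if pair not in self.rules:
            return "drop: no firewall rule for this client/server pair"
        if pkt.dport == OPC_CLASSIC_PORT:
            if not pkt.is_opc:
                return "drop: only OPC traffic is allowed on port 135"
            if pkt.announced_port is not None:   # open the port announced by the server
                self.pinholes[pair + (pkt.announced_port,)] = pkt.ts
            return "allow"
        key = pair + (pkt.dport,)
        if key not in self.pinholes or not pkt.is_opc:
            return "drop: port not negotiated, timed out, or carrying non-OPC traffic"
        self.pinholes[key] = pkt.ts              # OPC traffic refreshes the timeout
        return "allow"

def demo():
    fw = OpcInspector(rules=[("10.0.1.20", "10.0.2.5")], timeout=60)
    traffic = [  # constructed sample sequence; verdicts are returned in the same order
        Packet(0.0, "10.0.1.20", "10.0.2.5", 135, True, announced_port=49200),
        Packet(1.0, "10.0.1.20", "10.0.2.5", 49200, True),   # negotiated port, allowed
        Packet(2.0, "10.0.1.20", "10.0.2.5", 49300, True),   # never negotiated
        Packet(3.0, "10.0.1.20", "10.0.2.5", 135, False),    # non-OPC on port 135
        Packet(4.0, "10.0.9.9", "10.0.2.5", 135, True),      # client not in rules
        Packet(90.0, "10.0.1.20", "10.0.2.5", 49200, True),  # idle 89 s > 60 s timeout
    ]
    return [fw.inspect(p) for p in traffic]
```

Real deployments see both directions of the port-135 flow; the model keys state on the client/server pair so the reply that carries the announced port and the client's later connection to it land on the same entry.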