OTORIO’s OT Cyber Risk Management platform uses a dynamic plugin system to address the key challenges of securing converged OT networks. This core technological differentiator lets the platform adapt to the unique requirements of each environment without significant customization effort.
The plugin system turns OTORIO’s platform into the only OT solution flexible enough to integrate natively with a wide range of IT, OT, and security systems. Instead of waiting for a full platform release, users download individual plugins from OTORIO’s marketplace.
This is the first in a series of posts highlighting the power of OTORIO’s plugin system, one plugin at a time. This time: the Firewall Configuration Analyzer.
A firewall is a core building block of a network’s infrastructure and security.
Protecting each individual asset is often impractical in OT networks, since patching critical assets or installing third-party software on them is frequently not an option. Network segmentation is therefore an effective mitigation for many of the critical attack vectors in such networks, and a proper firewall configuration is what implements it. That configuration is a sensitive subject that requires close attention, and this is where the Firewall Configuration Analyzer comes in: it checks that the firewall configuration actually enforces the intended segmentation and suggests fixes where it finds flaws.
Once a firewall configuration has been reviewed by the Firewall Configuration Analyzer plugin, the user receives alerts about:
Image 1: Security control configuration issue
Image 2: Potential segmentation issues
Image 3: Security misconfigurations of the firewall itself
Firewall Configuration Analyzer alerts provide a clear mitigation indicating the rule and the specific firewall to address. This recommendation can be taken to the IT/networking team to further analyze and determine whether these rules and configurations are critical for the normal operation of the network or whether changes can be made in order to harden and improve the security posture.
The Firewall Configuration Analyzer can run as a one-time assessment (including fully offline) from a configuration export, or as ongoing (online) monitoring of segmentation issues through the firewalls’ APIs.
Either way, the plugin ingests a firewall configuration, parses it, and adds the resulting alerts to the management platform.
Image 4: Firewall Configuration Analyzer alerts
Due to the plugin’s flexible engine, it can be used in multiple scenarios:
| Scenario | Product | Method to ingest data |
| --- | --- | --- |
| Offline assessment | Offline spOT assessment | Manual export of the firewall policy using the user interface or firewall-specific tools |
| Online assessment | spOT assessment | Manual policy ingestion or API integration with supported appliances |
| Ongoing monitoring | RAM² | Periodic, automated API-based policy ingestion; manual ingestion is also available |
OTORIO has built a step-by-step playbook that walks security practitioners through exporting the configuration from each supported firewall vendor, so that the export is performed safely and reliably and the plugin receives a complete policy to analyze.
The list of supported firewalls is current as of the date this article was written, and several versions of each are supported: Cisco (ASA, FTD, Meraki), Check Point, Hirschmann, Fortinet, Juniper, mGuard, Palo Alto (including Panorama exports), SonicWall and Sophos.
Image 5: Plugin configuration interface (RAM²’s edge device)
The plugin goes beyond generating alerts from the firewall configuration: it also feeds the segmentation and networking information it extracts into the Central Management’s Cyber Digital Twin.
This integration empowers advanced analysis engines such as the Attack Graph Analysis, which provides practical action items to effectively mitigate risk from realistic attack scenarios. These include potential attacks from internet-connected devices to OT devices or network propagation between different processes or areas.
Image 6: Identifying non-restricted process communication
Moreover, the Attack Graph Analysis identifies and highlights the vulnerabilities and security gaps that an attacker could actually reach and exploit in the modelled network. This reduces the effort spent on issues that are unlikely to be exploited and allows a more focused and efficient mitigation approach.
Image 7: Example of an attack vector
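As an added illustration of the two mechanisms described above, the alerts produced from a parsed configuration (security misconfigurations of the firewall itself and segmentation issues) and the attack-graph reachability from an internet-facing zone to the OT zone, here is a small Python analyzer. It is example code written for this post, not OTORIO’s code and not how the plugin works internally. It runs over a constructed, simplified Cisco ASA-style export; the zone ranges, interface names and the object-group name OT_PLC are assumptions made for the illustration.

```python
# Added example (not OTORIO's code, not the plugin's implementation): a minimal offline
# analyzer for a constructed, simplified Cisco ASA-style export. Zone ranges, interface
# names and object-group names are assumptions made for the illustration.
import ipaddress
from collections import deque

ANY = ipaddress.ip_network("0.0.0.0/0")
ZONES = {  # assumed zone map (constructed): ingress interface -> networks behind it
    "outside": [ipaddress.ip_network("203.0.113.0/24")],  # stand-in for the internet
    "dmz": [ipaddress.ip_network("172.16.0.0/24")], "inside": [ipaddress.ip_network("192.168.1.0/24")],
    "ot": [ipaddress.ip_network("10.20.0.0/24")],
}
# Constructed export in a simplified subset of ASA syntax; not a real device dump.
SAMPLE_CONFIG = """\
object-group network OT_PLC
 network-object 10.20.0.0 255.255.255.0
telnet 0.0.0.0 0.0.0.0 outside
ssh 192.168.1.0 255.255.255.0 inside
access-list OUTSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit tcp any object-group OT_PLC eq 502
access-list DMZ_IN extended permit tcp 172.16.0.0 255.255.255.0 object-group OT_PLC eq 502
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 172.16.0.0 255.255.255.0 eq 443
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface dmz
access-group INSIDE_IN in interface inside
"""
# Same export after the two internet-facing permits are replaced by one HTTPS permit to the DMZ.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list OUTSIDE_IN extended permit ip any any\n"
    "access-list OUTSIDE_IN extended permit tcp any object-group OT_PLC eq 502\n",
    "access-list OUTSIDE_IN extended permit tcp any 172.16.0.0 255.255.255.0 eq 443\n")

def _net(ip, mask):
    return ANY if mask == "0.0.0.0" else ipaddress.ip_network(f"{ip}/{mask}")

def _addr(tok, i, groups):
    """Consume one ASA address spec at tok[i]; return (list of networks, next index)."""
    if tok[i] == "any":
        return [ANY], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    return [_net(tok[i], tok[i + 1])], i + 2  # "NETWORK MASK" form

def parse_config(text):
    """Parse object-groups, extended ACLs, inbound access-group bindings and management-access lines."""
    cfg = {"groups": {}, "acls": {}, "bindings": {}, "mgmt": []}
    group = None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if line.startswith(" ") and group and tok[0] == "network-object":
            cfg["groups"][group].append(_net(tok[1], tok[2]))
            continue
        group = None
        if tok[0] == "object-group" and tok[1] == "network":
            group, cfg["groups"][tok[2]] = tok[2], []
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, i = _addr(tok, 5, cfg["groups"])
            dst, i = _addr(tok, i, cfg["groups"])
            port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else "any"
            cfg["acls"].setdefault(tok[1], []).append(
                {"line": line, "action": tok[3], "proto": tok[4], "src": src, "dst": dst, "port": port})
        elif tok[0] == "access-group" and tok[2] == "in":
            cfg["bindings"][tok[4]] = tok[1]  # interface -> ACL applied inbound on it
        elif tok[0] in ("telnet", "ssh", "http"):
            cfg["mgmt"].append({"proto": tok[0], "net": _net(tok[1], tok[2]), "iface": tok[3], "line": line})
    return cfg

def _overlaps(nets_a, nets_b):
    return any(a.overlaps(b) for a in nets_a for b in nets_b)

def find_alerts(cfg):
    """Firewall self-misconfiguration alerts, then segmentation alerts for permits into the OT zone."""
    alerts = []
    for m in cfg["mgmt"]:
        if m["proto"] == "telnet":
            alerts.append(f"misconfiguration: cleartext telnet management on '{m['iface']}': {m['line']}")
        if m["net"] == ANY:
            alerts.append(f"misconfiguration: {m['proto']} management open to any source on '{m['iface']}': {m['line']}")
    for iface, acl in cfg["bindings"].items():
        for r in cfg["acls"].get(acl, []):
            # A permit into OT whose source or service is unrestricted defeats the segmentation.
            if r["action"] == "permit" and _overlaps(r["dst"], ZONES["ot"]) and (ANY in r["src"] or r["port"] == "any"):
                alerts.append(f"segmentation: unrestricted permit into OT zone via '{iface}': {r['line']}")
    return alerts

def reachable_zones(cfg, start="outside"):
    """Toy attack-graph step: BFS over zones; A -> B exists when A's inbound ACL permits a destination in B."""
    edges = {z: set() for z in ZONES}
    for iface, acl in cfg["bindings"].items():
        for r in cfg["acls"].get(acl, []):
            if r["action"] == "permit":
                edges[iface].update(z for z in ZONES if z != iface and _overlaps(r["dst"], ZONES[z]))
    paths, queue = {start: [start]}, deque([start])
    while queue:
        z = queue.popleft()
        for nxt in sorted(edges[z] - set(paths)):
            paths[nxt] = paths[z] + [nxt]
            queue.append(nxt)
    return paths  # zone -> shortest chain of permitted hops from `start`
```

On the constructed export, `find_alerts(parse_config(SAMPLE_CONFIG))` returns four alerts (two for the telnet management line, two for the unrestricted permits into the OT zone) and `reachable_zones` reports a direct one-hop path from outside to ot. After the two offending permits are replaced by a single HTTPS permit to the DMZ (`HARDENED_CONFIG`), the segmentation alerts disappear, but the reachability step still reports the two-hop path outside, dmz, ot through the DMZ host's Modbus/TCP access. That is exactly the kind of propagation path an attack-graph analysis surfaces that a rule-by-rule review does not.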
Because the plugin also supports an offline spOT assessment, its value can be demonstrated from a configuration export alone, without deploying anything in the customer’s network.
Want to give it a try, or explore and discuss it further? Reach out to me directly at [email protected].