Glossary

network firewall

A network firewall is a security device or service that monitors and controls network traffic between zones based on defined rules, often used to segment OT and IT in manufacturing.

A network firewall is a security device or service that monitors and controls network traffic between different network zones based on a defined set of rules. In industrial and manufacturing environments, it is commonly placed between corporate IT networks and OT or control networks to restrict which systems, ports, and protocols are allowed to communicate.

Network firewalls can be physical appliances, virtual appliances, or cloud-hosted services. They inspect packet headers (addresses, ports, protocol) and sometimes payloads to decide whether to allow, deny, or log specific traffic, and most are stateful: they track connection state so that only replies to connections the policy permitted are accepted in the other direction. In regulated or validated environments, firewall behavior is usually documented, change controlled, and periodically reviewed or tested.

How network firewalls are used in manufacturing and OT

  • IT/OT segmentation: Creating a controlled boundary between business systems (ERP, MES, corporate IT) and plant-floor networks (PLCs, HMIs, historians).
  • Zone and conduit control: Implementing the zone-and-conduit model of IEC 62443, for example separating safety, control, and supervisory zones and permitting only the defined conduits (specific sources, destinations, and protocols) between them.
  • Remote access control: Restricting inbound maintenance and vendor connections to jump hosts, VPN gateways, or specific OT assets.
  • Protocol filtering: Allowing only the industrial protocols a conduit requires (for example, Modbus/TCP on port 502 or OPC UA on port 4840) while blocking unnecessary or higher-risk services. Profinet is a partial exception: its real-time traffic is carried in Layer 2 Ethernet frames rather than IP, so it cannot cross a routed firewall at all; only its non-real-time setup traffic over UDP can be filtered this way, and controllers and their IO devices must share a Layer 2 segment.
  • Monitoring and logging: Recording connection attempts and policy violations for incident investigation, change tracking, and audit evidence.

In legacy or brownfield plants, network firewalls are often one of the few practical controls that can be added without modifying existing OT assets. They are usually one element in a layered architecture that also includes secure remote access, endpoint hardening, backups, and monitoring.
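As an added example, not part of the original glossary entry, the following nftables ruleset shows what the IT/OT segmentation, protocol filtering, remote-access restriction, and logging described above look like on a Linux-based boundary firewall with one interface toward IT and one toward the OT supervisory network. All interface names, addresses, and hosts (the MES server, historian, OPC UA server, jump host, and engineering workstation) are assumed for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example: a minimal IT/OT boundary ruleset. Interface names,
# addresses and hosts below are assumptions for illustration only.

flush ruleset

define IT_IF        = eth0            # toward corporate IT
define OT_IF        = eth1            # toward the OT supervisory segment
define OT_NET       = 192.168.50.0/24
define MES_SERVER   = 10.10.20.5      # IT-side MES server
define HISTORIAN    = 192.168.50.20   # OT historian that pushes data to MES
define OPCUA_SERVER = 192.168.50.30   # OT OPC UA server read by MES
define JUMP_HOST    = 10.10.5.10      # the only IT host allowed into OT for maintenance
define ENG_WS       = 192.168.50.40   # OT engineering workstation reached via RDP

table inet it_ot_boundary {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority filter; policy drop;

        # Stateful handling: replies to permitted connections are accepted,
        # so every rule below only has to describe the initiating direction.
        ct state established,related accept
        ct state invalid counter drop

        # OT -> IT: only the historian may open connections to the MES database.
        iifname $OT_IF oifname $IT_IF ip saddr $HISTORIAN ip daddr $MES_SERVER tcp dport 1433 accept

        # IT -> OT: MES may read process data from the OPC UA server only.
        iifname $IT_IF oifname $OT_IF ip saddr $MES_SERVER ip daddr $OPCUA_SERVER tcp dport 4840 accept

        # Remote maintenance: only the jump host, only to the engineering
        # workstation, only RDP. Vendors connect to the jump host, not to OT.
        iifname $IT_IF oifname $OT_IF ip saddr $JUMP_HOST ip daddr $ENG_WS tcp dport 3389 accept

        # Too broad; shown only as the anti-pattern (left disabled). Modbus/TCP has
        # no authentication, so exposing every OT device to every IT host defeats
        # the purpose of the boundary. Modbus stays inside the OT zones.
        # iifname $IT_IF oifname $OT_IF ip daddr $OT_NET tcp dport 502 accept

        # Everything else that crosses the boundary is logged, counted and dropped,
        # which gives the audit evidence and investigation trail the policy needs.
        iifname $IT_IF oifname $OT_IF log prefix "IT->OT DENY " counter drop
        iifname $OT_IF oifname $IT_IF log prefix "OT->IT DENY " counter drop
    }
}
```

Load the file with `nft -f` and verify the result with `nft list ruleset`; denied attempts appear in the kernel log with the `IT->OT DENY` or `OT->IT DENY` prefix, and the `counter` on each drop rule shows at a glance how often the policy is being tested. The design choice worth noting is that every allow rule names both endpoints and one protocol, and each conduit is one-directional: the historian can start a connection to the MES server, but nothing on the IT side can start one to the historian.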

What a network firewall is not

  • It is not a substitute for endpoint security on servers, workstations, or controllers.
  • It does not by itself validate software changes, enforce procedures, or manage user accounts across systems.
  • It is not a complete OT security architecture; effectiveness depends on network design, rule configuration, testing, and governance.

Common confusion

  • Network firewall vs. host-based firewall: A network firewall controls traffic between network segments or devices. A host-based firewall runs on an individual server or workstation and controls traffic to and from that host only.
  • Firewall vs. IPS/IDS: Traditional firewalls focus on allowing or blocking traffic based on addresses, ports, and basic protocol information. Intrusion detection or prevention systems add deeper inspection and behavioral analysis. Some next-generation firewalls combine these functions, but they are conceptually distinct.

Context: legacy and regulated environments

In legacy OT and regulated manufacturing environments, network firewalls are commonly used to limit exposure of older systems that cannot be easily patched or reconfigured. They are often combined with jump hosts for remote access and integrated into change control so that rule updates are documented, reviewed, and tested before deployment.
