
Firewall and DMZ for SCADA in SCADA systems - Step-by-Step Execution

Process Flow - Firewall and DMZ for SCADA
External Network -> Firewall: Block/Allow Rules -> DMZ Zone: Isolated Network -> SCADA Network: Protected Systems -> Internal SCADA Devices & Controllers
Data flows from outside through the firewall, which filters traffic, then enters the DMZ, an isolated zone, before reaching the protected SCADA network.
Execution Sample
firewall-cmd --zone=dmz --add-source=192.168.1.0/24
firewall-cmd --zone=dmz --add-port=502/tcp
firewall-cmd --zone=dmz --add-rich-rule='rule family=ipv4 source address=10.0.0.5 accept'
firewall-cmd --zone=public --remove-source=192.168.1.0/24
Commands to configure firewall zones and rules to isolate SCADA traffic in the DMZ.
Process Table
| Step | Command | Action | Result | System State |
|---|---|---|---|---|
| 1 | firewall-cmd --zone=dmz --add-source=192.168.1.0/24 | Add source network to DMZ zone | Success | DMZ zone includes 192.168.1.0/24 |
| 2 | firewall-cmd --zone=dmz --add-port=502/tcp | Allow Modbus TCP port in DMZ | Success | Port 502/tcp open in DMZ |
| 3 | firewall-cmd --zone=dmz --add-rich-rule='rule family=ipv4 source address=10.0.0.5 accept' | Allow specific SCADA device IP | Success | 10.0.0.5 allowed in DMZ |
| 4 | firewall-cmd --zone=public --remove-source=192.168.1.0/24 | Remove source from public zone | Success | 192.168.1.0/24 removed from public zone |
| 5 | Traffic from 192.168.1.10 to port 502 | Check firewall rules | Allowed | Traffic passes through DMZ to SCADA |
| 6 | Traffic from 10.0.0.6 to port 502 | Check firewall rules | Blocked | Traffic blocked by firewall |
| 7 | Traffic from external network to SCADA | Check firewall rules | Blocked | External traffic blocked unless allowed |
| 8 | End | No more commands | N/A | Firewall and DMZ configured correctly |
💡 All firewall rules applied; traffic filtered according to DMZ and SCADA protection policies.
Status Tracker
| Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | Final |
|---|---|---|---|---|---|---|
| DMZ Sources | [] | [192.168.1.0/24] | [192.168.1.0/24] | [192.168.1.0/24] | [192.168.1.0/24] | [192.168.1.0/24] |
| DMZ Open Ports | [] | [] | [502/tcp] | [502/tcp] | [502/tcp] | [502/tcp] |
| DMZ Allowed IPs | [] | [] | [] | [10.0.0.5] | [10.0.0.5] | [10.0.0.5] |
| Public Sources | [192.168.1.0/24] | [192.168.1.0/24] | [192.168.1.0/24] | [192.168.1.0/24] | [] | [] |
Key Moments - 3 Insights
Q: Why do we remove the source network from the public zone after adding it to the DMZ?
A: Because a source network can only belong to one zone at a time. Removing it from public ensures traffic is filtered by DMZ rules, as shown in step 4 of the Process Table.
Q: Why is traffic from 10.0.0.6 blocked even though port 502 is open in the DMZ?
A: Because only the IP 10.0.0.5 is explicitly allowed by the rich rule in step 3. Other IPs such as 10.0.0.6 are blocked, as seen in step 6.
Q: What is the purpose of the DMZ in SCADA network security?
A: The DMZ isolates SCADA systems from external networks, filtering traffic through firewall rules before it reaches sensitive devices, as shown in the Process Flow and the Process Table steps.
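The following is an added illustration, not code from the original page or from the firewalld project: a small Python model of how firewalld decides which zone a packet belongs to and whether it is accepted. It replays the four commands from the Execution Sample and the traffic checks of steps 5 to 7 in the Process Table. Everything not on the page is an assumption: "public" is the default zone, no network interface is bound to the dmz zone, the public zone starts without a source binding (firewalld refuses to bind a source that is already bound to another zone, reporting ZONE_CONFLICT, which is the reason behind Key Moment 1), and the external address 203.0.113.7 is a constructed sample value.

```python
"""Toy model of firewalld zone dispatch (added illustration, not firewalld code).

Replays the Execution Sample commands and the Process Table traffic checks.
Assumptions not taken from the page: 'public' is the default zone, no interface
is bound to dmz, public starts with no source binding, and 203.0.113.7 is a
constructed external test address.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    sources: set = field(default_factory=set)        # networks bound with --add-source
    ports: set = field(default_factory=set)          # (port, proto) opened with --add-port
    rich_accept: list = field(default_factory=list)  # (network, port-or-None, proto) accept rules


class Firewall:
    def __init__(self, default_zone="public"):
        self.default_zone = default_zone
        self.zones = {"public": Zone(), "dmz": Zone()}

    def add_source(self, zone, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        # firewalld refuses a source that is already bound elsewhere (ZONE_CONFLICT),
        # so a source belongs to exactly one zone at a time
        for name, z in self.zones.items():
            if name != zone and net in z.sources:
                raise ValueError(f"ZONE_CONFLICT: {cidr} already bound to {name}")
        self.zones[zone].sources.add(net)

    def remove_source(self, zone, cidr):
        self.zones[zone].sources.discard(ipaddress.ip_network(cidr, strict=False))

    def add_port(self, zone, port_proto):
        port, proto = port_proto.split("/")
        self.zones[zone].ports.add((int(port), proto))

    def add_rich_accept(self, zone, source, port=None, proto="tcp"):
        # models: rule family=ipv4 source address=<source> [port port=<port> protocol=<proto>] accept
        # port=None models the page's rule, which names no port and so accepts every port
        net = ipaddress.ip_network(source, strict=False)
        self.zones[zone].rich_accept.append((net, port, proto))

    def dispatch(self, src):
        """Zone selection: the most specific source binding wins, else the default zone."""
        ip = ipaddress.ip_address(src)
        best, best_len = self.default_zone, -1
        for name, z in self.zones.items():
            for net in z.sources:
                if ip in net and net.prefixlen > best_len:
                    best, best_len = name, net.prefixlen
        return best

    def verdict(self, src, port, proto="tcp"):
        """Return (zone, 'allowed' | 'blocked') for a packet from src to port/proto."""
        zone = self.dispatch(src)
        z = self.zones[zone]
        ip = ipaddress.ip_address(src)
        # rich rules live inside their zone's chain, so they are only consulted
        # for traffic that was dispatched into that zone
        for net, rport, rproto in z.rich_accept:
            if ip in net and (rport is None or (rport, rproto) == (port, proto)):
                return zone, "allowed"
        if (port, proto) in z.ports:
            return zone, "allowed"
        return zone, "blocked"  # zone default target (reject/drop)


def replay_page_steps():
    """Apply steps 1-4 of the Process Table in the page's order."""
    fw = Firewall()
    fw.add_source("dmz", "192.168.1.0/24")        # step 1
    fw.add_port("dmz", "502/tcp")                 # step 2
    fw.add_rich_accept("dmz", "10.0.0.5")         # step 3
    fw.remove_source("public", "192.168.1.0/24")  # step 4
    return fw


def traffic_checks(fw):
    """Steps 5-7 of the Process Table plus the 10.0.0.5 case, keyed by source."""
    return {src: fw.verdict(src, 502)
            for src in ("192.168.1.10", "10.0.0.6", "203.0.113.7", "10.0.0.5")}


if __name__ == "__main__":
    fw = replay_page_steps()
    for src, (zone, result) in traffic_checks(fw).items():
        print(f"{src:>14} -> zone {zone:<6} {result}")
    # 10.0.0.5 only reaches the dmz rich rule once it is dispatched into dmz
    fw.add_source("dmz", "10.0.0.5/32")
    print("after binding 10.0.0.5 to dmz:", fw.verdict("10.0.0.5", 502))
```

Two checks a practitioner would run on a real host follow from the model. First, a rich rule is evaluated inside its zone, so the step 3 rule for 10.0.0.5 only takes effect once traffic from 10.0.0.5 is dispatched into dmz (by a source or interface binding); in the model it stays in the default zone and is blocked until `add_source("dmz", "10.0.0.5/32")` is applied. Second, the page's rich rule names no port, so it accepts every port from 10.0.0.5; passing `port=502` to `add_rich_accept` models the scoped form `port port=502 protocol=tcp` in the rule, which limits the host to Modbus TCP. Separately, the page's firewall-cmd commands are runtime-only (no --permanent), so they are lost on reload or reboot unless saved.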
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table at step 3. Which IP address is allowed explicitly in the DMZ?
A. 192.168.1.10
B. 10.0.0.5
C. 10.0.0.6
D. 192.168.1.0/24
💡 Hint
Check the 'Command' and 'Result' columns at step 3 in the Process Table.
At which step does the source network 192.168.1.0/24 get removed from the public zone?
A. Step 1
B. Step 2
C. Step 4
D. Step 5
💡 Hint
Look for the command that removes the source from the public zone in the Process Table.
If we add 10.0.0.6 to the allowed IPs in the DMZ, what will happen to traffic from 10.0.0.6 at step 6?
A. It will be allowed
B. It will still be blocked
C. It will be redirected
D. It will cause an error
💡 Hint
Refer to the Status Tracker row for DMZ Allowed IPs and to step 6 of the Process Table.
Concept Snapshot
Firewall and DMZ for SCADA:
- Firewall filters traffic between external and SCADA networks.
- DMZ is an isolated zone for controlled access.
- Add source IPs and ports to DMZ zone.
- Remove sources from public zone to avoid conflicts.
- Only allowed IPs can access SCADA services through DMZ.
Full Transcript
This visual execution shows how a firewall and DMZ protect SCADA systems. Traffic from external networks first hits the firewall, which filters it based on rules. The DMZ acts as a buffer zone isolating SCADA devices. Commands add source IP ranges and ports to the DMZ zone and remove them from the public zone to avoid overlap. Specific SCADA device IPs are allowed explicitly. Traffic tests show allowed and blocked connections based on these rules. Variables track the state of sources, ports, and allowed IPs in each zone. Key moments clarify why sources must be removed from public when added to DMZ, why only allowed IPs pass, and the DMZ's role in security. Quizzes test understanding of IP allowances, zone changes, and traffic outcomes. This step-by-step trace helps beginners see how firewall and DMZ configurations protect SCADA networks.