Eyal Rashelbach

SCADA protocols DPI Visibility and Enforcement

Discussion created by Eyal Rashelbach Employee on Jul 19, 2017
Latest reply on May 21, 2018 by Dameon Welch Abernathy

There is some confusion about our SCADA support definitions:

  • What is DPI (Deep Packet/Protocol Inspection)?
  • Which protocols are supported at the DPI level?
  • What are our enforcement capabilities with regard to DPI?

So, let’s use the following update from R&D to bring some order to this recurring question.

We have 3 levels of protocol support in the Application Control blade:

  • 1st level - Protocol identification: we identify over 15 different protocols.
  • 2nd level - Function (command) level: an up-to-date list may be found at appwiki.checkpoint.com; currently 918 commands are supported across more than 15 different protocols.
  • 3rd level - Deep Protocol Inspection: the ability to identify parameters within the commands, such as values and addresses. This level is not visible in appwiki.checkpoint.com, so the tables below give the current status.

All 4 protocols below are identified at all 3 levels:

Protocol   Ability to identify protocol   Ability to identify commands within protocol   Ability to identify parameters within protocol
--------   ----------------------------   --------------------------------------------   ----------------------------------------------
Modbus     YES                            YES                                            YES
IEC104     YES                            YES                                            YES
DNP3       YES                            YES                                            YES
CIP        YES                            YES                                            YES

As you can see below, the ability to log detailed information (addresses and values) and provide high visibility at the DPI level does not equal our ability to enforce policies based on all of those details. Note the differences between the following two tables:

Ability to log:

Protocol   Unit ID   Function   Address   Group   Value
--------   -------   --------   -------   -----   ----------------------
Modbus     V         V          V                 V (only for registers)
IEC104     V         V          V                 V
DNP3                 V          V         V       V
CIP        V         V          V                 V

Ability to enforce:

Protocol   Unit ID   Function   Address   Group   Value
--------   -------   --------   -------   -----   ----------------------
Modbus     V         V          V                 V (only for registers)
IEC104     V         V          V                 V
DNP3                 V          V         V
CIP        V         V          V

SCADA Set-Up and Troubleshooting

  1. Follow the installation instructions from the Release Notes at SK106020:

    For the Management side:

    • Install R77.30
    • Install the R77.30 add-on
    • Update the Deployment Agent
    • Install CFG jumbo hotfix take 225
    • Install the SCADA hotfix
    • If managing 1200R, also install the BC package

    For the Gateway side:

    • Install R77.30
    • Update the Deployment Agent
    • Install CFG jumbo hotfix take 225
    • Install the SCADA hotfix

  2. Install SmartConsole from the Release Notes at SK106020.
    Installing it allows the administrator to create custom SCADA applications for the relevant protocols.

  3. Rulebase: make sure “complete log” is the selected tracking option.

  4. Application Control blade: SCADA runs as an application, so make sure the blade is checked under Gateway properties.

  5. For each protocol you wish to apply Deep Packet Inspection (DPI) to, you first need to create a custom SCADA application for that protocol and then create a rule with “complete log” tracking.

Feel free to ask any questions you might have.

Thanks to Mati Epstein for this elaboration.
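The following Python script is an added illustration of the three visibility levels and of the log-versus-enforce distinction described above; it is not part of the original post and not Check Point code. It dissects constructed Modbus/TCP request frames into the same fields the tables use for Modbus (Unit ID, Function, Address, Value, with values recorded only for register writes) and then applies a constructed first-match policy to them. The frames, the rule format and the function names are all assumptions made for this demo.

```python
"""Toy Modbus/TCP DPI: added example, not Check Point code.

Shows the three visibility levels from the post (protocol, command,
parameters) and first-match enforcement on the Modbus fields the
tables list (Unit ID, Function, Address, Value for register writes).
All frames and rules below are constructed for the demo."""
import struct

# Public Modbus function codes the toy dissector understands.
READ_FUNCS = {1: "READ_COILS", 2: "READ_DISCRETE_INPUTS",
              3: "READ_HOLDING_REGISTERS", 4: "READ_INPUT_REGISTERS"}
WRITE_FUNCS = {5: "WRITE_SINGLE_COIL", 6: "WRITE_SINGLE_REGISTER",
               15: "WRITE_MULTIPLE_COILS", 16: "WRITE_MULTIPLE_REGISTERS"}


def dissect_modbus_tcp(frame: bytes):
    """Return the DPI fields of a Modbus/TCP request, or None if the frame
    is not Modbus/TCP (level 1 fails).  Level 2 is the function code;
    level 3 is the start address and, for register writes, the value(s)."""
    if len(frame) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    # MBAP header: protocol identifier is always 0, length covers unit id + PDU.
    if proto_id != 0 or length != len(frame) - 6:
        return None
    fc, data = frame[7], frame[8:]
    rec = {"protocol": "Modbus", "unit_id": unit_id, "function_code": fc,
           "function": READ_FUNCS.get(fc) or WRITE_FUNCS.get(fc) or "UNKNOWN",
           "address": None, "value": None}
    if (fc in READ_FUNCS or fc in WRITE_FUNCS) and len(data) >= 4:
        rec["address"] = struct.unpack(">H", data[:2])[0]
        if fc == 6:                                   # single register value
            rec["value"] = struct.unpack(">H", data[2:4])[0]
        elif fc == 16:                                # multiple register values
            qty = struct.unpack(">H", data[2:4])[0]
            count = data[4] if len(data) > 4 else 0
            if count == 2 * qty and len(data) == 5 + count:
                rec["value"] = list(struct.unpack(">%dH" % qty, data[5:]))
    return rec


def evaluate(rec, rules):
    """First-match evaluation on the enforceable fields; default drop."""
    if rec is None:
        return "drop"              # not identified as Modbus: no SCADA rule matches
    for rule in rules:
        if "unit_id" in rule and rec["unit_id"] != rule["unit_id"]:
            continue
        if "functions" in rule and rec["function_code"] not in rule["functions"]:
            continue
        if "address_range" in rule:
            lo, hi = rule["address_range"]
            if rec["address"] is None or not lo <= rec["address"] <= hi:
                continue
        if "value_max" in rule and rec["value"] is not None:
            values = rec["value"] if isinstance(rec["value"], list) else [rec["value"]]
            if max(values) > rule["value_max"]:
                continue
        return rule["action"]
    return "drop"


# Constructed policy: unit 1 may be read anywhere; register writes to unit 1
# are allowed only for addresses 100-199 and values up to 300.
RULES = [
    {"unit_id": 1, "functions": set(READ_FUNCS), "action": "accept"},
    {"unit_id": 1, "functions": {6, 16}, "address_range": (100, 199),
     "value_max": 300, "action": "accept"},
]

# Constructed frames (MBAP header + PDU), written in hex for readability.
FRAMES = {
    "read_hr_unit1":     bytes.fromhex("0001 0000 0006 01 03 0000 000a"),
    "write_sr_ok":       bytes.fromhex("0002 0000 0006 01 06 0064 00fa"),  # addr 100, value 250
    "write_sr_too_high": bytes.fromhex("0003 0000 0006 01 06 0064 01f4"),  # addr 100, value 500
    "write_mr_ok":       bytes.fromhex("0004 0000 000b 01 10 0064 0002 04 000a 0014"),
    "write_sr_unit2":    bytes.fromhex("0005 0000 0006 02 06 0064 000a"),
    "not_modbus":        b"GET / HTTP/1.0\r\n",
}


def verdicts():
    """Map each constructed frame name to (dissected record, enforcement verdict)."""
    return {name: (dissect_modbus_tcp(f), evaluate(dissect_modbus_tcp(f), RULES))
            for name, f in FRAMES.items()}


if __name__ == "__main__":
    for name, (rec, verdict) in verdicts().items():
        print(f"{name:18s} -> {verdict:6s} {rec}")
```

Running the script prints the verdict and the dissected fields for each frame. A non-Modbus payload fails level 1 and yields no SCADA fields at all, while the register write whose value exceeds the rule's limit is identified and fully logged yet dropped; that last case is exactly the kind of rule that only works when Value is an enforceable field, which the second table shows is the case for Modbus registers but not for DNP3 or CIP.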
