It is important to understand and define a list of firewall access-list rules in order to help implement an effective network segmentation strategy. Users must consider any unique requirements for their environments, as well as the list of expected ports, protocols, and services for each software component in the solution. Also, it is essential to confirm and test different use cases once network segmentation has been implemented. It is also recommended to define a baseline of expected traffic to further enhance these rules or define additional rules.
In Information Technology (IT) environments, the DMZ is used to segment between external and internal networks to prevent direct access between the two network zones. The DMZ can host publicly accessible services such as web servers. The same principle can be applied by using firewalls and technologies like proxies or VPN tunneling to help segment internal networks from untrusted networks or segments.
In Operational Technology (OT) environments, it is encouraged to implement an Industrial DMZ (IDMZ). Just like a regular DMZ, the IDMZ is used as a buffer between two different networks or zones. Specifically, the IDMZ segments the control or OT network from the enterprise or IT network, so that potentially harmful traffic does not easily propagate from the IT network into the OT network. The key consideration for implementing the IDMZ is to make sure that any and all traffic going between the IT and OT networks terminates in the IDMZ; no flow should have one endpoint in IT and the other in OT. For this reason, the IDMZ hosts services such as proxies, reverse proxies, and mirror historians that act as the intermediate endpoint for each such flow.
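The two checks described above, that no access-list rule permits a direct IT-to-OT flow bypassing the IDMZ and that observed traffic is compared against a baseline of expected flows, can be automated. The following is an added example, not code from the original page; the zone address ranges, rules, baseline and observed flows are constructed for illustration.

```python
import ipaddress

# Constructed zone map for a three-tier IT / IDMZ / OT layout (assumed addresses).
ZONES = {
    "IT":   ipaddress.ip_network("10.10.0.0/16"),
    "IDMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":   ipaddress.ip_network("10.30.0.0/16"),
}

def zone_of(addr):
    """Map an IP address to its zone name, or 'UNKNOWN' if it is in no zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"

def idmz_violations(rules):
    """Return permit rules whose endpoints are IT and OT directly (bypassing the IDMZ).

    Each rule is (src, dst, proto, port, action). Deny rules are ignored because
    they do not open a path; only permits that cross IT<->OT without terminating
    in the IDMZ break the policy.
    """
    bad = []
    for src, dst, proto, port, action in rules:
        if action == "permit" and {zone_of(src), zone_of(dst)} == {"IT", "OT"}:
            bad.append((src, dst, proto, port))
    return bad

def unexpected_flows(flows, baseline):
    """Return observed flows whose (src zone, dst zone, proto, port) is not baselined."""
    return [f for f in flows
            if (zone_of(f[0]), zone_of(f[1]), f[2], f[3]) not in baseline]

# Constructed access list: one rule wrongly allows IT -> OT SSH directly.
RULES = [
    ("10.10.5.20", "10.20.0.10", "tcp", 443, "permit"),   # IT client -> IDMZ reverse proxy
    ("10.20.0.10", "10.30.1.5", "tcp", 443, "permit"),    # IDMZ reverse proxy -> OT web server
    ("10.10.5.21", "10.30.1.5", "tcp", 22, "permit"),     # IT -> OT directly: violation
    ("10.30.1.5", "10.10.5.20", "tcp", 1433, "deny"),     # explicit deny: not a path
]

# Constructed baseline of expected zone-to-zone flows, e.g. OT historian -> IDMZ mirror historian.
BASELINE = {("IT", "IDMZ", "tcp", 443), ("IDMZ", "OT", "tcp", 443), ("OT", "IDMZ", "tcp", 1433)}

# Constructed observed flows (src, dst, proto, port); the SMB flow is not in the baseline.
FLOWS = [
    ("10.10.5.20", "10.20.0.10", "tcp", 443),
    ("10.30.1.9", "10.20.0.20", "tcp", 1433),
    ("10.30.1.9", "10.20.0.20", "tcp", 445),
]
```

Running `idmz_violations(RULES)` flags the direct IT-to-OT SSH permit, and `unexpected_flows(FLOWS, BASELINE)` flags the unbaselined SMB flow as a candidate for investigation or an additional rule.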