Documentation · 05
Annex D - Firewall config register
Annex D: firewall configuration register, conduit-by-conduit rules, change control.
Annex D — Mutual Firewall Configuration Register
Referenced by MSA § 4.6 and § 8.3. Both sides disclose firewall configuration; each side administers its own. This annex is the shared register of what each side has agreed to enforce. Changes require pre-commit notification under § 8.3.
Two firewalls, not one
A common misreading is that the “IT/Manufacturing Operations firewall” is one device with two interfaces. It is not. Per MSA § 4.2 and § 4.6:
- Manufacturing Operations Firewall — administered by MO, lives between the One Big Switch and the IT layer-3 switch on the MO side of the boundary.
- IT Firewall — administered by IT, lives on the IT layer-3 switch facing MO downlinks.
Each side configures its own. Neither side touches the other’s. The register below records what each side has committed to enforce, so the other side can plan against it.
Baseline ruleset — Manufacturing Operations Firewall (per MO network)
Inbound from IT side, default deny. Explicit allows only:
| # | Direction | Source | Destination | Protocol | Port | Purpose |
|---|---|---|---|---|---|---|
| 1 | IT → MO | IT services-gateway address | MO services server .2 | TCP | 53, 443 | DNS pull (authorized records), schedule pull |
| 2 | IT → MO | IT services-gateway address | MO services server .2 | TCP | 1883, 8883 | MQTT subscribe (authorized topics only) |
| 3 | IT → MO | IT services-gateway address | MO services server .2 | TCP | 514, 6514 | Syslog pull |
| 4 | IT → MO | IT NTP source | MO services server .2 | UDP | 123 | Time sync (MO is authoritative for its network) |
| 5 | IT → MO | IT monitoring host | MO services server .2 | ICMP | — | Reachability check (MO grants this; reverse is also required) |
Outbound from MO to IT — these are the testability and publication paths MO needs:
| # | Direction | Source | Destination | Protocol | Port | Purpose |
|---|---|---|---|---|---|---|
| 6 | MO → IT | MO services server .2 | IT layer-3 switch downlink | ICMP | — | Reachability test (per § 3.5) |
| 7 | MO → IT | MO services server .2 | IT layer-3 switch downlink | UDP/TCP | 33434–33534 | Traceroute (per § 3.5) |
| 8 | MO → IT | MO services server .2 | IT publication endpoint | TCP | 443 | Asset inventory push / link-quality pull |
| 9 | MO → IT | MO controller subnet | Peer MO controller subnet via IT | UDP | (interlock-specific) | Long-distance interlock traffic per Annex B |
Hard denies — MO Firewall blocks unconditionally:
| # | Direction | Source | Destination | Protocol | Port | Reason |
|---|---|---|---|---|---|---|
| D1 | IT → MO | * | MO controller subnet | UDP | 67, 68 | Block DHCP from IT side (MSA § 3.8) |
| D2 | IT → MO | * | MO controller subnet | * | * (broadcast) | Block IT broadcast traffic into MO |
| D3 | IT → MO | * | MO IO subnets 192.168.x.x | * | * | IO subnets are never reachable from IT |
| D4 | IT → MO | * | Any MO host except services server .2 | * | * | All inbound terminates at services server; no direct controller access from IT |
| D5 | IT → MO | * | MO DHCP server | UDP | 67, 68 | Even queries are denied; per § 3.8 |
| D6 | IT → MO | * | MO services server .2 | TCP | 22 | No SSH from IT side. MO admin is from inside MO only |
Baseline ruleset — IT Firewall (per MO downlink)
Inbound from MO side, default permit-with-policy (the IT side is the “carrier,” MO is the customer):
| # | Direction | Source | Destination | Protocol | Port | Purpose |
|---|---|---|---|---|---|---|
| 1 | MO → IT | MO services server .2 | IT services-gateway | TCP | 443 | Asset publish, link-quality pull |
| 2 | MO → IT | MO services server .2 | IT layer-3 switch | ICMP | — | Testability (IT must allow per § 3.5) |
| 3 | MO → IT | MO services server .2 | IT layer-3 switch | UDP/TCP | 33434–33534 | Traceroute (IT must allow per § 3.5) |
| 4 | MO → IT (transit) | MO controller subnet | Peer MO controller subnet | UDP | (interlock-specific) | Long-distance interlock — IT transits, does not inspect payload |
| 5 | MO → IT (transit) | MO services server .2 | Peer MO services server .2 | TCP/UDP | various | Cross-MO published services per § 6 |
Priority enforcement on IT side (per MSA § 3.2):
| Class | Match | Priority | Behavior |
|---|---|---|---|
| CS-HIGH | Annex B-registered interlock 5-tuples | Highest | Reserved bandwidth, never shed |
| CS-NORMAL | MO cross-boundary published services | High | Best-effort with bias |
| IT-NORMAL | All other IT backbone traffic | Normal | Standard QoS |
Hard denies — IT Firewall blocks unconditionally:
| # | Direction | Source | Destination | Protocol | Port | Reason |
|---|---|---|---|---|---|---|
| D1 | IT → MO | IT side host (any) | MO controller subnet | * | * (except permitted in MO inbound rules) | IT side does not initiate to MO except via MO inbound allowlist |
| D2 | IT → MO | * | MO IO subnets 192.168.x.x | * | * | IO subnets never advertised, never routed |
| D3 | IT (transit) | * | Any | * | * (broadcast/multicast from IT) | No IT-originated broadcast/multicast enters any MO downlink |
Per-network overrides
If a Manufacturing Operations network needs an exception (e.g., a vendor remote-support session for a specific PLC), it goes in this section as a time-bounded exception with explicit start/end timestamps, scope, and approver from both sides.
Active exceptions
(none — fill as registered)
Recently expired exceptions
(none — fill as expired)
Disclosure cadence
- At commit time: Either side proposing a rule change posts the diff to the joint register 14 days before commit (per § 8.3 and § 3.7 where applicable).
- At quarterly review: Full rule tables for both sides are re-reviewed at § 8.1 joint review. Drift between this annex and the actual running config is itself a § 7 Minor Incident.
- At incident: After any § 7 Major Incident, the affected firewall configuration is snapshotted and attached to the incident record.
What this register deliberately does not contain
- Vendor-specific syntax. This is policy intent, not config files. Each side translates these rules into their own firewall vendor’s language. The intent is what’s binding.
- Encryption keys, certs, or credentials. Those live in the respective domain’s secret store, never in this register.
- The DMZ. Per MSA § 1.3 and § 8.4 — the DMZ is an IT-internal construction protecting IT-from-IT. It has no role here and no rules in this annex.
Open items
- IT-side QoS implementation. § 3.2 priority enforcement requires per-interlock 5-tuple matching on the IT backbone. Many IT shops do not have this baseline. Joint review to identify what IT needs to upgrade.
- Symmetric path enforcement. Currently nothing in this register prevents asymmetric routing of interlock traffic on the IT side. Annex C § 1.4 flags this as a traceroute check; it should ideally be enforced rather than detected.
- Exception process formal SLA. Time-bounded exceptions are described above but the approval/rollback workflow is not yet defined. Add at first real exception request.