Kaspersky Industrial CyberSecurity for Networks

Examples of using address spaces in Kaspersky Industrial CyberSecurity for Networks

March 22, 2024

ID 234943

Address spaces (AS) enable Kaspersky Industrial CyberSecurity for Networks to operate when devices in different network segments use identical addresses. This article provides examples of using address spaces for the following cases of address duplication across network segments:

  • Duplication of IP addresses
  • Duplication of MAC addresses
  • Duplication of MAC addresses and use of identical ranges of IP addresses

Address spaces for duplicating IP addresses of devices

This example examines a company that has 16 industrial sites with groups of PLCs at these sites. Each industrial site uses the same ranges of IP addresses: 10.4.0.0/16, 10.5.0.0/16, 10.8.0.0/16, 10.9.0.0/16. This means that devices at different sites may have identical IP addresses.

The network segments of industrial sites are completely isolated from the main enterprise network. Each segment contains operational PLCs, engineering workstations, and computers performing functions of application stations (hereinafter referred to as "Application Station" computers). A segment is integrated with the main enterprise network through an Application Station computer. This computer has a dedicated network interface with a unique IP address on the main enterprise network.

To ensure proper functioning of Kaspersky Industrial CyberSecurity for Networks in this configuration, the following objects must be added for each industrial site segment:

  • Monitoring point for receiving traffic within the segment
  • Monitoring point for receiving traffic from the Application Station computer
  • Address space containing one rule

For example, you can add objects with the following names for the first segment:

  • MPoint_1-1
  • MPoint_1-2
  • Site_1

The settings of address spaces for each segment are described in the table below.

AS for segments with identical IP addressing

| AS name | Data source | OSI model layers | VLAN ID | IP addresses |
|---|---|---|---|---|
| Site_1 | Monitoring points: MPoint_1-1, MPoint_1-2 | Network (L3) | Any or not used | 10.4.0.0/16, 10.5.0.0/16, 10.8.0.0/16, 10.9.0.0/16 |
| Site_2 | Monitoring points: MPoint_2-1, MPoint_2-2 | Network (L3) | Any or not used | 10.4.0.0/16, 10.5.0.0/16, 10.8.0.0/16, 10.9.0.0/16 |
| Site_3 | Monitoring points: MPoint_3-1, MPoint_3-2 | Network (L3) | Any or not used | 10.4.0.0/16, 10.5.0.0/16, 10.8.0.0/16, 10.9.0.0/16 |
| ... | | | | |
| Site_16 | Monitoring points: MPoint_16-1, MPoint_16-2 | Network (L3) | Any or not used | 10.4.0.0/16, 10.5.0.0/16, 10.8.0.0/16, 10.9.0.0/16 |

Address spaces for duplicating MAC addresses of devices

This example examines an industrial network that uses VLAN technology. The network has two dedicated segments for industrial sites, distinguished by the VLAN IDs 3910 and 3915. The network segments contain devices with manually assigned MAC addresses (the devices and their software support this capability). This means that devices in different network segments may have identical MAC addresses.

To ensure proper functioning of Kaspersky Industrial CyberSecurity for Networks in this configuration, an address space must be added for each segment. For example, the names Site_1 and Site_2 can be assigned to the address spaces. Address spaces may contain one rule each.

The settings of address spaces for each segment are described in the table below.

AS for segments with identical MAC addressing

| AS name | Data source | OSI model layers | VLAN ID | IP addresses |
|---|---|---|---|---|
| Site_1 | Monitoring points: any | Data Link (L2) | 3910 | Any |
| Site_2 | Monitoring points: any | Data Link (L2) | 3915 | Any |

Address spaces for duplicating MAC addresses of devices with the same range of IP addresses

This example examines an industrial network that uses VLAN technology. The network has two dedicated segments for industrial sites, distinguished by the VLAN IDs 3910 and 3915. The network segments contain devices with manually assigned MAC addresses (the devices and their software support this capability). The IP addresses in each segment are in the same address range: 140.80.0.0/16. This means that devices in different network segments may have identical MAC addresses and/or identical IP addresses.

To ensure proper functioning of Kaspersky Industrial CyberSecurity for Networks in this configuration, an address space must be added for each segment. For example, the names Site_1 and Site_2 can be assigned to the address spaces. Address spaces may contain one rule each.

The settings of address spaces for each segment are described in the table below.

AS for segments with identical MAC addressing and identical IP address ranges

| AS name | Data source | OSI model layers | VLAN ID | IP addresses |
|---|---|---|---|---|
| Site_1 | Monitoring points: any | Data Link and Network (L2 and L3) | 3910 | 140.80.0.0/16 |
| Site_2 | Monitoring points: any | Data Link and Network (L2 and L3) | 3915 | 140.80.0.0/16 |
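The following Python model is an added example, not Kaspersky code. It shows how the rules from the first and third tables keep devices with identical addresses apart in an asset inventory. The `Rule` fields mirror the table columns; the first-match order, the `None` result for unmatched traffic, and the observations in `OBS` are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One address-space rule; fields mirror the table columns (assumed model)."""
    space: str                 # AS name
    layers: frozenset          # {"L2"}, {"L3"} or both
    points: frozenset = None   # monitoring points, None = any
    vlan: int = None           # VLAN ID, None = any or not used
    nets: tuple = ()           # IP ranges, empty = any

SITE_NETS = ("10.4.0.0/16", "10.5.0.0/16", "10.8.0.0/16", "10.9.0.0/16")
# First example: 16 sites with the same IP ranges, told apart by monitoring point.
IP_RULES = [Rule(f"Site_{n}", frozenset({"L3"}),
                 points=frozenset({f"MPoint_{n}-1", f"MPoint_{n}-2"}), nets=SITE_NETS)
            for n in range(1, 17)]
# Third example: two VLANs with the same MAC addresses and the same IP range.
VLAN_RULES = [Rule("Site_1", frozenset({"L2", "L3"}), vlan=3910, nets=("140.80.0.0/16",)),
              Rule("Site_2", frozenset({"L2", "L3"}), vlan=3915, nets=("140.80.0.0/16",))]
# Constructed observations: (monitoring point, VLAN ID, MAC, IP); same IP at two sites.
OBS = [("MPoint_1-1", None, "00:00:5e:00:53:01", "10.4.0.15"),
       ("MPoint_7-2", None, "00:00:5e:00:53:02", "10.4.0.15")]

def resolve(rules, point, vlan, ip):
    """Return the first rule matching data source, VLAN ID and IP range, else None."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if r.points is not None and point not in r.points:
            continue
        if r.vlan is not None and r.vlan != vlan:
            continue
        if r.nets and not any(addr in ipaddress.ip_network(n) for n in r.nets):
            continue
        return r
    return None

def scoped(rules, point, vlan, mac, ip):
    """Qualify MAC and IP with the address space at the layers the rule covers."""
    r = resolve(rules, point, vlan, ip)
    mac_as = r.space if r and "L2" in r.layers else None
    ip_as = r.space if r and "L3" in r.layers else None
    return (mac_as, mac), (ip_as, ip)

def inventory(rules, observations):
    """Distinct IP-level device keys seen in (point, vlan, mac, ip) observations."""
    return {scoped(rules, *o)[1] for o in observations}
```

With `IP_RULES`, the two observations in `OBS` yield two inventory entries (`Site_1` and `Site_7`); with an empty rule list they collapse into one, which is the merge that address spaces prevent.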
