Address spaces (AS) enable operation of Kaspersky Industrial CyberSecurity for Networks in situations in which devices with identical addresses are used in different network segments. This section provides examples of using address spaces for the following cases in which device addresses are duplicated in different network segments:
Address spaces for duplicating IP addresses of devices
This example examines a company that has 16 industrial sites with groups of PLCs at these sites. Each industrial site uses the same ranges of IP addresses: 10.4.0.0/16, 10.5.0.0/16, 10.8.0.0/16, 10.9.0.0/16. This means that devices at different sites may have identical IP addresses.
The network segments of industrial sites are completely isolated from the main enterprise network. Each segment contains operational PLCs, engineering workstations, and computers performing functions of application stations (hereinafter referred to as "Application Station" computers). A segment is integrated with the main enterprise network through an Application Station computer. This computer has a dedicated network interface with a unique IP address on the main enterprise network.
To ensure proper functioning of Kaspersky Industrial CyberSecurity for Networks in this configuration, the following objects must be added for each industrial site segment:
For example, you can add objects with the following names for the first segment:
The settings of address spaces for each segment are described in the table below.
AS for segments with identical IP addressing
AS name | Data source | OSI model layers | VLAN ID | IP addresses |
---|---|---|---|---|
Site_1 | Monitoring points: MPoint_1-1, MPoint_1-2 | Network (L3) | Any or not used | 10.4.0.0/16, 10.5.0.0/16, 10.8.0.0/16, 10.9.0.0/16 |
Site_2 | Monitoring points: MPoint_2-1, MPoint_2-2 | Network (L3) | Any or not used | 10.4.0.0/16, 10.5.0.0/16, 10.8.0.0/16, 10.9.0.0/16 |
Site_3 | Monitoring points: MPoint_3-1, MPoint_3-2 | Network (L3) | Any or not used | 10.4.0.0/16, 10.5.0.0/16, 10.8.0.0/16, 10.9.0.0/16 |
... | | | | |
Site_16 | Monitoring points: MPoint_16-1, MPoint_16-2 | Network (L3) | Any or not used | 10.4.0.0/16, 10.5.0.0/16, 10.8.0.0/16, 10.9.0.0/16 |
Address spaces for duplicating MAC addresses of devices
This example examines an industrial network that uses VLAN technology. The network has two dedicated segments for industrial sites distinguished by the IDs VLAN 3910 and 3915. The network segments contain devices with manually assigned MAC addresses (the devices and their software support this capability). This means that devices in different network segments may have identical MAC addresses.
To ensure proper functioning of Kaspersky Industrial CyberSecurity for Networks in this configuration, an address space must be added for each segment. For example, the names Site_1 and Site_2 can be assigned to the address spaces. Address spaces may contain one rule each.
The settings of address spaces for each segment are described in the table below.
AS for segments with identical MAC addressing
AS name | Data source | OSI model layers | VLAN ID | IP addresses |
---|---|---|---|---|
Site_1 | Monitoring points: any | Data Link (L2) | 3910 | Any |
Site_2 | Monitoring points: any | Data Link (L2) | 3915 | Any |
Address spaces for duplicating MAC addresses of devices with the same range of IP addresses
This example examines an industrial network that uses VLAN technology. The network has two dedicated segments for industrial sites distinguished by the IDs VLAN 3910 and 3915. The network segments contain devices with manually assigned MAC addresses (the devices and their software support this capability). The IP addresses in each segment are in the same address range: 140.80.0.0/16. This means that devices in different network segments may have identical MAC addresses and/or identical IP addresses.
To ensure proper functioning of Kaspersky Industrial CyberSecurity for Networks in this configuration, an address space must be added for each segment. For example, the names Site_1 and Site_2 can be assigned to the address spaces. Address spaces may contain one rule each.
The settings of address spaces for each segment are described in the table below.
AS for segments with identical MAC addressing and identical IP address ranges
AS name | Data source | OSI model layers | VLAN ID | IP addresses |
---|---|---|---|---|
Site_1 | Monitoring points: any | Data Link and Network (L2 and L3) | 3910 | 140.80.0.0/16 |
Site_2 | Monitoring points: any | Data Link and Network (L2 and L3) | 3915 | 140.80.0.0/16 |
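The rule tables for the identical-IP example and for the identical MAC and IP example can be read as a classifier that qualifies every observed address with an address space name. The Python model below is an added illustration, not Kaspersky's implementation or API; the names `Rule`, `address_space` and `device_key`, first-match-wins ordering, and the `None` result for traffic that matches no rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values taken from the tables on this page.
SITE_NETS = ("10.4.0.0/16", "10.5.0.0/16", "10.8.0.0/16", "10.9.0.0/16")

@dataclass(frozen=True)
class Rule:
    space: str
    points: Optional[frozenset]  # None = any monitoring point
    vlan: Optional[int]          # None = any VLAN ID, or VLAN not used
    nets: tuple                  # empty = any IP address

    def matches(self, point, vlan, ip):
        if self.points is not None and point not in self.points:
            return False
        if self.vlan is not None and vlan != self.vlan:
            return False
        addr = ipaddress.ip_address(ip)
        return not self.nets or any(addr in net for net in self.nets)

def rule(space, points=None, vlan=None, cidrs=()):
    nets = tuple(ipaddress.ip_network(c) for c in cidrs)
    return Rule(space, frozenset(points) if points else None, vlan, nets)

# Identical IP ranges at 16 sites: the monitoring point tells them apart.
IP_RULES = [rule(f"Site_{i}", [f"MPoint_{i}-1", f"MPoint_{i}-2"], cidrs=SITE_NETS)
            for i in range(1, 17)]
# Identical MAC and IP addresses in two VLANs: the VLAN ID tells them apart.
VLAN_RULES = [rule("Site_1", vlan=3910, cidrs=["140.80.0.0/16"]),
              rule("Site_2", vlan=3915, cidrs=["140.80.0.0/16"])]

def address_space(rules, point, vlan, ip):
    """Return the first matching address space name, or None (assumed)."""
    return next((r.space for r in rules if r.matches(point, vlan, ip)), None)

def device_key(rules, point, vlan, mac, ip):
    """Qualify MAC and IP with the address space so duplicates stay distinct."""
    return (address_space(rules, point, vlan, ip), mac, ip)

if __name__ == "__main__":
    # Constructed sample observations: same MAC and IP seen at two sites.
    mac, ip = "02:00:00:00:00:01", "10.4.0.10"
    print(device_key(IP_RULES, "MPoint_1-1", None, mac, ip))
    print(device_key(IP_RULES, "MPoint_16-2", None, mac, ip))
    print(device_key(VLAN_RULES, "MPoint_A", 3915, mac, "140.80.1.1"))
```

Traffic that matches no rule (for example, a source outside the listed ranges) comes back with `None` as its space in this model, which makes unexpected addressing in a segment easy to spot when reviewing a planned rule set.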