To connect Kaspersky Industrial CyberSecurity for Networks to an industrial network, you can additionally use special devices that provide unidirectional transmission of data from the industrial network. These devices are called data diodes.
Receiving industrial network traffic via data diodes
To transmit industrial network traffic to Kaspersky Industrial CyberSecurity for Networks, data diodes must support unfiltered transmission of network packets for all link layer protocols, including service protocols. Data diodes are installed on the connection links of Kaspersky Industrial CyberSecurity for Networks monitoring points and on SPAN ports of network switches.
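One way to check the unfiltered-transmission requirement above during commissioning, as an added example that is not part of the Kaspersky documentation: compare a capture taken at the SPAN port with one taken at the diode output and report the link-layer protocols whose frames were lost. The function names are illustrative, the captures are constructed byte strings, and classic little-endian pcap is assumed as the capture format.

```python
import struct
from collections import Counter

def read_pcap(data: bytes):
    """Yield raw frames from a classic little-endian pcap (assumed capture format)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    off = 24                                   # skip the global header
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def l2_protocol(frame: bytes) -> str:
    """Label a frame by EtherType, or by LLC DSAP for 802.3 length frames."""
    if len(frame) < 14:
        return "runt"
    off = 12
    etype = struct.unpack_from("!H", frame, off)[0]
    while etype in (0x8100, 0x88A8) and len(frame) >= off + 6:   # skip VLAN tags
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
    if etype >= 0x0600:
        return f"ethertype:0x{etype:04x}"
    # Length field instead of EtherType: classify by LLC DSAP (0x42 = STP BPDU)
    return f"llc:0x{frame[off + 2]:02x}" if len(frame) > off + 2 else "llc:truncated"

def missing_after_diode(span_pcap: bytes, diode_pcap: bytes) -> dict:
    """Map protocol -> (frames at SPAN port, frames at diode output) where frames were lost."""
    before = Counter(map(l2_protocol, read_pcap(span_pcap)))
    after = Counter(map(l2_protocol, read_pcap(diode_pcap)))
    return {p: (n, after[p]) for p, n in before.items() if after[p] < n}

# --- Constructed sample captures (not real traffic) ---
def make_frame(etype: int, payload: bytes = bytes(46)) -> bytes:
    return bytes.fromhex("0180c2000000" "020000000001") + struct.pack("!H", etype) + payload

def make_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

IP, ARP, LLDP, PROFINET = (make_frame(t) for t in (0x0800, 0x0806, 0x88CC, 0x8892))
STP = make_frame(0x0026, b"\x42\x42\x03" + bytes(35))      # 802.3 + LLC BPDU
SPAN_PCAP = make_pcap([IP, ARP, LLDP, PROFINET, STP])
DIODE_PCAP = make_pcap([IP, ARP, PROFINET])                # a diode that drops service frames

if __name__ == "__main__":
    print(missing_after_diode(SPAN_PCAP, DIODE_PCAP))
```

Take both captures over the same interval; a difference of a frame or two at the capture edges is normal, while a protocol that drops to zero at the diode output indicates filtering.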
The figure below shows a deployment scenario with a connection to a monitoring point on the Server via a data diode. The data diode transfers traffic from a SPAN port of a network switch in an industrial network. In this scenario, the Server is installed without external sensors.
Standard scenario for connecting the Server via a data diode
The figure below shows a deployment scenario where several Kaspersky Industrial CyberSecurity for Networks sensors are connected via data diodes. The data diodes transfer traffic from SPAN ports of network switches in an industrial network. In this scenario, the Server is installed with three sensors.
Standard scenario for connecting sensors via data diodes
If you want to additionally separate the segments of the industrial network where the sensors are installed from the segment of the Kaspersky Industrial CyberSecurity dedicated network where the Server is installed, you can use a firewall on the connection links between the sensors and the Server.
Receiving industrial network traffic and integrating with EPP applications via data diodes
For integration with EPP applications, support for data transfer over diodes is required both on the diode side and within the EPP applications.
The figure below shows a deployment scenario where Kaspersky Industrial CyberSecurity for Networks sensors receive network traffic via SPAN ports on network switches and telemetry from EPP applications deployed across several sites.
Diagram of EPP application traffic and data acquisition by sensors
Network traffic from SPAN ports on network switches is routed to the monitoring points of Kaspersky Industrial CyberSecurity for Networks sensors through data diodes, which support unfiltered transmission of network packets for all link layer protocols, including service protocols.
Sensors receive telemetry data from EPP applications via network interfaces which are not used as monitoring points. Because this data is transmitted via MQTT, the data diodes require MQTT broker functionality to enable transmission. Subscriber computers with installed EPP applications are used to receive and process incoming MQTT messages.
Endpoint Agent software components handle the sending and receiving of telemetry data via MQTT messages. For more information about configuring EPP applications for this telemetry transmission scenario, contact your technical account manager (TAM).
Industrial site segments and the demilitarized zone (DMZ) network segment are separated by a firewall.