Connecting Kaspersky Industrial CyberSecurity for Networks to an industrial network via data diodes

To connect Kaspersky Industrial CyberSecurity for Networks to an industrial network, you can additionally use special devices that provide unidirectional transmission of data from the industrial network. These devices are called data diodes.

Receiving industrial network traffic via data diodes

To transmit industrial network traffic to Kaspersky Industrial CyberSecurity for Networks, data diodes must support unfiltered transmission of network packets for all link layer protocols, including service protocols. Data diodes are installed on the connection links of Kaspersky Industrial CyberSecurity for Networks monitoring points and on SPAN ports of network switches.

The figure below shows a deployment scenario with a connection to a monitoring point on the Server via a data diode. The data diode transfers traffic from a SPAN port of a network switch in an industrial network. In this scenario, the Server is installed without external sensors.

Diagram illustrating the connection of a data diode on the communication channel between the SPAN port of a network switch in an industrial network of an enterprise and a monitoring point on the Application Server. The application receives network traffic only through this data diode.

Standard scenario for connecting the Server via a data diode

The figure below shows a deployment scenario where several Kaspersky Industrial CyberSecurity for Networks sensors are connected via data diodes. The data diodes transfers traffic from SPAN ports of network switches in an industrial network. In this scenario, the Server is installed with three sensors.

Diagram illustrating the connection of data diodes on each communication channel between SPAN ports of network switches in an industrial network of an enterprise and monitoring points on application sensors. The application receives network traffic only through these data diodes.

Standard scenario for connecting sensors via data diodes

If you want to additionally separate the segments of the industrial network where the sensors are installed, from the segment of the Kaspersky Industrial CyberSecurity dedicated network where the Server is installed, you can use a firewall on the connection links between the sensors and the Server.

Receiving telemetry data from EPP applications via data diodes

Endpoint Agent software components that interact with EPP applications can send telemetry data via data diodes. Telemetry data must be received by Kaspersky Industrial CyberSecurity for Networks nodes via network interfaces that are not being used as monitoring points. Therefore, to simultaneously receive telemetry data and industrial network traffic, you will need to install separate data diodes connected to the corresponding network interfaces of Kaspersky Industrial CyberSecurity for Networks nodes. Telemetry data must be sent to ordinary network interfaces, and traffic from SPAN ports must be sent to the network interfaces of monitoring points.

Depending on the versions of the EPP applications, Endpoint Agent components can send telemetry data via data diodes using the following protocols:

MQTT over TCP.
This protocol is used when working in integration mode with Kaspersky Industrial CyberSecurity for Nodes. For detailed information on configuring an EPP application for this data transfer method, please refer to the appropriate Help system: Kaspersky Industrial CyberSecurity for Nodes 4.5 or Kaspersky Endpoint Agent 4.0.
UDP.
This protocol is used when working in integration mode with Kaspersky Industrial CyberSecurity for Linux Nodes version 2.0. For detailed information on configuring an EPP application for this data transfer method, please refer to the Help system of Kaspersky Industrial CyberSecurity for Linux Nodes 2.0.

In Kaspersky Industrial CyberSecurity for Networks, integration servers facilitate the receipt of telemetry data from EPP applications. To receive data from Endpoint Agent components, the mode corresponding to the utilized data transfer protocol (TCP mode or UDP mode) must be configured and enabled on the integration server.

The figure below shows the deployment scenario for receiving telemetry data from EPP applications via the MQTT protocol over TCP and traffic sent from SPAN ports of network switches from multiple industrial sites to Kaspersky Industrial CyberSecurity for Networks sensors. In this scenario, telemetry data is transmitted in MQTT messages. To transmit MQTT messages via data diode, this diode must support MQTT broker functionality. To receive and process MQTT messages after the data diode, you must use additional subscriber computers that have EPP applications installed.

Diagram illustrating the transmission of telemetry data from EPP applications using the MQTT protocol over TCP via data diodes to application sensors.

Receiving traffic and data from EPP applications using the MQTT protocol over TCP

The figure below shows the deployment scenario for receiving telemetry data from EPP applications via the UDP protocol and traffic sent from SPAN ports of network switches from multiple industrial sites to Kaspersky Industrial CyberSecurity for Networks sensors. This scenario does not require additional subscriber computers with EPP applications installed.

Diagram illustrating the transmission of telemetry data from EPP applications using the UDP protocol via data diodes to application sensors.

Receiving traffic and data from EPP applications over UDP

Page top