Network security layer for IEC 61850 substations
Increasingly complex applications are realized on virtualization host platforms that carry multiple virtual machines. To secure their communication, hardware-based firewalls are installed alongside the virtualization hosts. These hardware firewalls can only monitor and control the traffic that passes through the virtualization host's physical Ethernet interfaces.
Each virtual machine in such an environment has its own very specific task, which leads to different requirements for communication protocols and services. With a firewall that can only monitor and control the traffic running through the host system's interfaces, it is impossible to define rules for the specific traffic of each individual virtual machine. The permitted protocols and services can only be defined per external interface, and in most cases one external interface is shared by several different virtual machines. Furthermore, the traffic between the virtual machines inside the virtual environment cannot be controlled on a protocol or service basis at all, because it never reaches the hardware firewall.
We extend the virtualization host system with a specialized firewall-based security layer so that traffic can be monitored and controlled with finer granularity, per virtual machine and per protocol or service.
With a Fortinet FortiGate-VM64-HV virtual machine we are able to replace the hardware firewall. Because all communication to and from a physical interface of the host system can be redirected through this virtual machine, the firewall can monitor and control the whole traffic in the substation as well as the traffic between the virtual machines.
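As an added illustration of the per-VM, per-service rules this layer makes possible (example configuration written for this page, not taken from the described deployment), the following FortiOS CLI fragment assumes a hypothetical interface layout on the FortiGate-VM: port1 is the uplink to the host's physical substation NIC, port2 and port3 are separate virtual-switch segments for a SCADA gateway VM and an engineering VM; all addresses and names are constructed.

```fortios
# Added example, not the page's own configuration. Interface names,
# addresses and object names are assumptions for illustration only.
config firewall address
    edit "IED-bay1"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "VM-scada"
        set subnet 10.10.2.10 255.255.255.255
    next
    edit "VM-engineering"
        set subnet 10.10.3.10 255.255.255.255
    next
end
# IEC 61850 MMS runs over ISO transport on TCP/102 (RFC 1006).
config firewall service custom
    edit "IEC61850-MMS"
        set tcp-portrange 102
    next
end
config firewall policy
    # Only the SCADA VM may open MMS sessions to the bay IEDs via the uplink;
    # the engineering VM on port3 gets no such rule and is denied.
    edit 1
        set name "scada-to-ieds-mms"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "VM-scada"
        set dstaddr "IED-bay1"
        set action accept
        set schedule "always"
        set service "IEC61850-MMS"
        set logtraffic all
    next
    # Inter-VM traffic is policed too: the engineering VM reaches the
    # SCADA VM only over SSH, a rule a host-level hardware firewall cannot express.
    edit 2
        set name "eng-to-scada-ssh"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "VM-engineering"
        set dstaddr "VM-scada"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end
# Anything not matched above falls to the FortiGate's implicit deny policy.
```

Note that these are Layer-3 policies: GOOSE and Sampled Values are Layer-2 multicast frames (Ethertype 0x88B8 and 0x88BA) and are not matched by them, so a bay-level segment carrying them needs separate treatment.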