Network Security

Choosing a network security model is about balancing risk, cost, and operability. The goal is to protect production systems from external threats while still allowing the platform to be deployed, configured, updated, and monitored.

Edge devices always communicate with a cloud-based management endpoint for identity, configuration, and deployment information. Edge devices always initiate these connections outbound, so there is no inbound exposure on the device. Authentication uses either X.509 device certificates (preferred, because they give lifecycle control and revocation) or Shared Access Signature (SAS) keys.

Designing the network security is a compromise between complexity and the level of security. Each additional security layer reduces exposure but also increases design complexity, operational effort, and the number of components to maintain.

Some of the most relevant security layers that can be applied are:

  • Segmentation: Place the edge device on its own VLAN/subnet and control traffic with firewalls at each zone boundary (e.g., IT ↔ DMZ ↔ OT). Allow only the minimum northbound egress (typically TCP 443 to named cloud endpoints, plus DNS/NTP) and the minimum southbound ports to equipment. Combine with host firewalls and NAC on switch ports.

  • Gateways: Introduce a dedicated gateway edge in the DMZ to terminate all cloud management traffic, while one or more nested edges on the factory floor communicate only with the gateway over mutually authenticated, encrypted channels (MQTT/TLS). This keeps internet-reachable components out of OT zones.

  • Private Networking: Remove public internet exposure for management traffic by using site-to-site VPN, MPLS, or ExpressRoute to reach cloud services on private IPs with private DNS/endpoints. This reduces reliance on open internet paths and simplifies egress policy, at the expense of higher network complexity.
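The Segmentation bullet and the outbound-only statement above together describe an allowlist: no inbound connections to the edge, TCP 443 only to named cloud endpoints, DNS and NTP only to approved servers, and a few southbound ports only to equipment. The following Python script is an added example (not code from the original page or from any edge platform it describes) that encodes such a policy and runs it over a handful of constructed flow records, the way you would check firewall or flow logs for traffic that falls outside the design. Every hostname, address, and port list in it is a constructed placeholder; substitute your own zone definitions and the endpoints your platform documents.

```python
"""Evaluate edge-device flows against a default-deny segmentation policy.

Added example, not from the original page. Models the allowlist described
in the Segmentation bullet: outbound-only management traffic on TCP 443 to
named cloud endpoints, DNS/NTP to approved servers, and a minimal set of
southbound ports into the OT equipment subnet. Everything else is denied.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholders (RFC 2606 .invalid names, documentation/private
# ranges); replace with the endpoints and subnets of your own deployment.
CLOUD_ENDPOINTS = {"mgmt.example-cloud.invalid", "hub.example-cloud.invalid"}
DNS_RESOLVER = ip_address("10.20.0.53")
NTP_SERVER = ip_address("10.20.0.123")
OT_EQUIPMENT = ip_network("10.30.1.0/24")
SOUTHBOUND_PORTS = {("tcp", 502), ("tcp", 4840)}   # Modbus/TCP, OPC UA


@dataclass(frozen=True)
class Flow:
    direction: str   # "in" = new connection to the edge, "out" = from the edge
    proto: str       # "tcp" or "udp"
    dst: str         # destination IP address or resolved hostname
    dport: int


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (allowed, reason) for one flow record."""
    # Management is pull-based: the edge never accepts inbound connections.
    if flow.direction == "in":
        return False, "inbound connection to edge is never allowed"
    # Northbound management egress only to the named cloud endpoints.
    if flow.proto == "tcp" and flow.dport == 443 and flow.dst in CLOUD_ENDPOINTS:
        return True, "northbound management egress to named endpoint"
    try:
        dst_ip = ip_address(flow.dst)
    except ValueError:
        # A hostname that is not in the endpoint allowlist is denied outright.
        return False, f"unknown hostname {flow.dst!r}"
    if flow.proto == "udp" and flow.dport == 53 and dst_ip == DNS_RESOLVER:
        return True, "DNS to approved resolver"
    if flow.proto == "udp" and flow.dport == 123 and dst_ip == NTP_SERVER:
        return True, "NTP to approved time source"
    # Southbound: only approved protocols, only into the equipment subnet.
    if dst_ip in OT_EQUIPMENT and (flow.proto, flow.dport) in SOUTHBOUND_PORTS:
        return True, "southbound to equipment on approved port"
    return False, "not in allowlist (default deny)"


def parse_flow(line: str) -> Flow:
    """Parse a constructed log line of the form '<dir> <proto> <dst>:<port>'."""
    direction, proto, target = line.split()
    dst, port = target.rsplit(":", 1)
    return Flow(direction, proto, dst, int(port))


# Constructed sample log: four flows inside the policy, three outside it.
SAMPLE_LOG = """\
out tcp mgmt.example-cloud.invalid:443
out udp 10.20.0.53:53
out udp 10.20.0.123:123
out tcp 10.30.1.15:502
out tcp 10.30.1.15:22
out tcp 203.0.113.9:443
in tcp 10.20.5.10:22
"""


def violations(log: str) -> list[tuple[str, str]]:
    """Return (line, reason) pairs for every flow that the policy denies."""
    denied = []
    for line in log.splitlines():
        if not line.strip():
            continue
        allowed, reason = evaluate(parse_flow(line))
        if not allowed:
            denied.append((line, reason))
    return denied


if __name__ == "__main__":
    for line, reason in violations(SAMPLE_LOG):
        print(f"DENY {line}  ({reason})")
```

Running it flags three of the seven sample flows: SSH into the equipment subnet (a port the design does not open southbound), TCP 443 to an address that is not a named cloud endpoint (TLS egress alone is not enough; the destination has to be on the list), and any inbound connection to the edge. The same structure maps directly onto zone-boundary firewall rules: the allow entries become explicit rules and the final default-deny becomes the catch-all.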

Edge on the factory floor

The device resides on an OT VLAN and connects directly outbound to cloud management endpoints over TLS.

Edge in a DMZ

The device is placed in a screened network segment. It connects outbound to cloud and only the necessary southbound ports are opened into OT.

Gateway in the DMZ with nested edge

A hardened gateway in the DMZ handles all cloud traffic; one or more nested devices on the floor communicate only with the gateway over a controlled, TLS-protected channel.

Private network

Cloud management endpoints are reached over a private path (VPN/ExpressRoute/MPLS) with private DNS/endpoints. No public internet is required for management traffic.
