Does OPNsense Support Detection or Filtering of OT Protocols Like Modbus, DNP3,

Started by vivekmauli14, May 19, 2025, 08:32:28 AM

Hi all,

I'm working on securing an environment where both IT and OT networks are present, and I'm evaluating OPNsense as the firewall platform. I'm particularly interested in knowing whether OPNsense (natively or via plugins like Suricata or Zenarmor) supports the detection, filtering, or deep packet inspection (DPI) of common OT/ICS protocols such as:

Modbus
DNP3
OPC UA
BACnet
PROFINET
EtherNet/IP

I understand that OPNsense primarily focuses on traditional IP networking and Layer 3/4 firewalling, but any insights on visibility into these industrial protocols—whether through IDS/IPS rulesets, DPI capabilities, or plugin support—would be very helpful.

Has anyone deployed OPNsense in an IT/OT convergence setup and can share their experience or best practices?

Thanks in advance!
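As an added example (not from anyone in this thread), the parser below shows the header-level inspection that IDS support for Modbus/TCP rests on: it validates the MBAP header, extracts the function code and labels state-changing requests so a defender can alert on writes from the IT side. Suricata's app-layer parsers for Modbus, DNP3 and ENIP/CIP expose function codes to rules in much the same way; the frames here are constructed, not captured traffic.

```python
import struct

# Modbus function codes that change PLC state; these are the ones a defender
# normally wants alerts on when they originate outside the OT segment.
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTION_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
                       3: "Read Holding Registers", 4: "Read Input Registers"}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse the 7-byte MBAP header plus function code of one Modbus/TCP PDU.

    Raises ValueError if the bytes do not look like Modbus/TCP: the protocol
    identifier must be 0 and the length field must cover the remaining bytes.
    """
    if len(payload) < 8:
        raise ValueError("too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} != 0, not Modbus/TCP")
    if length != len(payload) - 6:
        raise ValueError("MBAP length does not match payload length")
    fc = payload[7]
    return {"transaction_id": tid, "unit_id": unit,
            "function_code": fc & 0x7F, "exception": bool(fc & 0x80),
            "data": payload[8:]}


def classify(payload: bytes) -> str:
    """Return an alert label for one PDU, as an IDS rule keyed on the
    Modbus function code would."""
    pdu = parse_modbus_tcp(payload)
    fc = pdu["function_code"]
    if pdu["exception"]:
        return f"EXCEPTION response to function {fc}"
    if fc in WRITE_FUNCTION_CODES:
        return f"ALERT write: {WRITE_FUNCTION_CODES[fc]} to unit {pdu['unit_id']}"
    if fc in READ_FUNCTION_CODES:
        return f"read: {READ_FUNCTION_CODES[fc]}"
    return f"ALERT unusual function code {fc}"


# Constructed sample frames: tid | proto | len | unit | fc | data
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000A".replace(" ", ""))
WRITE_COIL = bytes.fromhex("0002 0000 0006 01 05 0013 FF00".replace(" ", ""))
EXCEPTION = bytes.fromhex("0003 0000 0003 01 83 02".replace(" ", ""))

if __name__ == "__main__":
    for frame in (READ_HOLDING, WRITE_COIL, EXCEPTION):
        print(classify(frame))
```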

No practical experience here but I did research OPC UA in a previous life. IIRC, it's SOAP based over HTTP+WSS or HTTPS.
In either case, traffic will be encrypted, rendering IDS/IPS ineffective (unless proxying is possible).

I assume physical isolation is not an option. How about VLANs?

Hi Eric,

Thanks for reverting! I believe support for these protocols is important. VLANs can be a makeshift solution; however, it would help if we could understand the support for these protocols.

Best,
VivekS

I recognized 'OPC UA' from prior experience. I'm not going to research the other ones now...

The possibility of any kind of transparent inspection of HTTPS traffic would defeat the existence of HTTPS in the first place.
The only way to do meaningful inspection of such traffic is to set up proxies, essentially breaking the end-to-end encryption (with associated drawbacks).
For example, it's possible to install anti-virus software like ClamAV on OPN but it's a combination of proxy + ICAP + ClamAV (decrypt, transfer, inspect, encrypt). You need a CA too.
Doing the same with HTTP+WSS is probably uglier.

In any case, not having some form of isolation between IT & OT leaves OT vulnerable to a compromised IT host.
You may not want to disclose how much infrastructure they share but I know it's sometimes not pretty.
VLANs are reasonably easy to deploy. Other overlay network technologies may apply.