Multi-Vendor Firewall Strategy: IT, OT, and Edge Networks
DOI: https://doi.org/10.5281/zenodo.19630402

Keywords: Next-Generation Firewall, Operational Technology Security, Web Application Firewall, ICS/SCADA, Network Segmentation, Zero Trust Architecture, IEC 62443, SASE, Multi-Vendor Security Architecture, Industrial DMZ

Abstract
The persistent belief that a single firewall product is enough to safeguard every part of a modern enterprise is not merely a fallacy born of budget constraints; it is an architectural mistake with quantifiable consequences. This paper presents a domain-specific model for understanding why information technology (IT) networks, operational technology (OT) environments, and internet-facing web edge infrastructure each require purpose-built, and often vendor-differentiated, firewall solutions. Drawing on the Purdue Enterprise Reference Architecture, Zero Trust principles, the OWASP security standards, and the IEC 62443 compliance requirements, it focuses on the distinct threat landscapes, traffic characteristics, protocol constraints, and availability requirements of each domain. It compares firewall categories, including next-generation firewalls (NGFWs), industrial security gateways, web application firewalls (WAFs), and Firewall-as-a-Service (FWaaS), against domain-specific selection criteria. The architectural arguments are grounded in operational reality through real-world cases such as the Colonial Pipeline attack, the Triton/TRISIS malware campaign, and reported OWASP Top 10 exploitation patterns. Guidance on deployment sequencing, policy design, change management, and continuous validation is given throughout. The article concludes that whether enterprise firewall investments produce genuine security resilience or costly false confidence is determined less by product choice than by architecture and disciplined management practice.

