Skip to main content

Core category 13: Network & Firewall

One-liner
Design, segment, and protect PCP networks and firewalls to reduce attack surface, keep operations reliable, and stay audit-ready.

Description

This category covers distinct networking run by the business and the corporate network governed by Group IS. It includes firewall configuration, VLAN standards, secure remote access (VPN/jump), and monitoring. The goal is to minimise lateral movement, protect integrity and confidentiality, and make behaviour traceable.

Aligned with the Distinct Compute Reference Design (DRD) and ISO/IEC 27001, this guide sets a global PCP baseline with room for local needs.


Scope & objectives

  • Network architecture & segmentation
    Build robust, logically segmented topologies (e.g., IT/OT separation, management zones) to enforce least-privilege traffic.

  • Firewall configuration & rule management
    Maintain consistent zone-to-zone rulesets; review and clean up regularly to reduce risk and misconfiguration.

  • Remote access & connectivity
    Use secure access paths (VPN, jump hosts/RDG), strong authentication, session monitoring, and logging for sensitive environments.

  • Traffic monitoring & intrusion detection
    Deploy IDS/IPS/NetFlow and central logging to detect anomalies and intrusions proactively.

  • VLAN standards & access control
    Apply standard VLAN schemes and ACLs to segment users, servers, and devices with granular enforcement.

  • Policy & compliance alignment
    Ensure configs match internal policies and external frameworks (ISO/IEC 27001, ABB Network Security Policies). Keep evidence for audits.


Value & benefits

  • Reduced attack surface – Segmentation and strict controls limit lateral movement and isolate critical systems.
  • Operational continuity – Solid designs deliver high availability and less downtime.
  • Regulatory compliance – Alignment with ISO 27001 and ABB policies improves audit readiness and lowers compliance risk.
  • Improved visibility & control – Central logging and structured rulesets speed detection and response.
  • Scalability & standardisation – Templates for firewalls and VLANs simplify expansion and maintenance across regions and sites.
  • Security assurance – Secure remote access, strong auth, and detection mechanisms protect confidentiality and integrity.

Controls — overview (24)

Control no.CategoryFocusOutcome
3.01NetworkRecord all network devices in ServiceNowComplete asset inventory
3.02NetworkEnsure dedicated management interface on all devicesSecure administrative access
3.03NetworkPlace management interfaces in the management networkControlled and restricted access
3.04NetworkDisable insecure protocols (HTTP, Telnet, FTP, etc.)Encrypted & secure admin traffic
3.05NetworkInstall only valid ABB PKI certificatesTrusted device & secure communication
3.06NetworkEnable log forwarding on all devicesAudit-ready & central monitoring
3.07NetworkConfigure authentication via AD / Entra IDCentralised identity; no shared accounts
3.08NetworkApply ABB local account policy (complexity, expiration)Strong credential hygiene; reduced risk
3.09NetworkConfigure devices for redundancy/high availabilityIncreased service reliability
3.10NetworkMonitor devices (health, performance, errors & history)Proactive operations & early detection
3.11NetworkRecord all routable subnets correctly in SNOWAccurate routing & IP management
3.12NetworkTerminate subnets of same segregation on the firewallEnforced network segmentation
3.13FirewallRecord all firewalls in ServiceNowComplete & accurate firewall inventory
3.14FirewallEnsure dedicated management interfaceSecure admin access
3.15FirewallPlace management interface in the management networkRestricted & controlled admin path
3.16FirewallDisable insecure protocols (HTTP, Telnet, etc.)Encrypted firewall administration
3.17FirewallInstall valid ABB PKI certificatesTrusted & secure firewall communication
3.18FirewallEnable log forwarding to central SIEMFull auditability & security monitoring
3.19FirewallConfigure authentication via AD / Entra IDCentralised authentication; no shared accounts
3.20FirewallApply ABB local account policy (complexity, expiration)Strong authentication & credential hygiene
3.21FirewallDeploy in redundant setupsHigh availability & failover readiness
3.22FirewallConfigure per ABB hardening policyReduced attack surface & policy compliance
3.23FirewallMonitor performance/health & store historyStability, early detection & forensic data
3.24FirewallEnsure all firewalls are Next-GenAdvanced security capabilities enabled

Control requirements — detailed

Control no.CategoryControl requirementDescription
3.01NetworkAll network devices are recorded in ServiceNowRegister routers, switches, Wi-Fi controllers, and appliances in ServiceNow CMDB with correct CI type, owner, location, IPs, and tags.
3.02NetworkDedicated management interface on all devicesUse a separate management port/VLAN for administration; admin access only via the management VLAN.
3.03NetworkManagement interfaces are in the management networkPlace all mgmt interfaces (switch mgmt VLAN, OOB ports, console servers) in the dedicated management network; restrict access via Jump/VPN.
3.04NetworkInsecure protocols disabledDisable HTTP, Telnet, FTP, SNMPv1/v2 and other cleartext services. Enforce HTTPS, SSH, SNMPv3 and block cleartext ports via ACLs/firewall.
3.05NetworkOnly valid ABB certificates installedUse ABB PKI for HTTPS/SSL admin interfaces. Remove default/self-signed certificates and track renewals.
3.06NetworkLog forwarding enabledForward syslog/NetFlow to Splunk/SIEM; configure NTP for accurate timestamps.
3.07NetworkAuthentication via AD / Entra IDIntegrate with TACACS+ / RADIUS; enforce RBAC, no shared admin accounts, MFA where supported.
3.08NetworkLocal accounts follow ABB policyEnforce password complexity & expiration; allow local accounts only for break-glass. Prefer domain auth.
3.09NetworkRedundant/high-availability setupUse dual PSUs/uplinks, VRRP/HSRP, LACP, redundant core/distribution. Provide topology evidence.
3.10NetworkDevices are monitoredMonitor device & port status, CPU/RAM/network/disk, performance indicators, errors/alerts; keep ≥ 6 months history.
3.11NetworkRoutable subnets recorded in SNOWDocument subnets, masks, VLAN IDs, routing and purpose in ServiceNow. Keep updated through lifecycle changes.
3.12NetworkSame-segregation subnets terminate on firewallAll VLANs of a security zone (OT, Office, DMZ, etc.) must terminate on the firewall. No L3 bypass.
3.13FirewallAll firewalls recorded in ServiceNowRegister firewall clusters/virtual firewalls with CI type, owner, location, IPs, cluster members, and tags.
3.14FirewallDedicated management interfaceUse separate MGT interfaces isolated via mgmt VLAN or OOB network. Access from Jump/VPN only.
3.15FirewallMgmt interface in the management networkPlace mgmt ports in the designated mgmt network; restrict via ACLs and AD auth.
3.16FirewallInsecure protocols disabledAllow only HTTPS/SSH; disable cleartext/legacy mgmt protocols and insecure SNMP versions; block ports accordingly.
3.17FirewallValid ABB certificates installedUse ABB certificates on HTTPS admin pages, VPN portals, and inspection services. Remove self-signed certs.
3.18FirewallLog forwarding enabledSend traffic/threat/system/config logs to Splunk/SIEM; NTP configured.
3.19FirewallAuthentication via AD / Entra IDUse TACACS+/RADIUS/SSO; enforce RBAC; MFA mandatory for admin access where supported.
3.20FirewallLocal accounts follow ABB policyApply ABB password complexity & expiration; local accounts break-glass only.
3.21FirewallRedundant deploymentDeploy HA pairs (active/active or active/passive), redundant power/uplinks/paths; provide HA configuration evidence.
3.22FirewallAligned to ABB hardening policyApply ABB baseline: disable unused services, harden admin interface, secure logging, restricted API, secure boot, updated firmware.
3.23FirewallMonitoring requirements metMonitor device health, CPU/memory/disk, interface/throughput/latency, error/threat events; notify via mail/ticket; keep ≥ 6 months history.
3.24FirewallNext-Gen capabilityFirewalls support NGFW features: App-ID, User-ID, IPS/IDS, SSL inspection (where allowed), anti-malware, URL filtering. Not legacy L3-only.

Typical artefacts & documentation

  • Network HLD/LLD
  • Zoning & segmentation blueprints (IT/OT, DMZ, management)
  • Firewall rule docs and rule review logs
  • ACL and VLAN documentation
  • Remote access design, user access logs, VPN & Jump Host/RDG configs
  • IDS/IPS deployment diagrams
  • Network monitoring dashboards & alerting configuration
  • Logging and traffic audit reports
  • Policy alignment checklists (ISO 27001, ABB standards)
  • Change/exception approvals for firewall/network rules
  • Incident response & containment procedures for network components
  • Remote-access usage statistics and session logs

Example topology — OPC or large country hub (illustrative)

  • Shared Platform, Engineering, and Software Build use global IP ranges; servers join the global AD domain.
  • Engineering (brownfield), ABB University, and Demo are segregated from Corporate due to external exposure or EoL systems.
  • R&D is segregated because it may host systems not compliant with Cyber/IS policies and standards.

DSR guideline (labs)

  • Labs are fully segregated from ABB Corporate and local networks via a firewall.
  • One physical firewall, or a shared physical firewall, serves the South region; the North and South firewalls may be identical with logical separation.
  • VPN connectivity is established for each lab environment.
  • Remote Desktop Gateway (RDG) and jump servers are permitted.
  • Internet access is allowed through a proxy governed by PAPCP policies.