Network Considerations

The OT Security appliance (physical or virtual) requires several network connections, each assigned an Interface Role.

Management and Active Query Interface

This interface is configured with an IP address and provides the network reachability used to manage and configure the appliance. It also lets the appliance reach assets on the network for Active Query (recommended, but optional).

Management and Active Query Roles Separation (Split-Port)

You can split the Management and Active Query roles between two separate interfaces. This enables, for instance, a connection to an IT network for management purposes and a separate connection to an OT network to access the OT assets using Active Query.

For this purpose, prepare and connect two separate interfaces, each dedicated to one of the roles.

Basic management connectivity to the ICP over the Active Query interface remains available, provided the ICP permits network connectivity on that interface.

Management connectivity is required to finalize the OT Security setup. Split-Port and Active Query connectivity can be configured later.

On Tenable-provided hardware appliances, OT Security is pre-installed with the default interface roles (Management and Active Query combined on a single interface).

Note: When configuring the IP address for both interfaces, Tenable recommends configuring a default gateway only on the interface dedicated to the Management role. A dedicated gateway for Active Query can be specified when configuring Split-Port.

Monitoring Interfaces

One or more network interfaces can be used for passive network monitoring. Passive monitoring (SPAN) interfaces:

  • Monitor and collect traffic for analysis

  • Must be connected to a Mirroring, Switch Port Analyzer (SPAN), or Remote Switch Port Analyzer (RSPAN) destination interface of a switch.

Note: Traffic that the appliance interfaces cannot monitor directly can be collected with OT Sensors or with an Encapsulated Remote SPAN (ERSPAN) configuration.
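The role rules on this page (the Management interface carries the default gateway, the Active Query interface has an address but no default route, monitoring interfaces are SPAN receivers with no address) can be audited on a Linux host before the appliance is cabled into production. The script below is an added example, not Tenable code and not a description of the appliance's own configuration tooling: it parses the text output of `ip -o -4 addr`, `ip -o link` and `ip route` (constructed sample outputs are embedded for a hypothetical split-port host with eth0 through eth3) and reports every deviation from the role rules. The promiscuous-mode check on monitoring interfaces is an assumption drawn from how SPAN/RSPAN destination ports deliver frames addressed to other MACs, not a statement taken from this page.

```python
"""Audit Linux interfaces against OT Security interface roles (added example)."""
import re
import shutil
import subprocess

# Role assignment for the hypothetical split-port host used in the samples.
ROLES = {"eth0": "management", "eth1": "active_query",
         "eth2": "monitoring", "eth3": "monitoring"}

# Constructed `ip -o -4 addr show` output: only Management and Active Query carry IPs.
ADDR_OK = (
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever\n"
    "2: eth0    inet 10.1.20.15/24 brd 10.1.20.255 scope global eth0\\       valid_lft forever preferred_lft forever\n"
    "3: eth1    inet 192.168.50.15/24 brd 192.168.50.255 scope global eth1\\       valid_lft forever preferred_lft forever\n"
)
# Constructed `ip -o link show` output: SPAN receivers are UP and PROMISC.
LINK_OK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP\n"
    "3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP\n"
    "4: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP\n"
    "5: eth3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP\n"
)
# Constructed `ip route show` output: the only default route leaves via Management;
# Active Query reaches its OT subnet with a dedicated, non-default route.
ROUTE_OK = (
    "default via 10.1.20.1 dev eth0 proto static\n"
    "10.1.20.0/24 dev eth0 proto kernel scope link src 10.1.20.15\n"
    "192.168.50.0/24 dev eth1 proto kernel scope link src 192.168.50.15\n"
    "192.168.60.0/24 via 192.168.50.1 dev eth1 proto static\n"
)
# Misconfigured variant: a second default route on Active Query, and a monitoring
# interface that has been given an address and is not promiscuous.
ADDR_BAD = ADDR_OK + "5: eth3    inet 172.16.0.5/24 brd 172.16.0.255 scope global eth3\\       valid_lft forever preferred_lft forever\n"
LINK_BAD = LINK_OK.replace("5: eth3: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP>",
                           "5: eth3: <BROADCAST,MULTICAST,UP,LOWER_UP>")
ROUTE_BAD = ROUTE_OK + "default via 192.168.50.1 dev eth1 proto static metric 100\n"


def parse_addrs(text):
    """Map ifname -> list of IPv4 CIDRs from `ip -o -4 addr show` output."""
    addrs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[2] == "inet":
            addrs.setdefault(f[1], []).append(f[3])
    return addrs


def parse_links(text):
    """Map ifname -> set of link flags from `ip -o link show` output."""
    links = {}
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(\S+?)(?:@\S+)?:\s+<([^>]*)>", line)
        if m:
            links[m.group(1)] = set(m.group(2).split(","))
    return links


def parse_routes(text):
    """List of (destination, dev, via) tuples from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if f:
            dev = f[f.index("dev") + 1] if "dev" in f else None
            via = f[f.index("via") + 1] if "via" in f else None
            routes.append((f[0], dev, via))
    return routes


def audit_roles(roles, addr_out, link_out, route_out):
    """Return a list of findings; an empty list means the host matches the roles."""
    addrs, links, routes = parse_addrs(addr_out), parse_links(link_out), parse_routes(route_out)
    default_devs = {dev for dst, dev, _ in routes if dst == "default"}
    findings = []
    for ifname, role in roles.items():
        flags = links.get(ifname)
        if flags is None:
            findings.append(f"{ifname}: interface not present")
            continue
        if "UP" not in flags:
            findings.append(f"{ifname}: link is not UP")
        has_ip = bool(addrs.get(ifname))
        if role in ("management", "active_query") and not has_ip:
            findings.append(f"{ifname}: {role} role needs an IPv4 address")
        if role == "management" and ifname not in default_devs:
            findings.append(f"{ifname}: management role should carry the default route")
        if role == "active_query" and ifname in default_devs:
            findings.append(f"{ifname}: default route on Active Query interface; "
                            "keep the default gateway on the Management interface")
        if role == "monitoring":
            if has_ip:
                findings.append(f"{ifname}: monitoring (SPAN) interface should have no IP address")
            if "PROMISC" not in flags:
                findings.append(f"{ifname}: monitoring interface is not in promiscuous mode")
    if len(default_devs) > 1:
        findings.append("more than one default route: " + ", ".join(sorted(default_devs)))
    return findings


def audit_live_host(roles):
    """Run the three `ip` commands on this host and audit the real configuration."""
    run = lambda *cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return audit_roles(roles, run("ip", "-o", "-4", "addr", "show"),
                       run("ip", "-o", "link", "show"), run("ip", "route", "show"))


if __name__ == "__main__":
    print("sample OK host:", audit_roles(ROLES, ADDR_OK, LINK_OK, ROUTE_OK) or "no findings")
    for finding in audit_roles(ROLES, ADDR_BAD, LINK_BAD, ROUTE_BAD):
        print("sample BAD host:", finding)
    if shutil.which("ip"):
        for finding in audit_live_host(ROLES):
            print("this host:", finding)
```

Run it with the role map edited to match the host's interface names; the live audit only runs where the `ip` command exists. The dedicated Active Query gateway from the note above shows up as a specific non-default route (192.168.60.0/24 via eth1 in the sample), which the audit accepts, while a second default route on the Active Query interface is flagged.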