Waterfall Architecture and Data Flow

1. Waterfall Unidirectional Security Gateway is implemented on customer’s site.

2. The TX Agent is connected to the Industrial network, while the RX Agent is connected to the lower-trust network, either a corporate network or the Internet (both connections are with a standard RJ45 Ethernet copper cable).

3. The channel installed on both Waterfall Agents is depending on customer’s needs and architecture:
   • If the source of the data is a specific protocol or industrial system, a corresponding channel is installed, and the TX agent will be connected directly to the system or data source.
   • If multiple or unspecific sources are required, then the Waterfall Channel for Tenable is installed, and the TX Agent will be connected to the span port of the switch, in which the traffic flows.

   Caution: The Waterfall Channel for Tenable forwards all traffic going through the span port. To prevent overflow of unnecessary information, the data needs to be filtered, either before or at the Waterfall TX Agent.

4. The collected data is forwarded through the unidirectional channel, from the TX side to the RX side.

5. The RX Agent forwards the data to the Tenable NNM server, whether locally installed or on the Cloud.

6. Users and operators will access the data at NNM, without any traffic getting back into the industrial network.