Part of the PROTECT Playbook

VLAN & ACL Configuration: Implementing the 3-Zone Model

Requirement: This module details the technical execution of VLAN tagging and Access Control List (ACL) enforcement to satisfy IEC 62443-3-3 and IACS UR E26 segmentation mandates.

The 3-Zone Network Segmentation Model is the engineering standard for protecting a vessel’s Essential Services. By establishing firewalled boundaries between Operational Technology (OT), Corporate IT, and Untrusted guest networks, we ensure that a compromise in one zone cannot propagate to critical ship functions.

Step 1: Logical Isolation via VLAN Tagging

The first step is to logically segment the physical switch fabric into three distinct broadcast domains. This prevents “flat network” risks where a single infected device can see the entire vessel’s traffic.

Zone / Functional Group           VLAN ID   IP Subnet          Policy Posture
1. OT Zone (Essential Services)   10        192.168.10.0/24    Strict Isolation. No Direct Internet.
2. IT Zone (Administrative)       20        192.168.20.0/24    Monitored. Proxy access only.
3. Untrusted (Crew/Guest)         30        192.168.30.0/24    Sandboxed. Direct to WAN only.

Step 2: The Firewall as the “Conduit” Enforcer

In accordance with IEC 62443, traffic between zones must pass through a secure “Conduit.” In this model, the Firewall acts as that conduit. All Inter-VLAN routing must be disabled on the switches and offloaded to the firewall (Router-on-a-Stick or Multi-interface) to ensure 100% packet inspection.
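The following is an added example, not code from the playbook: a small policy model that maps addresses to the three zones from Step 1 and evaluates each cross-zone flow the way the conduit firewall should, using the posture column as the rule source. The proxy address 192.168.20.5 and the sample flows are constructed assumptions, not values from the page.

```python
import ipaddress

# Zone table from Step 1 (VLAN IDs and subnets are the page's own values).
ZONES = {
    "OT": (10, ipaddress.ip_network("192.168.10.0/24")),
    "IT": (20, ipaddress.ip_network("192.168.20.0/24")),
    "UNTRUSTED": (30, ipaddress.ip_network("192.168.30.0/24")),
}
# Hypothetical outbound proxy inside the IT zone (assumption, not from the page).
IT_PROXY = ipaddress.ip_address("192.168.20.5")


def zone_of(ip):
    """Map an address to its zone; anything outside the three subnets is WAN."""
    addr = ipaddress.ip_address(ip)
    for name, (_vlan, net) in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def conduit_decision(src, dst):
    """Decision the conduit firewall should make for one new flow.
    Because inter-VLAN routing is disabled on the switches, every cross-zone
    packet must arrive here; the default is deny, and only the postures in
    the Step 1 table open anything. Return traffic for allowed flows is
    assumed to be handled by the firewall's state table."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "allow"          # intra-VLAN traffic never reaches the conduit
    if s == "OT" or d == "OT":
        return "deny"           # Strict Isolation: nothing in or out of OT
    if s == "UNTRUSTED":
        return "allow" if d == "WAN" else "deny"   # Sandboxed: WAN only
    if s == "IT" and d == "WAN":
        # Proxy access only: just the proxy host may reach the WAN directly.
        return "allow" if ipaddress.ip_address(src) == IT_PROXY else "deny"
    return "deny"               # IT -> Untrusted, inbound from WAN, etc.


def audit_flows(flows):
    """Evaluate (src, dst) pairs and return the ones the conduit must block,
    tagged with the zones involved, so a ruleset can be checked against the model."""
    return [(src, dst, zone_of(src), zone_of(dst))
            for src, dst in flows if conduit_decision(src, dst) == "deny"]


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    sample = [("192.168.30.7", "8.8.8.8"), ("192.168.30.7", "192.168.10.5"),
              ("192.168.10.5", "8.8.8.8"), ("192.168.20.50", "8.8.8.8"),
              ("192.168.20.5", "8.8.8.8"), ("8.8.8.8", "192.168.10.5")]
    for hit in audit_flows(sample):
        print("DENY", hit)
```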
