
How Stratix 5900 Supports network segmentation in manufacturing plants


Maintaining a secure and efficient network in a modern manufacturing plant is critical for both operational continuity and cybersecurity. As industrial systems become more connected, the need for robust network segmentation grows: it lets manufacturers isolate critical assets, control data flow, and limit how far an intrusion can spread. The Stratix 5900 services router, an Allen-Bradley device built on Cisco IOS, is the enforcement point for that segmentation, combining routing, a zone-based firewall, NAT, VPN termination, and access control in one DIN-rail unit. In this article, we look at how each of these features contributes to network segmentation in manufacturing facilities.

Understanding Network Segmentation in Industrial Automation

Network segmentation divides a network into smaller, isolated zones with a controlled path between them. In a manufacturing plant, that means separating control systems such as PLCs, HMIs, and SCADA servers from general business traffic. The Stratix 5900 provides the boundary between production and non-production zones, so that an intruder in one zone cannot move laterally into another without crossing an inspected path. Segmentation also contains faults, simplifies troubleshooting, and supports compliance with industry regulations. It keeps latency-sensitive control traffic off the same broadcast domain as high-volume IT traffic, so a backup job or a file transfer cannot interrupt a controller's I/O updates. The Stratix 5900 combines industrial hardware with security-aware software features to serve as the foundation of that strategy.

Zone-Based Firewall for Segregated Traffic Control

The Zone-Based Firewall (ZBF) in the Stratix 5900 is the cornerstone of segmentation. Administrators assign each interface to a security zone based on function or trust level (for example Production, Engineering, Business), then define a policy for each zone pair that states which traffic may flow from the source zone to the destination zone. Two defaults make this a strong model: traffic between zones that have no zone-pair policy is dropped, and an interface that is not in any zone cannot exchange traffic with an interface that is. Policies are stateful, so an allowed session opened from Engineering to a PLC has its return traffic admitted automatically without opening the reverse direction. This lets a SCADA system be isolated from the IT network while still permitting selected data transfer, and it makes lateral movement across the plant network far harder.

VLAN Segmentation for Logical Network Design

Virtual LANs (VLANs) provide logical segmentation at Layer 2, and the Stratix 5900 supports IEEE 802.1Q tagging so that one physical link to the plant switch can carry several VLANs on separate subinterfaces. Devices within the same VLAN communicate freely without passing through the router; traffic between VLANs must be routed, and the Stratix 5900 is where it is filtered by ACLs or zone-based firewall policy. This isolates departments such as Quality Assurance, Engineering, and Production into separate broadcast domains, reduces broadcast traffic, simplifies management, and ensures that only essential data crosses between segments. One caveat: a VLAN is only a segment if the router is the sole path between it and the others. An unmanaged switch bridging two VLANs, a dual-homed PC, or a trunk port left in its default configuration bypasses the policy, so the switch configuration has to be reviewed alongside the router's.

Network Address Translation (NAT) for Secure Device Mapping

The Stratix 5900 offers Network Address Translation (NAT), which rewrites addresses as traffic crosses the router. In a plant, its main segmentation use is machine-level NAT: a vendor skid or cell can keep its own private addressing (the same 192.168.1.0/24 in every cell, for instance), and the router maps only the devices that need to be reachable onto unique plant-routable addresses. This removes address conflicts when integrating or duplicating machines and limits what the plant network can see of the cell's internals. NAT by itself is not a security control, however: any device with a translation is reachable by anyone who can route to its plant-side address, and it is the firewall policy, not the translation, that decides who may open a session to it. Remote access through a single external address works the same way, with NAT providing the mapping and the zone-based firewall or VPN policy providing the restriction.
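As an added example (not configuration from the original article or from Rockwell or Cisco documentation), here is a Cisco IOS fragment for machine-level NAT on a cell router. The interface names, the cell and plant address blocks, and the device roles are assumptions chosen for illustration; confirm the port names on your unit with show ip interface brief.

```cisco
! Added example: machine-level NAT on a cell router. Interface names, addresses
! and device roles are assumptions for illustration.
zone security CELL
zone security PLANT
!
! Machine side: the vendor built every cell with the same 192.168.1.0/24.
interface GigabitEthernet0/1
 description Machine LAN (identical addressing in every cell)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security CELL
!
! Plant side: this cell is assigned the unique block 10.10.31.0/24, which the
! plant core routes to this router's address 10.10.30.2.
interface GigabitEthernet0/0
 description Plant network uplink
 ip address 10.10.30.2 255.255.255.0
 ip nat outside
 zone-member security PLANT
!
! Only the devices that must be reachable from the plant get a one-to-one
! mapping: the cell PLC and the cell HMI. Every other device in the cell keeps
! a machine-local address and has no plant-side identity at all, which is the
! segmentation benefit of mapping selectively rather than the whole subnet.
ip nat inside source static 192.168.1.10 10.10.31.10
ip nat inside source static 192.168.1.11 10.10.31.11
!
! Cell devices that only initiate outbound sessions (time sync, historian push)
! share the router's plant address through PAT instead of each getting a mapping.
ip access-list standard CELL-OUTBOUND
 permit 192.168.1.0 0.0.0.255
ip nat inside source list CELL-OUTBOUND interface GigabitEthernet0/0 overload
!
! NAT is a mapping, not a filter. Who may actually open a session to
! 10.10.31.10 is decided by the PLANT -> CELL zone-pair policy, which is
! configured separately; without one, the zone-based firewall drops it.
```

Verify with show ip nat translations after generating traffic in each direction. Keep cyclic EtherNet/IP I/O connections inside the cell and let only supervisory explicit messaging (TCP 44818) cross the NAT boundary; a translated address for the PLC is reachable from the whole plant unless a zone-pair policy restricts it, so the NAT statement and the firewall policy should be reviewed together.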

Supporting Industrial Demilitarized Zones (IDMZ)

An Industrial DMZ (IDMZ) is a buffer segment between the manufacturing zone and the enterprise IT network. The design rule is that no traffic passes directly between the two: enterprise systems talk to a broker in the IDMZ (a replicated historian, a patch or anti-virus relay, a jump host), and the broker talks to the plant floor. The Stratix 5900 can enforce those boundaries by placing the plant, IDMZ, and enterprise interfaces in separate firewall zones and defining zone-pair policies only toward or from the IDMZ, so that a direct Production-to-Enterprise path does not exist in the configuration at all. This limits the risk of an enterprise compromise reaching control systems while still allowing plant data to flow to business systems such as MES or ERP. VPN termination, application-layer inspection, and port-based access control on the same device keep the inter-zone traffic constrained.
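The following is an added example, not configuration from the original article or from Rockwell or Cisco documentation, that implements the three-zone IDMZ pattern described above with the zone-based firewall covered in the earlier section. Interface names, address ranges, the broker hosts and the permitted ports are assumptions chosen for illustration.

```cisco
! Added example: three-zone IDMZ enforcement with the IOS zone-based firewall.
! Interface names, addresses, hosts and ports are assumptions for illustration.
zone security PRODUCTION
zone security IDMZ
zone security ENTERPRISE
!
interface GigabitEthernet0/0
 description Plant floor cell/area network (assumed 10.10.10.0/24)
 ip address 10.10.10.1 255.255.255.0
 zone-member security PRODUCTION
!
interface GigabitEthernet0/1
 description IDMZ brokers: historian replica .10, jump host .20 (assumed)
 ip address 172.16.1.1 255.255.255.0
 zone-member security IDMZ
!
interface GigabitEthernet0/2
 description Enterprise uplink (assumed 10.20.0.0/16 behind it)
 ip address 10.20.255.1 255.255.255.0
 zone-member security ENTERPRISE
!
! PRODUCTION -> IDMZ: only the plant historian (.40) feeds the replica over OPC UA.
ip access-list extended PROD-TO-IDMZ-ACL
 permit tcp host 10.10.10.40 host 172.16.1.10 eq 4840
class-map type inspect match-all PROD-TO-IDMZ
 match access-group name PROD-TO-IDMZ-ACL
 match protocol tcp
policy-map type inspect PROD-TO-IDMZ-POLICY
 class type inspect PROD-TO-IDMZ
  inspect
 class class-default
  drop log
zone-pair security PROD-IDMZ source PRODUCTION destination IDMZ
 service-policy type inspect PROD-TO-IDMZ-POLICY
!
! ENTERPRISE -> IDMZ: users read the replica over HTTPS and reach the jump host over RDP.
ip access-list extended ENT-TO-IDMZ-ACL
 permit tcp 10.20.0.0 0.0.255.255 host 172.16.1.10 eq 443
 permit tcp 10.20.0.0 0.0.255.255 host 172.16.1.20 eq 3389
class-map type inspect match-all ENT-TO-IDMZ
 match access-group name ENT-TO-IDMZ-ACL
 match protocol tcp
policy-map type inspect ENT-TO-IDMZ-POLICY
 class type inspect ENT-TO-IDMZ
  inspect
 class class-default
  drop log
zone-pair security ENT-IDMZ source ENTERPRISE destination IDMZ
 service-policy type inspect ENT-TO-IDMZ-POLICY
!
! IDMZ -> PRODUCTION: only the jump host may open EtherNet/IP explicit messaging
! (TCP 44818) to the controllers. This is the single supervised path into production.
ip access-list extended IDMZ-TO-PROD-ACL
 permit tcp host 172.16.1.20 10.10.10.0 0.0.0.255 eq 44818
class-map type inspect match-all IDMZ-TO-PROD
 match access-group name IDMZ-TO-PROD-ACL
 match protocol tcp
policy-map type inspect IDMZ-TO-PROD-POLICY
 class type inspect IDMZ-TO-PROD
  inspect
 class class-default
  drop log
zone-pair security IDMZ-PROD source IDMZ destination PRODUCTION
 service-policy type inspect IDMZ-TO-PROD-POLICY
!
! Deliberately no zone-pair between PRODUCTION and ENTERPRISE in either direction:
! with no zone-pair defined, the firewall drops that traffic, so no direct path exists.
! Return traffic for inspected sessions is admitted by state, not by a reverse rule.
```

Check the result with show zone-pair security and show policy-map type inspect zone-pair sessions. One point that is easy to miss: traffic addressed to the router itself (the self zone) is permitted by default unless a zone-pair involving self is defined, so management access to the router must be restricted separately, either with a self-zone policy or with an access class on the vty lines.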

Access Control Lists (ACLs) for Enforcing Segment Boundaries

Access Control Lists (ACLs) are ordered rule sets that permit or deny packets by source and destination address, protocol, and port. On the Stratix 5900, an ACL applied to a segment's interface tightly controls what enters or leaves that segment. For instance, the Quality Control VLAN might be allowed to read one production PLC over EtherNet/IP explicit messaging (TCP 44818) and nothing else. Rules are evaluated top to bottom with the first match winning, and every ACL ends with an implicit deny, so anything not explicitly permitted is dropped. Because ACLs are stateless, return traffic has to be permitted as well, which is why the stateful zone-based firewall is preferred for general inter-zone traffic and ACLs are kept for simple, well-defined flows. ACLs are especially useful for third-party or vendor equipment that should only reach predefined hosts and ports.
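As an added example that is not from the original article or from Rockwell or Cisco documentation, this Cisco IOS fragment ties the VLAN section and the ACL section together: 802.1Q subinterfaces for three plant VLANs, with stateless ACLs that implement the Quality Control rule above. VLAN numbers, addresses and host roles are assumptions for illustration.

```cisco
! Added example: VLAN subinterfaces with stateless ACLs. VLAN numbers, addresses
! and hosts are assumptions for illustration.
interface GigabitEthernet0/1
 description 802.1Q trunk to the plant switch
 no ip address
!
interface GigabitEthernet0/1.10
 description VLAN 10 Production (quality PLC is .50)
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group PROD-IN in
!
interface GigabitEthernet0/1.20
 description VLAN 20 Quality Control workstations
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip access-group QC-IN in
!
interface GigabitEthernet0/1.30
 description VLAN 30 Engineering (historian .40, NTP .41); no ACL here yet
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
!
! "in" on a subinterface filters traffic leaving that VLAN toward the router.
! QC may read the quality PLC over EtherNet/IP explicit messaging and query the
! historian over OPC UA; nothing else leaves the VLAN.
ip access-list extended QC-IN
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.10.50 eq 44818
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.30.40 eq 4840
 remark the implicit deny is made explicit so that violations are logged
 deny ip any any log
!
! Production may push to the historian and sync time. Because ACLs are stateless,
! the PLC's replies to QC must be permitted here too. "established" admits only
! segments with ACK or RST set, so this line cannot be used to open a session
! from Production into QC.
ip access-list extended PROD-IN
 permit tcp host 10.10.10.50 eq 44818 10.10.20.0 0.0.0.255 established
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.30.40 eq 4840
 permit udp 10.10.10.0 0.0.0.255 host 10.10.30.41 eq 123
 deny ip any any log
!
! Report logged ACL matches in batches rather than per packet, so a port scan
! cannot load the router through its own logging.
ip access-list log-update threshold 100
```

VLAN 30 carries no ACL in this fragment, so Engineering can reach everything; in a real deployment it gets its own list. The PROD-IN "established" line is the price of using stateless ACLs for a two-way flow, and it is the reason the zone-based firewall, which tracks sessions, is the better tool once more than a handful of flows cross a boundary.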

VPN Support for Isolated Remote Access

The Stratix 5900 provides IPsec and SSL VPN termination, which matters in a segmented network because a remote user should land in one segment, not on the whole plant network. Terminating a tunnel on its own interface and placing that interface in its own firewall zone lets the zone-pair policy state exactly which production hosts and ports a remote engineer may reach. Separate tunnels or user groups can map to separate zones, so a drive vendor's tunnel reaches the drives and an integrator's tunnel reaches the controllers. This is particularly useful in facilities with remote operations or multi-site systems, where different teams need access to specific plant zones. Data in the tunnel is encrypted, and the segmentation rules still apply after decryption, so remote management, updates, and diagnostics are possible without exposing the rest of the network.
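The following added example (not from the original article or from Rockwell or Cisco documentation) shows a site-to-site IPsec tunnel for a vendor's support site terminated on a virtual tunnel interface that sits in its own firewall zone, so the zone-pair policy, not the tunnel, decides what the vendor can reach. The peer address, pre-shared key placeholder, interface names, address ranges and ports are assumptions for illustration; a 15.x image with the security feature set is assumed for the SHA-256 options.

```cisco
! Added example: remote-support IPsec tunnel on a VTI in its own zone. Peer,
! key, interface names, addresses and ports are assumptions for illustration.
zone security OUTSIDE
zone security REMOTE
zone security PRODUCTION
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 203.0.113.2
!
crypto ipsec transform-set REMOTE-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile REMOTE-PROF
 set transform-set REMOTE-TS
!
interface GigabitEthernet0/0
 description Enterprise- or Internet-facing uplink
 ip address 198.51.100.10 255.255.255.0
 zone-member security OUTSIDE
!
! Decrypted traffic enters the router through Tunnel0, so it is Tunnel0's zone,
! not the uplink's, that the zone-pair policy evaluates.
interface Tunnel0
 description IPsec VTI to the vendor support site
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile REMOTE-PROF
 zone-member security REMOTE
!
! The vendor's support subnet (assumed 10.99.0.0/24) is routed into the tunnel.
ip route 10.99.0.0 255.255.255.0 Tunnel0
!
! REMOTE -> PRODUCTION: one controller's explicit-messaging port and one HMI's VNC.
ip access-list extended REMOTE-TO-PROD-ACL
 permit tcp 10.99.0.0 0.0.0.255 host 10.10.10.50 eq 44818
 permit tcp 10.99.0.0 0.0.0.255 host 10.10.10.60 eq 5900
class-map type inspect match-all REMOTE-TO-PROD
 match access-group name REMOTE-TO-PROD-ACL
 match protocol tcp
policy-map type inspect REMOTE-TO-PROD-POLICY
 class type inspect REMOTE-TO-PROD
  inspect
 class class-default
  drop log
zone-pair security REMOTE-PROD source REMOTE destination PRODUCTION
 service-policy type inspect REMOTE-TO-PROD-POLICY
!
! No PRODUCTION -> REMOTE zone-pair: the plant cannot initiate toward the vendor.
! No OUTSIDE -> PRODUCTION zone-pair: nothing that is not inside the tunnel gets in.
```

IKE and ESP are addressed to the router itself and so reach the self zone, which is permitted by default; nothing else from OUTSIDE is allowed through. A second vendor gets a second tunnel interface in a second zone with its own zone-pair, which is how "access tied to role" is realized on the router rather than by convention.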

Deep Packet Inspection for Segment-Specific Threat Monitoring

Deep Packet Inspection (DPI) examines packet payloads rather than only headers. In the Stratix 5900 this takes the form of application-layer inspection within the zone-based firewall: for the protocols the firewall understands, it tracks the session and can reject traffic that does not conform to the protocol expected on that port. DPI is valuable in a segmented network because an allowed inter-zone flow can still carry something it should not, for example a tool tunnelled over the HTTP port that is permitted between an engineering workstation and an HMI's web interface. For control protocols the firewall has no parser for, the practical substitute is to pin the allowed flow to specific hosts and ports, with DPI covering the flows it can parse. DPI supports a zero-trust approach by checking that a permitted path is not being abused from within.
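As an added example that is not from the original article or from Rockwell or Cisco documentation, this Cisco IOS fragment attaches HTTP application inspection to a permitted engineering-to-HMI flow, so that a permitted TCP port 80 path is reset and logged when it carries non-HTTP traffic or methods the HMI's web server never uses. Zone names, addresses and the HMI host are assumptions for illustration; IOS application inspection for HTTP is assumed to be present in the image.

```cisco
! Added example: Layer 7 HTTP inspection on a permitted inter-zone flow.
! Zone names, addresses and hosts are assumptions for illustration.
zone security ENGINEERING
zone security PRODUCTION
!
! Layer 7 class: HTTP exchanges that break the protocol (e.g. a non-HTTP tool
! tunnelled over TCP 80) or use the CONNECT method, which the HMI never needs.
class-map type inspect http match-any HTTP-ABUSE
 match req-resp protocol-violation
 match request port-misuse tunneling
 match request method connect
!
policy-map type inspect http HTTP-DEEP
 class type inspect http HTTP-ABUSE
  reset
  log
!
! Layer 3/4 class: HMI web access from the engineering segment to one HMI.
ip access-list extended ENG-TO-HMI-ACL
 permit tcp 10.10.30.0 0.0.0.255 host 10.10.10.60 eq 80
class-map type inspect match-all ENG-TO-HMI
 match access-group name ENG-TO-HMI-ACL
 match protocol http
!
! The Layer 7 policy is nested under the inspected class, so it only ever sees
! traffic that already passed the host/port check.
policy-map type inspect ENG-TO-PROD-POLICY
 class type inspect ENG-TO-HMI
  inspect
  service-policy http HTTP-DEEP
 class class-default
  drop log
!
zone-pair security ENG-PROD source ENGINEERING destination PRODUCTION
 service-policy type inspect ENG-TO-PROD-POLICY
```

The nesting is the point: the Layer 3/4 rule answers "may this host talk to that port", and the Layer 7 policy answers "is what it is sending actually HTTP". A flow that passes the first check but fails the second is reset and produces a log entry naming the zone pair, which is exactly the "trust boundary abused from within" case the section describes.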

Role-Based Access Control for Segment-Level Privileges

Role-Based Access Control (RBAC) ensures that users get only the access their job requires. On the Stratix 5900 this applies in two places. On the router itself, administrative accounts can be bound to roles through AAA and CLI views, so an operator can look at firewall sessions and logs but cannot change policy, while a network engineer can. For network access, user or VPN groups can be mapped to zones and policies, so maintenance engineers reach the device-management VLAN while operators are limited to the HMI VLAN. RBAC strengthens segmentation by restricting not only which traffic crosses a zone boundary but also who is able to change the boundary. This minimizes internal risk and aligns with cybersecurity best practice for smart manufacturing environments.
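The following added example, not from the original article or from Rockwell or Cisco documentation, shows the administrative side of RBAC on the router: AAA with a central TACACS+ server and local fallback, plus CLI views that limit what an operator and a maintenance technician can run. View names, command sets, the server address and every REPLACE-ME secret are assumptions for illustration.

```cisco
! Added example: administrative RBAC with AAA and CLI views. View names,
! command sets, server address and the REPLACE-ME secrets are assumptions.
aaa new-model
enable secret REPLACE-ME
!
! Central identity (assumed TACACS+ server) so roles are managed in one place;
! local accounts remain as fallback when the server is unreachable.
tacacs server PLANT-AAA
 address ipv4 10.10.30.45
 key REPLACE-ME
aaa group server tacacs+ PLANT-AAA-GROUP
 server name PLANT-AAA
aaa authentication login default group PLANT-AAA-GROUP local
aaa authorization exec default group PLANT-AAA-GROUP local
!
! Views are created from the root view ("enable view" at the exec prompt, then
! "configure terminal"). A view is an allow-list: a command not listed is
! neither visible nor executable from that view.
!
! OPERATOR: can see firewall state and logs, cannot change anything.
parser view OPERATOR
 secret REPLACE-ME
 commands exec include show ip interface brief
 commands exec include show zone-pair security
 commands exec include show policy-map type inspect zone-pair sessions
 commands exec include show logging
!
! MAINT: may change interface descriptions and take a port down for repair,
! but cannot touch zones, policies, ACLs, NAT or VPN.
parser view MAINT
 secret REPLACE-ME
 commands exec include all show
 commands exec include configure terminal
 commands configure include interface
 commands interface include description
 commands interface include shutdown
!
! Accounts are bound to a view, so the role is enforced at login.
username ops-shift1 view OPERATOR secret REPLACE-ME
username maint-tech view MAINT secret REPLACE-ME
username net-eng privilege 15 secret REPLACE-ME
```

Confirm the effect by logging in as each account and running show parser view; the commands an OPERATOR cannot see are not merely hidden from help, they are rejected. The network-access side of RBAC (which VLAN a remote user lands in) is handled by the VPN and zone-pair configuration rather than by views.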

Enhanced Monitoring and Logging per Segment

Network segmentation is only effective if it is also observable. The Stratix 5900 supports syslog, interface and zone-pair statistics, and alerting, so each segment's activity (unusual traffic volumes, dropped inter-zone packets, failed login attempts) can be seen. Logs can be forwarded to centralized tools such as FactoryTalk Network Manager or a SIEM platform. Two details make those logs usable: the router needs a trusted time source (NTP) so that events correlate with other systems, and firewall drop logging should be enabled per zone pair so that a violation of the segmentation policy produces an event rather than a silent drop. With per-segment visibility, manufacturers can isolate threats quickly, troubleshoot performance issues, and demonstrate compliance with frameworks such as ISA/IEC 62443. This visibility is a critical benefit of deploying segmentation through the Stratix 5900.
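As an added example (not from the original article or from Rockwell or Cisco documentation), this Cisco IOS fragment turns on the logging a segmented deployment needs: trusted time, syslog export, per-zone-pair drop and session logging, login auditing, and configuration-change logging. Addresses and interface names are assumptions for illustration, and the policy it amends is assumed to exist already.

```cisco
! Added example: per-segment observability. Addresses and interface names are
! assumptions for illustration.
!
! Timestamps are only useful if the clock is trusted.
ntp server 10.10.30.41
service timestamps log datetime msec localtime show-timezone
service timestamps debug datetime msec localtime show-timezone
!
! Ship syslog to the collector (FactoryTalk Network Manager or a SIEM) and keep
! a local buffer for when the collector is unreachable.
logging buffered 65536 informational
logging host 10.10.30.20
logging trap informational
logging source-interface GigabitEthernet0/2
logging origin-id hostname
!
! Firewall events: log every packet dropped by any zone-pair policy, and record
! session start and stop on the pairs that matter most. The class and policy
! names below are assumed to exist from the IDMZ configuration.
parameter-map type inspect global
 log dropped-packets enable
parameter-map type inspect AUDIT
 audit-trail on
 alert on
policy-map type inspect IDMZ-TO-PROD-POLICY
 class type inspect IDMZ-TO-PROD
  inspect AUDIT
!
! Failed and successful logins, and every configuration change, become events;
! "hidekeys" keeps secrets out of the change log.
login on-failure log
login on-success log
archive
 log config
  logging enable
  notify syslog
  hidekeys
```

Firewall drop messages name the zone pair and class that rejected the packet, and ACL log messages name the list and interface, so the collector can group events by segment without any extra tagging. A useful first detection rule on the SIEM side is simply "any drop on the IDMZ-to-Production pair", because every packet that policy rejects is something that should never have been attempted.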

Resilient Industrial Hardware for Segmented Network Uptime

Effective segmentation must also be reliable. The Stratix 5900 is built for harsh industrial environments, with an extended operating temperature range and tolerance for shock and vibration. Segmentation concentrates inter-zone traffic on the router, so its failure disrupts communication between zones; the ruggedized build, DIN-rail mounting, and dual power inputs are what keep a segmented network up through power disturbances and environmental stress. Where a single router would still be a single point of failure for a critical boundary, the mitigation is a second unit with a first-hop redundancy protocol configured between them. Its reliability makes the Stratix 5900 a sound backbone for segmented architectures in critical manufacturing systems.

Compliance Support Through Network Segmentation

Many manufacturers must comply with frameworks such as ISA/IEC 62443, NERC CIP, and NIST SP 800-82, all of which treat network segmentation (zones and conduits, in 62443 terms) as a fundamental requirement. The Stratix 5900 simplifies compliance by providing the controls to implement it (zone-based firewall, VLANs, ACLs, NAT, RBAC, and audit logs) on a single platform. A documented segmentation design lets an organization demonstrate risk reduction, asset protection, and access control to an auditor, with the router configuration and its logs serving as evidence. The Stratix 5900 is therefore not just a security appliance but a compliance enabler for industrial environments, helping manufacturers pass audits and avoid penalties.

Final Thoughts

In conclusion, the Stratix 5900 enables effective network segmentation in manufacturing plants through a set of integrated, security-focused features. First, it establishes isolated zones using VLANs and the zone-based firewall, which drops everything between zones that has not been explicitly allowed. Second, it tightens those boundaries with Access Control Lists, application-layer inspection, and role-based access control. Third, it supports secure remote access through VPN tunnels that land in their own zones, while logging keeps every boundary observable. Fourth, its rugged hardware keeps the enforcement point running in harsh industrial environments. Finally, it simplifies regulatory compliance by providing the segmentation controls auditors look for. Together, these capabilities create a secure, scalable, and resilient industrial network infrastructure. We have also compiled a list of competing routers to put head-to-head against the Stratix 5900 here.

Come visit our site to see our selection of industrial routers, drives, motors, and PLCs! Ranging from Allen-Bradley to Eaton, we have what you need! We also offer repair services for your used equipment and back our work with a two-year warranty. Call us today and see what equipment can take your factory even further!

DO Supply
Author

DO Supply Inc. makes no representations as to the completeness, validity, correctness, suitability, or accuracy of any information on this website and will not be liable for any delays, omissions, or errors in this information or any losses, injuries, or damages arising from its display or use. All the information on this website is provided on an "as-is" basis. It is the reader's responsibility to verify their own facts.