There is really no need to protect a diode with a firewall however many companies required jump hosts along with MFA on the red side remote access to the diode. In this case you would have a firewall on the red or external side for the jump host.
On the blue or "trusted side of the diode there could be routers or firewalls as traffic directors for multiple control systems to be able to communicated with the blue side of the diode. The configurations are countless depending on each control system's external communication requirements.
Mark Prince
Sign in to Participate