manualshive.com logo in svg

iS5 iSG4F, User Manual, Page: 177 / 184

Share
Download
iS5 iSG4F User Manual Download Page 177

iSG4F 

User’s  Manual 

 

iS5 Communications Inc. 

177 

Application Aware Firewall 

The integrated SCADA protocol firewall provides a network-based distributed security. 

The firewall implemented is "application-aware", meaning that it inspects the contents of the 

data packets of selected SCADA protocols according to the rules set by the user. 

 

Using the firewall, the router becomes distributed Intrusion Prevention System (IPS) realizing 

detailed service-aware inspection.   

• Supported protocols: Modbus TCP, IEC 104, DNP3 

 

The service-aware firewall checks each packet in details including: 

 

Protocol validity – Check that the packet structure and all its control fields comply 

with the standard and that the session flow follows the expected logic (i.e. session 

initiated by master, response matches request, session setup sequence, etc.). 

 

Application logic – Per each pair of source and destination devices verify that only 

the allowed communication is performed by checking the function code and the 

command parameters according to the operator defined values. 

 

27.1

 

Firewall Service Flow 

In order for a protocol flow to be inspected by the firewall the following is achieved by the iS5 

iNMS tool. 

 

A designated service VLAN is created and the ports are tagged. 

 

ACLs are placed on the relevant access port and network ports to redirect the traffic 

flow to service VLAN and to the application firewall. The ACLs will allow traffic 

between service members only. ACLs will permit traffic only of the TCP/UDP type 

correlating to the service protocol determined by the user. Other ports are blocked 

by default. 

 

The ACLs also validate the packet direction and block messages in violation of proper 

session. 

 

A file holding a list of allowed messages is created upon user configuration and is 

downloaded to the router. The file holds specific addressing properties of the target 

device under the relevant SCADA protocol (for example Common Address of ASDU in 

IEC104) and so the packet inspection is done not only at the IP header but as well in 

the payload itself. 

 

Service packets will be inspected towards this file. 

 

A packet originated and designated to a service member will be directed to the 

application processor for in depth inspection of the payload before allowed to pass 

to the network. 

 

Summary of Contents for iSG4F

Page 1: ...IEC 61850 3 and IEEE 1613 compliant iSG4F User s Manual Version 1 1 September 2014 iS5 Communications Inc 3 7490 Pacific Circle Mississauga Ontario L5T 2A3 Tel 905 670 0004 Fax 289 401 5201 Website www iS5Com com E mail support iS5Com com ...

Page 2: ...tive within this warranty period including shipping costs This warranty does not cover product modifications or repairs done by persons other than iS5 approved personnel and this warranty does not apply to products that are misused abused improperly installed or damaged by accident Please refer to the Technical Specifications section for the actual warranty period s of the product s associated wit...

Page 3: ...ear 12 2 3 Bottom 12 2 4 Side view 12 2 5 Logical System Diagram 13 Hardware Installation 13 3 1 DIN Rail Mounting 13 3 2 Panel Mounting Option 14 3 3 Chassis Ground Connection 14 3 4 Power Connections 15 3 5 Console Connection 16 Configuration 16 5 1 Command Line Interface 16 5 2 Supported Functionalities 17 5 3 System Default State 18 5 4 Main Commands 18 System Version and Data Base 19 6 1 Conf...

Page 4: ...Interfaces 33 9 1 1 Interface Assignment Rules 34 9 1 2 IP interface id 35 9 1 3 IP interface VLAN id 35 9 1 4 IP Interface Commands Hierarchy 35 9 1 5 IP Interface Commands Description 36 9 1 6 IP Interface Example 36 9 1 7 DHCP Example 39 Diagnostic 40 10 1 System logs export 40 10 1 1 Commands Hierarchy 40 10 1 2 Commands Description 40 10 2 Capture Ethernet service traffic 40 10 2 1 Commands H...

Page 5: ...e 49 ACLs 49 13 1 ACL Commands Hierarchy 50 13 2 ACL Commands Descriptions 50 13 3 Configuration Example 53 QOS 53 14 1 QOS Commands Hierarchy 53 14 2 QOS Commands Descriptions 53 NAT 54 15 1 NAT Networking 54 15 2 NAT Commands Hierarchy 55 15 3 NAT Commands Description 56 15 4 NAT Example 56 OSPF 59 16 1 OSPF Application Commands Hierarchy 59 16 2 OSPF Application Commands Descriptions 59 16 3 OS...

Page 6: ... 1 Port Mode 80 19 3 2 Service Buffer Mode 80 19 3 3 Service Connection Mode 81 19 4 Addressing Aware Modes 81 19 5 Reference drawing 82 19 6 Serial Traffic Direction 83 19 6 1 Serial ports counters 83 19 7 Allowed Latency 84 19 8 Tx Delay 84 19 9 Bus Idle Time 84 19 9 1 Byte mode 84 19 9 2 Frame mode 84 19 10 Example Serial Tunneling 85 Protocol Gateway IEC 101 to IEC 104 86 20 1 Modes of Operati...

Page 7: ... 24 2 Modes supported 120 24 3 Layer 2 VPN 120 24 4 Layer 3 DM VPN 121 24 5 L2 VPN Commands Hierarchy 121 24 6 L2 VPN Commands 122 24 7 L3 DM VPN Commands Hierarchy 122 24 8 L3 IPSec VPN Commands Hierarchy 123 24 9 IPSec 124 24 10 Applications 124 24 11 Authentication Header AH 124 24 12 Encapsulating Security Payload ESP 124 24 13 Security Associations 124 24 14 ISAKMP 125 24 15 IKE 125 24 15 1 I...

Page 8: ... 2 L3 IPSec VPN over Layer 3 cloud 157 26 2 1 Network drawing 158 26 2 2 Configuration 158 26 3 DM VPN Setup 163 26 3 1 Network drawing 163 26 3 2 Configuration 164 26 4 DM VPN over Cellular Setup 167 26 4 1 Network drawing 168 26 4 2 Configuration 169 26 4 3 Testing the setup 172 26 4 4 Adding a terminal server service 175 26 4 5 Adding a transparent serial tunneling service 176 Application Aware...

Page 9: ...er system and is classified as a CLASS 1 LASER PRODUCT Use of controls or adjustments or performance of procedures other than those specified herein may result in hazardous radiation exposure Caution Service This product contains no user serviceable parts Attempted service by unauthorized personnel shall render all warranties null and void Changes or modifications not expressly approved by iS5 Com...

Page 10: ...s utility called the iManage Software Suite The product is made from galvanized steel and has a wide operating temperature from 40 C to 85 C suitable for the harshest of environments without the use of fans 1 2 Software Features Layer 2 and Layer 3 VPN with IPSec SCADA firewall for validating all traffic to the device Supports Layer 3 protection Supports Gateway Translation for IES 101 IEC 104 Mod...

Page 11: ...2 mm H 5 in x 6 44 in x 6 07 in Hardware Overview 2 1 Front Panel Product description Port Description Console RJ45 EIA232 VT 100 compatible port E1 Ethernet Port 1 1 X 10 100 1000 Base T X RJ45 port E2 Ethernet Port 2 1 x 100 1000Base X on SFP port SFP located on bottom side S1 S2 Serial port 1 and Serial port 2 RS232 Serial RJ45 Ports Optional 1 X RS232 Serial RJ45 Port and 1 X RS485 Serial RJ45...

Page 12: ...the mounting holes for the Panel bracket mounting option 2 3 Bottom The image below shows the 10 position terminal block and ground lug of the iSG4F 2 4 Side view The image below shows the side of the iSG4F with the product label displaying router information Circled in red are the side mounting holes for the Panel bracket mounting option ...

Page 13: ... has a DIN Rail bracket on the rear panel that allows the router to be mounted on a DIN Rail To mount the iSG4F on a DIN Rail follow the steps below 1 Slant the top of the router back and hook the top of the DIN bracket onto the top of the DIN rail 2 Push the bottom of the router towards the DIN Rail until in clicks in to place ...

Page 14: ...llowing steps show how to mount the router on a panel or wall 1 Install the Panel mounting hardware onto the router The user can choose rear mounting or side mounting Note To avoid damage to the unit please use the 4 screws provided to attach the panel mount brackets onto the router 2 Use the holes in the brackets to secure the router to a wall or panel 3 3 Chassis Ground Connection The iSG4F chas...

Page 15: ...commended to ensure secure and reliable connections under severe shock or vibration The terminal block comes with a safety cover which must be removed before connecting any wires This cover must be re attached after wiring to ensure personnel safety The table below lists the connections for the terminal block Terminal Number Description Connection 1 PWR1 L Line or Positive PWR1 Positive Connected ...

Page 16: ...rface is used to configure the iSG4F from a console attached to the serial port of the router or from a remote terminal using SSH The following table lists the CLI environments and modes 100 240VAC rated equipment A 250VAC appropriately rated circuit breaker must be installed Equipment must be installed according to the applicable country wiring codes When equipped with a HI voltage power supply a...

Page 17: ...ation Configuration Environment ACE The ACE is an alternative configuration environment for supported features ACE To exit back to the GCE mode use the exit command ACE Config Use the command configure to access the ACE Configuration mode ACE config To exit back to the ACE mode use the exit command Application Hierarchy Configuration Access the target feature For example interface vlan 1 ACE confi...

Page 18: ...aces Disabled Cellular modem Disabled Layer 3 interface No default IP DHCP Client disabled SSH Disabled Telnet Enabled Syslog Disabled ACLs Disabled Firewall Disabled VPN Disabled 5 4 Main Commands The Application Configuration Environment list of main CLI commands is shown below root Router interface route static ospf ip rip cellular connection continuous echo disable enable modem network refresh...

Page 19: ...figuration is saved in a file called iSG4F conf Configuration saved in this file will be available at system startup If this file is deleted the system will boot with the iSG4Fnvram txt file holding factory configuration User Configuration is taking effect immediately upon entering No specific COMMIT command is required The user can as well save his running configuration in a file with a chosen na...

Page 20: ...d such 6 2 OS VERSION Updating of system version is available by TFTP SFTP server or safe mode Available OS files on the router can be seen with command showed below Running OS file is marked with active iSG4F os image show list Versions list IS5_iSG4F_4 0 02 08 tar active NOTE The iSG4F can hold at its disk maximum two OS image files Before downloading a new OS file to the router make sure the iS...

Page 21: ...following flow will show how to upgrade the OS image file and export the data base 1 Connect your PC via serial console cable to the iSG4F console port 2 Create an IP interface over eth1 iSG4F router interface create address prefix 172 18 212 231 24 physical interface eth1 purpose application host 3 Check connectivity to the TFTP server from which the software will be downloaded PING 172 18 212 24...

Page 22: ...er Command syntax iSG4F os image download download tftp aa bb cc dd file_name Example os image download download sw tftp 172 18 212 240 IS5_iSG4F_4 0 02 09 tar 7 Following download progress iSG4F os image download status In progress 3 MB iSG4F os image download status In progress 10 MB iSG4F os image download status In progress 16 MB iSG4F os image download status Finished Download 8 Activating de...

Page 23: ... The first Safe mode is for use by approved technicians only and should not be used unless specified by iS5 Communications This safe mode state is available at the prompt For first safe mode Press s The second safe mode is accessible at the following prompt For safe mode Press s The screenshot in Safe Mode View details the 2 safe mode menus and their options for 1 system reset 2 Loading the factor...

Page 24: ... up process help H Display help about this utility c Extracting software s OK 01 01 70 00 01 09 Running applications For safe mode Press s safe mode menu reset 1 Reset the device defcfg 2 Load the factory default configuration for the device eeprom 3 Write to EEPROM recover 4 Recover the device s images from a package file db 5 Export Import DB continue c Continue in start up process help H Displa...

Page 25: ...format 2 Format flash activate 3 Activate sw version on flash install 4 Install first sw version from TFTP continue c Continue with start up process help H Display help about this utility This choice will delete data from flash Continue y n y 3 Assign IP address and subnet to the iSG4F Connect an ethernet cable to the ETH port and Enter the following parameters xxx xxx xxx xxx DEVICE IP ADDRESS 10...

Page 26: ... 1 1 ETH1 10 100 MB 2 ETH2 1 5 Set the IP address of the TFTP server holding the OS Image file TFTP SERVER IP ADDRESS 10 10 10 10 10 10 10 6 6 Connect the iSG4F at port ETH1 RJ45 to your tftp server Verify ping availability between the two 7 Enter the OS image file name Enter version number on TFTP Server For main menu press X IS5_iSG4F_4 0 02 08 tar ...

Page 27: ... 02 03 tar appl tar gz OK vmlinux UBoot OK SW version was verified successfully vmlinux tar vmlinux UBoot OK Updating bank1 with vmlinux UBoot file please wait OK Version was installed and activated successfully Reboot in 0 Ethernet Port Interfaces The iSG4F hardware includes the following Ethernet interfaces Gigabit Ethernet copper RJ45 Copper 10 100 1000 Base T X supported Referred to in CLI as ...

Page 28: ... type port eth1 eth2 rmon etherstat table port eth1 eth2 status sf port ddm detailed extended 7 2 Port Commands Example iSG4F port show interface table port eth1 Interface ETH1 Counter Name Value Counter Name Value In non unicast packets 2670 Out non unicast packets 5 In unicast packets 233 Out unicast packets 4 In errors packets 0 Out errors packets 0 In octets 311651 Out octets 690 Unknown packe...

Page 29: ...0M full 2 1 eth2 enabled on 100M full iSG4F port show rmon etherstat table port eth1 Interface ETH1 Counter Name Value Counter Name Value total packets 2789 undersize 0 total octets 300591 oversize 0 broadcast 1832 Size 64 1055 multicast 725 Size 65 127 1239 align error 0 Size 128 255 435 dropped event 0 Size 256 511 35 fragmented 0 Size 512 1023 4 ...

Page 30: ...y default NOTE A console cable is supplied in the box 8 1 1 Connecting to the Console Port The console port is an EIA232 VT 100 compatible port to enable the definition of the device s basic operational parameters Connecting the device to a PC using the Console Port Connect the RJ 45 connector of the console cable to the device s Console Port CON Connect the other side of the cable to the PC Confi...

Page 31: ...ia following methods IP based Serial console port 8 2 1 Default state Feature Default state Layer 3 interface No default IP SSH No available Telnet Enabled Console Enabled User User name su Password 1234 Privilege all DHCP Client disabled 8 2 2 Commands Hierarchy root reload schedule date and time YYYY MM DD HH MM SS schedule every 180 604800 seconds schedule time HH MM SS schedule in 0 604800 sec...

Page 32: ... Set specific date and time for router reload Time format YYYY MM DD HH MM SS Note configuration which was not committed will not be available after reload reload schedule every Set time interval for cyclic automatic system reload Permissible range in seconds is 180 604800 Note Configuration which was not committed will not be available after reload reload schedule time Set specific time for route...

Page 33: ...lable after reload reload cancel Cancels all scheduled automatic reloads reload show Shows user scheduled reloads IP Interfaces The iSG4F supports multiple layer 3 interfaces to be set for the purposes of Routing Management Serial services 9 1 IP Interfaces The following services require assignment of an IP interface DHCP client Management Ping Trace route OSPF RIPv2 Tftp client Serial tunneling T...

Page 34: ... unique subnet Each interface must be associated to a physical interface Either eth1 or eth2 An interface cannot be associated with both Physical interfaces eth1 eth2 may be associated with more than one IP interface Tagged packets accessing the port will be routable to a relevant VLAN IP interface Untagged packets accessing the port will be routable with an IP interface set to be in the same subn...

Page 35: ...ace when the network does not support vlan tagging and ingress packets to the physical interface are untagged 9 1 3 IP interface VLAN id When an IP interface is assigned with a VLAN id it supports VLAN tagging A Packet coming inward to the physical interface eth1 or eth2 as assigned will be received by the IP interface only if holding the required VLAN tag Packets originated from the IP interface ...

Page 36: ...on mode interface create remove Add or Remove an IP interface for the application engine The configuration should include Address prefix IP address in the format aa bb cc dd xx VLAN vlan ID that the application engine will use for this IP interface Static route create remove Define or remove the default gateway for an application IP network network prefix target network address in the format aa bb...

Page 37: ... 1500 application host enable router static router static enable router static configure terminal router static config ip route 0 0 0 0 0 172 17 212 100 router static config write router static config exit router static exit commit router route show Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 172 17 212 0 0 0 0 0 255 255 255 0 U 0 0 0 eth1 100 0 0 0 0 172 17 212 ...

Page 38: ...r interface create address prefix 172 17 203 100 24 physical interface eth2 purpose application host commit commit ok iSG4F router interface show Id VLAN Name IP Subnet Mtu Purpose Admin status Description 1 N A eth2 1 172 17 203 100 24 1500 application host enable ...

Page 39: ...ace eth1 to retrieve an IP from a DHCP server iSG4F router dhcp enable physical interface eth1 router interface show VLAN Name Id IP Subnet Purpose Description N A eth1 N A N A N A DHCP router interface show VLAN Name Id IP Subnet Purpose Description N A eth1 N A 172 18 212 242 28 N A DHCP ...

Page 40: ...und a usb drive insert it to the router usb port and reboot the router add task name copy logs Add a scheduled task to copy system logs to the usb drive Day 1 31 Month 1 12 year 2013 3000 hour 1 24 minute 1 60 remove task name copy logs Remove a scheduled task to copy system logs to the usb drive Show Display tasks 10 2 Capture Ethernet service traffic The system supports sniffing and capturing of...

Page 41: ...on Application connect Entering the Application Configuration Environment Capture Start initiate Ethernet traffic capture on a selected ACE IP interface i mandatory prefix to be followed with the IP interface name eth1 vlan id where vlan id is the VLAN of the IP interface Stop stop Ethernet traffic capture Delete delete capture files Export remote address export file to a tftp server Show captured...

Page 42: ...ture is running 3 Stop the capture and display the output Capture stop capture show captured packets c 10 16 55 07 370814 IP 172 18 212 240 netbios ns 172 18 212 232 netbios ns NBT UDP PACKET 137 QUERY POSITIVE RESPONSE UNICAST 16 55 07 616319 IP 172 18 212 240 17500 255 255 255 255 17500 UDP length 112 16 55 07 616628 IP 172 18 212 240 17500 172 18 212 255 17500 UDP length 112 16 55 07 926503 arp...

Page 43: ...s is its simplicity The transmission of syslog messages may be started on a device without a receiver being configured or even actually physically present This simplicity has greatly aided the acceptance and deployment of syslog User enables syslog server and configures the syslog related parameters The logging process controls the distribution of logging messages to the various destinations such ...

Page 44: ...slog Commands Hierarchy root syslog show 10 3 3 Syslog Output example A typical output of syslog at the console interface May 18 19 27 48 SmartSwitch user warn kernel Speed 100 Duplex 1 pause 0 May 18 19 27 48 SmartSwitch user warn kernel adjust_link Addr 1 link 0 speed 100 o 100 dup 1 o 1 May 18 19 27 48 SmartSwitch user info kernel PHY mdio ff724000 01 Link is Down May 18 19 27 50 SmartSwitch us...

Page 45: ...ations Inc 45 Alarm Relay The router has a capability to manifest system and features alarms as a relay output 11 1 Alarm Relay Wiring example Below is a connection diagram illustrating the wiring of the alarm relay to warning devices ...

Page 46: ...3 2 L2 VPN state The state of a layer 2 VPN is monitored by the IPSec SA A VPN failure is supported as alarm trigger relay state change at the a chosen relay interface 11 3 3 System up down Alarm set while system is in BOOT phase This specific alarm type can be associated only to the physical interface alarm and not to d out1 or d out2 Once this alarm is activated no other alram types can be assig...

Page 47: ...Command Description config application connect Entering the ACE mode alarm relay Entering the alarm relay mode add update condition set the trigger condition for the alarm l2vpn failure at the l2 VPN will trigger a relay change ETH2 status down for this port will trigger a relay change system power Alarm set while in BOOT and when the S W performs reset interface set the target relay interface for...

Page 48: ...ndition Alarm the ALARM relay interface State the static state to set the relay interface state to Set force to change the relay contacts from its default mechanical state Clear force the relay contacts to its default mechanical state show Show the current state admin status alarming_conditions conditions settings Clock and Time Local time set and update is available 12 1 Local Clock Commands Hier...

Page 49: ... determine whether to forward or drop the packet based on the criteria specified within the access lists Access list criteria can be the source address of the traffic the destination address of the traffic the upper layer protocol or other information There are many reasons to configure access lists access lists can be used to restrict contents of routing updates or to provide traffic flow control...

Page 50: ... c d e dst ip any a b c d a b c d e src port 1 65535 dst port 1 65535 src port range 1 65535 1 65535 dst port range 1 65535 1 65535 deny udp acl num 1001 65535 rule name priority 1 128 src ip any a b c d a b c d e dst ip any a b c d a b c d e src port 1 65535 dst port 1 65535 src port range 1 65535 1 65535 dst port range 1 65535 1 65535 permit icmp acl num 1001 65535 rule name priority 1 128 src i...

Page 51: ...P address of the host that the packet is from and the network mask to use with the source IP address dst ip any host dst ip dest ip mask Destination IP address can be any or the dotted decimal address or the IP address of the host that the packet is destined for and the network mask to use with the destination IP address Src port source port number dst port destination port number Src port range s...

Page 52: ...f the host that the packet is destined for and the network mask to use with the destination IP address Priority this field will determine the rules execution order Higher value of filter priority implies it will be executed first This value ranges between 1 and 128 ip access group Apply remove acl num 1001 65535 the acl main identifier direction supported direction is in interface choose the targe...

Page 53: ...nly using serial legacy hardware For such applications the iSG4F supports protocol gateway serial tunneling and terminal server services These low bandwidth applications may be of high importance to the utility process and require high network availability The QOS allows setting priority for serial services 14 1 QOS Commands Hierarchy qos mark rule create src ip A B C D E dest ip A B C D E protoco...

Page 54: ...he new source IP of the session request hiding the original private IP of the initiating LAN device The NAT router can use a single WAN IP interface to traverse multiple private IP addresses of its LAN thus limiting the required public IP addresses to a single one Static NAT settings direct incoming WAN traffic to a particular target LAN client As the WAN stations usually will not have a route to ...

Page 55: ...erver and replies of the Server will be received at the PC Sessions initiated by the Server towards the PC will not be received by the PC Dynamic and Static NAT together Both the Server and the PC can initiate sessions and receive replies 15 2 NAT Commands Hierarchy router nat Dynamic Create interface name eth1 vlan id eth2 vlan id eth1 id eth2 id ppp0 description text remove interface name eth1 v...

Page 56: ...w static NAT entries Original ip the original destination IP in the incoming packet IP header Modified ip the IP to which the NAT should traverse the original IP to Original port the original protocol destination port at the incoming packet IP header Modified port the protocol port to which the NAT should traverse the original port to Protocol define the protocol which the incoming packet uses for...

Page 57: ...ynamic NAT settings using the WAN ACE interface router nat dynamic create interface name eth2 2 description wan 4 Set Static NAT settings directing WAN traffic targeted to 192 168 10 11 with port Telnet 23 towards 10 10 10 10 This will allow the PC to achieve management to the iSG4F router nat static create original ip 192 168 10 11 modified ip 10 10 10 10 original port 23 modified port 23 protoco...

Page 58: ... eth1 1 10 10 10 10 24 1500 general enable LAN 2 N A eth2 2 192 168 10 11 24 1500 general enable WAN router nat dynamic show Rule Id If Name Description 1 eth2 2 wan iSG4F router nat static show Rule Id Original Dst IP Original Dst Port Protocol Modified Dst IP Modified Dst Port 1 192 168 10 11 23 tcp 10 10 10 10 23 2 192 168 10 11 20000 tcp 10 10 10 100 20000 ...

Page 59: ... own links and it also sends the complete routing structure topography The advantage of shortest path first algorithms is that they result in smaller more frequent update everywhere They converge quickly thus preventing such problems as routing loops and Count to Infinity when routers continuously increment the hop count to a particular network This makes for a stable network 16 1 OSPF Application...

Page 60: ...s given in A B C D format or as a metric id 0 4294967295 router id router id for the OSPF process given in A B C D format network Enable routing on an IP network Network can be given as A B C D M or as a name of a preconfigured interface eth1 vlan id passive interface Suppress routing updates on an interface Given as a name of a preconfigured interface eth1 vlan id redistribute Redistribute inform...

Page 61: ...ports from default VLAN 1 config vlan 1 no ports fa 0 1 2 untagged fa 0 1 2 exit 2 Assign VLANS and corresponding IP interfaces vlan 101 ports fastethernet 0 1 exit vlan 102 ports fastethernet 0 2 exit interface vlan 101 shutdown ip address 172 18 101 201 255 255 255 0 no shutdown ...

Page 62: ...it interface vlan 102 shutdown ip address 172 18 102 201 255 255 255 0 no shutdown exit 3 Configure OSPF router ospf router id 10 10 10 101 network 172 18 101 201 255 255 255 0 area 0 0 0 0 network 172 18 102 201 255 255 255 0 area 0 0 0 0 end commit ...

Page 63: ...faces vlan 102 ports fastethernet 0 2 exit vlan 103 ports fastethernet 0 3 exit interface vlan 102 shutdown ip address 172 18 102 202 255 255 255 0 no shutdown exit interface vlan 103 shutdown ip address 172 18 103 202 255 255 255 0 no shutdown exit 3 Configure OSPF router ospf router id 10 10 10 102 network 172 18 102 202 255 255 255 0 area 0 0 0 0 network 172 18 103 202 255 255 255 0 area 0 0 0 ...

Page 64: ... interfaces vlan 103 ports fastethernet 0 3 exit vlan 104 ports fastethernet 0 4 exit interface vlan 103 shutdown ip address 172 18 103 203 255 255 255 0 no shutdown exit interface vlan 104 shutdown ip address 172 18 104 203 255 255 255 0 no shutdown exit 3 Configure OSPF router ospf router id 10 10 10 103 network 172 18 104 203 255 255 255 0 area 0 0 0 0 network 172 18 103 203 255 255 255 0 area ...

Page 65: ...d fa 0 1 0 4 exit 2 Assign VLANs and corresponding IP interfaces vlan 101 ports fastethernet 0 1 exit vlan 104 ports fastethernet 0 4 exit interface vlan 101 shutdown ip address 172 18 101 204 255 255 255 0 no shutdown exit interface vlan 104 shutdown ip address 172 18 104 204 255 255 255 0 no shutdown exit 3 Configure OSPF router ospf router id 10 10 10 104 ...

Page 66: ...outing metric 17 1 RIP Commands Hierarchy root router rip enable exit show ip rip configure terminal no router rip no network A B C D M interface name eth1 id no passive interface interface name eth1 id no redistribute connected static no neighbor A B C D version 1 2 write exit show running config no interface IFNAME no ip rip authentication key chain key mode md5 text string string send version 1...

Page 67: ...terface Suppress routing updates on an interface Given as a name of a preconfigured interface eth1 vlan id redistribute Redistribute information from another routing protocol neighbor Specify a neighbor router given as A B C D M version 1 2 The default is to send RIPv2 while accepting both RIPv1 and RIPv2 and replying with packets of the appropriate version for REQUESTS triggered updates The versi...

Page 68: ... sets authentication string The string must be shorter than 16 characters ip rip send receive This interface command overrides the global rip version setting and selects which version of RIP to send receive packets with for this interface specifically Choice of RIP Version 1 RIP Version 2 or both versions In the latter case where 1 2 is specified packets will be both broadcast and multicast Defaul...

Page 69: ...point X X X Serial Remote end point Required if service is remote iec101 gw X termserver X The table below details the state required for main configuration parameters depending on the used application Hirarchy level Configurable Parameter Transparent Tunneling Terminal Server 101 104 Gateway Serial Port Mode of operation Transparent Transparent Transparent Serial Local end point application Seria...

Page 70: ...mode of operation Serial tunnel serial tunnel terminal server iec101 gw modbus gw admin status up down allowed latency 20msec 2 255 tx delay msec 0 255 remove slot 1 port 1 2 update slot 1 port 1 2 baudrate parity no no odd even stopbits bus idle time bits 30 1000 mode of operation Serial tunnel serial tunnel terminal server iec101 gw modbus gw admin status up down allowed latency 20msec 2 255 tx ...

Page 71: ...ial configuration hierarchy Configuration for ports local end point and remote end point are available here Service show Provides configuration state of a serial service local end point filter show Provides detailed configuration state of an iec101 serial tunneling service card Auto recover allows automatic recovery when identifying continuous loss of serial infrastructure keep alive between the s...

Page 72: ...f total serial bits received over the local serial link to be considered as a single message allowed latency given in msec this value describe the network allowed latency This value affects the time to be allowed to delay before transmitting UDP TCP packets The higher the value is the more serial frames can accumulate into a single UDP TCP packets Default value is 10msec which corresponds to max 3...

Page 73: ...en application iec101 gw and protocol iec101 0 65535 iec101 link address len set the IEC 101 link address length Applicable when application iec101 gw and protocol iec101 1 2 bytes Default is 2 iec101 originator address set if the originator i field is included in the IEC 101 message This will reflect on the Cause Of Transmission being 1 byte or 2 byte size If present COT 2 If none COT 1 unit id s...

Page 74: ...erminal server iec101 gw modbus gw show Remote end poin t Defines the remote end points in a transparent serial tunneling service Create remote address IPv4 address A B C D Service id numeric value of serial service 1 100 Position Master Slave connection mode udp default tcp Buffer mode byte default frame Remove address IPv4 address A B C D Service id numeric value of serial service show 18 5 Decl...

Page 75: ...rial Port Default State The default state of the serial ports is non configured 18 7 RS 232 Port Pin Assignment Below is the pin assignment of the serial ports iSG4F Serial RJ45 Female Port Line Pin DCD 2 Tx 6 Rx 5 DSR 1 GND 4 DTR 3 CTS 7 RTS 8 NOTE The serial control lines are not supported at current version ...

Page 76: ...male connector for end device Pinout for crossed cable CBL RJ45 DB9 NULL DB9 RJ45 Female DB 9 DCE Male RJ 45 Female RJ 45 2 6 6 Tx 3 5 5 Tx 5 4 4 GND CAUTION Take notice not to use the console cable for the user serial ports The console cable is uniquely colored white CBL TJ45 DB9 S RPT 18 9 Led States Each serial port has a led to indicate its state Port created Port admin state Traffic passing L...

Page 77: ...evice at the router serial port is encapsulated as UDP or TCP Ethernet packets by the router An ACE IP interface is configured to route the packets over the Ethernet network The Ethernet cloud may be layer 2 based or layer 3 routing based and may involve any type of networking including cellular connectivity and VPN between the routers The serial devices must all be connected to iS5 routers The ro...

Page 78: ...es Point to point service at which the master and slave are connected locally at the same router The picture below illustrates Point to point service at which the master and slave are behind different routers 19 2 2 Point to multipoint point The picture below illustrates Point to multipoint service in which the master and slaves are connected locally at the same router The picture below illustrate...

Page 79: ...iSG4F User s Manual iS5 Communications Inc 79 19 2 3 Multi Point to multipoint point The picture below illustrates a typical multipoint to multipoint service 19 3 Modes of Operation ...

Page 80: ...d The default state is byte mode If the user keeps this field with its default state but configures the service connection mode to tcp the buffer mode will be changed to frame automatically If the user explicitly set the buffer mode to either byte or frame the configuration will take effect for any connection mode setting tcp udp Byte mode A byte is structured as start bit data bits parity bit sto...

Page 81: ...al tunneling aims to keep the end to end serial service simple and with no tempering of higher layer protocols Non aware mode Serial data will be set to be received in either byte or frame mode with no awareness of the data content or protocol addressing At this mode the following behavior is achieved within a service group Traffic sent from a master device will received by all slaves Traffic sent...

Page 82: ...ation iec101 gw and protocol iec101 19 5 Reference drawing For ease of explanation of following terms and serial properties at this chapter the diagram below will be used as a reference to follow on the serial traffic flow The diagram demonstrates two iSG4F routers connected over an Ethernet network and sharing a transparent serial tunneling service ...

Page 83: ...s the traffic received at the serial processor from the CE over the serial port 19 6 1 Serial ports counters The Tx and Rx counters of the serial ports are controlled by the serial processor Rx counters Switch1 counters will increase when CE1 transmits Data is received at the serial processor via S1 and updates the counters Switch2 counters are not updated Tx counters Switch1 counters are not upda...

Page 84: ...port Depending on the baud rate chosen and the number of bits a time is calculated for Tx delay Switch1 as the serial processor only receives serial data the tx delay is of no affect Switch2 the Ethernet encapsulated data is received at router 2 and to its serial processor It is then transmitted to CE2 via S1 following a time elapse of the tx delay The serial processor will delay transmitting the ...

Page 85: ...dress prefix 172 18 212 231 24 vlan 100 purpose application host physical interface eth2 serial port create slot 1 port 1 baudrate 9600 parity even mode of operation transparent serial local end point create slot 1 port 1 service id 1 application serial tunnel position slave serial remote end point create remote address 172 18 212 230 service id 1 position master commit exit commit Configuration r...

Page 86: ... tunnel position master serial remote end point create remote address 172 18 212 231 service id 1 position slave commit exit commit Protocol Gateway IEC 101 to IEC 104 The iSG4F router using its application module implements the gateway for IEC101 serial devices to the IEC104 IP protocol The IEC101 and IEC104 protocols are fully integrated in the application module thus allowing the IEC101 slave d...

Page 87: ...unction includes the full implementation of the state machine of the IEC101 master initialization and arbitration of the IEC101 bus and issuing commands to the appropriate IEC101 slave to provide the response to the requests which arrive from the message router The IEC101 devices will be configured with their serial link properties device address and ASDU address to be uniquely identified behind t...

Page 88: ...party line planned Physical layer o Transmission speed in monitor control direction 300 38400bps Link layer o Link transmission procedure Balanced transmission Unbalanced transmission o Address field of the link Not present balanced transmission only One octet Two octets Structured values translation Unstructured Application layer o Common address of ASDU One octet Two octets o Information object ...

Page 89: ...th an IP address and should be associated with a VLAN for the uplink traffic This application IP interface acts as the IEC104 server in the Ethernet network and represents all the IEC101 devices connected locally to the router towards the IEC104 clients Optional remote IP addresses When configuring the IEC104 service group you should also provide the IP addresses of the IEC104 clients so the prope...

Page 90: ...IEC 104 Client d Verify by following methods i Successful ping between the IEC 104 Client SCADA and the iSG4F designated IP interface ii IEC 104 connection established Use the command iec101 gw show all to verify connection at the switch 2 Serial connection towards the locally connected IEC101 server RTU a Configure a serial port i Serial properties as baud rate parity and such must be consistent ...

Page 91: ...RS232 RJ45 port of the switch is given in this manual Control lines are not supported for the gateway application Usage of Tx Rx and GND lines are allowed e Verify by following methods i Use the command iec101 gw show all to verify the operational status OP ST is UP ii Follow serial port and gateway counters to check if serial traffic is received and transmitted at the serial port Show commands se...

Page 92: ...9600 50 368400 parity no no odd even stopbits 1 2 databits 8 5 8 admin status up down show local end point create create slot 1 port 1 2 application iec101 gw service id 1 100 position slave remove slot 1 port 1 2 service id 1 100 show iec101 gw operation start stop cnt show show all iec101 log state slot 1 port 1 2 config gw update mode balanced balanced unbalanced ip_addr A B C D iec101 create u...

Page 93: ... 255 t2 10sec 1 255 t3 20sec 1 255 20 6 Gateway 101 104 Commands Command Description iec101 gw Configuration mode of 101 104 gateway Operation Start activate the gateway Stop stop the gateway takes effect on all IEC 101 nodes connected to the switch Config gw update mode Unbalanced for 101 servers unbalanced topology Balanced default for 101 servers balanced topology ip_addr IP address of a chosen...

Page 94: ...e values are one or two bytes Should be identical to the configuration at the IEC 101 server translated_cmn_addr used when a translation service required for the common address of asdu The value should be identical to the actual common address of the IEC101 Server A decimal value of 1 255 or 1 65534 is allowed depending if common_address_field_length is set to one byte or two link_addr Should be c...

Page 95: ...guration at the 101 slave relevant in Balanced mode only single_char y n are Permissible values Should be configured identical to the 101 slave configuration Relevant in Balanced mode only ioa_len IO object length Permissible values are 1 2 3 bytes Should be identical to the configuration at the 101 slave add_ioa_tran s remove_ioa_tr ans Slot Port physical interface where the 101 slave is connecte...

Page 96: ...r each byte is 1 255 example for 3 bytes size IOA 5 212 151 iec104 update remove ip_addr IP address of the SCADA orig_addr originator address of the SCADA to Time out of connection establishment t1 Time out of send or test APDUs t2 Time out for acknowledges in case of no data messages t2 t1 t3 Time out for sending test frames in case of a long idle state 20 7 Example Gateway 101 104 The network be...

Page 97: ... mode of operation transparent baudrate 9600 parity even 3 Create the local serial service for the port the field application must be set to iec101 gw serial local end point create port 1 service id 1 application iec101 gw 4 Configure the gateway mode of operation and choose the ACE interface to be used The IP interface must be available in advance iec101 gw config gw update mode balanced ip_addr ...

Page 98: ...nagement station via local connection at its ports or Via IP network In both cases the connection is TCP based A router acting as the terminal server can be connected to the serial end device managed station via local connection at its RS 232 ports or Over UDP connection to a remote iS5 router to which the serial device is connected directly to In this case there will be a transparent serial tunne...

Page 99: ...support P2MP in 2 modes Over the same service using the same TCP port number Over different services using multiple TCP sessions each with a different TCP port The user will configure services to determine which RTU is to be addressed via which telnet session In bellow example Serial transparent tunneling UDP TCP traffic will take place between the iS5 routers thus establishing the paths from the ...

Page 100: ... 8 parity no no odd even stopbits 1 1 2 bus idle time bits 30 1000 mode of operation transparent admin status up down remove slot 1 port 1 2 show slot 1 port 1 2 local end point create slot 1 port 1 2 service id 1 100 position slave application terminal server remove slot 1 port 1 2 service id 1 100 show terminal server admin status enable disable show services show service id ...

Page 101: ...out 0 1440 buffer mode frame byte show telnet service create remote address A B C D service id 1 100 telnet port range null cr mode off off on max tcp clients 1 8 remove service id 1 100 show serial tunnel create remote address A B C D service id 1 100 remove service id 1 100 show 21 3 Terminal Server Commands Command Description Serial port Create update the serial port Clear counters Clear count...

Page 102: ...ity no odd even Stopbits 1 2 Mode of operation transparent Remove Slot 1 constant Port port number 1 4 Show Local end point Create Slot 1 constant Port port number 1 4 Service id numeric value of serial service Application Terminal server Remove Slot 1 constant Port port number 1 4 Service id numeric value of serial service show terminal server Enter terminal server configuration Admin status Enab...

Page 103: ...l iS5 Communications Inc 103 Command Description Connections disconnect show Manage the TCP connections to the terminal server service id serial service id number assigned to the terminal server counters Display counters ...

Page 104: ...arameter will release the open TCP socket after the configurable time so a new connection could be established Setting the value 0 will disable the timeout and keep the session open until administratively release or ended by the client Update buffer mode default frame frame the terminal server will hold from egress the TCP packet until receiving validation from the serial local end that a message ...

Page 105: ...router at which the terminal server is established If the terminal server is configured on a local router which as well accommodates the serial port then this configuration of serial tunnel should not be used Remote address the IP address of the terminal server This would be the address of the application interface at the remote router acting as the terminal server Service id the local serial serv...

Page 106: ...ly at the nodes which are set to act as the terminal server Meaning the router to which the telnet client user will open a TCP session to Remote address the IP address of the remote serial tunnel node this would be the address of the application interface at the remote router which holds the target serial device Service id the remote serial service id to which the target serial device is mapped to...

Page 107: ...P port number in the range of 2000 2100 Service id serial service id number which the designated serial port is configured as a member in local end point Slot 1 constant Port port number 1 4 show Show port mapping 21 4 Example local Service The example below demonstrates a setup of a local service at which both the telnet client and the serial slave are connected locally to the router The router i...

Page 108: ...reate port 1 baudrate 9600 parity no databits 8 mode of operation transparent serial local end point create port 1 service id 1 application terminal server 3 Configure the terminal server to listen on port 20000 terminal server admin status enable terminal server settings update low border telnet port 20000 buffer mode byte terminal server telnet service create service id 1 remote address 172 18 2...

Page 109: ...ion N A eth1 1 1 172 18 212 230 24 application host iSG4F serial port show idx slot port bus mode baud data parity rate bits 1 1 1 RS232 Transparent 9600 8 None iSG4F serial local end point show index service slot port application position firewall firewall id mode protocol 1 1 1 1 terminal server Slave disable any iSG4F terminal server telnet service show index service id telnet port dest ip ...

Page 110: ...date IP connectivity 6 Open a telnet session from the PC to the router telnet 172 18 212 230 20000 7 The connection will be indicated in the following show output terminal server connections show index service telnet client client service client client id port source IP dest IP id dest slot dest port 1 1 20000 172 18 212 240 172 18 212 230 1 1 1 ...

Page 111: ...will be reachable to telnet client PC The serial connection can be validated by following the port counters iSG4F serial port show briefly slot 1 port 1 idx slot port svc mode baud data parity stop id rate bits bits 1 1 1 1 Transparent 9600 8 None 1 OctetsIn 20 OctetsOut 25 TxError 0 RxError 0 OctetsTotal 45 21 5 Example Networking Left Router ...

Page 112: ... server serial tunnel create service id 1 remote address 172 18 212 230 commit Right Router 3 Assign IP interfaces router interface create address prefix 172 18 212 200 24 vlan 100 purpose application host physical interface eth2 router interface create address prefix 172 17 203 200 24 physical interface eth1 purpose general 4 Configure the terminal server terminal server admin status enable termi...

Page 113: ...terface and the Modbus RTU station ID as its target The gateway will listen to incoming packets and forward the message in a serial uniform to relevant Modbus RTU using the station id as identifier Up to 5 instances of a gateway can co exist Each must use a different ACE IP interface and have a unique gateway id A serial port connecting a Modbus RTU device can be associated with a single gateway i...

Page 114: ...w by port slot 1 port 1 4 debug map units on bus show slot 1 port 1 4 map units on bus start slot 1 port 1 4 show serial points slot 1 port 1 4 show server points slot 1 port 1 4 show tcp points history clear gw id 1 5 show gw id 1 5 mapping add gw address prefix a b c d e admin status enable diable gw id 1 5 timeout period 500 100 000 add id slot 1 port 1 4 gw id 1 5 unit id 1 255 remove gw gw id...

Page 115: ... behind the serial port History Show Show latest reply from each unit and the time in seconds from that connection Per gateway instance Clear Clear history table Per gateway instance Mapping Map a new gateway instance address prefix an IP address of an available ACE interface A B C D E admin status enable disable gw id unique gateway instance identifier 1 5 timeout period set the maximum time allo...

Page 116: ...face for the gateway router interface create address prefix 192 168 40 10 24 physical interface eth1 description client admin status enable purpose application host 2 Assign a serial port to be used for connecting the Modbus rtu slave serial port create slot 1 port 1 serial local end point create slot 1 port 1 service id 1 protocol modbus_rtu application modbus gw 3 Assign the gateway settings mod...

Page 117: ...ted OK modbus gw debug map units on bus start port 1 slot 1 Port mapping started Operation in process modbus gw counters show by port Slot Port Rx valid Rx error Tx valid Tx error 1 1 477 0 582 0 modbus gw counters show by id gw id 4 gwid 4 unit id 65535 Gw Unit Id Rx valid Rx error Tx valid Tx error 4 3 477 0 599 0 Slot Port Rx valid Rx error Tx valid Tx error 1 1 477 0 616 0 ...

Page 118: ...us gw mapping show ids GW index GW IP Subnet Unit Id slot port bus 4 192 168 40 10 24 3 1 1 RS232 modbus gw debug show serial points Serial points slot 1 port 1 pointer 0x1007c408 modbus gw debug show server points Server points IP addr 192 168 40 10 GwId 4 Subnet mask 255 255 255 0 pointer 0x10081580 modbus gw debug map units on bus show List of units for slot 1 port 1 Port mapping ended ...

Page 119: ...owing setup demonstrates DNP3 gateway configuration 1 Assign IP interface for the gateway router interface create address prefix 192 168 40 10 24 physical interface eth1 purpose application host 2 Assign a serial port to be used for connecting the DNP3 RTU slave serial port create port 1 mode of operation transparent serial local end point create port 1 service id 1 protocol application terminal s...

Page 120: ...ith the iS5 routers both L2 and L3 VPNs are supported Both modes are based on GRE tunnelling Operational Modes 1 L2 GRE VPN 2 L3 mGRE DM VPN route based 24 3 Layer 2 VPN The usage of GRE tunneling which supports encapsulation of Ethernet traffic enables the transparent connectivity between the sites as a single Ethernet network without setting up IP routing logic between them For example such tran...

Page 121: ...net 24 4 Layer 3 DM VPN The layer 3 mGRE supports more complex networking and protection Topologies supported are 1 Multiple Hubs vs Multiple Spokes 2 Multiple Clouds 3 Multiple tunnels allowed at the hub 4 Multiple tunnels allowed at each spoke towards different Hubs or towards the same hub via different clouds 5 L3 DM VPN is supported over fixed uplink and as well over cellular 6 Supports static...

Page 122: ...nly Hub show For cellular application only show show IP of currently connected cellular spokes Spoke update show For cellular application only Update remote ip configure remote IP of Hub in format of A B C D Update private ip configure local identifier in the form IP A B C D Tunnel Clears tunnel counters Create remove Name name of the tunnel Local end point local IP of the application interface Re...

Page 123: ... source remove name show name nhrp map craete update multipoint gre name nbma address protocol address prefix A B C D M initial register no yes is cisco no yes protection group position master slave remove multipoint gre name show show status cache flush cache purge cache show enable disable log show route show show protection group create udate remove name default route yes no yes wait to restore...

Page 124: ... integrity and data origin authentication for IP datagrams Supported mode per IKE phase 2 transport tunnel No specific configuration is available for AH Authentication and encryption are implemented for ESP 24 12 Encapsulating Security Payload ESP ESP provides origin authenticity integrity and confidentiality protection of IP packets Supported exchange mode per IKE phase 1 main aggressive Supporte...

Page 125: ...e middle This is important because these are the types of attacks that are targeted against protocols As mentioned a security association SA is a set of policy and key s used to protect information The ISAKMP SA is the shared policy and key used by the negotiating peers in this protocol to protect their communication ISAKMP uses the Internet Key Exchange IKEv1 for the authentication and encryption...

Page 126: ...ated with RSA signatures or pre shared keys The exchange modes are Main Mode and Aggressive Mode and are accomplished at the phase 1 Authentication Pre shared Key PSK A PSK is an option for the IKE phase 1 authentication The encryption hash and authentication algorithm for use with a pre shared key are a part of the state information distributed with the key itself Each VPN end point Hubs Spokes m...

Page 127: ...psec isakmp update authentication method pre_shared_key ipsec isakmp update my id SA iS5com com ipsec preshared create id SA iS5com com key secretkey ipsec preshared create id SB iS5com com key secretkey ipsec policy create protocol gre ipsec enable commit ...

Page 128: ...iSG4F User s Manual iS5 Communications Inc 128 The above configuration example will result in following show output ...

Page 129: ...icate files 1 Import the key file iSG4F rsA signature import tftp 172 17 203 31 ipsec key RSA signature file ipsec key imported successfully 2 Import the certificate file iSG4F rsA signature import tftp 172 17 203 31 ipsec crt RSA signature file ipsec crt imported successfully 3 Validate successful import iSG4F show rsA signature list ipsec crt ipsec key 4 Activate the certificate ipsec rsa signat...

Page 130: ...o the responder describing what encryption and authentication protocols are supported the life time of the keys and if phase 2 perfect forward secrecy should be implemented The proposal may contain several offerings The responder chooses from the offerings and replies to the initiator The next exchange passes Diffie Hellman public keys and other data All further negotiation is encrypted within the...

Page 131: ...tected The first two messages negotiate policy exchange Diffie Hellman public values and ancillary data necessary for the exchange and identities In addition the second message authenticates the responder The third message authenticates the initiator and provides a proof of participation in the exchange The initiator sends a request with all required SA information The responder replies with authe...

Page 132: ...15 2 ISAKMP Phase 2 At this phase the negotiation of SA to secure the VPN GRE data using IPSec is made Modes The common mode to use between end stations supporting IPSec the VPN parties is called Transport mode This is the mode supported by iS5 Perfect forward secrecy PFS The PFS is a part of the key agreement session and has a purpose to ensure that a session key derived from a set of long term p...

Page 133: ...ES comprises of three DES keys K1 K2 and K3 each of 56 bits Life time o Soft hard coded At this threshold value the IKE starts a new phase 2 exchange o Hard SA which has exceeded this threshold value will be discarded 24 16 IPSec Command Association Below are the detailed configuration fields of the IPSec in their respective association to the ISAKMP structure Highlighted in blue are the CLI names...

Page 134: ...up Encryption Algorithm phase2 encryption algo Authentication Algorithm phase2 auth algo Life Time phase2 lifetime IPSec Policy Name notes Source address src address prefix Destination address dst address prefix Source protocol port src port Destination protocol port src port Protocol protocol Preshared Keys Key key Own PSK id id Partner PSK id id Partner PSK id id Certificates X 509 Import crt fi...

Page 135: ...modp1024 modp1536 modp2048 modp3072 modp4096 modp6144 modp8192 dpd delay 5 0 120 dpd maxfail 5 2 20 dpd retry 5 1 20 log level error warning notify info debug debug2 my id soft lifetime 1 99 id type none fqdn ike phase1 mode aggressive main phase1 encryption algo 3des aes 128 aes 256 phase1 hash algo md5 sha1 sha256 sha512 phase2 auth algo hmac_md5 hmac_sha1 hmac_sha256 hmac_sha512 phase2 encrypti...

Page 136: ...re not required if IPSec is used with preshared keys show rsA signature list Show the files available IPsec Enter the IPsec configuration mode Enable disable Default is disable rsa signature activate Activation of the available certificate and key files Crt file name of the certificate file Key file name of the key file rsa sig name user configurable name for the signature isakmp update authentica...

Page 137: ...nd 5 modp2048 DH group 14 modp3072 DH group 15 modp4096 DH group 16 modp6144 DH group 17 modp8192 DH group 18 pfs group Perfect Forward Secrecy type Relates to phase 2 Determines the strength of the key used in the key exchange process The higher the group number the stronger the key and security increases Options none modp768 modp1024 default modp1536 modp2048 modp3072 modp4096 modp6144 modp8192 ...

Page 138: ... after a failure at dpd maxfail Permissible range 1 20 default is 5 log level Syslog warnings levels to be logged error warning notify info default debug debug2 my id Own preshared id Dependent on id type set my id can be in either domain name format or ipv4 format If id type is set to none No need to set value in my id as it will automatically use a valid IP address If id type is set to fqdn my i...

Page 139: ... default none ike phase1 mode Internet Key Exchange mode type use for Phase 1 Aggressive default main phase1 encryption algo Encryption Algorithm used for phase 1 3des aes 128 default aes 256 phase1 hash algo Hash Algorithm used for phase 1 md5 sha1 default sha256 sha512 phase1 lifetime The lifetime of the key generated between the stations 180 946080000 sec Default is 86400 phase2 auth algo Authe...

Page 140: ...ich is derived from the hard lifetime informs the IPSec key management system that the SA is about to expire This allows the key management system to negotiate a new SA before the hard lifetime expires Permissible values are 1 99 and represents percentage soft lifetime 1 99 hard lifetime 100 rsa sig name The name set by the user for the signature Policy create Configure the policy to determine the...

Page 141: ... remove Configuration of pre shared identifiers for local node and all remote IPsec nodes ID unique identifier for the IPSec participant node can be in either domain name format or ipv4 format Key preshared key which should be common for all nodes participating Text numerical or combination string notes name of the policy Show Show IPsec ...

Page 142: ...Interface 25 1 Overview An important benefit of the iS5 portfolio is its support of variety of medium interfaces A GPRS UMTS modem provides a key solution for connectivity to remote sites The modem support dual SIM card for redundancy and backup between Internet Service Providers ...

Page 143: ... Point multiple spokes to a single Hub NAT support using the IPsec encryption enables the spoke the important availability also when retrieving private IP from the ISP 25 2 Method of operation At the iSG4F spoke side a simple configuration of the cellular modem is enough to have the spoke approach the ISP to retrieve an IP address using known link protocol PPP Authentication versus the ISP will be...

Page 144: ...ot At a given moment a connection can be available via a single SIM Redundancy can be achieved using RSSI measurements and echo tests to determine which SIM is preferred to be used The user can select a certain SIM as preferred for default connection Each SIM can be individually configured and enabled disabled Dependent on configuration and availability the status of a SIM may be one of the follow...

Page 145: ...cted with the alternative SIM due to a recognized failure in connecting to the preferred SIM SIM state example Below is an example of SIMs admin state SIM in slot 1 had been enabled while SIM in slot 2 is disabled The show command used is cellular wan show 1 SIM 1 is connected following the modem enable and the SIM properties configured SIM 2 is configured an in READY state cellular enable cellula...

Page 146: ...o a physical link then resilient network protocols can determine the primary and backup paths Modem conditional reload In case the modem is continuously unsuccessful in establishing a connection and retrieving an IP from the ISP a reload can be triggered to the router A configuration parameter retry threshold reload is available to be set between 0 disabled and 30 whereas values 1 30 represents th...

Page 147: ... GPRS UMTS Commands Hierarchy root Cellular continuous echo create update name dest ip address ip address loss threshold 50 10 99 num of requests 3 1 100 rtt threshold 5000msec 1 000 20 000 interval 60sec 1 1440 request size 100bytes 64 1500 remove dest ip address ip address name show config show status modem power_down power up send command at cgsn settings update quality check 0 time interval ba...

Page 148: ...scription Cellular Enter the configuration mode for the Cellular application Enable enable application Disable disable application continuous echo Configure icmp traffic test to validate network connectivity to a remote host The test sets optionally 2 triggers to be used by the application watchdog round trip delay and percentage of lost icmp messages sent A test is determined by a configurable nu...

Page 149: ...10 99 interval time interval in seconds between icmp messages sent 1 1440 num of requests number of icmp messages to send before calculating results of losses and rrd 1 100 request size icmp message packet size remove name name of the test text Show config Show configuration Show status Show result of loss and calculated round trip delay Modem Power up power the modem Power down shut the modem Sen...

Page 150: ...urs sec 10 600 wait to restore maximum time allowed to stay on non preferred SIM default route setting the cellular interface to be the default gateway for the application IP interfaces yes no lcp echo interval lcp protocol test of connectivity towards the connected ISP 1 to 600 seconds interval between tests 0 disable lcp failure number of failed lcp echo tests 1 64 update retry threshold reload ...

Page 151: ... radio access technology preferred network to connect to Auto if 3G available it will be chosen over 2G 3G only 3G will be optional to connect to 2G only 2G will be optional to connect to 2Gthen3G 2G is preferred over 3G 3Gthen2G 3G is preferred over 2G Wan Show Show configuration and status of SIM cards Network show Show connection time and RSSI per SIM card Connection show Show cellular connecti...

Page 152: ...ving the IMEI identifier of the modem iSG4F cellular disable cellular modem power up Completed OK cellular modem send command at cgsn send at cgsn reply cgsn 357524040483438 Modem admin state SIM admin state SIM Operation state Led disable N A N A OFF enable disable N A OFF enable Ready ON enable not present Blink 1 Hz enable Failed Blink 1 Hz enable PIN lock Blink 1 Hz enable PUK lock Blink 1 Hz ...

Page 153: ...heir permissible state status cellular wan update admin status enable apn name internetg sim slot 1 operator name cellcom user name guest password guest cellular wan update admin status enable apn name internet pelephone net il sim slot 2 operator name pelephone user name pcl 3g password pcl cellular enable commit cellular refresh ...

Page 154: ...2 PCs on the map are holding IP addresses of the same subnet Following configuration will allow traffic between them to pass over the GRE tunnel as if they were connected at the same LAN 26 1 1 Network drawing 26 1 2 Configuration ROUTER C ROUTER 1 Create IP Interfaces iSG4F router interface create address prefix 172 17 203 100 24 vlan 17 purpose application host physical interface eth1 iSG4F rout...

Page 155: ... fastethernet 0 2 switchport pvid 10 exit 3 Disable RSTP shutdown spanning tree no spanning tree 4 Enable MAC learning on gigabitethernet port 0 4 interface gigabitethernet 0 4 switchport unicast mac learning enable end commit 5 Configure the tunnel IP interface and route iSG4F router interface create address prefix 172 17 203 220 24 vlan 17 purpose application host router static enable configure ...

Page 156: ...it ROUTER B iSG4F 1 Create IP Interfaces iSG4F router interface create address prefix 172 18 212 220 24 vlan 18 purpose application host physical interface eth1 iSG4F router interface create address prefix 192 168 0 102 24 physical interface eth2 purpose general Commit 2 Configure the route over the router router static enable configure terminal ip route 172 17 203 0 24 172 18 212 100 write exit e...

Page 157: ... key secretkey ipsec policy create protocol gre ipsec isakmp update id type fqdn ipsec enable commit ROUTER B 1 Configure IPSec iSG4F ipsec isakmp update my id SB iS5com com ipsec preshared create id SA iS5com com key secretkey ipsec preshared create id SB iS5com com key secretkey ipsec policy create protocol gre ipsec isakmp update id type fqdn ipsec enable commit 26 2 L3 IPSec VPN over Layer 3 c...

Page 158: ... Network drawing 26 2 2 Configuration ROUTER iSG4F router 1 Create IP Interfaces iSG4F router interface create address prefix 172 18 30 100 24 vlan 30 purpose application host physical interface eth2 commit iSG4F router interface create address prefix 172 18 20 100 24 vlan 20 purpose general physical interface eth1 commit HUB 1 Set router host name not mandatory set host name hub 2 Disable spannin...

Page 159: ...thernet 0 4 gigabitethernet 0 3 untagged fastethernet 0 4 exit interface fastethernet 0 1 routerport pvid 10 exit interface fastethernet 0 4 routerport pvid 20 exit 4 Assign router management IP interface not mandatory interface vlan 10 shut ip address 192 168 10 10 255 255 255 0 no shut exit 5 Assign static route so router management will be routable over the VPN ip route 192 168 0 0 255 255 0 0 ...

Page 160: ...72 router static Enable configure terminal ip route 192 168 40 0 24 10 10 10 20 remote user subnet via remote tunnel IF ip route 172 18 30 0 24 172 18 20 100 remote public IF via router connected IF write exit exit 10 Configure IPSec ipsec isakmp update dh group modp1536 ipsec isakmp update pfs group modp1536 ipsec isakmp update phase1 hash algo md5 ipsec isakmp update phase1 encryption algo 3des ...

Page 161: ...iSG4F User s Manual iS5 Communications Inc 161 exit commit ...

Page 162: ...30 name test 3 Assign routes for the remote user network 192 and for the public network 172 router static Enable configure terminal ip route 192 168 10 0 24 10 10 10 10 remote user subnet via remote tunnel IF ip route 172 18 20 0 24 172 18 30 100 remote public IF via router connected IF write exit exit 4 Configure IPSec ipsec isakmp update dh group modp1536 ipsec isakmp update pfs group modp1536 i...

Page 163: ... The network below demonstrates a Spoke Hub networking over a fixed connection topology Implementation concepts 1 The spoke and Hub will establish connection over the shared link Example below uses VLAN 20 subnet 172 18 20 x 2 Both will be set with a common mGRE tunnel each holding an mGRE interface See 10 10 10 x interfaces 3 The Spoke will set with NHRP configuration pointing towards the Hub 4 I...

Page 164: ... 0 8 gigabitethernet 0 3 untagged fastethernet 0 1 0 8 exit 3 Assign the user and network vlans and set PVID for the untagged ports vlan 10 ports fastethernet 0 1 gigabitethernet 0 3 untagged fastethernet 0 1 exit vlan 20 ports fastethernet 0 8 gigabitethernet 0 3 untagged fastethernet 0 8 exit interface fastethernet 0 1 alias UNI switchport pvid 10 exit interface fastethernet 0 8 alias NNI switch...

Page 165: ...erface for networking towards the WAN router router interface create address prefix 172 18 20 10 24 vlan 20 purpose application host 8 Assign the GRE tunnel vpn gre tunnel create address prefix 10 10 10 10 24 lower layer dev eth1 20 name mgre1 key 10 0 0 0 vpn gre nhrp disable vpn gre nhrp enable 9 Assign routes for the remote user network router static Enable configure terminal ip route 192 168 4...

Page 166: ...ace create address prefix 172 18 20 20 24 vlan 20 physical interface eth2 description NNI purpose application host admin status enable 3 Assign the local GRE tunnel and the NHRP addressing towards the Hub vpn gre tunnel create address prefix 10 10 10 20 24 lower layer dev eth2 20 name mgre1 key 10 0 0 0 admin status enable vpn gre nhrp map create multipoint gre name mgre1 protocol address prefix 1...

Page 167: ... demonstrates a Spoke Hub topology Implementation concepts 1 The spoke will retrieve via PPP an IP from the cellular ISP In the example below the valid IP 46 210 228 96 was issued to the Spoke from the ISP Cellcom 2 At the Hub side a static public address should be assigned to the router application interface In the example below the hub is located behind a NAT router The NAT holding a public addr...

Page 168: ... point will be created See interfaces of 10 10 10 x in the example below 8 IPSec must be configured to ensure secure traffic and proper NAT traversal 9 IP connectivity is established between the user stations SCADA PC 192 168 10 11 and 192 168 40 11 10 In the second part of the example a terminal server service is configured between 192 168 10 11 and the serial device connected at RS 232 port 1 of...

Page 169: ...netg user name guest password guest cellular refresh commit 4 Create an mgre private interface for tunnel end This interface will use the PPP of the cellular as its lower layer vpn gre tunnel create address prefix 10 10 10 20 24 lower layer dev ppp0 name mgre1 key 10 0 0 0 admin status enable 5 Describe the tunnel remote end private interface behind the hub public address vpn gre nhrp map create m...

Page 170: ... VLAN UNI 10 to direct traffic from the PC to the application Port gigabitethernet 0 3 must be a tagged member at this VLAN Interface 192 168 10 1 will allow management to the router over this VLAN via the tunnel VLAN 20 will be towards the router vlan 10 ports fastethernet 0 1 gigabitethernet 0 3 untagged fastethernet 0 1 exit vlan 20 ports fastethernet 0 8 gigabitethernet 0 3 untagged fastethern...

Page 171: ...e user subnet 192 168 10 x 24 router interface create address prefix 192 168 10 10 24 vlan 10 purpose general commit 4 Create an mgre private interface for tunnel end This interface will use the interface ETH 20 of towards the router as its lower layer dm vpn multipoint gre create address prefix 10 10 10 10 24 lower layer dev eth1 20 name mgre1 key 10 0 0 0 holding time 120 commit 5 Enable nhrp dm...

Page 172: ...id RTU1 iS5com com key secretkey ipsec isakmp update id type fqdn ipsec policy create protocol gre ipsec enable commit exit 26 4 3 Testing the setup 1 Use show commands to check configuration a Spoke iSG4F spoke Show vlan router interface show cellular show cellular wan show cellular Connection show ipsec show b Hub 3700 hub Show vlan router interface show 2 Make sure the IP of both the hub and th...

Page 173: ...40 10 24 1500 application host enable UNI iSG4F router route show Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0 0 0 0 0 0 0 0 0 0 0 0 U 0 0 0 ppp0 10 10 10 0 0 0 0 0 255 255 255 0 U 0 0 0 mgre1 192 168 10 0 10 10 10 10 255 255 255 0 UG 0 0 0 mgre1 192 168 40 0 0 0 0 0 255 255 255 0 U 0 0 0 eth1 Completed OK iSG4F cellular connection show interface local ip tx tx ...

Page 174: ...014 diff 1179 s hard 86400 s soft 69120 s last May 18 13 09 41 2014 hard 0 s soft 0 s current 5992 bytes hard 0 bytes soft 0 bytes allocated 102 hard 0 soft 0 sadb_seq 1 pid 5265 refcnt 0 80 74 102 38 4500 46 210 228 96 4500 esp udp mode transport spi 27166054 0x019e8566 reqid 0 0x00000000 E 3des cbc 7b9bb5bb e8e16e18 d48af2f6 cd22aab5 d357dc07 cdf0c300 A hmac md5 16bc188c 6f7b7f9f 54025146 8963f9...

Page 175: ... 210 228 96 4500 esp udp mode transport spi 198284673 0x0bd19581 reqid 0 0x00000000 E 3des cbc ac3c6e35 d9491440 3927ca04 3f7b0a57 85c67056 7b32139f A hmac md5 73e6d7f3 7876038a 0a3cad0a 08549e61 seq 0x00000000 replay 4 flags 0x00000000 state mature created May 18 13 09 36 2014 current May 18 13 29 15 2014 diff 1179 s hard 86400 s soft 69120 s last hard 0 s soft 0 s current 0 bytes hard 0 bytes so...

Page 176: ...ect serial port create port 1 mode of operation transparent serial local end point create port 1 service id 2 application serial tunnel position master serial remote end point create remote address 192 168 40 10 service id 2 position slave commit Spoke 1 Create the serial port and transparent serial tunneling service application connect serial port create port 2 mode of operation transparent seria...

Page 177: ... values 27 1 Firewall Service Flow In order for a protocol flow to be inspected by the firewall the following is achieved by the iS5 iNMS tool A designated service VLAN is created and the ports are tagged ACLs are placed on the relevant access port and network ports to redirect the traffic flow to service VLAN and to the application firewall The ACLs will allow traffic between service members only...

Page 178: ...rdware All iSG4F variants support the firewall as an option 27 4 Configuration Firewall end to end service and provisioning is supported using iNMS only Configuration made by iNMS should not be tampered with by the user NOTE Firewall end to end service and provisioning is supported using iNMS only ...

Page 179: ... 32 ip access group apply acl num 1101 interface eth1 direction in priority 10 2 Set ACL at ETH2 to direct traffic to the firewall ip access list extended create acl num 1102 acl name fw2 redirect fw permit tcp acl num 1101 rule name fw1 priority 12 src ip 172 18 212 241 32 dst ip 172 18 212 240 32 ip access group apply acl num 1102 interface eth2 direction in priority 10 3 Create the firewall rul...

Page 180: ...ines to show 1000 clear tcp show activate mode disabled enabled simulate 27 7 Firewall Commands Command Description firewall Enter the configuration mode for the Cellular application Enable enable application Disable disable application Profile show Display the content of the firewall rules file Log show show Display the firewall log clear clears the log Tcp Show status of the firewall is displaye...

Page 181: ...olations Violations are logged Create update name name of the test text dest ip address IP address of a reachable routable host Format aa bb cc dd rtt threshold round trip threshold in msec 1 000 20 000 loss threshold calculated percentage of icmp requests which were not responded 10 99 interval time interval in seconds between icmp messages sent 1 1440 num of requests number of icmp messages to s...

Page 182: ... 3 mGRE DM VPN Layer 3 IPSec VPN Layer 2 VPN GRE QOS Prioritization Shaping Scheduling Limit Queues Discrete IO Control Discrete IO Tunneling IEEE 802 1x for Authentication IEEE 802 1AB for LLDP Link Layer Discovery Protocol Routing Static Routing OSPF V2 V3 IPv4 Switching Auto Crossing Auto Negotiating IEEE 802 3ab VLAN Tagging Time Local Time Settings NTP Diagnostic Counters and Statistics per P...

Page 183: ... connector with console cable 115200bps 8 N 1 Power Redundant Input power Dual DC inputs 10 to 48VDC Dual DC Inputs 36 72VDC or Dual input universal supply 88 370VDC or 85 264VAC Power consumption Typ TBD Overload current protection Present Reverse Polarity Protection Present Environmental Storage Temperature 40 o C to 85 o C Operating Temperature 40 o C to 85 o C Operating Humidity 5 to 95 non co...

Page 184: ...er s Manual iS5 Communications Inc 184 EN61000 4 5 Surge EN61000 4 6 CS EN61000 4 8 EN61000 4 11 Shock IEC 60068 2 27 Free Fall IEC 60068 2 32 Vibration IEC 60068 2 6 Safety EN60950 1 Warranty Warranty 5 years ...

Reviews:

No comments