manualshive.com logo in svg

Moxa Technologies IEF-G9010 Series, User Manual

Share
Download
Moxa Technologies IEF-G9010 Series User Manual Download Page 65

 

 

IEF-G9010 Series User Manual 

65

 

Policy Enforcement 

Policy enforcement allows you to define custom protocol rules that match to an industrial protocol and will 
subsequently allow or deny traffic matching these protocol rules. 

Configuring Policy Enforcement 

Steps: 

1.

 

Go to [Security] > [Policy Enforcement]. 
The [Policy Enforcement General Setting] screen will appear. 

 

2.

 

Use the toggle to enable or disable the Policy Enforcement feature. 

3.

 

Select the operation mode if the feature is enabled: 
a.

 

Monitor Mode

: The IEF-G9010 detects and logs abnormal protocol access to OT assets but does 

not block network attacks. 

b.

 

Prevention Mode

: The IEF G-9010 detects, blocks, and logs abnormal access to OT assets. 

4.

 

Using the [Policy Enforcement Default Rule Action] radio buttons, select a default action for when no 
pattern is matched. 
 

The following table summarizes the settings: 

Mode 
(Policy Enforcement) 

Action Performed 

Monitor Mode 

 

Detect and monitor abnormal protocol access to OT assets, without blocking 

network attacks. 

 

Generate logs. 

Prevention Mode 

 

Block abnormal protocol access to OT assets. 

 

Generate logs. 

Adding Policy Enforcement Rules (For Gateway Mode Only) 

 

Note 

 

Before creating policy enforcement rules, make sure the required objects and profiles are created. 

 

IP object profiles

: For more information, see 

Configuring IP Object Profiles

. 

 

Service object profiles

: For more information, see 

Configuring Service Object Profiles

.  

 

Protocol filter profiles

: For more information, see 

Configuring Protocol Filter Profiles

.  

 

Steps: 

1.

 

Go to [Security] > [Policy Enforcement]. 
The [Policy Enforcement Rule List] screen will appear. 

Summary of Contents for IEF-G9010 Series

Page 1: ...IEF G9010 Series User Manual Version 1 2 February 2022 www moxa com product 2022 Moxa Inc All rights reserved...

Page 2: ...hout warranty of any kind either expressed or implied including but not limited to its particular purpose Moxa reserves the right to make improvements and or changes to this manual or to the products...

Page 3: ...s 27 NAT Rules 27 Configuring 1 to 1 NAT Rules 27 Configuring Multi 1 to 1 NAT Rules 28 Configuring Port Forwarding 29 Application layer Gateways ALG 30 Configuring ALG Settings 31 7 The Routing Scree...

Page 4: ...iguring the Device Name and Device Location Information 80 Configuring the Management Client Access Control List 80 Configuring Management Protocols and Ports 81 The Sync Setting Screen 81 Enabling SD...

Page 5: ...vent Format CIDR Classless Inter Domain Routing DPI Deep Packet Inspection EWS Engineering Workstation HMI Human Machine Interface ICS Industrial Control System IT Information Technology NAT Network A...

Page 6: ...and needs In addition industrial environments are equipped with tools and devices that are traditionally unable to interface with a corporate network thus making provisioning security updates or patch...

Page 7: ...al exploits at the network level Manufacturing personnel manage patching and updating providing pre emptive protection against critical production failures and additional protection for old or termina...

Page 8: ...interface For more information see The Network Screens 6 Configure the system time For more information see Configuring System Time 7 Optional Configure the Syslog settings For more information see Co...

Page 9: ...255 0 Before connecting a PC Laptop to the IEF G9010 Series the PC s IP address should be set to an IP address that is able to access the default IP address After that connect the PC and the IEF G901...

Page 10: ...web browser type the address of the IEF G9010 Series in the following format https 192 168 127 254 The login screen appears 2 Log in as the administrator 3 Click the admin account icon at the top rig...

Page 11: ...em resource usage on the system screen Device Information This widget shows the system boot time device name model firmware version and firmware build date and time Secured Service Status This widget...

Page 12: ...h time settings Memory Utilization Real time memory utilization Based on the refresh time settings WAN Interface Summary This widget shows summary information for the WAN interface LAN Interface Summa...

Page 13: ...es devices NOTE The term asset in this chapter refers to the devices or hosts that are protected by the IEF G9010 Series Enabling Active Query Active Query can detect inactive or dormant assets or pas...

Page 14: ...Description Vendor Name The vendor name of the asset Model Name The model name of the asset Asset Type The asset type of the asset Host Name The name of the asset Serial Number The serial number of t...

Page 15: ...s a list of network traffic statics of the asset Field Description No Ordinal number of the application traffic Application Name The application type of the traffic TX The amount of traffic transmitte...

Page 16: ...d configure the port link speed NOTE The term Port in the document refers to physical ports to which network cables are connected Configuring Port Settings Steps 1 Go to Network Port Settings 2 Click...

Page 17: ...ing The Port Mapping tab will appear This tab shows the mapping between the physical ports and the WAN and LAN interfaces Network Interface Use the Network Interface tab to configure the following set...

Page 18: ...it Network Interface window will appear 3 Use the toggle to enable or disable the interface 4 Optional Enter a descriptive name for the interface 5 In the Network Settings section configure the follow...

Page 19: ...he gateway IP address that will be assigned to DHCP clients iv Lease Time Specify the time in seconds that a client device can use the assigned IP address provided by the DHCP server v Optional DNS Se...

Page 20: ...appear 3 Use the toggle to enable or disable the interface 4 Optional Enter a descriptive name for the interface 5 In the Network Settings section configure the following settings for the interface a...

Page 21: ...ay Address Enter the gateway IP address that will be assigned to DHCP clients iv Lease Time Specify the time in seconds that a client device can use the assigned IP address provided by the DHCP server...

Page 22: ...section choose a Connection Type a Static IP Configure a static IP address for this interface Configure the following additional settings i IP Address Enter a valid IP address ii Subnet Mask Enter th...

Page 23: ...ii Optional VLAN ID If VLAN ID is enabled specify a VLAN ID 6 Click Ok Device Operation Modes The IEF G9010 Series can function in one of two operation modes Gateway Mode Bridge Mode Refer to the fol...

Page 24: ...ion Mode From the Operation Mode screen you can configure or view the following The current operation mode of the device The network settings for Bridge Mode When the device is in Gateway Mode IP Addr...

Page 25: ...gateway address d Optional DNS Enter a DNS address e Optional VLAN ID Use the toggle to enable or disable VLAN ID If enabled enter the VLAN ID f Optional STP Use the toggle to enable or disable STP Sp...

Page 26: ...Gateway Mode radio button 3 When finished click Save NOTE In Bridge Mode the LAN1 network settings and LAN1 DHCP Service for Gateway Mode are view only NOTE Policy enforcement rule configurations are...

Page 27: ...nslation for incoming traffic on the WAN interface The following table describes the basic tasks you can perform from the NAT Rule tab Task Description Add a NAT rule Click Add to create a new NAT rul...

Page 28: ...ess the Original IP will be mapped to This is usually a private IP address within your local network h Optional Enable NAT Loopback Use the toggle to enable or disable NAT loopback 4 Click Ok to close...

Page 29: ...g Interface if the destination IP of the packet matches the Original IP it will be changed to the Mapped IP These IP addresses are usually assigned by the ISP Internet Service Provider g Mapped IP Ent...

Page 30: ...IP address and port range the Original IP will be mapped to This is usually a private IP address within your local network i Optional Enable NAT Loopback Use the toggle to enable or disable NAT loopb...

Page 31: ...IEF G9010 Series User Manual 31 Configuring ALG Settings Steps 1 Go to NAT ALG The ALG Settings tab will appear 2 Use the toggles to enable or disable the FTP SIP and H 323 ALG 3 Click Save...

Page 32: ...ate new or edit existing static routes The following table describes the basic tasks you can perform from the Static Route tab Task Description Add a static route Click Add to create a new static rout...

Page 33: ...subnet enter the subnet mask to match the destination IP range for example 255 255 255 0 f Configure the Next Hop Type i Gateway IP Address If the next hop is a gateway enter the gateway s IP The gat...

Page 34: ...fined here IPS Profile Contains the settings of IPS Intrusion Prevention System pattern rules that you can apply to a policy rule The following table describes the tasks you can perform when you view...

Page 35: ...ustom protocol with a specified protocol number NOTE The term protocol number refers to the protocol number defined in the internet protocol suite Steps 1 Go to Object Profile Service Object Profile 2...

Page 36: ...phisticated and advanced protocol settings that you can apply to a policy rule The following can be configured in a protocol filter profile Details of ICS protocols including Modbus CIP S7COMM S7COMM_...

Page 37: ...r profile The Create Protocol Filter Profile screen will appear 3 Configure the following settings a Protocol Filter Profile Name Enter a name for the profile b Optional Description Enter a descriptio...

Page 38: ...download commands sent from EWS to PLC and administration configuration relevant commands from EWS to PLC Others Private commands un documented commands or particular protocols provided by an ICS vend...

Page 39: ...rmat of the specified ICS protocol If the packet format is incorrect the IEF G9010 will drop the packets of that ICS protocol NOTE In firmware 1 1 4 protocols support the Drop Malformed option Modbus...

Page 40: ...otocol and select one of the following i Any Specify all available commands or function access in this protocol ii Basic Select multiple commands from the following Read Only Read commands sent from H...

Page 41: ...tocol iii If you want to specify a function code by yourself select Custom and enter a function code in the Function Code field iv Enter a unit ID in the Unit ID field v Enter the address or address r...

Page 42: ...Settings for the CIP Protocol The device features more detailed configurations for the CIP ICS protocol Through the Advanced Settings pane you can further specify the Object Class ID and Service Code...

Page 43: ...ocol and select one of the following i Any Specify all available commands or function access in this protocol ii Basic Multiple selections of the following Read Only Read commands sent from HMI Human...

Page 44: ...n to be applied select Any Service Code iv If you want to specify one or more function codes move the service code s from the Available Service Code field to the Selected Service Code field v If you w...

Page 45: ...s for S7Comm The device features more detailed configurations for the S7Comm ICS protocol Through the Advanced Settings pane you can further specify the function code function group code and sub funct...

Page 46: ...Manual 46 Steps 1 Go to Object Profile Protocol Filter Profile 2 Do one of the following a Click Add to add a protocol filter profile b Click on the name of an existing profile to edit it 2 Configure...

Page 47: ...ent from HMI Human Machine Interface EWS Engineering Work Station SCADA Supervisory Control and Data Acquisition to PLC Programmable Logic Controller Read Write Read and write commands sent from HMI E...

Page 48: ...ion group code to be applied select Any Sub function Code v If you want to specify one or more sub function codes select Preset Sub function Code and move the sub function code s from the Available Su...

Page 49: ...Advanced Settings for S7Comm Plus The device features more detailed configurations for the S7Comm Plus ICS protocol Through the Advanced Settings pane you can further specify the function code against...

Page 50: ...tocol and select one of the following i Any Specify all available commands or function access in this protocol Basic Multiple selections of the following Read Only Read commands sent from HMI Human Ma...

Page 51: ...besides S7Comm Plus and select Advanced Matching Criteria ii From the Function List drop down menu select a function for this protocol iii Click Add Repeat the above steps to add more protocol defini...

Page 52: ...ual 52 Advanced Settings for SLMP The device features more detailed configurations for the SLMP ICS protocol Through the Advanced Settings pane you can further specify the command code against which t...

Page 53: ...and select one of the following i Any Specify all available commands or function access in this protocol ii Basic Select multiple commands from the following Read Only Read commands sent from HMI Hum...

Page 54: ...gs besides SLMP and select Advanced Matching Criteria ii From the Command Code List drop down menu select a function for this protocol iii Click Add Repeat the above steps to add more protocol definit...

Page 55: ...55 Advanced Settings for MELSOFT The device features more detailed configurations for the MELSOFT ICS protocol Through the Advanced Settings pane you can further specify the command code against whic...

Page 56: ...and select one of the following i Any Specify all available commands or function access in this protocol ii Basic Select multiple commands from the following Read Only Read commands sent from HMI Hum...

Page 57: ...esides MELSOFT and select Advanced Matching Criteria ii From the Command Code List drop down menu select a function for this protocol iii Click Add Repeat the above steps to add more protocol definiti...

Page 58: ...TOYOPUC The device features more detailed configurations for the TOYOPUC ICS protocol Through the Advanced Settings pane you can further specify the command code preset sub command code and custom sub...

Page 59: ...and select one of the following i Any Specify all available commands or function access in this protocol ii Basic Select multiple commands from the following Read Only Read commands sent from HMI Hum...

Page 60: ...function for this protocol iii If you want to specify one or more sub command codes select Preset Sub cmd Code and move the Command code s from the Available Sub cmd Code field to the Selected Sub cmd...

Page 61: ...l filter 6 Click OK Configuring IPS Profiles An IPS profile contains more sophisticated pattern rules for more granular control and can be applied to policy rules The following can items be configured...

Page 62: ...rusion Category The threat category of the intrusion Risk Level The suggested security level for the intrusion Impact The expected impact the intrusion will have on the target network device if the in...

Page 63: ...he IPS Rule Details screen will appear 5 Configure the following settings a Status Enable or disable the pattern rule b Actions Select the pattern rule s default action i Accept and Log When an intrus...

Page 64: ...ure 3 Select the default action if the feature is enabled a Monitoring and Log The IEF G9010 device will actively monitor and log DoS attacks but will not act b Prevention and Log The IEF G9010 device...

Page 65: ...ng the Policy Enforcement Default Rule Action radio buttons select a default action for when no pattern is matched The following table summarizes the settings Mode Policy Enforcement Action Performed...

Page 66: ...the drop down menu i Any ii WAN to LAN iii LAN to WAN iv WAN to DMZ v DMZ to WAN vi LAN to DMZ vii DMZ to LAN viii LAN to LAN NOTE The network interfaces listed in the drop down menu do not correspon...

Page 67: ...ol suite v Service Object NOTE If you select Service Object you will need to select the service object from a previously created service object profile 7 In the Action section configure the following...

Page 68: ...ttings a Status Click the toggle to enable or disable the rule b Rule Name Enter a name for the rule c Optional Description Enter a description for the rule 4 In the Source and Destination Selection s...

Page 69: ...NOTE If you select Service Object you will need to select the service object from a previously created service object profile 6 Click the VLAN ID toggle to enable or disable VLAN ID tagging If enable...

Page 70: ...nd click the Copy button To edit a policy enforcement rule Click the name of the rule and the Edit Policy Rule windows will appear To change the priority of a policy enforcement rule Click the check b...

Page 71: ...el Viewing Device Pattern Information Steps 1 Go to Pattern Pattern Update The Pattern Update screen will appear 2 The Device Pattern Information pane will show the Current Pattern Version and Pattern...

Page 72: ...ignature Direction The direction flow of the connection Interface The network interface which received the connection Attacker The IP address of the host device that initiated the cyberattack Source M...

Page 73: ...etwork interface which received the connection Source MAC Address The source MAC address of the connection Source IP Address The source IP address of the connection Source Port The source port of the...

Page 74: ...he destination IP address of the connection Destination Port The destination port of the connection if the selected protocol is TCP UDP The ICMP type if the selected protocol is ICMP VLAN ID The VLAN...

Page 75: ...cord details about system events occurring on the device Steps 1 Go to Logs System Logs The following table describes the log s fields Field Description Time The time the log entry was created Severit...

Page 76: ...Account Management screen Task Description Add account Click Add to create a new user account For more information see Adding a User Account Delete existing accounts Select one or more existing user a...

Page 77: ...on Account Management 2 Click Add The Add User Account screen will appear 3 Configure the following settings a ID Enter the user ID used to log in to the management console b Name Enter the name of th...

Page 78: ...IEF G9010 Series User Manual 78...

Page 79: ...er creates a new password the system will determine if the password meets the specified requirements While strict password policies improve security they may sometimes increase the cost to an organiza...

Page 80: ...ng the Device Name and Device Location Information Steps 1 Go to Administration System Management 2 In the System Setting pane enter the host name and location information for the device Configuring t...

Page 81: ...re used for connecting to the web management console The SSH and Telnet protocols are used for connecting to the command line interface CLI The Sync Setting Screen The IEF G9010 Series can be managed...

Page 82: ...a Check Send logs to a syslog server to enable the syslog server b Server address Enter the syslog server address c Port Enter the syslog server port d Protocol Select the communication protocol e Fa...

Page 83: ...ction to avoid errors 5 Notice Unusual events Immediate action is not required 6 Information Normal operational messages useful for reporting measuring throughput and other purposes No action is requi...

Page 84: ...2 In the Date and Time pane do one of the following a Synchronize the system time with an NTP server i Check the Synchronize system time with an NTP server box ii Specify the domain name or IP addres...

Page 85: ...iguration file Import or export configurations while the IEF G9010 Series is idle as this will affect the device s performance Backing Up a Configuration Steps 1 Go to Administration Back Up Restore T...

Page 86: ...g which indicates it is the currently active firmware The other partition will have the Standby status acting as the standby partition To make the standby firmware the running firmware refer to Reboot...

Page 87: ...ration Firmware Management 2 Click the Reboot and Apply Firmware button in the Actions column of the Standby partition NOTE This function is only available if both partitions have a separate firmware...

Page 88: ...les can be downloaded at https netsecuritylicense moxa com NOTE Given that this feature allows anyone with a supported USB device to update the pattern file carefully consider the physical security of...

Page 89: ...Blinking green Every second 5 From the default state press the reset button once to select Load Restore Pattern from USB Disk Device The IPS IDS LED will start blinking green 6 After ensuring the cor...

Page 90: ...ant system logs can be checked to verify whether an action was completed successfully or not If an action was successful the LEDs will be restored to their default state when the USB disk device was f...

Reviews:

No comments

Brands by name

Popular brands

Load more brands