INS_RL1000GW_REV– 15 Jul 2016 PAGE 12
INSTALLATION AND OPERATION MANUAL
RL1000GW
TECH SUPPORT: 1.888.678.9427
gives full control of the maintenance process to the operator by granting the capability to create
dynamic policies for specific tasks within an explicitly defined time window. Following this time
window, operators receive reporting on the activities performed during the task. This audit trail
takes the form of an overview log and a full packet capture (PCAP) of the session.
Before a user is allowed access to the network, they must log in to ComNet’s internal authentication
process with their unique user name and password. Upon validation of the user profile, specific
access is granted to predefined devices and functions, and each operation is logged. Multi-factor
authentication is available when combined with the Cyber-Physical Integration feature.
X.509 Certificate Exchange for VPN Connections
VPN tunnels for secure inter-site connectivity with IPsec VPN, GRE Tunnels, and DMVPN
technologies are fully supported. In addition to IPsec encryption, X.509 certificates are supported
for key management. This certificate support allows a secure, signed key exchange between a
Certificate Authority and two secure nodes. Having a third-party authority as the signing
participant offers end-to-end security that can be managed and reissued from a trusted central
source within the user’s network.
Cyber-Physical Integration
Integrated within the enhanced-security RL1000GW is a physical identity server system that
allows external authentication hardware, such as magnetic card readers, biometric identification
sensors, and facial recognition cameras, to serve as a second authentication factor for the APA
feature. This provides an additional level of validation of the user and his/her credentials prior
to granting the user network access. Once the authentication is validated and approved, a set of
defined policies allows the authenticated technician to perform their task.
Enhanced SCADA-Aware Firewall
A whitelist-based firewall is provided for every Ethernet and serial data port, so full firewall
protection is available at all remote sites within the network. Every SCADA protocol packet (IEC
61850, DNP3 RTU/TCP, Modbus RTU/TCP, and IEC 101/104) is scanned and validated by the
firewall engine for its source and destination, as well as its protocol and packet content.
The distributed firewall structure allows a unique firewall to be created at each access point to
the network. This is critical for securing against insider cyber-attacks, compromised field devices,
man-in-the-middle attacks, and a myriad of other attack vectors, by providing a secure baseline.
Two firewall states are included: monitoring and enforcing. The monitoring state raises an alarm
at the control center for any network violation without blocking the network traffic. The
enforcing state blocks suspicious traffic while also triggering a violation alarm at the control
center.
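As an added illustration of the whitelist model and the two firewall states described above (example code, not ComNet’s implementation), the following checks a Modbus/TCP frame against a per-peer whitelist of function codes. The peer addresses, allowed function codes and sample frames are constructed for the example.

```python
# Added example, not ComNet code: whitelist-based Modbus/TCP inspection with a
# monitoring state (alarm only) and an enforcing state (block and alarm).
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed whitelist: (client, server) pairs and the Modbus function codes
# each pair may use. Addresses and codes are sample values, not from the manual.
WHITELIST = {
    ("10.0.1.10", "10.0.2.20"): {1, 2, 3, 4},   # HMI: read-only function codes
    ("10.0.1.11", "10.0.2.20"): {3, 6, 16},     # engineering station: reads + writes
}

@dataclass
class Verdict:
    allowed: bool            # whether the frame may be forwarded
    alarm: Optional[str]     # None when no violation was found

def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP ADU or raise ValueError."""
    if len(payload) < 8:
        raise ValueError("ADU too short")
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0:                       # Modbus/TCP protocol identifier is always 0
        raise ValueError("not Modbus/TCP")
    if length != len(payload) - 6:       # MBAP length covers unit id + PDU
        raise ValueError("MBAP length mismatch")
    return unit, payload[7]

def inspect(src: str, dst: str, payload: bytes, state: str = "enforcing") -> Verdict:
    """Validate source/destination and packet content against the whitelist.
    'monitoring' only raises an alarm; 'enforcing' also blocks the frame."""
    try:
        _unit, fc = parse_modbus_tcp(payload)
        allowed_fcs = WHITELIST.get((src, dst))
        if allowed_fcs is None:
            alarm = f"unknown peer pair {src}->{dst}"
        elif fc not in allowed_fcs:
            alarm = f"function code {fc} not whitelisted for {src}->{dst}"
        else:
            alarm = None
    except ValueError as e:
        alarm = f"malformed frame: {e}"
    if alarm is None:
        return Verdict(True, None)
    return Verdict(state != "enforcing", alarm)

# Constructed frames: Read Holding Registers (fc 3) and Write Single Register (fc 6)
READ_HR = bytes.fromhex("000100000006010300000000A".replace("0000A", "000A"))
WRITE_SR = bytes.fromhex("000200000006010600011234")
```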
DPI (Deep Packet Inspection) SCADA Protocols Firewall
ComNet’s distributed DPI firewall ensures that the operator retains full control over the network,
even when faced with a sophisticated attempt to breach it. Monitoring SCADA commands, this
robust whitelist-based firewall analyses SCADA network traffic, and is