EAGLE - Functionalities: Modular Ports: WAN Port, Secured Port, Twisted Pair, Twisted Pair, FX Multi...


EAGLE

EAGLE - Functionalities

• Modular Ports:

  Secured Port: Twisted Pair, FX Multi Mode
  WAN Port: Twisted Pair, FX Multi Mode, FX Single Mode, FX Long Haul

• 1 RS232 Serial Port
  • Serial Configuration
  • Secure modem access

• Support of AutoConfiguration Adapter ACA11

• Reset Button
  • Reset
  • Recovery
  • Switch EAGLE from Router mode to Transparent mode

• Redundant 24 V Power Supply (6-pin)

• Signaling Contact

• Din Rail mountable

• Operating temperature: 0°C - 60°C (temperature displayed in web interface)

• IP20 , fanless

[Figure: redundant power supply, 24 VDC, indicator contact, +24 V, +24 V*]

EAGLE - Functionalities

• Two Versions:
  • EAGLE FW: Firewall
  • EAGLE: Firewall with VPN

Forwarding IP and ARP traffic only. Although it is possible to define multicasts statically, the nature of EtherNet/IP may render the EAGLE unable to pass this traffic.

EAGLE Family

• Stateful Inspection Firewall

• Transparent Mode (multi-client & single-client)

• Configurable Firewall Rules (95,000)

• Network Address Translation (IP Masquerading)

• 95,000 rules can be created; rules are evaluated in order, so the most often used rules should be defined first

• Plug-n-Play Operation

EAGLE – Firewall Functionalities
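As an added illustration of the first-match rule list and of the stateful inspection named above (example code written for this page, not EAGLE firmware or configuration syntax; all addresses, ports and rule names are constructed), the toy Python filter below scans rules top-down, passes replies of accepted connections from a state table without touching the rule list, counts how many rules each packet had to be compared against, and flags rules that an earlier, broader rule shadows. Shadowing is the failure mode to check for when a large rule list is reordered for speed: moving a frequently hit "drop" above a narrower "accept" silently disables the accept.

```python
"""Toy first-match packet filter with connection tracking (added example,
not vendor code). Rules, hosts and ports below are constructed samples."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "accept" or "drop"
    src: str                      # CIDR; "0.0.0.0/0" means any source
    dst: str                      # CIDR; "0.0.0.0/0" means any destination
    proto: str = "any"            # "tcp", "udp" or "any"
    dport: Optional[int] = None   # None means any destination port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = True              # True for the packet that opens a connection


Flow = Tuple[str, str, str, int, int]   # (src, dst, proto, sport, dport)


def matches(rule: Rule, p: Packet) -> bool:
    """Does this rule apply to this packet?"""
    return (ip_address(p.src) in ip_network(rule.src)
            and ip_address(p.dst) in ip_network(rule.dst)
            and rule.proto in ("any", p.proto)
            and rule.dport in (None, p.dport))


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matching `inner` would also match `outer`."""
    return (ip_network(outer.src).supernet_of(ip_network(inner.src))
            and ip_network(outer.dst).supernet_of(ip_network(inner.dst))
            and outer.proto in ("any", inner.proto)
            and (outer.dport is None or outer.dport == inner.dport))


class StatefulFilter:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Set[Flow] = set()                     # accepted, open connections
        self.hits: Dict[str, int] = {r.name: 0 for r in rules}
        self.comparisons = 0                              # rules inspected so far

    def filter(self, p: Packet) -> str:
        # Stateful part: a reply to an accepted connection is passed from the
        # state table and never walks the rule list.
        if (p.dst, p.src, p.proto, p.dport, p.sport) in self.flows:
            return "accept:established"
        for rule in self.rules:                           # top-down, first match wins
            self.comparisons += 1
            if matches(rule, p):
                self.hits[rule.name] += 1
                if rule.action == "accept" and p.syn:
                    self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return f"{rule.action}:{rule.name}"
        return "drop:implicit"                            # nothing matched: deny


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


def demo() -> Tuple[List[str], List[str], int]:
    # Constructed rule list: a narrow accept, a catch-all drop, and an accept
    # placed (wrongly) after the catch-all.
    rules = [
        Rule("service-pc-to-robot", "accept", "10.0.0.0/24", "192.168.1.10/32", "tcp", 80),
        Rule("deny-all", "drop", "0.0.0.0/0", "0.0.0.0/0"),
        Rule("technician-full-access", "accept", "10.0.0.5/32", "192.168.1.0/24"),
    ]
    fw = StatefulFilter(rules)
    packets = [
        Packet("10.0.0.5", "192.168.1.10", "tcp", 40000, 80),             # opens a flow
        Packet("192.168.1.10", "10.0.0.5", "tcp", 80, 40000, syn=False),  # its reply
        Packet("192.168.1.10", "10.0.0.5", "tcp", 80, 40001, syn=False),  # unsolicited
    ]
    verdicts = [fw.filter(p) for p in packets]
    return verdicts, shadowed_rules(rules), fw.comparisons


if __name__ == "__main__":
    print(demo())
```

The third rule is reported as shadowed because "deny-all" precedes it; the reply packet costs zero rule comparisons, while the unsolicited packet from the trusted side walks the list until the catch-all drops it. Any rule-ordering change meant to cut comparisons should be followed by the same shadowing check.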

• Multipoint VPN

• VPN in transparent Mode

• IPsec DES Encryption

• IPsec 3DES Hardware Encryption with 168 bit

• AES Hardware Encryption with up to 256 bit

• Authentication with Pre-Shared Secret

• MD5, SHA-1

• PPTP Point to Point Tunneling Protocol

• "Host to Host" & "Net to Net" tunnels using "Pre-Shared Secret" authentication methodology for "Eagle to Eagle" VPNs

EAGLE – VPN Functionalities

• "Host to Host" & "Net to Net" tunnels with X.509v3 Authentication certificates.

• Germany will provide X.509 certificates on request as well as providing secure storage of those certificates.

• L2TP/IPsec

• MS Windows VPN Client to Eagle

• Requires "Transport (L2TP Microsoft)"

• MS Windows VPN Client with Windows Update "L2TP/IPSec NAT-T"

• Requires "Transport (L2TP SSH Sentinel)"

EAGLE – VPN Functionalities

Both of these methods also require the use of the X.509v3 Authentication certificates.

EAGLE – Management

• Basic Configuration via User Interface

• Web Interface

• Via HTTPS (Secure/encrypted Web page)

• SNMP v3 Encrypted Interaction

• Remote access is blocked by default and must be explicitly unlocked for access from the unsecured port.

• Save and load configuration both locally and remotely

• The relay state is a MIB variable. After a change of the relay state the EAGLE sends out a trap

• HiDiscovery Protocol

• DHCP

• Client or Server

• Time synchronization

Logins and passwords

  Login   Password   SNMPv1   SNMPv3
  user    public     ro       ro
  admin   private    rw       rw

• IP configuration by
  • Local via terminal or ACA
  • HiDiscovery
  • DHCP

Note: configurations are effective immediately!

EAGLE – Basic Configuration

• RS-232 must be explicitly unlocked as third port

• Configure firewall rules for the modem port

• Access to inner network only

• Maximum data rate: 57.6 kbaud

EAGLE – Remote Access via Modem/RS-232

• Update via HTTPS

• Reset afterwards:
  • Press "R" key for 1.5 seconds till status LED turns yellow
  • Web reboot

• The configuration is kept but new features are available

EAGLE – Software Update

EAGLE – Limitations

• No Support for Rapid Spanning Tree

• No Support for VLANs (tagged packets discarded)

• No Support for Prioritization

• No Support for X.509v3 Authentication Certificates

• EtherNet/IP multicasts not yet supported

• IGMP to be implemented

EAGLE with Firewall and VPN

Type                  Ord.-No.      Explanations
EAGLE TX/TX           943 011-001   Security Port: Twisted Pair, RJ45; Open Port: Twisted Pair, RJ45
EAGLE TX/MM SC        943 011-002   Security Port: Twisted Pair, RJ45; Open Port: FX Multimode, SC
EAGLE TX/SM SC        943 011-003   Security Port: Twisted Pair, RJ45; Open Port: FX Singlemode, SC
EAGLE TX/LH SC        943 011-004   Security Port: Twisted Pair, RJ45; Open Port: FX Long Haul, SC
EAGLE MM SC/TX        943 011-005   Security Port: FX Multimode, SC; Open Port: Twisted Pair, RJ45
EAGLE MM SC/MM SC     943 011-006   Security Port: FX Multimode, SC; Open Port: FX Multimode, SC
EAGLE MM SC/SM SC     943 011-007   Security Port: FX Multimode, SC; Open Port: FX Singlemode, SC
EAGLE MM SC/LH SC     943 011-008   Security Port: FX Multimode, SC; Open Port: FX Long Haul, SC

EAGLE - Models

EAGLE with Firewall (without VPN)

Type                  Ord.-No.      Explanations
EAGLE FW TX/TX        943 011-011   Security Port: Twisted Pair, RJ45; Open Port: Twisted Pair, RJ45
EAGLE FW TX/MM SC     943 011-012   Security Port: Twisted Pair, RJ45; Open Port: FX Multimode, SC
EAGLE FW TX/SM SC     943 011-013   Security Port: Twisted Pair, RJ45; Open Port: FX Singlemode, SC
EAGLE FW TX/LH SC     943 011-014   Security Port: Twisted Pair, RJ45; Open Port: FX Long Haul, SC
EAGLE FW MM SC/TX     943 011-015   Security Port: FX Multimode, SC; Open Port: Twisted Pair, RJ45
EAGLE FW MM SC/MM SC  943 011-016   Security Port: FX Multimode, SC; Open Port: FX Multimode, SC
EAGLE FW MM SC/SM SC  943 011-017   Security Port: FX Multimode, SC; Open Port: FX Singlemode, SC
EAGLE FW MM SC/LH SC  943 011-018   Security Port: FX Multimode, SC; Open Port: FX Long Haul, SC

EAGLE – FW Models

• All packets forwarded to processor
• Only IP and ARP - depending on filters - forwarded

[Figure: secure (trusted) net]

Transparent Mode

• EAGLE needs an IP address for management access from the external (untrusted) network
• Limitation: no VPN in Multi-Client Transparent Mode

[Figure: secure (trusted) net]

Multi-Client Transparent Mode

Production cell as trusted net; access via dial-in per phone network - firewall only as protection

[Figure: trusted net, Modem, Telecom, network (remote access)]

Production cell as trusted network; access via Internet - with VPN and firewall for protection

[Figure: trusted net, DSL modems, Internet, network (remote access)]

Remote Diagnostics

2nd EAGLE as "dongle", with pre-shared secrets offering a simple solution; n EAGLEs with identical secrets possible

Maintenance technician gets an IP assigned via DHCP; the IP is mapped per NAT to the trusted network

[Figure: "dongle", DHCP, IP, trusted net, network (untrusted)]

Local Diagnostics

Application: Maintenance in Network

• Maintenance within a production network, i.e. remote management of devices of the production cell

• EAGLE functions:
  • DHCP server
  • firewall

• Additional functions (should be installed on the laptop):
  • virus scanner

[Figure: production network, Service PC, service port, firewall functions]

Application: Separation Production from Backbone

• Separate production against office network and backbone

[Figure: office network, firewall functions, production network]

Application: Secure Connection within Network 1

• Secure connection between two production cells within a network

• Used function: VPN

[Figure: production network, VPN – IPsec 3DES, office network]

Application: Secure Connection within Network 2

• Secure connection between two production cells within a network

• Used function: firewall to production backbone

[Figure: production network, firewall functions, office network]

Problem RSTP

• RSTP is not supported!

[Figure: EAGLE, EAGLE]

Risks:
• Espionage - bugging of data
• Manipulation of data
• Interception of data
• Unauthorized access to network

[Figure: Automation Network, Internet; Remote User PC with access to the Internet (IP: xxx.yyy.zzz.ccc); Robot (IP: aaa.bbb.ccc.ddd)]

Unsecure Remote Maintenance

Measures: VPN in Router mode
Mechanism: PPPoE, DES, 3DES, AES

[Figure: Automation Network, EAGLE, Internet, Remote User]

Solution – Secure remote maintenance

Risks:
• Espionage
• Manipulation of data

[Figure: Automation Network, EAGLE, Internet, Remote User]

Unsecure access to automation network

Measure: Firewall
Mechanism: Access Rules

[Figure: Automation Network, EAGLE, Internet; Robot (IP: aaa.bbb.ccc.ddd); Remote User PC with access to Internet (IP: xxx.yyy.zzz.ccc)]

Solution: Authorized access to end device

[Figure: Factory 1, VPN Tunnel over Internet, Factory 2]

Secure coupling of locations

[Figure: Automation Network, VPN / Firewall Functions, Office Network]

Secure coupling of production cells

[Figure: Office Network, Firewall Functions, Automation Network]

Secure cell separation

Risk:
• Espionage - bugging of data
• Manipulation of data
• Unauthorized access - misuse

[Figure: Automation Network, Service PC]

External maintenance activity - Unsecure access to network

Measure: Firewall - Transparent Mode
Mechanism: Access Rules

[Figure: Automation Network; Service PC at Service Port with EAGLE (IP: sss.fff.bbb.ttt); Robot (IP: aaa.bbb.ccc.ddd)]

Solution: Secure service port