EAGLE - Functionalities
• Modular ports:
  • Secured (security) port: Twisted Pair or FX Multi Mode
  • WAN (open) port: Twisted Pair, FX Multi Mode, FX Single Mode or FX Long Haul
• 1 RS-232 serial port
  • Serial configuration
  • Secure modem access
• Support of the AutoConfiguration Adapter ACA11
• Reset button
  • Reset
  • Recovery
  • Switch the EAGLE from router mode to transparent mode
• Redundant 24 V power supply (6-pin)
• Signaling contact
• DIN rail mountable
• Operating temperature: 0 °C to 60 °C (temperature displayed in the web interface)
• IP20, fanless
[Figure: terminal block for the redundant 24 VDC power supply (+24 V, +24 V*) and the indicator (signaling) contact]
EAGLE Family
• Two versions:
  • EAGLE FW: firewall
  • EAGLE: firewall with VPN
• Forwards IP and ARP traffic only. Although multicasts can be defined statically, the nature of EtherNet/IP may render the EAGLE unable to pass this traffic.
EAGLE – Firewall Functionalities
• Stateful inspection firewall
• Transparent mode (multi-client and single-client)
• Configurable firewall rules: up to 95,000 rules can be created
• Network Address Translation (IP masquerading)
• Rules are checked in order, so the most often used rules should be defined first
• Plug-and-play operation
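The two firewall points above, stateful inspection and in-order rule evaluation with the most used rules first, can be shown with a small model. The following is an added example written for this page, not EAGLE firmware or its rule syntax: the addresses, rule names and flow-table behaviour are assumptions, as is the choice of TCP 44818 (EtherNet/IP explicit messaging) as the one service the maintenance PC may reach. Besides the first-match evaluation it includes a shadowing check, the test a practitioner wants before reordering rules for speed.

```python
"""Model of a stateful, first-match packet filter (added example, not EAGLE code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    name: str
    src: str                     # CIDR network
    dst: str                     # CIDR network
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    action: str = "drop"         # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


class StatefulFilter:
    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = list(rules)
        self.default = default
        self.flows = set()      # accepted flows: (src, dst, proto, sport, dport)
        self.rule_checks = 0    # rule comparisons performed so far

    def filter(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        # Stateful inspection: packets of an already accepted flow, including
        # the replies coming back, pass without consulting the rule table.
        if fwd in self.flows or rev in self.flows:
            return "accept"
        for rule in self.rules:           # first matching rule decides
            self.rule_checks += 1
            if rule.matches(pkt):
                if rule.action == "accept":
                    self.flows.add(fwd)
                return rule.action
        return self.default


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rules)
            if any(earlier.covers(r) for earlier in rules[:i])]


# Constructed addresses: production cell behind the secured port, service PC outside.
CELL = "10.1.0.0/24"
ROBOT = "10.1.0.5/32"
SERVICE_PC = "192.168.100.10/32"

RULES = [
    Rule("cell-out", CELL, "0.0.0.0/0", action="accept"),                 # cell may initiate outbound
    Rule("service-to-robot", SERVICE_PC, ROBOT, "tcp", 44818, "accept"),  # one service on one device
    Rule("drop-inbound", "0.0.0.0/0", CELL),                              # everything else into the cell
]


def demo() -> Tuple[str, str, str, str]:
    fw = StatefulFilter(RULES)
    request = fw.filter(Packet("192.168.100.10", "10.1.0.5", "tcp", 40000, 44818))
    reply = fw.filter(Packet("10.1.0.5", "192.168.100.10", "tcp", 44818, 40000))
    ssh_probe = fw.filter(Packet("192.168.100.10", "10.1.0.5", "tcp", 40001, 22))
    unsolicited = fw.filter(Packet("203.0.113.9", "10.1.0.7", "udp", 5000, 5000))
    return request, reply, ssh_probe, unsolicited


def ordering_cost(n_flows: int = 1000) -> Tuple[int, int]:
    """Rule comparisons for n new service-PC flows with the busy rule second vs. first."""
    as_listed = StatefulFilter(RULES)
    busy_first = StatefulFilter([RULES[1], RULES[0], RULES[2]])
    for sport in range(20000, 20000 + n_flows):
        pkt = Packet("192.168.100.10", "10.1.0.5", "tcp", sport, 44818)
        as_listed.filter(pkt)
        busy_first.filter(pkt)
    return as_listed.rule_checks, busy_first.rule_checks


if __name__ == "__main__":
    print(demo())                 # ('accept', 'accept', 'drop', 'drop')
    print(ordering_cost())        # (2000, 1000)
    print(shadowed_rules(RULES))  # [] : moving the busy rule to the front is safe
    print(shadowed_rules([RULES[0], RULES[2], RULES[1]]))  # ['service-to-robot']
```

The reply packet passes because the flow is already in the state table, not because a rule allows traffic from the cell to the service PC; the probe on port 22 and the unsolicited datagram fall through to the drop rule. Moving the busy rule to the front halves the comparisons for that traffic, and `shadowed_rules` confirms the reorder changes no decision; putting the broad drop rule ahead of the specific accept, by contrast, silently disables remote maintenance.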
EAGLE – VPN Functionalities
• Multipoint VPN
• VPN in transparent mode
• IPsec DES encryption
• IPsec 3DES hardware encryption with 168 bit
• AES hardware encryption with up to 256 bit
• Authentication with pre-shared secret
• MD5, SHA-1
• PPTP (Point-to-Point Tunneling Protocol)
• "Host to Host" and "Net to Net" tunnels using "pre-shared secret" authentication for "EAGLE to EAGLE" VPNs
Practitioner note: of the options listed, DES (56-bit key), MD5 and PPTP are considered broken today; where both ends allow it, configure AES with SHA-1 or stronger.
EAGLE – VPN Functionalities (continued)
• "Host to Host" and "Net to Net" tunnels with X.509v3 authentication certificates
• Germany will provide X.509 certificates on request, as well as secure storage of those certificates
• L2TP/IPsec
  • MS Windows VPN client to EAGLE
    • Requires "Transport (L2TP Microsoft)"
  • MS Windows VPN client with Windows Update "L2TP/IPsec NAT-T"
    • Requires "Transport (L2TP SSH Sentinel)"
• Both of these methods also require X.509v3 authentication certificates
EAGLE – Management
• Basic configuration via user interface
• Web interface via HTTPS (secure, encrypted web page)
• SNMPv3 (encrypted interaction)
• Remote access is blocked by default and must be explicitly unlocked for access from the unsecured port
• Save and load the configuration both locally and remotely
• The relay state is a MIB variable; after a change of the relay state the EAGLE sends out a trap
• HiDiscovery protocol
• DHCP client or server
• Time synchronization
EAGLE – Basic Configuration
• Logins and passwords (factory defaults; change both accounts before deployment):
  Login   Password   SNMPv1   SNMPv3
  user    public     ro       ro
  admin   private    rw       rw
• IP configuration by:
  • Local via terminal or ACA
  • HiDiscovery
  • DHCP
• Note: configurations are effective immediately!
EAGLE – Remote Access via Modem/RS-232
• The RS-232 port must be explicitly unlocked as a third port
• Configure firewall rules for the modem port
• Access to the inner network only
• Maximum data rate: 57.6 kbaud
EAGLE – Software Update
• Update via HTTPS
• Reset afterwards, either:
  • Press the "R" key for 1.5 seconds until the status LED turns yellow, or
  • Reboot from the web interface
• The configuration is kept, but the new features become available
EAGLE – Limitations
• No support for Rapid Spanning Tree
• No support for VLANs (tagged packets are discarded)
• No support for prioritization
• No support for X.509v3 authentication certificates
• EtherNet/IP multicasts not yet supported
• IGMP to be implemented
EAGLE - Models
EAGLE with firewall and VPN
Type                 Ord.-No.     Security port          Open port
EAGLE TX/TX          943 011-001  Twisted Pair, RJ45     Twisted Pair, RJ45
EAGLE TX/MM SC       943 011-002  Twisted Pair, RJ45     FX Multimode, SC
EAGLE TX/SM SC       943 011-003  Twisted Pair, RJ45     FX Singlemode, SC
EAGLE TX/LH SC       943 011-004  Twisted Pair, RJ45     FX Long Haul, SC
EAGLE MM SC/TX       943 011-005  FX Multimode, SC       Twisted Pair, RJ45
EAGLE MM SC/MM SC    943 011-006  FX Multimode, SC       FX Multimode, SC
EAGLE MM SC/SM SC    943 011-007  FX Multimode, SC       FX Singlemode, SC
EAGLE MM SC/LH SC    943 011-008  FX Multimode, SC       FX Long Haul, SC
EAGLE – FW Models
EAGLE with firewall (without VPN)
Type                 Ord.-No.     Security port          Open port
EAGLE FW TX/TX       943 011-011  Twisted Pair, RJ45     Twisted Pair, RJ45
EAGLE FW TX/MM SC    943 011-012  Twisted Pair, RJ45     FX Multimode, SC
EAGLE FW TX/SM SC    943 011-013  Twisted Pair, RJ45     FX Singlemode, SC
EAGLE FW TX/LH SC    943 011-014  Twisted Pair, RJ45     FX Long Haul, SC
EAGLE FW MM SC/TX    943 011-015  FX Multimode, SC       Twisted Pair, RJ45
EAGLE FW MM SC/MM SC 943 011-016  FX Multimode, SC       FX Multimode, SC
EAGLE FW MM SC/SM SC 943 011-017  FX Multimode, SC       FX Singlemode, SC
EAGLE FW MM SC/LH SC 943 011-018  FX Multimode, SC       FX Long Haul, SC
Transparent Mode
• All packets are forwarded to the processor
• Only IP and ARP packets, depending on the filters, are forwarded
[Figure: EAGLE in transparent mode between the secure (trusted) net and the external network]
Multi-Client Transparent Mode
• The EAGLE needs an IP address for management access from the external (untrusted) network
• Limitation: no VPN in multi-client transparent mode
[Figure: EAGLE in multi-client transparent mode in front of the secure (trusted) net]
Remote Diagnostics
• Production cell as trusted net, access via dial-in over the telephone network: firewall only as protection
  [Figure: trusted net, modem, telecom network (remote access)]
• Production cell as trusted network, access via the Internet: VPN and firewall for protection
  [Figure: trusted net, DSL modems, Internet, network (remote access)]
Local Diagnostics
• A second EAGLE as a "dongle", with pre-shared secrets, offers a simple solution; n EAGLEs with identical secrets are possible
  [Figure: trusted net, network (untrusted), EAGLE "dongle"]
• The maintenance technician gets an IP address assigned via DHCP; that IP is mapped into the trusted network per NAT
  [Figure: trusted net, network (untrusted), DHCP-assigned IP]
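The second local-diagnostics variant, a DHCP address on the untrusted side mapped into the trusted network, is the IP masquerading listed under the firewall functionalities. The following is an added example, not EAGLE code: it models many-to-one NAT with a translation table so that the trusted cell only ever sees the EAGLE's own address, and replies without a matching entry are dropped. The addresses, the NAT address of the EAGLE and the translated port range are assumptions.

```python
"""IP masquerading for a maintenance PC (added example, not EAGLE code).

Models the local-diagnostics setup: the technician's PC gets a DHCP address on
the untrusted side and is mapped per NAT into the trusted network. Addresses,
the port range and the EAGLE's NAT address are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class Masquerader:
    """Many-to-one NAT: every host on the service side appears to the trusted
    cell as nat_ip, distinguished only by the translated source port."""

    def __init__(self, nat_ip: str, first_port: int = 40000, last_port: int = 40099):
        self.nat_ip = nat_ip
        self.free_ports = list(range(first_port, last_port + 1))
        self.out_map: Dict[Tuple, int] = {}    # original 5-tuple -> translated sport
        self.in_map: Dict[Tuple, Tuple] = {}   # (translated sport, peer, peer port, proto) -> (src, sport)

    def outbound(self, pkt: Packet) -> Packet:
        """Service side -> trusted cell: rewrite source address and port."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key not in self.out_map:
            if not self.free_ports:
                raise RuntimeError("NAT port pool exhausted")
            nport = self.free_ports.pop(0)
            self.out_map[key] = nport
            self.in_map[(nport, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.nat_ip, sport=self.out_map[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Trusted cell -> service side: only replies to a known mapping get through."""
        key = (pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if pkt.dst != self.nat_ip or key not in self.in_map:
            return None                        # unsolicited: dropped
        src, sport = self.in_map[key]
        return replace(pkt, dst=src, dport=sport)


NAT_IP = "10.1.0.254"        # EAGLE's address inside the trusted cell (assumed)
TECH_PC = "192.168.100.10"   # address the technician received via DHCP (assumed)
ROBOT = "10.1.0.5"           # device in the trusted cell (assumed)


def demo():
    nat = Masquerader(NAT_IP)
    out1 = nat.outbound(Packet(TECH_PC, ROBOT, "tcp", 51000, 44818))
    back = nat.inbound(Packet(ROBOT, NAT_IP, "tcp", 44818, out1.sport))
    out2 = nat.outbound(Packet(TECH_PC, ROBOT, "tcp", 51001, 44818))
    unsolicited = nat.inbound(Packet(ROBOT, NAT_IP, "tcp", 44818, 40050))
    return out1, back, out2, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)   # 10.1.0.254:40000 -> robot, reply back to 192.168.100.10:51000, 40001, None
```

The translation state is what makes the mapping safe in the direction the slide intends: devices in the cell can answer the technician, but they cannot initiate traffic towards an address on the service side, and a reply to a port the EAGLE never handed out goes nowhere.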
Application: Maintenance in Network
• Maintenance within a production network, i.e. remote management of the devices of the production cell
• EAGLE functions:
  • DHCP server
  • Firewall
• Additional functions:
  • A virus scanner should be installed on the laptop
[Figure: service PC on the service port, EAGLE (firewall functions), production network]
Application: Separation of Production from Backbone
• Separate the production network from the office network and the backbone
[Figure: office network, EAGLE (firewall functions), production network]
Application: Secure Connection within Network 1
• Secure connection between two production cells within a network
• Used function: VPN (IPsec 3DES)
[Figure: two production networks joined across the office network by a VPN tunnel, IPsec 3DES]
Application: Secure Connection within Network 2
• Secure connection between two production cells within a network
• Used function: firewall towards the production backbone
[Figure: production network, EAGLE (firewall functions), office network]
Unsecure Remote Maintenance
• Scenario: a remote user PC with access to the Internet (IP: xxx.yyy.zzz.ccc) reaches the robot (IP: aaa.bbb.ccc.ddd) in the automation network directly over the Internet
• Risks: espionage (bugging of data), manipulation of data, interception of data, unauthorized access to the network
[Figure: remote user, Internet, automation network]
Solution – Secure Remote Maintenance
• Measure: VPN in router mode
• Mechanism: PPPoE; DES, 3DES or AES encryption
[Figure: remote user, Internet, EAGLE, automation network]
Unsecure Access to Automation Network
• Risks: espionage, manipulation of data
[Figure: remote user, Internet, EAGLE, automation network]
Solution: Authorized Access to End Device
• Measure: firewall
• Mechanism: access rules that limit the remote user PC with access to the Internet (IP: xxx.yyy.zzz.ccc) to the authorized end device, the robot (IP: aaa.bbb.ccc.ddd)
[Figure: remote user, Internet, EAGLE, automation network with robot]
External Maintenance Activity – Unsecure Access to Network
• Scenario: a service PC is attached to the automation network
• Risks: espionage (bugging of data), manipulation of data, unauthorized access and misuse
[Figure: service PC, automation network]