Moxa IEC-G102-BP Series User manual

IEC-G102-BP Series User’s Manual

Version 1.0, March 2020

www.moxa.com/product

IEC-G102-BP Series User’s Manual

The software described in this manual is furnished under a license agreement and may be used only in accordance

with the terms of that agreement.

Copyright Notice

Trademarks

The MOXA logo is a registered trademark of Moxa Inc.

All other trademarks or registered marks in this manual belong to their respective manufacturers.

Disclaimer

Information in this document is subject to change without notice and does not represent a commitment on the part of

Moxa.

Moxa provides this document as is, without warranty of any kind, either expressed or implied, including, but not

limited to, its particular purpose. Moxa reserves the right to make improvements and/or changes to this manual, or to

the products and/or the programs described in this manual, at any time.

Information provided in this manual is intended to be accurate and reliable. However, Moxa assumes no responsibility

for its use, or for any infringements on the rights of third parties that may result from its use.

This product might include unintentional technical or typographical errors. Changes are periodically made to the

information herein to correct such errors, and these changes are incorporated into new editions of the publication.

Technical Support Contact Information

www.moxa.com/support

Moxa Americas

Toll

-free: 1-888-669-2872

Tel:

+1-714-528-6777

Fax:

+1-714-528-6778

Moxa China (Shanghai office)

Toll

-free: 800-820-5036

Tel:

+86-21-5258-9955

Fax:

+86-21-5258-5505

Moxa Europe

Tel:

+49-89-3 70 03 99-0

Fax:

+49-89-3 70 03 99-99

Moxa Asia

-Pacific

Tel:

+886-2-8919-1230

Fax:

+886-2-8919-1231

Moxa India

Tel:

+91-80-4172-9088

Fax:

+91-80-4132-1045

Table of Contents

1. About IEC-G102-BP Series ................................................................................................................ 1-1

Introduction ....................................................................................................................................... 1-2

Main Functions ................................................................................................................................... 1-3

2. Getting Started ................................................................................................................................. 2-1

Getting Started Task List ..................................................................................................................... 2-2

Opening the Management Console ........................................................................................................ 2-3

Changing the Administrator’s Password ................................................................................................. 2-4

3. The System Screen ............................................................................................................................ 3-1

System Information ............................................................................................................................ 3-2

System Status .................................................................................................................................... 3-2

Resource Monitor ................................................................................................................................ 3-2

4. The Visibility Screen .......................................................................................................................... 4-1

Viewing Asset Information ................................................................................................................... 4-2

Viewing Real-time Network Application Traffic ........................................................................................ 4-3

5. The Device Screen ............................................................................................................................. 5-1

Configuring Network Settings ............................................................................................................... 5-2

Configuring Interface Link Mode for Ports .............................................................................................. 5-2

6. The Object Profiles Screens............................................................................................................... 6-1

Configuring IP Object Profile ................................................................................................................ 6-2

Configuring Service Object Profile ......................................................................................................... 6-3

Configuring Protocol Filter Profile .......................................................................................................... 6-4

Specifying Commands Allowed in an ICS Protocol ............................................................................ 6-4

Advanced Settings for Modbus Protocol .......................................................................................... 6-5

7. The Security Screens ......................................................................................................................... 7-1

Security General Settings .................................................................................................................... 7-2

Configuring Security Operation Mode .................................................................................................... 7-3

Cybersecurity ..................................................................................................................................... 7-3

Configuring Cybersecurity - Intrusion Prevention Setting .................................................................. 7-3

Configuring Cybersecurity – Denial of Service Prevention ................................................................. 7-4

Policy Enforcement ............................................................................................................................. 7-5

Configuring Policy Enforcement ..................................................................................................... 7-5

Adding Policy Enforcement Rules ................................................................................................... 7-6

Managing Policy Enforcement Rules ............................................................................................... 7-7

8. The Pattern Screens .......................................................................................................................... 8-1

Viewing Device Pattern Information ...................................................................................................... 8-2

Manually Updating the Pattern .............................................................................................................. 8-2

9. The Log Screens ................................................................................................................................ 9-1

Viewing Cybersecurity Logs .................................................................................................................. 9-2

Viewing Policy Enforcement Logs .......................................................................................................... 9-3

Viewing Protocol Filter Logs.................................................................................................................. 9-3

Viewing Asset Detection Logs ............................................................................................................... 9-4

Viewing System Logs .......................................................................................................................... 9-4

Viewing Audit Logs.............................................................................................................................. 9-4

10. The Administration Screens ............................................................................................................ 10-1

Account Management ........................................................................................................................ 10-2

Built-in User Accounts ................................................................................................................ 10-3

Adding a User Account ............................................................................................................... 10-3

Changing Your Password ............................................................................................................ 10-3

Configuring Password Policy Settings .................................................................................................. 10-4

System Management ......................................................................................................................... 10-4

Configuring Device Name and Device Location Information ............................................................. 10-5

Configuring Control List Access from Management Clients .............................................................. 10-5

Configuring Management Protocols and Ports ................................................................................ 10-6

The Sync Setting Screen (Pro Version) ................................................................................................ 10-6

Enabling Management by SDC .................................................................................................... 10-6

The Syslog Screen ............................................................................................................................ 10-7

Configuring Syslog Settings ........................................................................................................ 10-7

Syslog Severity Levels ............................................................................................................... 10-8

Syslog Severity Level Mapping Table ........................................................................................... 10-8

The System Time Screen ................................................................................................................... 10-9

Configuring System Time ........................................................................................................... 10-9

The Back Up/Restore Screen ............................................................................................................ 10-10

Backing Up a Configuration ....................................................................................................... 10-10

Restoring a Configuration ......................................................................................................... 10-10

The Firmware Management Screen ................................................................................................... 10-11

Viewing Device Firmware Information ........................................................................................ 10-11

Updating Firmware .................................................................................................................. 10-11

Rebooting and Applying Firmware ............................................................................................. 10-12

The Reboot System Screen .............................................................................................................. 10-12

Rebooting the System .............................................................................................................. 10-12

11. Supported USB Devices ................................................................................................................... 11-1

Pattern Loading Function ................................................................................................................... 11-1

Procedure ................................................................................................................................. 11-1

Terms and Acronyms

The following table lists the terms and acronyms used in this document.

Term/Acronym Definition

CEF Common Event Format

DPI Deep Packet Inspection

EWS Engineering Workstation

HMI Human-Machine Interface

ICS Industrial Control System

SDC Security Dashboard Console

PLC Programmable Logic Controller

SCADA Supervisory Control And Data Acquisition

1

1. About IEC-G102-BP Series

The following topics are covered in this chapter:



Introduction



Main Functions

IEC-G102-BP Series About IEC-G102-BP Series

1-2

Introduction

The IEC-G102-BP Series is an industrial next-generation IPS device that delivers deliver a palm-sized

platform that is fitted with dual Ethernet LAN ports. Users can access its web-based management console

that provides a graphical user interface for policy management. The whole management process is designed

to comply with the manufacturing SOP of the industry. The IEC-G102-BP Series protects your individual

assets with OT visibility, cybersecurity, and OT protocol whitelisting.

Traditionally, IT and OT operate separately, each with its own network, transportation team, goals, and

needs. In addition, each industrial environment is equipped with tools and devices that were not designed to

connect to a corporate network, thus making provisioning security updates or patches in a timely manner

difficult. Therefore, the requirements for security products that provide proper security protection and

visibility are on the rise.

Moxa Industrial Network Defense Solutions provide a wide range of security products that cover both the IT

and OT layers. These easy-to-build solutions provide active and immediate protection to the Industrial

Control System (ICS) environments with the following features:

• Certified industrial-grade hardware that comply with size, power consumption, durability for OT

environments and have the ability to tolerate a wide range of temperature variations

• Threat detection and interception against the spread of worms

• Intrusion Prevention System and Denial-of-Service (DoS) that target legacy vulnerable devices

• Virtual patch protection against OT device exploits

IEC-G102-BP Series About IEC-G102-BP Series

1-3

Main Functions

The IEC-G102-BP Series is a transparent network security device. Below are the main functions of the

product:

Extensive Support for Industrial Protocols

The IEC-G102-BP Series supports the identification of a wide range of industrial control protocols, including

Modbus and other protocols used by industry leaders such as Siemens, Mitsubishi, Schneider Electric, ABB,

Rockwell, Omron, and Emerson. In addition to allowing OT and IT security system administrators to work

together, this feature also allows the flexibility to deploy defense measures in appropriate network

segments and seamlessly connects them to existing factory networks.

Policy Enforcement for Mission-critical Machines

The IEC-G102-BP Series core technology allows administrators to maintain a policy enforcement database.

By analyzing Layer 3 to Layer 7 network traffic between mission-critical production machines, policy

enforcement executes filtering of control commands within the protocols and blocks traffic that is not

defined in the policy rules. This feature can help prevent unexpected operations, block unknown network

attacks, and block other traffic that matches the policy for sending data to these mission-critical machines.

Improve Shadow OT Visibility by Integrating IT and OT Networks

The IEC-G102-BP Series comes equipped to make your IT and OT networks as integrated and coordinated

with each other as possible, and to grant visibility of your shadow OT environment.

Intrusion Prevention and Intrusion Detection

IPS/IDS provides a powerful, up-to-date, first line of defense against known threats. Vulnerability filtering

rules provide effective protection against all potential exploits at the network level. Manufacturing personnel

manage patching and updating, providing pre-emptive protection against critical production failures, and

additional protection for old or terminated software.

Switch Between Two Flexible Modes, ‘Monitor’ & ‘Prevention’

The IEC-G102-BP Series flexibly switches between ‘Monitor’ and ‘Prevention’ modes. The ‘Monitor’ mode will

log traffic without interfering, while ‘Prevention’ mode will filter traffic based on policies you create. These

modes work together to preserve your productivity while maximizing security.

Top Threat Intelligence and Analytics

The IEC-G102-BP Series provides advanced protection against unknown threats with its up-to-date threat

information.

Centralized Management

Security Dashboard Console (SDC) provides a graphical user interface for policy management in compliance

with a manufacturing SOP. It centrally monitors operations information, edits network protection policies,

and sets patterns for attack behaviors.

The following protections are deployed throughout the entire information technology (IT) and operational

technology (OT) infrastructure. These include:

• A centralized policy deployment and reporting system

• Full visibility into assets, operations, and security threats

• IPS and policy enforcement configurations can be assigned per device group, allowing all devices in the

same device group to share the same policy configuration

• Management permissions for device groups can be assigned per user account

2

2. Getting Started

This chapter describes the IEC-G102-BP Series and how to get started with configuring the initial settings.

The following topics are covered in this chapter:



Getting Started Task List



Opening the Management Console



Changing the Administrator’s Password

IEC-G102-BP Series Getting Started

2-2

Getting Started Task List

This task list provides a high-level overview of all procedures required to get the IEC-G102-BP Series up and

running as quickly as possible. Each step links to more detailed instructions later in the document.

Steps Overview:

1. Open the management console.

For more information, see Opening the Management Console.

2. Change the administrator password.

For more information, see Changing the Administrator’s Password.

3. Configure the system time.

For more information, see Configuring System Time.

4. (Optional) Configure the Syslog settings.

For more information, see Configuring Syslog Settings.

5. Configure Object Profiles.

For more information, see The Object Profiles Screens.

6. Configure security policies.

For more information, see The Security Screens.

7. Configure the device name and device location information.

For more information, see Configuring Device Name and Device Location Information.

8. (Optional) Configure access control list from management clients.

For more information, see Configuring Control List Access from Management Clients.

9. Configure management protocols and ports.

For more information, see Configuring Management Protocols and Ports.

10. (Optional) Update the DPI (Deep Packet Inspection) pattern for the device.

For more information, see Manually Updating the Pattern.

11. (Optional) Enabling Management by SDC.

For more information, see Enabling Management by SDC.

12. Configure the network settings and network interface link modes for the device.

For more information, see The Device Screen

IEC-G102-BP Series Getting Started

2-3

Opening the Management Console

The IEC-G102-BP Series provides a built-in management web console that you can use to configure and

manage the product. View the management console using a web browser.

Note: View the management console using Google Chrome version 63 or later; Firefox version 53 or later;

Safari version 10.1 or later; or Edge version 15 or later.

Steps:

1. In a web browser, type the address of the IEC-G102-BP Series in the following format:

https://192.168.127.254, and the logon screen appears.

NOTE

The default IP address of

the IEC-G102-BP Series is 192.168.127.254 with subnet 255.255.255.0. Before

connecting a PC/Laptop to

the IEC-G102-BP Series, the PC's IP address should be set to an IP address that

is able to access the default IP address. After that, connect the PC and

the IEC-G102-BP Series using an

Ethernet cable.

NOTE

The

IEC-G102-BP Series uses an automatically generated self-signed SSL certificate to encrypt

communications to and from the client accessing the device. Given that the certificate is self

-signed, most

browsers will not trust the certificate and will give a warning that the certific

ate being used is not signed by

a known authority.

2. Input the logon credentials (user ID and password). Use the default administrator logon credentials

when logging on for the first time:

• User ID: admin

• Password: moxa

3. Click Log On

4. When you log on for the first time, the IEC-G102-BP Series will request you to create a new admin

account and change the default password for security reasons.

5. The logon screen will pop out again. Please use the new admin account and password to log on.

IEC-G102-BP Series Getting Started

2-4

Changing the Administrator’s Password

To change the password of the IEC-G102-BP Series, you have to log in to a web browser with proper

credentials first.

Steps:

1. In a web browser, type the address of the IEC-G102-BP Series in the following format:

https://192.168.127.254, and the logon screen will appear.

2. Log in as the administrator.

3. Click the admin account icon at the top-right corner and select [Change Password].

4. Proceed to change the password.

NOTE

If you accidentally

forget the administrator account and password, the only way to retrieve your

administration access is to reset IEC

-G102-BP to factory default. To reset the IEC-G102-BP to factory

default, p

ress and hold the reset button for more than 10 seconds. The MANAGED LED will begin to blink

every half

-second, which means the system is resetting itself to factory default. DO NOT power off the

device when loading default settings.

3

3. The System Screen

Monitor your system information, system status, and system resource usage on the system screen.

The following topics are covered in this chapter:



System Information



System Status



Resource Monitor

IEC-G102-BP Series The System Screen

3-2

System Information

This widget shows the time when the system started, name of the device, model name of the device,

version of the firmware on the device, firmware build date/time, and the IP address settings of the device.

System Status

The widget shows whether cybersecurity is enabled, whether the policy enforcement is enabled, signature

version on the device, whether the device is managed by SDC (Pro Version), current network throughput on

the device, and current network connection usage on the device.

Resource Monitor

This widget shows resource usage on the device.

Item Description

CPU Utilization Real-time CPU utilization %

(according to the refresh time settings)

Memory Utilization Real-time memory utilization %

(according to the refresh time settings)

4

4. The Visibility Screen

The Visibility screen gives you an overview of asset visibility of your managed assets. The screens provide

you with timely and accurate information on the assets that are managed by the IEC-G102-BP Series.

The assets, listed on the screen, are automatically detected by the IEC-G102-BP Series devices.

NOTE

The term

asset in this chapter refers to the devices or hosts that are protected by the IEC-G102-BP Series.

The following topics are covered in this chapter:



Viewing Asset Information



Viewing Real-time Network Application Traffic

IEC-G102-BP Series The Visibility Screen

4-2

Viewing Asset Information

Steps:

1. Go to [Visibility]  [Assets View].

2. Click an asset icon and view its detailed information.

3. The [Assets Information] pane shows the following information for the asset:

Field Description

Vendor Name The vendor name of the asset.

Model Name The model name of the asset.

Asset Type The asset type of the asset.

Host Name The name of the asset.

Serial Number The serial number of the asset.

OS The operating system of the asset.

MAC Address The MAC address of the asset.

IP Address The IP address of the asset.

First Seen The date and time the asset was first seen.

Last Seen The date and time the asset was last seen.

IEC-G102-BP Series The Visibility Screen

4-3

Viewing Real-time Network Application Traffic

Steps:

1. Go to [Visibility]  [Assets View].

2. Click an asset icon and view its detailed information.

3. The [Real Time Network Application Traffic] pane shows a list of network traffic statics of the asset

Field Description

No. Ordinal number of the application traffic.

Application Name The application type of the traffic.

TX The amount of traffic transmitted for this traffic.

RX The amount of traffic received for this traffic.

NOTE

Click the [Manual

Asset Info Refresh] to refresh the information displayed.

NOTE

Specify the refresh time under the [Refresh Time] dropdown menu.

5

5. The Device Screen

This chapter describes how to set up the network settings and port configurations for the device.

The following topics are covered in this chapter:



Configuring Network Settings



Configuring Interface Link Mode for Ports

IEC-G102-BP Series The Device Screen

5-2

Configuring Network Settings

Steps:

1. Go to [Device]  [Device Setting]

2. In the [Network Setting] pane, configure the network settings for the device:

Task Action

Device IP Address IP Address of the device

Netmask Netmask of the device

Gateway Gateway of the device

DNS DNS address of the device

Enable VLAN-ID Enable/Disable VLAN ID

VLAN-ID Network VLAN-ID of the device

Configuring Interface Link Mode for Ports

Steps:

1. Go to [Device]  [Device Setting]

2. In the [Port Configuration] pane, configure the link modes for the ports of the device:

Task Action

Port 1 and Port 2

Choose [Auto Negotiation] to specify that the interface should

automatically negotiate the highest speed that both sides can

work with or specify the configured speed value of the

interface.

6

6. The Object Profiles Screens

Object profiles simplify policy management by storing configurations that can be used by the IEC-G102-BP

Series.

You can configure the following types of object profiles for this device:

• IP Object Profile: Contains the IP addresses that you can apply to a policy rule.

• Service Object Profile: Contains the service definitions that you can apply to a policy rule. TCP port

range, UDP port range, ICMP, and custom protocol number are defined here.

• Protocol Filter Profile: Contains more sophisticated and advanced protocol settings that you can apply

to a policy rule. Details of ICS (Industrial Control System) protocols are defined here.

The following table describes the tasks you can perform when you view a list of the profiles:

Task Description

Add a profile Click [Add] to create a new profile.

Edit a profile Click a profile name to edit the settings.

Delete a profile Select one or more profiles and click [Delete].

Copy a profile Select on profile and click [Copy].

The following topics are covered in this chapter:



Configuring IP Object Profile



Configuring Service Object Profile



Configuring Protocol Filter Profile

 Specifying Commands Allowed in an ICS Protocol

 Advanced Settings for Modbus Protocol

Page is loading ...

Moxa IEC-G102-BP Series User manual

Moxa IEC-G102-BP Series User manual

Related papers

Other documents