Moxa IEC-G102-BP Series User manual

IEC-G102-BP Series
Moxa
Brand
Moxa
Model
IEC-G102-BP Series
Type
User manual
IEC-G102-BP Series Users Manual
Version 1.0, March 2020
www.moxa.com/product
© 2020 Moxa Inc. All rights reserved.
IEC-G102-BP Series Users Manual
The software described in this manual is furnished under a license agreement and may be used only in accordance
with the terms of that agreement.
Copyright Notice
© 2020 Moxa Inc. All rights reserved.
Trademarks
The MOXA logo is a registered trademark of Moxa Inc.
All other trademarks or registered marks in this manual belong to their respective manufacturers.
Disclaimer
Information in this document is subject to change without notice and does not represent a commitment on the part of
Moxa.
Moxa provides this document as is, without warranty of any kind, either expressed or implied, including, but not
limited to, its particular purpose. Moxa reserves the right to make improvements and/or changes to this manual, or to
the products and/or the programs described in this manual, at any time.
Information provided in this manual is intended to be accurate and reliable. However, Moxa assumes no responsibility
for its use, or for any infringements on the rights of third parties that may result from its use.
This product might include unintentional technical or typographical errors. Changes are periodically made to the
information herein to correct such errors, and these changes are incorporated into new editions of the publication.
Technical Support Contact Information
www.moxa.com/support
Moxa Americas
Toll
-free: 1-888-669-2872
Tel:
+1-714-528-6777
Fax:
+1-714-528-6778
Moxa China (Shanghai office)
Toll
-free: 800-820-5036
Tel:
+86-21-5258-9955
Fax:
+86-21-5258-5505
Moxa Europe
Tel:
+49-89-3 70 03 99-0
Fax:
+49-89-3 70 03 99-99
Moxa Asia
-Pacific
Tel:
+886-2-8919-1230
Fax:
+886-2-8919-1231
Moxa India
Tel:
+91-80-4172-9088
Fax:
+91-80-4132-1045
Table of Contents
1. About IEC-G102-BP Series ................................................................................................................ 1-1
Introduction ....................................................................................................................................... 1-2
Main Functions ................................................................................................................................... 1-3
2. Getting Started ................................................................................................................................. 2-1
Getting Started Task List ..................................................................................................................... 2-2
Opening the Management Console ........................................................................................................ 2-3
Changing the Administrator’s Password ................................................................................................. 2-4
3. The System Screen ............................................................................................................................ 3-1
System Information ............................................................................................................................ 3-2
System Status .................................................................................................................................... 3-2
Resource Monitor ................................................................................................................................ 3-2
4. The Visibility Screen .......................................................................................................................... 4-1
Viewing Asset Information ................................................................................................................... 4-2
Viewing Real-time Network Application Traffic ........................................................................................ 4-3
5. The Device Screen ............................................................................................................................. 5-1
Configuring Network Settings ............................................................................................................... 5-2
Configuring Interface Link Mode for Ports .............................................................................................. 5-2
6. The Object Profiles Screens............................................................................................................... 6-1
Configuring IP Object Profile ................................................................................................................ 6-2
Configuring Service Object Profile ......................................................................................................... 6-3
Configuring Protocol Filter Profile .......................................................................................................... 6-4
Specifying Commands Allowed in an ICS Protocol ............................................................................ 6-4
Advanced Settings for Modbus Protocol .......................................................................................... 6-5
7. The Security Screens ......................................................................................................................... 7-1
Security General Settings .................................................................................................................... 7-2
Configuring Security Operation Mode .................................................................................................... 7-3
Cybersecurity ..................................................................................................................................... 7-3
Configuring Cybersecurity - Intrusion Prevention Setting .................................................................. 7-3
Configuring Cybersecurity Denial of Service Prevention ................................................................. 7-4
Policy Enforcement ............................................................................................................................. 7-5
Configuring Policy Enforcement ..................................................................................................... 7-5
Adding Policy Enforcement Rules ................................................................................................... 7-6
Managing Policy Enforcement Rules ............................................................................................... 7-7
8. The Pattern Screens .......................................................................................................................... 8-1
Viewing Device Pattern Information ...................................................................................................... 8-2
Manually Updating the Pattern .............................................................................................................. 8-2
9. The Log Screens ................................................................................................................................ 9-1
Viewing Cybersecurity Logs .................................................................................................................. 9-2
Viewing Policy Enforcement Logs .......................................................................................................... 9-3
Viewing Protocol Filter Logs.................................................................................................................. 9-3
Viewing Asset Detection Logs ............................................................................................................... 9-4
Viewing System Logs .......................................................................................................................... 9-4
Viewing Audit Logs.............................................................................................................................. 9-4
10. The Administration Screens ............................................................................................................ 10-1
Account Management ........................................................................................................................ 10-2
Built-in User Accounts ................................................................................................................ 10-3
Adding a User Account ............................................................................................................... 10-3
Changing Your Password ............................................................................................................ 10-3
Configuring Password Policy Settings .................................................................................................. 10-4
System Management ......................................................................................................................... 10-4
Configuring Device Name and Device Location Information ............................................................. 10-5
Configuring Control List Access from Management Clients .............................................................. 10-5
Configuring Management Protocols and Ports ................................................................................ 10-6
The Sync Setting Screen (Pro Version) ................................................................................................ 10-6
Enabling Management by SDC .................................................................................................... 10-6
The Syslog Screen ............................................................................................................................ 10-7
Configuring Syslog Settings ........................................................................................................ 10-7
Syslog Severity Levels ............................................................................................................... 10-8
Syslog Severity Level Mapping Table ........................................................................................... 10-8
The System Time Screen ................................................................................................................... 10-9
Configuring System Time ........................................................................................................... 10-9
The Back Up/Restore Screen ............................................................................................................ 10-10
Backing Up a Configuration ....................................................................................................... 10-10
Restoring a Configuration ......................................................................................................... 10-10
The Firmware Management Screen ................................................................................................... 10-11
Viewing Device Firmware Information ........................................................................................ 10-11
Updating Firmware .................................................................................................................. 10-11
Rebooting and Applying Firmware ............................................................................................. 10-12
The Reboot System Screen .............................................................................................................. 10-12
Rebooting the System .............................................................................................................. 10-12
11. Supported USB Devices ................................................................................................................... 11-1
Pattern Loading Function ................................................................................................................... 11-1
Procedure ................................................................................................................................. 11-1
Terms and Acronyms
The following table lists the terms and acronyms used in this document.
Term/Acronym Definition
CEF Common Event Format
DPI Deep Packet Inspection
EWS Engineering Workstation
HMI Human-Machine Interface
ICS Industrial Control System
SDC Security Dashboard Console
PLC Programmable Logic Controller
SCADA Supervisory Control And Data Acquisition
1
1. About IEC-G102-BP Series
The following topics are covered in this chapter:
Introduction
Main Functions
IEC-G102-BP Series About IEC-G102-BP Series
1-2
Introduction
The IEC-G102-BP Series is an industrial next-generation IPS device that delivers deliver a palm-sized
platform that is fitted with dual Ethernet LAN ports. Users can access its web-based management console
that provides a graphical user interface for policy management. The whole management process is designed
to comply with the manufacturing SOP of the industry. The IEC-G102-BP Series protects your individual
assets with OT visibility, cybersecurity, and OT protocol whitelisting.
Traditionally, IT and OT operate separately, each with its own network, transportation team, goals, and
needs. In addition, each industrial environment is equipped with tools and devices that were not designed to
connect to a corporate network, thus making provisioning security updates or patches in a timely manner
difficult. Therefore, the requirements for security products that provide proper security protection and
visibility are on the rise.
Moxa Industrial Network Defense Solutions provide a wide range of security products that cover both the IT
and OT layers. These easy-to-build solutions provide active and immediate protection to the Industrial
Control System (ICS) environments with the following features:
Certified industrial-grade hardware that comply with size, power consumption, durability for OT
environments and have the ability to tolerate a wide range of temperature variations
Threat detection and interception against the spread of worms
Intrusion Prevention System and Denial-of-Service (DoS) that target legacy vulnerable devices
Virtual patch protection against OT device exploits
IEC-G102-BP Series About IEC-G102-BP Series
1-3
Main Functions
The IEC-G102-BP Series is a transparent network security device. Below are the main functions of the
product:
Extensive Support for Industrial Protocols
The IEC-G102-BP Series supports the identification of a wide range of industrial control protocols, including
Modbus and other protocols used by industry leaders such as Siemens, Mitsubishi, Schneider Electric, ABB,
Rockwell, Omron, and Emerson. In addition to allowing OT and IT security system administrators to work
together, this feature also allows the flexibility to deploy defense measures in appropriate network
segments and seamlessly connects them to existing factory networks.
Policy Enforcement for Mission-critical Machines
The IEC-G102-BP Series core technology allows administrators to maintain a policy enforcement database.
By analyzing Layer 3 to Layer 7 network traffic between mission-critical production machines, policy
enforcement executes filtering of control commands within the protocols and blocks traffic that is not
defined in the policy rules. This feature can help prevent unexpected operations, block unknown network
attacks, and block other traffic that matches the policy for sending data to these mission-critical machines.
Improve Shadow OT Visibility by Integrating IT and OT Networks
The IEC-G102-BP Series comes equipped to make your IT and OT networks as integrated and coordinated
with each other as possible, and to grant visibility of your shadow OT environment.
Intrusion Prevention and Intrusion Detection
IPS/IDS provides a powerful, up-to-date, first line of defense against known threats. Vulnerability filtering
rules provide effective protection against all potential exploits at the network level. Manufacturing personnel
manage patching and updating, providing pre-emptive protection against critical production failures, and
additional protection for old or terminated software.
Switch Between Two Flexible Modes, ‘Monitor’ & ‘Prevention’
The IEC-G102-BP Series flexibly switches between ‘Monitor’ and ‘Prevention’ modes. The ‘Monitor’ mode will
log traffic without interfering, while ‘Prevention’ mode will filter traffic based on policies you create. These
modes work together to preserve your productivity while maximizing security.
Top Threat Intelligence and Analytics
The IEC-G102-BP Series provides advanced protection against unknown threats with its up-to-date threat
information.
Centralized Management
Security Dashboard Console (SDC) provides a graphical user interface for policy management in compliance
with a manufacturing SOP. It centrally monitors operations information, edits network protection policies,
and sets patterns for attack behaviors.
The following protections are deployed throughout the entire information technology (IT) and operational
technology (OT) infrastructure. These include:
A centralized policy deployment and reporting system
Full visibility into assets, operations, and security threats
IPS and policy enforcement configurations can be assigned per device group, allowing all devices in the
same device group to share the same policy configuration
Management permissions for device groups can be assigned per user account
2
2. Getting Started
This chapter describes the IEC-G102-BP Series and how to get started with configuring the initial settings.
The following topics are covered in this chapter:
Getting Started Task List
Opening the Management Console
Changing the Administrator’s Password
IEC-G102-BP Series Getting Started
2-2
Getting Started Task List
This task list provides a high-level overview of all procedures required to get the IEC-G102-BP Series up and
running as quickly as possible. Each step links to more detailed instructions later in the document.
Steps Overview:
1. Open the management console.
For more information, see Opening the Management Console.
2. Change the administrator password.
For more information, see Changing the Administrator’s Password.
3. Configure the system time.
For more information, see Configuring System Time.
4. (Optional) Configure the Syslog settings.
For more information, see Configuring Syslog Settings.
5. Configure Object Profiles.
For more information, see The Object Profiles Screens.
6. Configure security policies.
For more information, see The Security Screens.
7. Configure the device name and device location information.
For more information, see Configuring Device Name and Device Location Information.
8. (Optional) Configure access control list from management clients.
For more information, see Configuring Control List Access from Management Clients.
9. Configure management protocols and ports.
For more information, see Configuring Management Protocols and Ports.
10. (Optional) Update the DPI (Deep Packet Inspection) pattern for the device.
For more information, see Manually Updating the Pattern.
11. (Optional) Enabling Management by SDC.
For more information, see Enabling Management by SDC.
12. Configure the network settings and network interface link modes for the device.
For more information, see The Device Screen
IEC-G102-BP Series Getting Started
2-3
Opening the Management Console
The IEC-G102-BP Series provides a built-in management web console that you can use to configure and
manage the product. View the management console using a web browser.
Note: View the management console using Google Chrome version 63 or later; Firefox version 53 or later;
Safari version 10.1 or later; or Edge version 15 or later.
Steps:
1. In a web browser, type the address of the IEC-G102-BP Series in the following format:
https://192.168.127.254, and the logon screen appears.
NOTE
The default IP address of
the IEC-G102-BP Series is 192.168.127.254 with subnet 255.255.255.0. Before
connecting a PC/Laptop to
the IEC-G102-BP Series, the PC's IP address should be set to an IP address that
is able to access the default IP address. After that, connect the PC and
the IEC-G102-BP Series using an
Ethernet cable.
NOTE
The
IEC-G102-BP Series uses an automatically generated self-signed SSL certificate to encrypt
communications to and from the client accessing the device. Given that the certificate is self
-signed, most
browsers will not trust the certificate and will give a warning that the certific
ate being used is not signed by
a known authority.
2. Input the logon credentials (user ID and password). Use the default administrator logon credentials
when logging on for the first time:
User ID: admin
Password: moxa
3. Click Log On
4. When you log on for the first time, the IEC-G102-BP Series will request you to create a new admin
account and change the default password for security reasons.
5. The logon screen will pop out again. Please use the new admin account and password to log on.
IEC-G102-BP Series Getting Started
2-4
Changing the Administrator’s Password
To change the password of the IEC-G102-BP Series, you have to log in to a web browser with proper
credentials first.
Steps:
1. In a web browser, type the address of the IEC-G102-BP Series in the following format:
https://192.168.127.254, and the logon screen will appear.
2. Log in as the administrator.
3. Click the admin account icon at the top-right corner and select [Change Password].
4. Proceed to change the password.
NOTE
If you accidentally
forget the administrator account and password, the only way to retrieve your
administration access is to reset IEC
-G102-BP to factory default. To reset the IEC-G102-BP to factory
default, p
ress and hold the reset button for more than 10 seconds. The MANAGED LED will begin to blink
every half
-second, which means the system is resetting itself to factory default. DO NOT power off the
device when loading default settings.
3
3. The System Screen
Monitor your system information, system status, and system resource usage on the system screen.
The following topics are covered in this chapter:
System Information
System Status
Resource Monitor
IEC-G102-BP Series The System Screen
3-2
System Information
This widget shows the time when the system started, name of the device, model name of the device,
version of the firmware on the device, firmware build date/time, and the IP address settings of the device.
System Status
The widget shows whether cybersecurity is enabled, whether the policy enforcement is enabled, signature
version on the device, whether the device is managed by SDC (Pro Version), current network throughput on
the device, and current network connection usage on the device.
Resource Monitor
This widget shows resource usage on the device.
Item Description
CPU Utilization Real-time CPU utilization %
(according to the refresh time settings)
Memory Utilization Real-time memory utilization %
(according to the refresh time settings)
4
4. The Visibility Screen
The Visibility screen gives you an overview of asset visibility of your managed assets. The screens provide
you with timely and accurate information on the assets that are managed by the IEC-G102-BP Series.
The assets, listed on the screen, are automatically detected by the IEC-G102-BP Series devices.
NOTE
The term
asset in this chapter refers to the devices or hosts that are protected by the IEC-G102-BP Series.
The following topics are covered in this chapter:
Viewing Asset Information
Viewing Real-time Network Application Traffic
IEC-G102-BP Series The Visibility Screen
4-2
Viewing Asset Information
Steps:
1. Go to [Visibility] [Assets View].
2. Click an asset icon and view its detailed information.
3. The [Assets Information] pane shows the following information for the asset:
Field Description
Vendor Name The vendor name of the asset.
Model Name The model name of the asset.
Asset Type The asset type of the asset.
Host Name The name of the asset.
Serial Number The serial number of the asset.
OS The operating system of the asset.
MAC Address The MAC address of the asset.
IP Address The IP address of the asset.
First Seen The date and time the asset was first seen.
Last Seen The date and time the asset was last seen.
IEC-G102-BP Series The Visibility Screen
4-3
Viewing Real-time Network Application Traffic
Steps:
1. Go to [Visibility] [Assets View].
2. Click an asset icon and view its detailed information.
3. The [Real Time Network Application Traffic] pane shows a list of network traffic statics of the asset
Field Description
No. Ordinal number of the application traffic.
Application Name The application type of the traffic.
TX The amount of traffic transmitted for this traffic.
RX The amount of traffic received for this traffic.
NOTE
Click the [Manual
Asset Info Refresh] to refresh the information displayed.
NOTE
Specify the refresh time under the [Refresh Time] dropdown menu.
5
5. The Device Screen
This chapter describes how to set up the network settings and port configurations for the device.
The following topics are covered in this chapter:
Configuring Network Settings
Configuring Interface Link Mode for Ports
IEC-G102-BP Series The Device Screen
5-2
Configuring Network Settings
Steps:
1. Go to [Device] [Device Setting]
2. In the [Network Setting] pane, configure the network settings for the device:
Task Action
Device IP Address IP Address of the device
Netmask Netmask of the device
Gateway Gateway of the device
DNS DNS address of the device
Enable VLAN-ID Enable/Disable VLAN ID
VLAN-ID Network VLAN-ID of the device
Configuring Interface Link Mode for Ports
Steps:
1. Go to [Device] [Device Setting]
2. In the [Port Configuration] pane, configure the link modes for the ports of the device:
Task Action
Port 1 and Port 2
Choose [Auto Negotiation] to specify that the interface should
automatically negotiate the highest speed that both sides can
work with or specify the configured speed value of the
interface.
6
6. The Object Profiles Screens
Object profiles simplify policy management by storing configurations that can be used by the IEC-G102-BP
Series.
You can configure the following types of object profiles for this device:
IP Object Profile: Contains the IP addresses that you can apply to a policy rule.
Service Object Profile: Contains the service definitions that you can apply to a policy rule. TCP port
range, UDP port range, ICMP, and custom protocol number are defined here.
Protocol Filter Profile: Contains more sophisticated and advanced protocol settings that you can apply
to a policy rule. Details of ICS (Industrial Control System) protocols are defined here.
The following table describes the tasks you can perform when you view a list of the profiles:
Task Description
Add a profile Click [Add] to create a new profile.
Edit a profile Click a profile name to edit the settings.
Delete a profile Select one or more profiles and click [Delete].
Copy a profile Select on profile and click [Copy].
The following topics are covered in this chapter:
Configuring IP Object Profile
Configuring Service Object Profile
Configuring Protocol Filter Profile
Specifying Commands Allowed in an ICS Protocol
Advanced Settings for Modbus Protocol
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
Page is loading ...
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54

Moxa IEC-G102-BP Series User manual

IEC-G102-BP Series
Moxa
Brand
Moxa
Model
IEC-G102-BP Series
Type
User manual
Download PDF
report

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI

Related papers

Other documents