Security Glossary

For protecting the device configuration settings against accidental change, sabotage and spying by participants from the LAN and/or WAN.

INSYS Security Inside

• Disabled for LAN participants
• Disabled for WAN participants (remote)
• Disabled for LAN and WAN participants (can only be cancelled by resetting to default settings)

INSYS Security Inside

• Secure authentication with certificates  VPN 
• INSYS Connectivity Service

Users, IP or MAC addresses that are to be blocked from accessing services or locations are entered into negative lists (black lists). Principle: Everything is allowed which is not forbidden! Opposite principle of whitelisting.

INSYS Security Inside

• Certificate Revocation List (CRL) for obsolete or compromised VPN participants  CRL

Also Security Callback. In case of dial-up connections for two-stage authentication of the users of security-relevant applications via callback. 

INSYS Security Inside

• It can be configured for each user, whether
  a) the Dial-In is to be maintained or
  b) a callback is to be performed after an authentication with this user name.

Certificate-based authentication uses private and public keys (X.509 certificates); it is considered as the most secure authentication method.
The OpenVPN server and the OpenVPN clients use two own certificate files each: public certificate and private key; see also  Key  VPN

INSYS Security Inside

OpenVPN service with certificate-based authentication

• INSYS Connectivity Service

A certificate revocation list contains certificates that have are blocked, invalid, wrong or revoked before their expiration date. The entry into the list may be of temporary nature; it is stored in the VPN server.

INSYS Security Inside

• A VPN server checks whether a VPN client is entered into the CRL for the authentication in case this client issues a connection request  Blacklisting
• INSYS Connectivity Service

Is generated by the assignment of permissions (group membership, permissions for the communication between the members of the group and between the groups). Members that do not belong to the closed user group, cannot establish connections to members of the group. Closed user groups allow to establish secure (company) networks (Intranet) with highest demands regarding security.

INSYS Security Inside

• INSYS Connectivity Service

Intuitive configuration

Operation must be resumed quickly upon hardware failures. It must be possible to restore a backup of the complete configuration on the replacement device.

INSYS Security Inside

• Backup of the complete configuration including all keys and certificates into an encrypted BIN file.
• Devices of INSYS icom will recognize when restoring that this is a file with a configuration, regardless of the file name.

INSYS Connectivity Service

Certificate revocation list

Information (data) will be protected against unauthorised access (read, write) by encrypting it.

Virtual private networks (VPN) use encryption (symmetric, asymmetric) for connection establishment and data transmission.  VPN

INSYS Security Inside

• OpenVPN, IPsec, PPTP
• INSYS Connectivity Service

Closed user group

(Distributed) Denial of Service

Access points for remote maintenance in a DMZ cause that service providers connect to the DMZ first and then get the required access to the control network from there.

The DMZ isolates the networks (LAN, WAN) from each other using firewalls. Objectives are:

1. protection against unauthorised access from outside
2. controlled connection establishment from the LAN into public networks/services

Depending on the security concept, a DMZ consists of a device or two devices of different manufacturers since a known weak point would be sufficient to break both firewalls and compromise the network.

Devices and services of INSYS icom aid you

• with network segmentation

There is no absolute security, but INSYS icom offers devices and services that minimise the risk and damage potential of both, untargeted malware and specific targeted, high-quality attacks.

We are a well-proven technology partner for industrial data communication and M2M solutions since 1992. In-house experts develop in Regensburg, Bavaria. Our reliable products are "Made in Germany" and our customers like to use them world-wide.

INSYS Security Inside

• The preferred use of OpenSource ensures perfect transparency and traceability.
• 100 % availability of sources and resources.

Attacks (distributed over several offenders). These disturb the network/Internet connection of central controls or remote devices via overload and shall cause a functional failure.

Offenders have a lot of technical options: from rental botnets to so-called fake base stations; the latter are imitated base stations which try to cause the attacked systems to connect to a wrong GSM network.

INSYS Security Inside

• Redundant connections

Demilitarised zone

Cryptography

VPN

An active firewall blocks all data packets generally. To allow communication, permitted data packets must be explicitly specified using rules. Principle: block everything, allow necessary; cf.  Whitelisting.

Firewalls are mostly situated at the coupling point between private and public network as well as at the coupling point of network segments (LANs) in case of network segmentation. The main tasks are:

• protecting a secure network from attacks from an insecure network

• preventing unauthorised access to private networks (LANs) 

• enabling authorised access to public networks (WANs) 

• limiting the use of services or protocols

• protecting network segments mutually (cell protection)

INSYS Security Inside

The firewalls of the INSYS icom routers allow to create rules as per various aspects:

• Data direction
• Protocol
• IP version
• Sender IP
• Destination IP
• Destination port
• Dial-In user name

see also MAC filter

Linux distributions contain many various services and libraries. INSYS icom selects each used component individually and checks it very painstakingly. This is how the own hardened Linux operating system of INSYS icom-evolves.

INSYS Security Inside

• Only necessary services are being installed
• The availability of the sources is ensured
• Transparency and verifiability by using free software.

VPN service of INSYS icom with highest security and scalability with the following security features: Connection with the "right" communication partner, tamper-proof and tap-proof data transmission.

The 2-step connection establishment is pretty easy:

1. Create devices online 
2. Device quick start.

The INSYS Connectivity Service saves a VPN server in the own network, can be configured comfortably from everywhere and is available round the clock. The easily operated portal of the INSYS Connectivity Service is used to create devices, specify user groups and assign permissions - up to the IP address and control of connection establishment.

The INSYS icom routers are configured automatically during the quick start. You connect to the portal for this and the download there the automatically generated certificates and VPN settings via a secure connection. Certificates for PCs and third-party devices can be downloaded manually.

Another benefits are

• the facile management of your network devices for you or your IT department
• the invariable outgoing connections (incoming connections are often forbidden) 
• the independence from external IT service providers.  

Product information

INSYS Security Inside

• Creation and storage of the certificates and keys in a secure environment by the service

• Secure transmission of the keys to the VPN clients

• Rights revocation for obsolete or compromised VPN participants (blacklisting) using a Certificate Revocation List (CRL)

• VPN clients limited to outgoing connections

• Closed user groups

• Controlling the connection establishment

• Direct routing up to the individual control (PLC), web cam, etc.

Something is user-friendly if it can be operated very easy suiting to the user and his tasks. The DIN EN ISO 9241 speaks about "usability" in the sense of "human-focussed design".

The objective of INSYS icom is: "Keep it simple and secure"

INSYS Security Inside

• The web interface is the central user interface for the configuration of all INSYS icom devices
• The structure of the web interface is identical for many device generations
• The configuration using the intuitively operated web interface is possible quickly and trouble-free after a brief instruction/training.
• If the operation of the web interfaces is familiar, all INSYS icom devices can be configured unerring.
• Usually, the default settings must only be amended by customer-specific data, like e.g. the PIN of the SIM card, for a correct function.

INSYS Security Inside

• INSYS Connectivity Service

This achieves a physical access protection; only authorised persons can operate the switch with their key. This controls a signal at a digital input of the INSYS icom routers for connection establishment and closure.

INSYS Security Inside

• Dial-Out connection
• OpenVPN-Tunnel
• PPTP tunnel
• IPsec tunnel
• Serial Ethernet connection

Without key switch OFF, the connection will be terminated again either by the remote terminal or after expiry of the configured time (idle time, maximum connection time, time).

Grants only devices with authorised MAC addresses access to the network. MAC filters are usually part of a firewall of routers and can also only be effective locally (LAN).

MAC addresses can be changed (MAC spoofing) and are no absolutely safe method for identifying network devices.

Status or fault messages are generated and dispatched based on events. Such messages are a kind of condition monitoring and inform responsible persons or automated control centers about normal processes or faults.

INSYS Security Inside

• Monitoring of numerous events like e.g. system start, VPN tunnel established, digital input closed or pulsed, Dial-Out or Dial-In connection established, SIM card switched or IP address obtained via DHCP

• Dispatch as SMS, e-mail or SNMP trap with individual message text

• The content of a status page of the web interface and/or a log file can be attahced to an e-mail.

see also  Monitoring log files

Instead of a delayed evaluation of log files, INSYS icom routers monitor significant events (abnormal connections or unauthorised connection attempts) and send a message immediately.

INSYS Security Inside

Immediate message dispatch (SMS, e-mail, SNMP trap) on:

• Ethernet link (connection established)
• Ethernet link lost (link lost)
• Incorrect web interface login

see also  Status and fault messages

The respective manufacturers and external service providers have external accesses for maintenance and programming in particular in the industrial field. Secure authentication methods and a firewall provide security amongst others.

If remote maintenance accesses are not or insufficient limited, further systems or, due to flat network hierarchies, networks can be accessed via a maintenance access for a certain system. If unintended or unauthorised accesses to these systems are possible, life and physical condition of the operators may be threatened (security problem). 

An acceptably granular segmentation of the networks is necesary therefore to minimise the "range" of remote maintenance accesses.

Devices and services of INSYS icom aid you

• with segmenting your LANs with inexpensive  routers

Standard office IT components

Serves for the positive identification of a person. Is usually generated by the authorised person itself in the IT field and combined with permissions that an unauthorised person does not have; cf. military password for friend or foe identification. Example: Login with user name and password.

A threat potential for the unauthosrised use of remote maintenance accesses are devices:

• without password 
• with default password (initial state)
• with default password (after reset to default settings)

as per BSI (German Federal Office for Information Security).

INSYS Security Inside

• User name and password can be selected freely

• INSYS icom products have no back door

• Additional physical protection by key switch function

Tip

Amend acceptance protocols by the article that devices with default passwords (initial state, default settings) are not considered as accepted.

Only the interaction of technical, physical and organisational measures as well as their regular check and update provides maximum security.

This is based on clear guidelines and processes for internal and external personnel, e.g. for handling data carriers, e-mail, social networks, passwords, firewall rules, back doors, software installations up to mandatory advanced training programs and security checks.

Security and Risk Management as Integral and continuous process 

Even if remote accesses are routed via a firewall that grants and monitors the access to the target system, unused Ethernet ports must be disabled.

Used Ethernet ports must be monitored that it is possible to detect if a network cable is disconnected or connected without authority. 

INSYS Security Inside

• Managed switch, configurable local and remote via web-interface
• Monitoring of active Ethernet ports and message dispatch (SMS, e-mail, SNMP trap) upon Ethernet link (established, lost)
• Disabling unused Ethernet ports via web interface.

Symmetric encryption method which requires that participants know the previously agreed keys prior to communication. PSK can only be used in a practicable way if a secret key exchange is possible quickly and secure, like in WLANS of private households for example. 

INSYS Security Inside

• Secure authentication with certificates  VPN
• INSYS Connectivity Service

Pre-shared key

Use of several devices that operate in parallel. One device operates active and the other operates in stand-by and takes on the tasks of the defective device in case of a failure. 

Devices and services of INSYS icom aid you

• with backing up the configuration for a quick restoration of the original configuration on a replacement device incl. all certificates  

INSYS icom implements further important aspects:

• Trustworthiness and reliability of the manufacturers

• Robustness of the products

• Long-term availability regarding replacement devices, updates and support Devices and services "Made in Germany"

(D) DoS attacks rarely affect different infrastructures (fixed line network and cellular connections) at the same time.

A cellular connection will be provided in parallel to a fixed line connection as solution. This allows to maintain a backup connection as long as the fixed line connection is attacked - the inverse solution also reduces the risk and avoids a total failure.

Devices and services of INSYS icom aid you

• LAN/WAN router for cellular network, DSL or telephone network
  Product Overview

A manual update at the site is often very complex and expensive for remote stations. Offenders would have a walk-over by exploiting weak points of outdated systems. Remote updates via secure connections eliminate these defects. 

INSYS Security Inside

INSYS icom routers can look for the following updates independently on a secure server in the LAN or WAN, download them via HTTP or FTP and install them.

• Firmware
• Configuration (ASCII and binary)
• INSYS sandbox (image)
• Extension applications (image)

Network segmentation

Services that are not installed or not started cannot be attacked and are no security risk.

INSYS Security Inside

• Only selected and necessary services are installed on devices of INSYS icom.
• Services are only started on devices of INSYS icom, if they need to be used.

More and more standard information technology is being used in automation and control networks (commercial off-the-shelf, COTS), like Windows PCs, databases, software-based PLC. This makes these networks interesting for attack scenarios known from the Internet, since potential offenders have know-how and attack tools freely available in the Internet. 

Devices and services of INSYS icom aid you

• with segmenting your LANs with inexpensive routers
• with protecting exposed areas with firewalls
• with secure connections with the INSYS Connectivity Service VPN service

VPNs are encrypted connections via data networks. Objective is the tap- and tamper-proof communication between VPN partners from different local networks (LANs) via insecure or public networks (Internet). They use encryption and authentication for connection establishment and transmit data encrypted (cryptography). The assignment of permissions causes closed user groups. Well-known examples are IPsec and OpenVPN. 

INSYS Security Inside

• OpenVPN, IPsec and PPTP in all router products:
  MoRoS, MLR, EBW, QLM, SDSL, IMON

see also VPN service  INSYS Connectivity Service

Virtual private networks

The web interface is the central user interface for configuring all INSYS icom devices. Its structure is consistently identical since many device generations for an intuitive, quick and trouble-free use.

Our objective: "Keep it simple and secure"

Access to web interface can be disabled

Intuitive configuration

Web proxies provide access to a web service that is accessible in the VPN via the http protocol. This al-lows to access many http-capable devices (e.g. IP cameras) from almost any PC or smartphone with Internet access. Data transmission is carried out encrypted via https.

INSYS Security Inside 

• The INSYS Connectivity Service allows to set up web proxies

Authorised users, IP or MAC addresses, IP versions, routes, PINs, protocols, etc. are entered in positive lists. Principle: Everything is forbidden which is not allowed! Opposite principle of blacklisting.

INSYS Security Inside

• Login with user name and password
• Authentication for VPN and Dial-In
• Protocol for authentication
• Routes, where data packets are directed to
• Dialling filters that establish WAN connections to which destination (IP, port)
• Permitted files for keys, certificates or configurations
• IP forwarding
• Port forwarding