1. Individual authentication necessary

Default settings permit access to the router without authentication. However, it is not possible to commission the router without configuring an authentication. Activating a profile (a configuration) is only possible, if one of the following conditions is met:

  • A user has been added

  • Authentication at the HTTPS web server with client certificates is activated and a CA certificate is stored for this

  • Authentication against a RADIUS server is activated

The following options for access and authentication are available:

Access/authentication User name/password Certificates RADIUS

Web interface

REST interface (REST API)

CLI (command line)

Remote Management

2. User management

No user is added in default settings. It is possible to add several users with full (read/write) or limited (read, status) rights. In addition, it is possible to implement user management on a RADIUS server. These users will then have respective access to web interface, REST interface and command line (CLI).

3. Protected access to the router

Access to the router is possible via the following interfaces:

  • Web Interface
    Only access via HTTPS (encrypted) is possible in default settings. Starting with icom OS version 5.2, a redesigned user interface is available in addition to the classic web interface. Access to the classic web interface can be deactivated from version 6.1. Access via HTTP (not encrypted, not recommended) is deactivated. An auto logout function provides for an automated logout on inactivity (default setting 15 minutes).

  • REST interface
    Only access via HTTPS (encrypted) is possible in default settings. Access via HTTP (not encrypted, not recommended) is deactivated.

  • Command line (CLI)
    In default settings, no access to the command line is permitted. Access via Telnet (not encrypted, not recommended) and SSH (encrypted) must be activated explicitly.

4. Protection against brute force attacks

Following an unsuccessful login attempt to the web interface of the router, the next login attempt will be delayed by three seconds.

5. Automatic update of firmware and configuration

The automatic update is not activated in default settings. Optionally, the user can provide the router with updated firmware and new configurations using an auto update: server and respond quickly in case of urgent IT security risks. It is recommended to keep the firmware always up-to-date using this function. INSYS icom offers a simple solution for updating the firmware of your routers with Router Management.

6. Tamper-proof firmware

The router will check uploaded firmware files and only install firmware signed by INSYS. This Configuration Guide demonstrates how sign and encrypt your update packets to avoid that compromised packets are uploaded to the router.

7. Segmenting into several local IP networks

The router allows to set up different local networks that are separated from each other or provided with precise communication rules in order to separate remote access options from the application network for example.

8. Redundant WAN connections

The router allows to set up router WAN connections using WAN chains. Several WAN chains with different WAN connections (Ethernet, DSL, cellular radio) can be created; those WAN connections will continuously be checked. In case a connection will be lost, another WAN connection will be established automatically to ensure an anew availability of the router.

9. Virtual Private Networks (VPNs)

The router permits to set up virtual private network, so-called VPNs These are encrypted connections via data networks. Objective is the tap- and tamper-proof communication between VPN partners from different local networks (LANs) via insecure or public networks (Internet). They use encryption and authentication for connection establishment and transmit data encrypted. The assignment of permissions causes closed user groups. VPN connections are possible via OpenVPN, IPsec, GRE and DMVPN. Information regarding secure VPN connections are available in the IT-Grundschutz-Kompendium (basic IT protection compendium) of the BSI.

INSYS icom offers an own VPN service with the icom Connectivity Suite that provides a simple and secure connection of your devices - also in China.

10. Individual selection of trusted CA certificates

The router permits the individual selection of CA certificates for verifying the certificate of the remote terminal for the:

  • SMTP server for e-mail dispatch

  • server of the remote management platform

  • server for automated updates

The following options are available for selecting the trusted CA certificates:

  • trust all CA certificates of the pre-installed CA bundle of cURL and all CA certificates manually installed on the router

  • trust all CA certificates of the pre-installed CA bundle of cURL

  • trust all CA certificates manually installed on the router

  • trust a single CA certificate manually installed on the router

11. IP filters (Firewall)

IP filter permit to block unwanted data communication. This follows the white list principle, i.e. all connections are blocked unless they are explicitly permitted here. To allow communication, permitted data packets must be explicitly specified using filter rules. The exception rules can be specified very detailed and permit only certain data packets broken down to packet direction, IP version, protocol, incoming/outgoing interface, source IP address, source port:, destination IP address and destination port. In default settings, the IP filters for IPv4 are deactivated and the IP filters for IPv6 are activated. The IPv4 filters must also be activated for a secure operation. Then, the IP filters will block all data packets that are not permitted explicitly.

12. MAC filters

In default settings, the MAC filters are deactivated. Activated MAC filters block the IP connections to other devices in the Ethernet following the white list principle, i.e. all connections are blocked unless they are explicitly permitted here. MAC filter rules apply to both, IPv4 and IPv6 traffic. In order to permit communication, the MAC address of the device that is permitted to communicate must be specified. It must be taken into account here, that the actually unique MAC address of a device can also be modified with moderate effort (depending on the device). This makes it possible that a different device may penetrate the MAC filters if the permitted MAC address has been assigned to it.

13. Message dispatch upon certain events

For an early detection of possible IT security risks, messages can be dispatched via e-mail, SMS, SNMP trap or MCIP, if a certain (IT security-relevant) event occurs. Examples for such an event contain:

  • Configuration has been changed The configuration has been changed or activated.

  • Link of an Ethernet port has been changed: The link condition has changed, i.e. a device has been disconnected (or switched off) or a third-party device has been connected.

  • System has been restarted: Both, a hardware reset (e.g. power failure) and a software reset (e.g. reset via web interface) are assessed as a restart.

  • Login attempt detected: A successful or failed login attempt at the web interface or CLI has been detected.

A full list can also be found in the Online Help of the router in the HelpDocumentation menu.

14. Router functions in default settings

All router functions relevant to IT security are listed here again with their settings in delivery condition (default settings).

14.1. Router functions in default settings

Function port

Access to web/REST interface via HTTPS

443

Access to classic web interface via HTTPS

443

Automatic session timeout after 15 minutes

DNS relay

53

DHCP server for IPv4 in IP net 1

67, 68

IP filter (Firewall) for IPv6

SLAAC

Network segmenting - Port 1: configuration network; the other ports are assigned to different deactivated networks depending on the router type

14.2. Functions deactivated in default settings

Function port

Authentication via user

Authentication via RADIUS- server

Access to web/REST interface via HTTP

80

Client authentication via certificate

Access to command line (CLI) via Telnet

23

Access to command line (CLI) via SSH

22

Debug access via SSH

22

Server for auto update

443

Dynamic DNS

53

VLAN

DHCP client

67, 68

DHCP server for IPv4 in IP net 2-5 as wel as for IPv6

67, 68

DHCP relay

67, 68

IPv6 Router Advertiser

NTP server

123

MCIP server

SNMP agent

RSTP

IP filter (Firewall) for IPv4

MAC filter

Dynamic routing

VPN connections

WAN connections

SCEP

Exclusive acceptance of signed update packages

The information does not claim completeness and correctness since the functions are subject to changes from time to time.