Security functions of the routers

Default settings permit access to the router without authentication. However, it is not possible to commission the router without configuring an authentication. Activating a profile (a configuration) is only possible, if one of the following conditions is met:

The following options for access and authentication are available:

No user is added in default settings. It is possible to add several users with full (read/write) or limited (read, status) rights. In addition, it is possible to implement user management on a RADIUS server. These users will then have respective access to web interface, REST interface and command line (CLI).

Access to the router is possible via the following interfaces:

Following an unsuccessful login attempt to the web interface of the router, the next login attempt will be delayed by three seconds.

INSYS icom offers a simple solution for updating the firmware of your routers with Router Management to respond quickly in case of urgent IT security risks. It is recommended to keep the firmware always up-to-date using this function.

Optionally, the user can provide the router with updated firmware and new configurations using an own auto update server.

The router will check uploaded firmware files and only install firmware signed by INSYS. This Configuration Guide demonstrates how sign and encrypt your update packets to avoid that compromised packets are uploaded to the router.

The router allows to set up different local networks that are separated from each other or provided with precise communication rules in order to separate remote access options from the application network for example.

The router allows to set up router WAN connections using WAN chains. Several WAN chains with different WAN connections (Ethernet, DSL, cellular radio) can be created; those WAN connections will continuously be checked. In case a connection will be lost, another WAN connection will be established automatically to ensure an anew availability of the router.

The router permits to set up virtual private network, so-called VPNs These are encrypted connections via data networks. Objective is the tap- and tamper-proof communication between VPN partners from different local networks (LANs) via insecure or public networks (Internet). They use encryption and authentication for connection establishment and transmit data encrypted. The assignment of permissions causes closed user groups. VPN connections are possible via OpenVPN, IPsec, GRE and DMVPN. Information regarding secure VPN connections are available in the IT-Grundschutz-Kompendium (basic IT protection compendium) of the BSI.

INSYS icom offers an own VPN service with the icom Connectivity Suite that provides a simple and secure connection of your devices - also in China.

The router permits the individual selection of CA certificates for verifying the certificate of the remote terminal for the:

The following options are available for selecting the trusted CA certificates:

IP filter permit to block unwanted data communication. This follows the white list principle, i.e. all connections are blocked unless they are explicitly permitted here. To allow communication, permitted data packets must be explicitly specified using filter rules. The exception rules can be specified very detailed and permit only certain data packets broken down to packet direction, IP version, protocol, incoming/outgoing interface, source IP address, source port:, destination IP address and destination port. In default settings, the IP filters for IPv4 are deactivated and the IP filters for IPv6 are activated) The IPv4 filters must also be activated for a secure operation. Then, the IP filters will block all data packets that are not permitted explicitly.

In default settings, the MAC filters are deactivated. Activated MAC filters block the IP connections to other devices in the Ethernet following the white list principle, i.e. all connections are blocked unless they are explicitly permitted here. MAC filter rules apply to both, IPv4 and IPv6 traffic. In order to permit communication, the MAC address of the device that is permitted to communicate must be specified. It must be taken into account here, that the actually unique MAC address of a device can also be modified with moderate effort (depending on the device). This makes it possible that a different device may penetrate the MAC filters if the permitted MAC address has been assigned to it.

For an early detection of possible IT security risks, messages can be dispatched via e-mail, SMS, SNMP trap or MCIP, if a certain (IT security-relevant) event occurs. Examples for such an event contain:

The router logs all events in connection with its operation. These can also be transmitted to a syslog server for regular external evaluation and monitoring of security-relevant events.

The volatile profile mode enables a router to always go into operation in a defined initial state after a restart and to receive its specific configuration via an update server or router management. In this mode, all changes to the configuration (including profiles and ASCII configuration files) are lost when the router is restarted and the router restarts in the state it was in when it was changed to volatile mode. This means that, if configured accordingly, all cryptographic material will be lost if the router is disconnected from the power supply, as it is only stored in volatile memory. Cryptographic secrets will then only be uploaded from the server to the router during operation. There are only secrets for Bootstrap on the device.

The certificate manager is a central site for administrating the various certificates and keys that are used for authentication and encryption of connections. It permits the regular update of certificates and keys and the protection of the certificate structure through CRL lists (certificate revocation lists).

EST (Enrolment over Secure Transport) is a protocol for the simple and more scalable enrolment and renewal of certificates and the retrieval of certificate revocation lists (CRLs) in large-scale network environments with PKI (public key infrastructure). The required certificates and certificate revocation lists are obtained and renewed automatically with this. The necessary private key is generated by the device itself and remains on it.

Safe decommissioning permits to delete all data on the device, not only the allocation table as is the case when resetting to default settings. This will also delete the complete firmware from the router. Only a rudimentary rescue system will remain on the router, which can be accessed via the address http://192.68.1.1 and enables the router to be restored.

All router functions relevant to IT security are listed here again with their settings in delivery condition (default settings).