1. Authentication

Default settings permit access to the router without authentication. However, it is not possible to commission the router without configuring authentication. Activating a profile (a configuration) is only possible if one of the following conditions is met:

  • A user has been added

  • Authentication at the HTTPS web server with client certificates is activated and a CA certificate is stored for this

  • Authentication against a RADIUS server is activated

The following options for access and authentication are available:

Access/authentication User name/password Certificate RADIUS

Graphic user interface

REST interface (REST API)

CLI (command line)

Remote Management

2. User management

No user is added in default settings. It is possible to add several users with full (read/write) or limited (read, status) rights. In addition, it is possible to implement user management on a RADIUS server. These users will then have the corresponding access to the web interface, REST interface and command line (CLI).

| User group | Rights |
|---|---|
| Read/Write | Settings can be read and modified |
| Read | Settings can only be read |
| Status | Only status information can be viewed |

3. Protected access options to the router

Access to the router is possible via the following interfaces:

  • Graphic user interface (web interface)
    Only access via HTTPS (encrypted) is possible in default settings. Starting with icom OS version 5.2, a redesigned user interface is available in addition to the classic web interface. Access to the classic web interface can be deactivated from version 6.1. Access via HTTP (not encrypted, not recommended) is deactivated. An auto logout function provides for an automated logout on inactivity (default setting 15 minutes).

  • REST interface
    Only access via HTTPS (encrypted) is possible in default settings. Access via HTTP (not encrypted, not recommended) is deactivated.

  • Command line (CLI)
    In default settings, no access to the command line is permitted. Access via Telnet (not encrypted, not recommended) and SSH (encrypted) must be activated explicitly.

4. Protection against brute force attacks

Following an unsuccessful login attempt to the web interface of the router, the next login attempt will be delayed by three seconds.

5. Automatic update of firmware and configuration

The automatic update is not activated in default settings. Optionally, the user can provide the router with updated firmware and new configurations using an auto update server and respond quickly in case of urgent IT security risks. It is recommended to always keep the firmware up to date using this function. INSYS icom offers a simple solution for updating the firmware of your routers with Router Management.

6. Signing firmware and configuration files

The router will check uploaded firmware files and only install firmware signed by INSYS. This Configuration Guide demonstrates how to sign and encrypt your update packages to prevent compromised packages from being uploaded to the router.

7. Segmenting into several local IP networks

The router allows setting up different local networks that are separated from each other or provided with precise communication rules, for example in order to separate remote access options from the application network.

8. Redundant WAN connections

The router allows WAN connections to be set up using WAN chains. Several WAN chains with different WAN connections (Ethernet, DSL, cellular radio) can be created; those WAN connections are checked continuously. If a connection is lost, another WAN connection is established automatically to restore the availability of the router.

9. Virtual Private Networks (VPNs)

The router permits setting up virtual private networks, so-called VPNs. These are encrypted connections via data networks. The objective is tap-proof and tamper-proof communication between VPN partners from different local networks (LANs) via insecure or public networks (Internet). They use encryption and authentication for connection establishment and transmit data in encrypted form. The assignment of permissions creates closed user groups. VPN connections are possible via OpenVPN, IPsec, GRE and DMVPN. Information regarding secure VPN connections is available in the IT-Grundschutz-Kompendium (basic IT protection compendium) of the BSI.

INSYS icom offers its own VPN service with the icom Connectivity Suite that provides a simple and secure connection of your devices - also in China.

10. Individual selection of trusted CA certificates

The router permits the individual selection of CA certificates for verifying the certificate of the remote terminal for the:

  • SMTP server for e-mail dispatch

  • server of the remote management platform

  • server for automated updates

The following options are available for selecting the trusted CA certificates:

  • trust all CA certificates of the pre-installed CA bundle of cURL and all CA certificates manually installed on the router

  • trust all CA certificates of the pre-installed CA bundle of cURL

  • trust all CA certificates manually installed on the router

  • trust a single CA certificate manually installed on the router

11. IP filters (Firewall)

IP filters permit blocking unwanted data communication. They follow the white list principle, i.e. all connections are blocked unless they are explicitly permitted here. To allow communication, permitted data packets must be explicitly specified using filter rules. The exception rules can be specified in great detail and permit only certain data packets, broken down to packet direction, IP version, protocol, incoming/outgoing interface, source IP address, source port, destination IP address and destination port. In default settings, the IP filters for IPv4 are deactivated and the IP filters for IPv6 are activated. The IPv4 filters must also be activated for secure operation. Then, the IP filters will block all data packets that are not permitted explicitly.
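The white list behaviour described above can be modelled in a few lines. This is an added example, not icom OS code or configuration syntax; the direction labels, the interface names `net1` and `wan`, and the sample rule and packet are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Packet:                      # the criteria the page lists for a filter rule
    direction: str                 # "input" / "forward" are assumed labels
    proto: str
    in_if: str
    out_if: str
    src: str
    sport: int
    dst: str
    dport: int

    @property
    def ip_version(self) -> int:
        return ip_address(self.src).version

@dataclass(frozen=True)
class Rule:                        # None = "any"; a rule only ever permits
    direction: Optional[str] = None
    ip_version: Optional[int] = None
    proto: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None      # CIDR network
    sport: Optional[int] = None
    dst: Optional[str] = None      # CIDR network
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        exact = ("direction", "ip_version", "proto", "in_if", "out_if", "sport", "dport")
        return (all(getattr(self, f) in (None, getattr(p, f)) for f in exact)
                and all(net is None or ip_address(addr) in ip_network(net)
                        for net, addr in ((self.src, p.src), (self.dst, p.dst))))

def permitted(p: Packet, rules: list, active: dict) -> bool:
    """With the filter active, a packet passes only if some rule matches it."""
    if not active[p.ip_version]:
        return True                # a deactivated filter blocks nothing
    return any(r.matches(p) for r in rules)

DEFAULTS = {4: False, 6: True}     # default settings as stated on this page
HARDENED = {4: True, 6: True}      # IPv4 filters activated as well
RULES = [Rule(direction="input", ip_version=4, proto="tcp", in_if="net1",
              src="192.0.2.0/24", dport=443)]   # constructed sample rule
TELNET = Packet("input", "tcp", "wan", "", "198.51.100.7", 50001, "192.0.2.1", 23)
print(permitted(TELNET, RULES, DEFAULTS), permitted(TELNET, RULES, HARDENED))
```

With the default settings the constructed IPv4 packet passes even though no rule permits it; once the IPv4 filters are activated, the same rule set blocks it.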

12. MAC filters

In default settings, the MAC filters are deactivated. Activated MAC filters block the IP connections to other devices in the Ethernet following the white list principle, i.e. all connections are blocked unless they are explicitly permitted here. MAC filter rules apply to both IPv4 and IPv6 traffic. In order to permit communication, the MAC address of the device that is permitted to communicate must be specified. It must be taken into account here that the nominally unique MAC address of a device can also be modified with moderate effort (depending on the device). This makes it possible for a different device to pass the MAC filters if the permitted MAC address has been assigned to it.

13. Monitoring and message dispatch upon certain events

For early detection of possible IT security risks, messages can be dispatched via e-mail, SMS, SNMP trap or MCIP if a certain (IT security-relevant) event occurs. Examples of such events include:

  • Configuration has been changed: The configuration has been changed or activated.

  • Link of an Ethernet port has been changed: The link condition has changed, i.e. a device has been disconnected (or switched off) or a third-party device has been connected.

  • System has been restarted: Both a hardware reset (e.g. power failure) and a software reset (e.g. reset via web interface) are assessed as a restart.

  • Login attempt detected: A successful or failed login attempt at the web interface or CLI has been detected.

14. Logging

The router logs all events in connection with its operation. These can also be transmitted to a syslog server for regular external evaluation and monitoring of security-relevant events.

15. Volatile profile mode

The volatile profile mode enables a router to always go into operation in a defined initial state after a restart and to receive its specific configuration via an update server or router management. In this mode, all changes to the configuration (including profiles and ASCII configuration files) are lost when the router is restarted and the router restarts in the state it was in when it was changed to volatile mode. This means that, if configured accordingly, all cryptographic material will be lost if the router is disconnected from the power supply, as it is only stored in volatile memory. Cryptographic secrets will then only be uploaded from the server to the router during operation. Only the secrets for bootstrapping are on the device.

16. Certificate manager

The certificate manager is a central place for administrating the various certificates and keys that are used for authentication and encryption of connections. It permits the regular update of certificates and keys and the protection of the certificate structure through certificate revocation lists (CRLs).

EST (Enrolment over Secure Transport) is a protocol for the simple and more scalable enrolment and renewal of certificates and the retrieval of certificate revocation lists (CRLs) in large-scale network environments with PKI (public key infrastructure). The required certificates and certificate revocation lists are obtained and renewed automatically with this. The necessary private key is generated by the device itself and remains on it.

17. Safe decommissioning

Safe decommissioning permits deleting all data on the device, not only the allocation table as is the case when resetting to default settings. This will also delete the complete firmware from the router. Only a rudimentary rescue system will remain on the router, which can be accessed via the address http://192.68.1.1 and enables the router to be restored.

18. Router functions in default settings

All router functions relevant to IT security are listed here again with their settings in delivery condition (default settings).

18.1. Router functions in default settings

| Function | Port |
|---|---|
| Access to web/REST interface via HTTPS | 443 |
| Access to classic web interface via HTTPS | 443 |
| Automatic session timeout after 15 minutes | |
| DNS relay | 53 |
| DHCP server for IPv4 in IP net 1 | 67, 68 |
| IP filter (Firewall) for IPv6 | |
| SLAAC | |
| Network segmenting - Port 1: configuration network; the other ports are assigned to different deactivated networks depending on the router type | |

18.2. Functions deactivated in default settings

| Function | Port |
|---|---|
| Authentication via user | |
| Authentication via RADIUS server | |
| Access to web/REST interface via HTTP | 80 |
| Client authentication via certificate | |
| Access to command line (CLI) via Telnet | 23 |
| Access to command line (CLI) via SSH | 22 |
| Debug access via SSH | 22 |
| Server for auto update | 443 |
| Dynamic DNS | 53 |
| VLAN | |
| DHCP client | 67, 68 |
| DHCP server for IPv4 in IP net 2-5 as well as for IPv6 | 67, 68 |
| DHCP relay | 67, 68 |
| IPv6 Router Advertiser | |
| NTP server | 123 |
| MCIP server | |
| SNMP agent | |
| RSTP | |
| IP filter (Firewall) for IPv4 | |
| MAC filter | |
| Dynamic routing | |
| VPN connections | |
| WAN connections | |
| EST (Enrolment over Secure Transport) | |
| Exclusive acceptance of signed update packages | |

The information does not claim completeness and correctness since the functions are subject to changes from time to time.