This document describes the steps required to configure an INSYS icom router so that it complies with the accelerated security certification of the German Federal Office for Information Security (BSI).
1. Preparing the router
The router must be connected to a power supply, its Internet connection must be set up and it must be connected to a configuration PC. You then have access to the web interface of the router and can start the secure configuration. Download the Installation and User Manual for your router and familiarise yourself with its technical data, connection values and connections.
- Connect the router to the power supply (12 - 24 V DC).
- Connect the router to the network that is used to establish the Internet connection.
  - Cellular radio: Insert the SIM card into the SIM 1 slot and connect the cellular antenna to the LTE 1 antenna connection.
  - Ethernet: Connect the Ethernet cable to the network port of the router (MRX/MRO: ETH 5, ECR/SCR: ETH 2).
- Connect the router to the configuration PC via the ETH 1 interface.
  A DHCP client must be active on the configuration PC. Otherwise, activate the DHCP client or configure a static IP address in the network range 192.168.1.0/24 (not the default address of the router, 192.168.1.1!).
- Open the web interface of the router in a browser: https://192.168.1.1/ui/index.html [1]
Ensure the following prior to configuration:
- In order to exclude security vulnerabilities, the router must be reset to default settings (check all options in the Administration → Reset menu in the Reset device section and perform a reset).
- The accelerated security certification of the German Federal Office for Information Security (BSI) is based on router firmware 6.1 (refer to Status → Dashboard). Update the router to the latest certified version of the firmware (available under Download; for a manual update, refer to Administration → Firmware).
The following configuration steps are necessary for secure operation of the router:
- Authentication
- Internet connection
- Network connection
- System time
Some of these configurations, and further ones, can be accomplished conveniently and quickly using the startup wizard. However, the wizard makes configurations in the background that might affect the required security level of your application. A manual configuration is recommended in this case.
2. Configuring the authentication
In order to secure access to the router, it is necessary to use secure authentication.
- Click on the splash screen under Manual Configuration on To the manual configuration.
- Click in the Administration → User menu on in the empty row of the user table.
- Enter the desired User name.
- Enter a secure Password (refer to the note below).
- Select the readwrite group.
- Click on SUBMIT.
The security depends on the complexity of the password used.
Use the password offered by the router or a sufficiently long and hard to guess password, taking into account the general recommendations for secure passwords. Use individual passwords for each router/user in case of multiple routers/users in an application. Restrict the users to the necessary rights using user groups in case of multiple users (this security measure has not been evaluated within the scope of the Accelerated Security Certification by the Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security)).
3. Configuring the Internet/WAN connection
Depending on the router/application, the Internet/WAN connection will be established via cellular radio, Ethernet, WLAN (Wi-Fi), DSL or fibre optics.
3.1. Cellular radio connection
- Click in the Network → Interfaces menu in the LTE section on in the row of the LTE modem (SIM card slot) that is used for the connection.
- Enter the necessary access data (if required: PIN, user name, password and Access Point Name) (some parameters are only accessible in the extended view).
- Click on SUBMIT.
3.2. Ethernet connection
- Click in the Network → Interfaces menu in the IP networks section on in the row of the IP network net3.
- Configure the Internet connection via Ethernet:
  - Description: WAN
  - Mode: WAN - start only in WAN chain
- Click on in the Static IP addresses section and assign an address in the network used for the Internet/WAN connection to the router.
- Click on SUBMIT.
In case you cannot assign a static IP address to the router, enable the option Start DHCPv4 client.
4. Configuring the WAN chain for establishing the Internet/WAN connection
- Add in the Network → WAN / Internet menu a new WAN chain ().
- Enter Internet connection as Description.
- Click in the Interfaces in WAN chain section on and add an interface to the WAN chain:
  - Interface: Select the interface configured above, over which the Internet connection is to be established
  - Connection check type: none [2]
- Click on SUBMIT.
5. Configuring the default route for the Internet/WAN connection
- Add in the Network → Routing menu in the Static routes section a new route () and configure it:
  - Description: Default route
  - Set after start of: Select the interface configured above, over which the Internet connection is to be established
  - Type of the route: Default route
  - Gateway: Select use dynamically received IP address or define another default gateway
- Click on SUBMIT.
6. Configuring the NAT rule for the Internet/WAN connection
- Add in the Network → Firewall / NAT menu in the Source NAT section a new rule () and configure it:
  - Description: Masquerade rule
  - Type: Masquerade
  - Protocol: Select the protocol that is necessary for your application
  - Output interface: Select the interface configured above, over which the Internet connection is to be established
  - Restrict the rule further by permitting only those addresses that are necessary for your application
- Click on SUBMIT.
7. Configuring the Firewall rules for the Internet/WAN connection
- Click in the Network → Firewall / NAT menu on the IP filter settings section and check the checkbox IP-Filter for IPv4 activated.
- Click on SUBMIT.
- Add in the IP filter section a new filter rule () and configure it:
  - Description: Traffic between the local nets
  - Packet direction: FORWARD
  - IP version: Select all IP versions used for communication
  - Protocol: Select the protocol used for communication
  - Input interface: Select all internal interfaces that are permitted to communicate with each other
  - Output interface: Select all internal interfaces that are permitted to communicate with each other
  - Restrict the rule further by permitting only those addresses that are necessary for your application
- Click on SUBMIT.
- Add in the IP filter section a new filter rule () and configure it:
  - Description: Traffic from local net into the WAN
  - Packet direction: FORWARD
  - IP version: Select all IP versions used for communication
  - Protocol: Select the protocol used for communication
  - Input interface: Select all internal interfaces that are permitted to communicate with the WAN
  - Output interface: Select the interface configured above, over which the Internet connection is to be established
  - Restrict the rule further by permitting only those addresses that are necessary for your application
- Click on SUBMIT.
8. Configuring the network connection
In the default settings, three of the five available local IP networks are intended for certain purposes (the assignment can be changed at any time):
- IP net 1: Configuration
- IP net 2: Local network
- IP net 3: WAN (Internet connection)
The number of available network ports differs depending on the router. A local IP network can be assigned to each network port.
- Click in the Network → Interfaces menu in the IP networks section on in the row of the IP network net2, check the checkbox active, enter the static IP address that the router has in your local application network and make further settings if required.
- Click on SUBMIT.
- Click in the Ports → Ethernet menu on the port with which the router is connected to the local network, and assign the local network net2 to it.
- Click on SUBMIT.
- In case the Internet connection is established via Ethernet, click in the Ports → Ethernet menu on the port with which the router is connected to the network that is used to make the Internet connection, and assign the WAN network to it.
- Click on SUBMIT.
9. Setting up the automatic synchronisation of the system time
A correct system time of the router is especially important for verifying the validity of certificates. The router permits synchronisation of its system time with an NTP server. It will be configured such that a synchronisation is performed as soon as the router goes online. In order to enable synchronisation also with activated IP filters, a firewall rule will be created that permits this.
- Click in the Administration → Time / Date menu on the System clock section and set the system clock using one of the available methods.
- Click on SUBMIT.
- Click in the Administration → Time / Date menu on the Clock synchronisation section, select your Time zone and enter under Time server the address of the desired NTP server (the NTP server of the PTB is the default).
- Click on SUBMIT.
- Add in the Events → Events menu a new event () and configure it:
  - Description: WAN interface up → start NTP update
  - Event: Interface state has changed
  - Interface: Select the WAN interface over which the router communicates with the Internet (e.g. lte2 for cellular routers)
  - State changed to: online
  - Action: Synchronise clock via NTP
- Click on SUBMIT.
- Add in the Network → Firewall / NAT menu in the IP filter section a new filter rule () and configure it:
  - Description: NTP queries sent by the router
  - Packet direction: OUTPUT
  - IP version: Select all IP versions used for communication
  - Protocol: UDP
  - Output interface: Select the WAN interface over which the router communicates with the Internet (e.g. lte2 for cellular routers)
  - Destination port: 123
- Click on SUBMIT.
This makes the router synchronise its system time with the NTP server every time it goes online.
10. Setting up the OpenVPN connection
An OpenVPN connection exists between an OpenVPN client and an OpenVPN server. The OpenVPN server defines the configuration parameters of the connection that have to be configured at the client. The following example lists the most important parameters for a router as OpenVPN client (router menu Network → Interfaces, enable the extended view):
- Mode: Client
- VPN server address: according to server configuration
- Alternative VPN server address: only required as an alternative if present
- Tunnelling over port (local): 1194 (default)
- Tunnelling over port (remote): according to server configuration
- Protocol: according to server configuration
- In order to configure certificate-based authentication, upload the CA certificate, (client) Certificate and Private key under Administration → Certificates and select them here; the certificates and keys correspond to the server configuration and will be provided by the server administrator
- User name: only if additionally required by the server configuration
- Password: only if additionally required by the server configuration
- Key for tls-crypt: only upload and configure if used accordingly by the server
- Key for tls-auth and Use direction: only upload and configure if used accordingly by the server; adjust the use direction to the server (none or complementary (0/1 or 1/0))
- Encryption algorithm and Hash algorithm: in order to comply with the requirements of the Technical Guidelines TR-02102-1 and TR-02102-2 of the BSI (German Federal Office for Information Security), only the following encryption and hash procedures supported by the router may be used for the OpenVPN connection:
| Encryption algorithm |
| --- |
| AES 128 Bit CBC |
| AES 192 Bit CBC |
| AES 256 Bit CBC |
| AES 128 Bit GCM |
| AES 192 Bit GCM |
| AES 256 Bit GCM |

| Hash algorithm |
| --- |
| SHA-256 |
| SHA-384 |
| SHA-512 |
The use of the following (commonly considered obsolete or insecure) encryption and hash algorithms, of different ones, or of no encryption and hash algorithms at all places the router in a state that is not covered by the Accelerated Security Certification and may be insecure (these are also marked as “not recommended” in the web interface).
| Encryption algorithm | Hash algorithm |
| --- | --- |
| Blowfish 128 Bit | SHA-1 |
| DES 64 Bit | SHA-224 |
| DES EDE 128 Bit | |
| DES EDE3 192 Bit | |
| DESX 192 Bit | |
| CAST5 128 Bit | |
| IDEA 128 Bit | |
| RC2 128 Bit | |
| RC2 40 Bit | |
| RC2 64 Bit | |
- Check certificate type of remote terminal:
- Set default route (redirect-gateway): (default)
- Do not bind to local address and port: (default)
- Remote terminal is allowed to change its IP address (float): (default)
- Activate LZO compression: according to server configuration (but has to be avoided, since compression of the data channel might expose a security vulnerability)
- Log level: as required, not security-relevant
- Interval of key renegotiation: 3600 (default)
- Ping interval: 30 (default)
- Ping restart interval: 60 (default)
- Fragment packets: as required, not security-relevant
- Maximal wait time to establish connection: 60 (default)
Make sure that the OpenVPN server only uses the secure protocols TLS 1.2 or TLS 1.3 and only the two elliptic-curve Diffie-Hellman groups secp256r1 or secp384r1 for the key exchange that protects the data transmission.
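The router takes these settings from its web interface, but the same policy can be checked on an OpenVPN client profile (.ovpn) before it is transferred to the router, for instance the profile the server administrator hands over. The following script is an added example and not INSYS code or part of this guide; it assumes standard OpenVPN option names (cipher/data-ciphers, auth, comp-lzo/compress, tls-version-min), and the two sample profiles are constructed.

```python
# Added example: check an OpenVPN client profile against the cipher/hash policy
# in this guide. Allowed values per the guide's tables, spelled as OpenVPN names them.
ALLOWED_CIPHERS = {
    "AES-128-CBC", "AES-192-CBC", "AES-256-CBC",
    "AES-128-GCM", "AES-192-GCM", "AES-256-GCM",
}
ALLOWED_HASHES = {"SHA256", "SHA384", "SHA512"}
COMPRESSION_OPTIONS = ("comp-lzo", "compress")


def parse_options(text):
    """Map each OpenVPN option name to the list of argument strings given for it."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            key, _, value = line.partition(" ")
            opts.setdefault(key, []).append(value.strip())
    return opts


def check_openvpn_config(text):
    """Return a list of findings; an empty list means the profile meets the policy."""
    opts = parse_options(text)
    findings = []
    # Data-channel cipher: legacy 'cipher' and colon-separated 'data-ciphers' lists.
    ciphers = []
    for key in ("cipher", "data-ciphers", "ncp-ciphers"):
        for value in opts.get(key, []):
            ciphers.extend(c.upper() for c in value.split(":") if c)
    if not ciphers:
        findings.append("cipher: none configured, OpenVPN's default is not approved")
    findings.extend(f"cipher: {c} not approved" for c in ciphers if c not in ALLOWED_CIPHERS)
    # HMAC hash ('auth'); when absent OpenVPN falls back to SHA1, which the guide rejects.
    hashes = [h.upper() for h in opts.get("auth", [])] or ["SHA1"]
    findings.extend(f"auth: {h} not approved" for h in hashes if h not in ALLOWED_HASHES)
    # Compression of the data channel has to be avoided (LZO note in section 10).
    findings.extend(f"{k}: data-channel compression enabled" for k in COMPRESSION_OPTIONS if k in opts)
    # Control channel: only TLS 1.2 or TLS 1.3 are acceptable.
    versions = [(v.split() or [""])[0] for v in opts.get("tls-version-min", [])]
    if not versions or any(v not in ("1.2", "1.3") for v in versions):
        findings.append("tls-version-min: must be set to 1.2 or 1.3")
    return findings


# Constructed sample: violates the policy (Blowfish, implicit SHA1, LZO, no TLS minimum).
NON_COMPLIANT = "client\ndev tun\nremote vpn.example.net 1194 udp\ncipher BF-CBC\ncomp-lzo\n"
# Constructed sample: the same client using only values from the guide's approved lists.
COMPLIANT = ("client\ndev tun\nremote vpn.example.net 1194 udp\n"
             "data-ciphers AES-256-GCM:AES-128-GCM\nauth SHA256\ntls-version-min 1.2\n")
```

Running `check_openvpn_config(NON_COMPLIANT)` yields four findings, one per violation, while the compliant profile yields an empty list.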
11. Further protection of the router
- Disable access to the classic web interface in order to restrict access to the router to the essential access options:
  - Click in the Administration → Config access menu in the Web/REST interface section on
  - Disable the checkbox Activate classic UI
  - Click on SUBMIT
- Disable all services and functions that are not necessary for your application (see the Overview of all services and functions and their status in the default settings).
- Disable in the Network → Firewall / NAT menu in the IP filter section all firewall rules that are not necessary for your application. Restrict all necessary rules to the necessary IP versions, protocols, interfaces, addresses and ports.
- Do not use outdated protocols that no longer meet current security requirements, such as PPTP.
- Activate the signature check to prevent the upload of compromised update packets to the router:
  - Click for this in the Administration → Automatic update menu in the Allow only signed update packets section on the Enable feature slider
  - Observe the warning notes!
  - Click on ENABLE SIGNATURE CHECK
12. Safe decommissioning
After using the router in a security-critical application, delete all data on it. If you only reset the device to default settings, the data is not completely deleted; only the allocation table is, so that the data could be recovered with appropriate effort and tools given physical access to the router. Therefore, a router that has only been reset to default settings must not be sold or passed on.
For this reason, use the Safe decommissioning function of the router. This also deletes the complete firmware from the router. Only a rudimentary rescue system remains on the router, which can be accessed via the address http://192.168.1.1 and enables the router to be restored.
- Click for this in the Administration → Reset menu on the Enable safe decommissioning slider and then on the NOW SAFELY TAKE DECOMMISSIONING button.