Some applications require that data from serial devices be transferred securely over an Ethernet network; examples include banking, telecommunications, and remote access and control systems.
For these applications MOXA offers the NPort 6000 series of RS-232/422/485-to-Ethernet converters.
The main feature of the NPort 6000 series is the ability to encrypt traffic with SSL/TLS and to protect access to the device itself. The vendor labels this encryption "SSL"; SSL 2.0 and 3.0 are broken and prohibited (RFC 6176 and RFC 7568), so before deploying, check which protocol version a given firmware actually negotiates, for example with openssl s_client -connect <ip>:<port>, and update the firmware if it offers nothing newer.
Operation modes of NPort 6000 with traffic encryption
This article describes only those operation modes that support data encryption.
Secure Real COM mode (virtual COM port mode with data encryption)
Secure Real COM mode provides encrypted (SSL/TLS) data exchange between a PC and an NPort over Ethernet. In all other respects it works like Real COM mode.
Starting with firmware v1.14, the security of the NPort 6000 meets the requirements of the IEC 62443-4-2 industrial standard at security level 2: support for more secure encryption protocols, access control, stronger cryptography, and so on.
Consider first how data is transferred without encryption: an attacker who can capture the TCP/IP packets (with a network analyser on a mirrored or compromised switch port, or on any host in the path) reads the serial payload directly.
Once encryption is enabled, the payload is encrypted in transit and a capture no longer reveals it. Encryption hides the content only: the addresses, ports and timing of the session remain visible, and the endpoints themselves must still be protected (see the access protection section below).
To use the mode, enable encryption on both sides: in the driver settings on the PC (tick Enable Data Encryption) and in the NPort settings (set Secure to Yes).
The key exchange between the driver and the NPort is shown in the figure:
Secure TCP Server mode
As in Secure Real COM mode, both the PC software and the NPort firmware must support encryption. In Secure Real COM mode the encryption is built into the driver, whereas in Secure TCP Server mode you must add it yourself to the software that communicates with the NPort.
In all other respects this mode works exactly like TCP Server mode.
There are two ways to add encryption support to the PC software (here the PC acts as the TCP client):
- Use the MOXA SSDK examples, which contain the functions needed to connect to the NPort.
- Use the OpenSSL library in your own program to establish the TLS connection to the NPort.
Whichever way you choose, have the client verify the NPort's certificate and require a current TLS version: a client that accepts any certificate still encrypts the link, but an attacker on the path can then terminate the session and read the data exactly as in the unencrypted case.
The NPort is the TCP server, so to switch on Secure TCP Server mode, enable the Secure option in the NPort settings, then save and reboot the device.
Secure TCP Client mode
This is the secure version of TCP Client mode.
The concept is the same as in Secure TCP Server mode, with the roles reversed: now the NPort connects out to the PC.
The software acting as the TCP server must support the encryption functions. There are two ways to add them to a program:
- Use the MOXA SSDK examples, which contain the functions needed to accept the connection from the NPort.
- Use the OpenSSL library in your own program to establish the TLS connection with the NPort.
The NPort is the TCP client, so to switch on Secure TCP Client mode, enable the Secure option in the NPort settings, then save and reboot the device.
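The following Go program is an added example written for this article; it is not MOXA code and not the SSDK. It stands in for both encrypted TCP modes over loopback: deviceStandIn plays the listening side (the NPort in Secure TCP Server mode, or your own software in Secure TCP Client mode) and exchange plays the connecting side. Everything about the stand-in is constructed for the demo and is an assumption, not NPort behaviour: the self-signed certificate, the "ACK:<line>" reply to each received line, the loopback address and ephemeral port. What it demonstrates is the part the bullet points leave to you: pin the peer certificate, require TLS 1.2 or newer, and confirm that a client capped at TLS 1.0 is refused.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert makes a throwaway certificate for the loopback stand-in (constructed for
// this demo; a real NPort presents its own certificate, which you export and pin instead).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// deviceStandIn listens like an NPort in Secure TCP Server mode (or like your own software in
// Secure TCP Client mode): TLS 1.2 or newer only, answering each received line with "ACK:<line>".
func deviceStandIn(cert tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by the caller
			}
			// The TLS handshake runs on first read; a rejected client fails right here.
			if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
				fmt.Fprintf(c, "ACK:%s", line)
			}
			c.Close()
		}
	}()
	return ln, nil
}

// exchange is the PC side of Secure TCP Server mode: dial, send one line, return the reply
// and the protocol version that was negotiated.
func exchange(addr string, cfg *tls.Config, payload string) (string, uint16, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", 0, err
	}
	defer conn.Close()
	fmt.Fprintf(conn, "%s\n", payload)
	reply, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimRight(reply, "\r\n"), conn.ConnectionState().Version, err
}

// runDemo: a client that pins the device certificate and requires TLS 1.2+ talks to the
// stand-in; then a client capped at TLS 1.0 (the downgrade case) is tried and must fail.
func runDemo(payload string) (reply string, version uint16, legacyRejected bool, err error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return
	}
	ln, err := deviceStandIn(cert)
	if err != nil {
		return
	}
	defer ln.Close()
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // trust exactly this device certificate; no verification = on-path MITM
	addr := ln.Addr().String()
	if reply, version, err = exchange(addr, &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, payload); err != nil {
		return
	}
	_, _, oldErr := exchange(addr, &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10}, payload)
	return reply, version, oldErr != nil, nil
}

func main() {
	reply, version, legacyRejected, err := runDemo("AT")
	fmt.Println(reply, version, legacyRejected, err)
}
```

Run it with go run: the expected outcome is the reply ACK:AT, a negotiated version of at least 0x0303 (TLS 1.2; Go's defaults negotiate TLS 1.3 here) and a failed TLS 1.0 attempt. Against a real NPort, replace the stand-in with the device's address and data port and load the device's exported certificate into the pool instead of the generated one; for Secure TCP Client mode, keep the deviceStandIn configuration (certificate, MinVersion) for your own listener and let the NPort dial in.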
Secure Pair Connection mode
This mode extends a serial link over Ethernet by connecting two NPort units back to back; in Secure Pair Connection mode the data between the two units is encrypted.
NPort 6000 access protection
Secure authentication
To protect the NPort 6000 from unauthorized access, in addition to a local password you can authenticate users against a TACACS+ or RADIUS server.
To enable this, specify the server's IP address and the shared secret (the "password" or key that must be configured identically on the server).
You also need to create on the NPort the same user accounts that exist on the server.
Access to the NPort 6000 can then be authenticated by the TACACS+ or RADIUS server.
You can also disable the insecure (unencrypted) console access methods.
When setting the NPort 6000 password, you can enforce password complexity (required character classes) and enable protection against brute-force password guessing.
Secure monitoring
The NPort 6000 series supports SNMP for monitoring device activity and SNMP traps for reporting events to a management server. With SNMPv3, SNMP data can be encrypted with DES-CBC and authenticated with MD5 or SHA (an HMAC over a key derived from the password). DES and MD5 are weak by today's standards: use SHA for authentication, use the strongest privacy cipher the firmware offers, and do not fall back to SNMPv1/v2c, whose community strings travel in clear text.