The mGuard generally offers the option to use different encryption and hash algorithms.
Some of the available algorithms are dated and are no longer regarded as reliable; they are therefore not recommended. For backwards compatibility, they can still be selected and used on the mGuard.
In the following areas of the mGuard, the user must ensure that secure encryption and hash algorithms are used:
–IPsec VPN connections
–OpenVPN connections
–Shell Access (SSH)
–HTTPS Web Access (TLS/SSL)
–Encrypted State Synchronization of redundancy pairs
The secure use of encryption is explained in the following sections.
Further information can be found in the technical guideline of the German Federal Office for Information Security (BSI): “BSI TR-02102 Cryptographic Mechanisms: Recommendations and Key Lengths”.
Using secure encryption and hash algorithms
Phoenix Contact recommends using encryption and hash algorithms according to the following table.
The following generally applies: the longer the key length (in bits) used by the encryption algorithm (given by the appended number), the more secure it is.
Encryption
Algorithm | Use
AES-256, AES-192, AES-128 | Recommended
3DES, Blowfish | Do not use, if possible
DES | Do not use

Hash/checksum
Hash function | Use
SHA-512, SHA-384, SHA-256 | Recommended
SHA-1 | Do not use, if possible
MD5 | Do not use
Use of secure SSH clients
Encrypted SSH connections to the mGuard are initiated by the SSH client that is used. If the SSH client offers dated and thus insecure encryption algorithms, the mGuard generally accepts them.
Always use current SSH clients (e.g. PuTTY) to avoid the use of weak encryption algorithms.
Use of secure web browsers
Encrypted HTTPS connections (TLS/SSL) to the mGuard are initiated by the web browser that is used. If the web browser offers dated and thus insecure encryption algorithms, the mGuard generally accepts them.
Always use current web browsers to avoid the use of weak encryption algorithms.
Creation of secure X.509 certificates
X.509 certificates are generated using various software tools.
Always use current versions of these software tools to avoid the use of weak encryption algorithms when creating X.509 certificates. The MD5 hash algorithm must not be used, and SHA-1 should be avoided as far as possible.
When creating X.509 certificates, use key lengths of at least 2048 bits.
2.2 ISA 62443-4-2 compliant use of the mGuard device
In order to operate the mGuard device in an environment compliant with Security Level SL 2-2-3-2-3-3-3-3-3-3 according to ISA 62443-4-2 Draft D4E1 dated January 12, 2017, the conditions described below must be complied with:
1. The use of factory-set passwords (default passwords) is prohibited. This applies to the users root and admin.
2. Use a RADIUS server for user authentication. This concerns a user's logon to the mGuard device via web interface or SSH.
Configure the mGuard device to allow RADIUS authentication as the only way to verify passwords (see "Use RADIUS authentication for shell access" on page 62 and "Enable RADIUS authentication" on page 77).
3. To configure the mGuard devices, use the management software mGuard device manager (mdm / FL MGUARD DM).
Local configuration of the devices may only be performed by unique users with the "Netadmin" user role. The access rights of these users must be restricted individually as far as possible.
The Netadmin user is created and managed in mdm. Use the mdm to restrict the user's rights (see mdm User Manual, available at phoenixcontact.net/products or help.mguard.com).
4. The use of SNMP is prohibited! There is no unique user ID in this protocol.
5. Only use encrypted ECS files to back up mGuard configuration profiles. The use of unencrypted ECS files or ATV configuration profiles is prohibited (see "Configuration Profiles" on page 93).
6. Configure and use an external syslog server that triggers an alarm at least in the following cases:
–failed login to the mGuard device (via all interfaces)
–failed firmware update on the mGuard device due to corrupted update files
7. Operate the mGuard device only in a control cabinet whose door is connected to a service I/O of the mGuard device via a contact (switch or button). Configure the mGuard device in such a way that an alarm (e.g. by e-mail or SMS) is triggered each time the control cabinet door is opened (see "Trap" on page 105 and "Management >> Service I/O" on page 119).
The device is configured via a graphic user interface in the web browser.
Always use current web browsers to avoid the use of weak encryption algorithms.
Current versions of the following web browsers are supported:
–Mozilla Firefox
–Google Chrome
–Microsoft Internet Explorer
–Apple Safari
Limitation of login attempts
In a Denial of Service attack, services are deliberately rendered unable to function. To counter this type of attack, the mGuard is provided with a choke for different network requests.
This feature counts all connections originating from one IP address using a specific protocol. When a specific number of connections has been counted without a valid login, the choke takes effect. If no invalid connection attempt is made for 30 seconds, the choke is reset. Each new request without a valid login from this IP address restarts the 30-second timer.
The number of connection attempts that must fail before the choke takes effect depends on the protocol:
–10 when using HTTPS
–6 when using SSH, SNMP, COM server
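The following is an added model of the choke behaviour described above, written for this page and not taken from the mGuard firmware: it counts attempts per source IP and protocol with the stated thresholds (10 for HTTPS, 6 for SSH, SNMP and the COM server) and the 30-second reset that every further request without a valid login restarts. The class and method names are hypothetical, and the assumption that a valid login does not clear earlier failures is mine, since the manual only defines the 30-second reset.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Failed-attempt thresholds per protocol, as given in the manual.
CHOKE_THRESHOLD = {"https": 10, "ssh": 6, "snmp": 6, "com": 6}
RESET_SECONDS = 30  # the choke is reset after 30 s without an invalid attempt


@dataclass
class _Counter:
    failures: int = 0
    last_invalid: Optional[float] = None  # time of the last request without valid login


class LoginChoke:
    """Model of the per-source-IP, per-protocol choke (hypothetical, not device code)."""

    def __init__(self) -> None:
        self._counters: Dict[Tuple[str, str], _Counter] = {}

    def _counter(self, ip: str, proto: str) -> _Counter:
        return self._counters.setdefault((ip, proto), _Counter())

    def is_choked(self, ip: str, proto: str, now: float) -> bool:
        c = self._counter(ip, proto)
        if c.last_invalid is not None and now - c.last_invalid >= RESET_SECONDS:
            c.failures, c.last_invalid = 0, None  # 30 s of silence: choke and count reset
        return c.failures >= CHOKE_THRESHOLD[proto]

    def attempt(self, ip: str, proto: str, now: float, valid_login: bool) -> bool:
        """Process one connection attempt. Returns True if the choke rejects it."""
        c = self._counter(ip, proto)
        if self.is_choked(ip, proto, now):
            c.last_invalid = now  # any further request restarts the 30 s timer
            return True
        if not valid_login:
            c.failures += 1
            c.last_invalid = now
        # Assumption: a valid login does not clear earlier failures; the manual
        # only defines the 30 s reset.
        return False
```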
User | Role
root | User role without restrictions
admin | Administrator
netadmin | Administrator for the network only
audit | Auditor/tester
mobile | Sending text messages
The predefined users (root, admin, netadmin, audit, and mobile) have different permissions.
–The root user has unrestricted access to the mGuard.
–The admin user also has unrestricted functional access to the mGuard; however, the number of simultaneous SSH sessions is limited.
–Permissions are explicitly assigned to the netadmin user via the mGuard device manager (FL MGUARD DM). This user only has read access to the other functions. Passwords and private keys cannot be read by this user.
–The audit user only has read access to all functions. By default, the audit user role can only be activated via the mGuard device manager (FL MGUARD DM), in the same way as netadmin.
–The mobile user can send text messages with the mGuard using a CGI script. Further functions cannot be accessed by the mobile user (see "CGI interface" on page 453).
2.5 Input help during configuration (system messages)
With firmware 8.0 or later, modified or invalid entries are highlighted in color on the web interface.
System messages which explain why an entry is invalid, for example, are also displayed.
In order to support this, JavaScript must be enabled in the web browser used.
Figure 2-1: Example system message
–Modified entries are highlighted in green on the relevant page and in the associated menu item until the changes are applied or reset. In the case of tables, it is only indicated that a table row has been modified or removed; the modified value is not indicated.
–Invalid entries are highlighted in red on the relevant page and tab and in the associated menu item.
The modified or invalid entries remain highlighted even when you close a menu.
When necessary, information relating to the system is displayed at the top of the screen.
You can click on the desired configuration via the menu on the left-hand side, e.g., “Management, Licensing”.
The page is then displayed in the main window – usually in the form of one or more tab pages – where settings can be made. If the page is organized into several tab pages, you can switch between them using the tabs at the top.
Working with tab pages
–You can make the desired entries on the corresponding tab page (see also "Working with sortable tables" on page 30).
–You can return to the previously accessed page by clicking on the “Back” button located at the bottom right of the page, if available.
Modifying values
If you modify the value of a variable on the web interface, the change will not be applied until you click on the Save icon. The variable name for the modified variable is then displayed in green.
In order to make it easier to trace the changes, the full menu path for the modified variable is also displayed in green: Menu >> Submenu >> Tab page >> Section >> Variable.
Entry of impermissible values
If you enter an impermissible value (e.g., an impermissible number in an IP address) and click on the Save icon, the relevant variable name is displayed in red and an error message is usually displayed.
In order to make it easier to trace the error, the full menu path for the modified variable is also displayed in red: Menu >> Submenu >> Tab page >> Section >> Variable.
Entry of a timeout
A timeout can be entered in three ways:
–In seconds [ss]
–In minutes and seconds [mm:ss]
–In hours, minutes, and seconds [hh:mm:ss]
The values are separated by colons. If only one value is entered, it is interpreted as seconds; two values as minutes and seconds; three values as hours, minutes, and seconds. The values for minutes and seconds may be greater than 59. After the values have been applied, they are always shown as [hh:mm:ss] regardless of the format in which they were entered (if you enter 90:120, for example, it is shown as 1:32:00).
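The following added example (not part of the manual) parses a timeout entered in any of the three forms and renders it the way the device displays it after applying, normalising minutes and seconds above 59 so that the manual's 90:120 case comes out as 1:32:00. The function names are hypothetical.

```python
def parse_timeout(text: str) -> int:
    """Parse a timeout entered as [ss], [mm:ss] or [hh:mm:ss] into total seconds.

    Minutes and seconds may exceed 59, as the manual allows; the carry into
    the next unit is only applied when the value is displayed again.
    """
    parts = text.strip().split(":")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError("timeout must be ss, mm:ss or hh:mm:ss with non-negative integers")
    values = [int(p) for p in parts]
    # Right-align the fields: one value is seconds, two are mm:ss, three are hh:mm:ss.
    hours, minutes, seconds = [0] * (3 - len(values)) + values
    return hours * 3600 + minutes * 60 + seconds


def format_timeout(total_seconds: int) -> str:
    """Render total seconds as the device does after applying: always hh:mm:ss."""
    hours, rest = divmod(total_seconds, 3600)
    minutes, seconds = divmod(rest, 60)
    return f"{hours}:{minutes:02d}:{seconds:02d}"


def normalise_timeout(text: str) -> str:
    """Entered form -> displayed form, e.g. '90:120' -> '1:32:00'."""
    return format_timeout(parse_timeout(text))
```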
Global icons
The following icons are located at the top of every page:
Logout | To log out after configuration access to the mGuard. If the user does not log out, he/she is logged out automatically once there has been no further activity for the time period specified in the configuration. Access can only be restored by logging in again.
Reset | Reset to the original values. If you have entered values on one or more configuration pages and have not yet activated them (by clicking on Save), you can reset the modified values to the original values by clicking on Reset.
Save | To apply the settings on the device, you must click on Save. Please note that changes made elsewhere (highlighted in green) will also be applied.
Session | Displays the time remaining until the logged-in user is logged out of the web interface. Clicking on the time display resets the timeout to the configured initial value (see "Management >> Web Settings >> General" on page 72).
Online help | Link to the online help for the installed firmware version. The online help can only be accessed when an Internet connection is established and the firewall is set accordingly. Clicking on the icon opens the corresponding section of the mGuard firmware user manual for the page contents in a new tab/window of the web browser. The mGuard firmware user manual is also available in a PDF version and can be downloaded from the corresponding product pages at phoenixcontact.net/products or help.mguard.com.
Many settings are saved as data records. Accordingly, the adjustable parameters and their values are presented in the form of table rows. If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. Therefore, note the order of the entries, if necessary. The order can be changed by moving table rows up or down.
–Insert rows to create a new data record with settings (e.g., the firewall settings for a specific connection)
–Move rows (i.e., re-sort them)
–Delete rows to delete the entire data record
Inserting rows
1. Click on the Insert Row icon in the row below which a new row is to be inserted.
2. A new row is inserted below the selected row.
The inserted row is displayed in green until the change has been applied.
Moving rows
1. Move the mouse pointer over the row number (seq.) of the row that you wish to move.
The mouse pointer changes to a cross.
2. Left-click in the desired row and hold down the mouse button.
The row is removed from the existing sequence.
3. With the mouse, move the selected row to the desired position.
A border around the target row shows where the row will be inserted.
4. Release the mouse button.
5. The row is moved to the position marked with a box.
Deleting rows
1. Click on the Delete Row icon in the row that you wish to delete.
2. Then click on the Save icon to apply the change.
2.7 CIDR (Classless Inter-Domain Routing)
IP netmasks and CIDR are methods of notation that combine several IP addresses to create a single address area. An area comprising consecutive addresses is handled like a network.
To specify an area of IP addresses for the mGuard, e.g., when configuring the firewall, it may be necessary to specify the address area in CIDR format. In the table below, the left-hand column shows the IP netmask, while the right-hand column shows the corresponding CIDR format.
IP netmask | Binary | CIDR
Example: 192.168.1.0/255.255.255.0 corresponds to CIDR: 192.168.1.0/24
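As an added example (not from the manual), the following code converts a dotted netmask into the binary form and CIDR prefix shown in the table above, rejects non-contiguous masks that have no CIDR form, and translates an address/netmask pair such as 192.168.1.0/255.255.255.0 into 192.168.1.0/24 while refusing addresses with host bits set. It also regenerates the netmask/binary/CIDR rows for prefix lengths 8 to 32. The function names are hypothetical; only the standard library is used.

```python
import ipaddress
from typing import List, Tuple


def netmask_to_binary(netmask: str) -> str:
    """'255.255.255.0' -> '11111111.11111111.11111111.00000000'."""
    octets = [int(o) for o in netmask.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted IPv4 netmask: {netmask}")
    return ".".join(f"{o:08b}" for o in octets)


def netmask_to_prefix(netmask: str) -> int:
    """Return the CIDR prefix length; only contiguous masks (1s then 0s) have one."""
    bits = netmask_to_binary(netmask).replace(".", "")
    prefix = bits.count("1")
    if bits != "1" * prefix + "0" * (32 - prefix):
        raise ValueError(f"non-contiguous netmask has no CIDR form: {netmask}")
    return prefix


def to_cidr(address_with_mask: str) -> str:
    """'192.168.1.0/255.255.255.0' -> '192.168.1.0/24'.

    strict=True makes ipaddress reject an address with host bits set, e.g.
    192.168.1.5/255.255.255.0, which is not a valid network address.
    """
    address, netmask = address_with_mask.split("/")
    prefix = netmask_to_prefix(netmask)
    return str(ipaddress.ip_network(f"{address}/{prefix}", strict=True))


def netmask_table(prefixes=range(8, 33)) -> List[Tuple[str, str, str]]:
    """Rebuild the netmask / binary / CIDR rows for the given prefix lengths."""
    rows = []
    for p in prefixes:
        mask = str(ipaddress.ip_network(f"0.0.0.0/{p}").netmask)
        rows.append((mask, netmask_to_binary(mask), f"/{p}"))
    return rows
```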
The following diagram shows how IP addresses can be distributed in a local network with subnetworks, which network addresses result from this, and how the details regarding additional internal routes may look for the mGuard.
Network A
Computer | IP address | Network mask
A1 | 192.168.11.3 | 255.255.255.0
A2 | 192.168.11.4 | 255.255.255.0
A3 | 192.168.11.5 | 255.255.255.0
A4 | 192.168.11.6 | 255.255.255.0
A5 | 192.168.11.7 | 255.255.255.0
Network B
Computer | IP address | Network mask
B1 | 192.168.15.2 | 255.255.255.0
B2 | 192.168.15.3 | 255.255.255.0
B3 | 192.168.15.4 | 255.255.255.0
B4 | 192.168.15.5 | 255.255.255.0
Additional (internal routes for the mGuard; details not reproduced in the diagram extract)
Network C
Computer | IP address | Network mask
C | 192.168.27.1 | 255.255.255.0
C2 | 192.168.27.2 | 255.255.255.0
C3 | 192.168.27.3 | 255.255.255.0
C4 | 192.168.27.4 | 255.255.255.0
2.9 LED status indicator and blinking behavior
With the help of built-in LEDs, mGuard devices indicate different system states. These can be status, alarm, or error messages.
Detailed information on the LEDs can be found in the Appendix (see "LED status indicator and blinking behavior" on page 455).