Built BY Control Engineers FOR Control Engineers
What is the ICS-Defender NAT/RA Security Appliance?
The ICS-Defender NAT/RA is the entry-level ICS-Defender security appliance for plant floor engineers. It provides the security necessary for common, but very often insecure, applications like Network Address Translation (NAT) and Remote Access (RA). It protects your plant by preventing unauthorized plant personnel and cyber criminals from accessing your programmable controllers and other plant floor devices.
It includes a set of features not found in any competitive device:
- A stateful firewall to ensure that only traffic you authorize can access your control network
- All the NAT services you’ll ever need: 1:1 NAT, 1:many NAT, port forwarding and outbound NAT
- A VPN server and client for all the Remote Access services you’ll ever use
- A captive portal for authenticating every user accessing your control system from either a local database or your active directory
- An easy-to-use graphical user interface – no complicated CLI (Command Line Interface) required
- A configurable dashboard and various historical and real-time graphs
- Troubleshooting tools like Ping, Traceroute, PCAPS and more
- 1-Click easy firewall rule creation from firewall logs
- Historical and real-time graphing of network activity
- Asset detection and monitoring (compatible with Rockwell AssetCentre®)
- IP20 DIN (other options available)
- Reporting and monitoring to understand what the security platform is seeing on the network
The Unknown Risk to NAT and Remote Access
Many control engineers construct a production system from a number of identical machines with identical Ethernet sub-networks. The device addresses are identical on every subnet. That’s not a problem unless you want to expose data from one of those devices on the main network. In that case, you’ll need to translate the internal address on the subnet to some other address accessible on the main network. One of the many uses of the ICS-Defender NAT/RA is to securely perform that address translation.
Another of the many uses for the ICS-Defender NAT/RA is to provide the single entry point to a control network for remote (or local) users. Using the Defender’s VPN server and captive portal, access can be restricted to only those users you authorize, with an encrypted and secure VPN for the remote users. And once access is granted, unlike other VPN systems, users are unable to roam freely across your control network. The ICS-Defender NAT/RA restricts access to the devices you authorize.
Network Address Translation (NAT) “translates” one IP address into a different IP address. For example, let’s assume we have a motor drive with energy data on each of three packaging machines with identical internal addresses. The address of each of the three motor drives is 192.168.100.10. A NAT device for that network could be configured to translate that .10 address into an address like 10.10.2.10 where the third octet, the ‘2’, indicates the second machine in the line. In general, a sophisticated NAT device could translate all the devices on that machine to 10.10.x.y addresses where the x is the machine number and y is the fourth octet of the original address. It’s a good way for the control engineer to make some or all of the devices on a machine available for external access and restrict access to all other devices.
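The 10.10.x.y scheme above, as an added illustration (not code from the datasheet or the product): a static 1:1 NAT table for three machines in which only the hosts on a constructed allow-list (here the drive at .10) get an external address, so every other device on each machine subnet stays unreachable from the main network.

```python
import ipaddress

# Constructed example: three identical packaging machines, each with a motor
# drive at the same internal address 192.168.100.10. External scheme from the
# datasheet text: 10.10.<machine number>.<original fourth octet>.
INTERNAL_SUBNET = ipaddress.ip_network("192.168.100.0/24")
EXTERNAL_BASE = "10.10"  # first two octets of the exposed addresses
MACHINES = (1, 2, 3)

# Constructed allow-list of host numbers the engineer chooses to expose.
# Anything not listed has no translation and is therefore dropped.
EXPOSED_HOSTS = {10}


def build_nat_table(machines=MACHINES, exposed=EXPOSED_HOSTS):
    """Return {external_ip: (machine, internal_ip)} for every exposed device.

    The internal subnets are identical, so the machine number must be encoded
    in the external address (third octet) to keep each mapping unique.
    """
    table = {}
    for m in machines:
        for host in exposed:
            internal = INTERNAL_SUBNET.network_address + host
            external = ipaddress.ip_address(f"{EXTERNAL_BASE}.{m}.{host}")
            table[str(external)] = (m, str(internal))
    return table


def translate_inbound(dst_ip, table):
    """Map an external destination to (machine, internal_ip); None means drop."""
    return table.get(dst_ip)


def translate_outbound(machine, src_ip):
    """Map a reply from an exposed device back to its external address.

    Returns None for any device that was never exposed, so an unlisted
    device cannot reach the main network even if it initiates traffic.
    """
    src = ipaddress.ip_address(src_ip)
    if src not in INTERNAL_SUBNET:
        return None
    host = int(src) - int(INTERNAL_SUBNET.network_address)
    if host not in EXPOSED_HOSTS:
        return None
    return f"{EXTERNAL_BASE}.{machine}.{host}"
```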
Other Versions of ICS-Defender
The ICS-Defender LITE/DPI license provides everything in the ICS-Defender NAT/RA plus an EtherNet/IP (CIP) Deep Packet Inspection (DPI) engine that restricts the CIP messages reaching EtherNet/IP devices to authorized CIP operations. The LITE/DPI includes:
- The DPI engine supporting EtherNet/IP and Modbus TCP
- Network asset detection
- Support for the Rockwell FactoryTalk® AssetCentre
The ICS-Defender PRO license provides everything in the LITE/DPI license plus high availability and redundancy features, scheduled policy rules, and other valuable features. The PRO includes:
- Extended firewall support to include multiple WAN support and scheduled rules to restrict traffic to specific days and hours
- Configuration of the ICS-Defender as a primary or secondary in high availability applications
- A host of valuable applications like: a DHCP client and server, NTP server, Dynamic DNS, FTP and TFTP
- APC UPS Control
The Defender series of products from Dynics provides a powerful layer of protection to the control engineer, protecting everything from machines to tools to standalone computers to full-scale control systems. The Dynics Defense-in-Depth strategy provides safe and secure remote access, controls how suppliers access your networks and equipment, blocks unauthorized operations (using a Deep Packet Inspection engine), hides internal addresses from external users (Network Address Translation) and blocks unwanted messages from unauthorized devices such as USB flash drives, tethered phones, wireless devices and laptops.