Built by Control Engineers for Control Engineers
What is the ICS Defender NAT/RA?
The ICS-Defender NAT/RA is the entry level ICS-Defender security appliance for control engineers needing simple Network Address Translation (NAT) and Remote Access (RA). It includes a set of features not found in any competitive device:
- All the NAT services you’ll ever need: 1:1 NAT, 1:many NAT, Port Forwarding and outbound NAT
- A Captive Portal for authenticating every user accessing your control system against either a local database or your Active Directory
- A VPN server and Client for all the Remote Access services you’ll ever use
- A Stateful Firewall to ensure that only traffic you authorize will access your control network
- An easy-to-use graphical user interface – no complicated CLI (Command Line Interface) required
- A configurable dashboard and various historical and real-time graphs
- Troubleshooting tools like Ping, Traceroute, PCAPS and more
- 1-Click easy firewall rule creation from firewall logs
- Historical and Real Time Graphing of network activity
- Asset Detection and Monitoring (compatible with Rockwell AssetCentre®)
- IP20 DIN (other options available)
- Reporting and Monitoring to understand what the security platform is seeing on the network
Why You Might Need the ICS Defender NAT/RA
Many control engineers construct a production system from a number of identical machines with identical Ethernet sub-networks. The device addresses are identical on every subnet. That’s not a problem unless you want to expose data from one of those devices on the main network. In that case, you’ll need to translate the internal address on the subnet to some other address accessible on the main network. One of the many uses of the ICS Defender NAT/RA is to perform that address translation.
Another of the many uses for the ICS Defender NAT/RA is to provide the single entry point to a control network for remote (or local) users. Using the Defender’s VPN Server and Captive Portal, access can be restricted to only those users you authorize, with an encrypted and secure VPN for the remote users. And once access is granted, unlike other VPN systems, users are unable to just roam free on your control network. The Defender NAT/RA restricts them to the devices you authorize.
What is Network Address Translation?
Network Address Translation (NAT) “translates” one IP Address into a different IP address. For example, let’s assume we have a motor drive with energy data on each of three packaging machines with identical internal addresses. The address of each of the three motor drives is 192.168.100.10. A NAT device for that network could be configured to translate that .10 address into an address like 10.10.2.10 where the third octet, the ‘2’, indicates the second machine in the line. In general, a sophisticated NAT device could translate all the devices on that machine to 10.10.x.y addresses where the x is the machine number and y is the fourth octet of the original address. It’s a good way for the control engineer to make some or all of the devices on a machine available for external access and restrict access to all other devices.
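The 10.10.x.y scheme described above can be modeled as a 1:1 NAT table with default deny for anything not published. This is an added example, not the ICS Defender's configuration or code; the function names and the sample list of exposed devices are assumptions made for illustration.

```python
import ipaddress

# Internal subnet reused on every machine (address range from the example above).
INTERNAL_NET = ipaddress.ip_network("192.168.100.0/24")

def build_nat_table(exposed):
    """exposed: {machine_number: [internal IPs to publish]}.
    Returns (forward, reverse) 1:1 maps using the 10.10.x.y scheme,
    where x is the machine number and y is the original fourth octet."""
    forward, reverse = {}, {}
    for machine, hosts in exposed.items():
        if not 1 <= machine <= 254:
            raise ValueError(f"machine number {machine} does not fit in one octet")
        for host in hosts:
            ip = ipaddress.ip_address(host)
            if ip not in INTERNAL_NET:
                raise ValueError(f"{ip} is outside {INTERNAL_NET}")
            y = int(ip) & 0xFF  # fourth octet of the internal address
            ext = ipaddress.ip_address(f"10.10.{machine}.{y}")
            forward[(machine, ip)] = ext
            reverse[ext] = (machine, ip)
    return forward, reverse

def translate_inbound(reverse, dst):
    """Main network -> machine subnet. None means no mapping: drop the packet."""
    return reverse.get(ipaddress.ip_address(dst))

def translate_outbound(forward, machine, src):
    """Machine subnet -> main network for a published device, else None."""
    return forward.get((machine, ipaddress.ip_address(src)))

# Constructed sample: publish only the motor drive (.10) on each of three machines.
EXPOSED = {n: ["192.168.100.10"] for n in (1, 2, 3)}
FORWARD, REVERSE = build_nat_table(EXPOSED)

if __name__ == "__main__":
    for probe in ("10.10.2.10", "10.10.2.11", "10.10.4.10"):
        print(probe, "->", translate_inbound(REVERSE, probe))
```

The same internal address 192.168.100.10 resolves to three distinct external addresses, while a device that was never listed (for example .11 on machine 2) has no external address at all and stays unreachable from the main network.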
Other Versions of ICS Defender
The ICS-Defender LITE/DPI license provides everything in the Defender NAT/RA plus an EtherNet/IP (CIP) Deep Packet Inspection (DPI) engine that restricts the CIP messages reaching EtherNet/IP devices to authorized CIP operations. The LITE/DPI includes:
- The Deep Packet Inspection engine supporting EtherNet/IP and Modbus TCP
- Network Asset Detection
- Support for the Rockwell FactoryTalk® AssetCentre
The ICS-Defender PRO license provides everything in the LITE/DPI license plus high availability and redundancy features, scheduled policy rules and other valuable features. The PRO includes:
- Extended firewall support to include multiple WAN support and scheduled rules to restrict traffic to specific days and hours
- Configuration of the Defender as a primary or secondary in high availability applications
- A host of valuable applications like: a DHCP Client and Server, NTP Server, Dynamic DNS, FTP and TFTP
- APC UPS Control
About ICS Defender
The Defender series of products from Dynics provides a powerful layer of protection to the control engineer, protecting everything from machine to tools to standalone computers to full scale control systems. The Dynics Defense-in-Depth strategy provides safe and secure remote access, controls how suppliers access your networks and equipment, blocks unauthorized operations (using a Deep Packet Inspection engine), hides internal addresses from external users (Network Address Translation) and blocks unwanted messages from unauthorized devices such as USB flash drives, tethered phones, wireless devices and laptops.
RTA’S COMPLETE SATISFACTION GUARANTEE
Every RTA gateway comes with a 30 DAY 100% SATISFACTION GUARANTEE. If an application falls through, you find an alternative, or if you just wanted to try out a gateway, if for any reason you are not 100% satisfied, you can return the unit for a refund of the purchase price.
In addition, every RTA gateway comes with a 5 YEAR BETTER THAN INSURANCE WARRANTY. You will never have to blame the dog for eating your gateway. We don’t care if you let out the magic black smoke confusing AC with DC power or if you run the unit over with a forklift. Even if you break it, we will fix it or replace it at no cost for 5 years after purchase. That’s the RTA way.