Small Form Factor Substation-Rated Secure Ethernet Layer 3 Router/Gateway with
Optional 2G/3G/4G LTE Cellular Radio Link, and 100/1000 Mbps SFP Uplink Port
RL1000GW
ComNet RL1000GW series products are substation-rated, industrially hardened layer 3 router/gateways
with a robust, SCADA-aware deep packet inspection firewall, intended for the most mission-critical
and demanding cyber-security applications. The RL1000GW is designed for deployment in environments
where high levels of electromagnetic noise and interference (EMI) and severe voltage transients and
surges are routinely encountered, such as electrical utility substations and switchyards, heavy
manufacturing facilities, trackside electronic equipment, and other difficult out-of-plant
installations. Layer 3 routing allows the unit to participate in, or serve as the foundation of, a
core network infrastructure. The compact, DIN-rail mountable RL1000GW is ideally suited to
installations where space is limited. Together, these features make the RL1000GW an effective
platform for a secure communications and networking gateway at remote electrical utility sites and
other critical infrastructure applications.
FEATURES
› Fully compliant with the requirements of IEC 61850-3 and
IEEE 1613 Class 2, for use in electrical utility substations; and
NEMA TS-1/TS-2 for Traffic Signal Control Equipment
› For NERC-CIP-5 and NERC-CIP-014 compliance, or any network
› Small Size: Perfect for installations where space may be
extremely limited
› Optional internal 2G/3G/4G LTE GPRS/UMTS cellular radio
modem with 2 SIM card slots, for maximum network reliability
and availability
› Serial interface supports 2 ports of RS-232 or 1 port each of
RS-232 and 4-wire RS-485 serial data, with serial gateway and
serial tunneling
› Optional 100/1000 Mbps SFP* uplink port, for high-speed
connection to the user's network
› Advanced security suite: per-port Deep Packet Inspection (DPI)
SCADA-aware firewall supporting the DNP3, Modbus, IEC 104/101,
and IEC 61850 protocols, for NERC-CIP-5 compliance
› Network Learning allows the user to easily create secure and
highly effective SCADA firewall rules
› IEEE 802.1X Port-based network access control
› Layer 2/3/4 ACLs for incoming traffic, and layer 2/layer 3 VPN
with IPsec
› User APA (Authentication Proxy Access) controls remote access to
end-point/edge-of-network devices on a per-user basis, with
granular policies across user, time window, physical Ethernet or
serial data port, TCP port, and SCADA protocol. A PCAP of the
entire allowed maintenance or access session is also recorded.
› IPsec VPN with X.509 certificates, for use over any cellular or
fiber-optic network
› Ethernet layer 3 IP routing with integrated VPN
› Fault/event notification provided through Syslog and SNMP
traps
› Environmentally hardened for deployment in difficult
unconditioned out-of-plant installations: extended ambient
operating temperature range of -40 °C to +85 °C. Conformal
coating is optionally available for environments with condensing
humidity or airborne particulate matter
› Rugged metal housing; DIN-rail mountable and rated IP30 for
ingress protection
› Internal/self-contained universal power supply: Available in
operating voltage ranges from 9 to 60 VDC.
› No fans or forced-air cooling; cooling via natural convection
eliminates unreliable and troublesome fans/moving parts,
with no periodic maintenance requirements
* Small Form-Factor Pluggable Module. Sold separately.
Small Form Factor Substation-Rated Secure Ethernet Layer 2 Switch/Layer 3 Router,
with Optional 2G/3G/4G LTE Cellular Radio Link, and 100/1000 Mbps SFP Uplink Port
PRODUCT DESCRIPTION
Seamless & Reliable Connection to Any Network
The RL1000GW provides connectivity to any copper, fiber optic, or cellular radio-based Ethernet network. Fiber optic
networks are supported by the optional 100/1000FX SFP uplink port. The optional 2G/3G/4G LTE cellular radio uplink,
with 2 SIM card slots for network redundancy, is ideal where fiber optic infrastructure is not available, and may also
serve as a backup link in applications where interruption of service cannot be tolerated.
Extremely Effective Network Security, For the Most Mission-Critical Applications
Service Gateway
The RL1000GW service gateway includes a highly robust application layer, and provides legacy support, a Deep Packet
Inspection (DPI) application-aware SCADA firewall, serial tunnelling, protocol gateway, and extremely effective encryption
technologies. The service gateway offers a uniquely capable feature set which may serve as the hardware foundation to a
secure industrial controls network, and includes Protocol Gateway, VPN, and IPsec features.
Protocol Gateway
Gateway functionality between a DNP3 TCP client (master) and a DNP3 serial RTU, IED, PLC, or other compatible device is
supported. The same functionality is supported from Modbus TCP to Modbus RTU, and from IEC 60870-5-104 (TCP) to
IEC 60870-5-101 (serial). This protocol conversion lets traffic to and from legacy serial devices be carried over a
TCP/IP network, where it can be protected by the unit's IPsec encryption. The serial leg between the gateway and the
device itself carries no encryption, so the gateway should sit as close to the serial device as the installation allows.
VPN
VPN tunnels are provided for secure inter-site connectivity using IPsec, DMVPN, and GRE tunnels, with certificate-based
key management. The supported VPN modes allow both layer 2 and layer 3 services, to best suit the user's
application-specific cyber-protection needs.
IPsec
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and/
or encrypting each IP packet of a communication session. IPsec may be used as a VPN on its own, or as the encryption layer
beneath the other supported VPN technologies (for example, GRE over IPsec). With this industry-accepted encryption in place,
data traversing the network has its confidentiality, integrity, and origin protected, giving a consistent and secure model for
communication across legacy and modern networks.
Identity Management and Authentication Proxy Access (APA)
NERC-CIP-5 defines the important requirement for network security protection of remote and unattended facilities. The
capability to identify the user, and to create specific network privileges for each identified and authenticated user before
granting that user access to the network, therefore becomes critical.
The Authentication Proxy Access (APA) is a highly sophisticated security feature, which allows the network operator to
manage the substation or any other facility maintenance process. This feature gives full control of the maintenance process to
the operator by granting the capability to create dynamic policies to specific tasks within an explicitly defined time window.
Following this time window, operators receive reporting on activities performed during the task. This audit trail comes in the
form of an overview log, and a full packet capture (PCAP) of the session.
Before a user is allowed access to the network, they must log in to ComNet’s internal authentication process with their unique user
name and password. Upon validation of the user profile, specific access is granted to predefined devices and functions, and each
operation is logged. Multi-factor authentication is available when combined with the Cyber-Physical Integration feature.
X.509 Certificate Exchange for VPN Connections
VPN tunnels for secure inter-site connectivity with IPsec VPN, GRE tunnels, and DMVPN are fully supported. In addition to
IPsec encryption, X.509 certificates are supported for key management: each node's public key is signed by a Certificate
Authority, so the two peers authenticate each other's key exchange against a trusted CA instead of distributing pre-shared
keys. Having the CA as the signing authority gives end-to-end security that can be managed and reissued from a trusted
central source within the user's network.
Cyber-Physical Integration
Integrated within the enhanced-security RL1000GW is a physical identity server, which allows external authentication
hardware, such as magnetic card readers, biometric identification sensors, or facial recognition cameras, to supply a second
authentication factor for the APA feature. This provides an additional level of validation of the user and their credentials
before network access is granted. Once the authentication is validated and approved, a set of defined policies allows the
authenticated technician to perform their task.
Enhanced SCADA-Aware Firewall
A whitelist-based firewall is provided for every Ethernet and serial data port, so full firewall protection is available at all remote
sites within the network. Every SCADA protocol packet (IEC 61850, DNP3 RTU/TCP, ModBus RTU/TCP, and IEC 101/104) is
scanned and validated by the firewall engine for its source and destination, as well as its protocol and packet content.
The structure of the distributed firewall allows the creation of a unique firewall at each access point to the network. This is
critical for securing against insider cyber-attacks, compromised field devices, man-in-the-middle attacks, and a myriad of
alternate attack vectors, by providing a secure baseline.
Two firewall states are provided: monitoring and enforcing. In the monitoring state, traffic that does not match the whitelist
raises an alarm at the control center but is still forwarded, so the rule set can be validated against live traffic without
risk to operations. In the enforcing state, non-matching traffic is blocked and the violation alarm is raised at the control
center.
ComNet's distributed DPI firewall keeps the operator in control of the network even when faced with a sophisticated attempt
at breaching it. Because the whitelist is applied at every Ethernet and serial data port, protection extends beyond the site
uplink to every IED, RTU, PLC, or other device connected at a remote site. Any traffic that deviates from the whitelisted
SCADA behaviour is blocked, any affected subnets are isolated, and alerts are generated automatically.
Ease of Installation and Network Integration
High levels of cyber-security experience are not required to deploy the RL1000GW successfully. It is fully supported by
ComNet's Reliance Product Configuration Utility and by a CLI, through which the unit is configured and its network and
security functions diagnosed.
Configuration of the secure firewall is also simple. Once connected to the user’s network, the RL1000GW immediately
begins to collect and analyse information across the network, including from other connected devices, traffic behavior, etc.
Recommended firewall rules are then suggested to the user; the implementation of these rules is optional, and they can be
easily edited using the Configuration Utility.
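To make the whitelist validation and the monitoring and enforcing states described under Enhanced SCADA-Aware Firewall, together with the learn-then-recommend workflow described above, concrete, here is an added Python example. It is not ComNet's firewall engine: the names `ScadaFirewall`, `mb_request` and `demo`, the IP addresses, and every frame are constructed for the example. It covers Modbus/TCP only: it decodes the MBAP header and the request PDU, learns per-flow address ranges from baseline traffic, produces recommended rules for review, and then reports or drops unmatched or malformed requests according to the mode.

```python
from __future__ import annotations

import struct
from collections import namedtuple

# Modbus function codes this engine understands. Reads and multi-writes carry
# (start address, quantity); fc 5/6 carry a single address followed by a value.
RANGE_FUNCTIONS = {1, 2, 3, 4, 15, 16}
SINGLE_FUNCTIONS = {5, 6}

Request = namedtuple("Request", "src dst unit function addr count")
# Whitelist entry: who may send which function to which unit and address range.
Rule = namedtuple("Rule", "src dst unit function addr_lo addr_hi")

def rule_matches(rule: Rule, r: Request) -> bool:
    """The flow must match exactly and every address the request touches must be allowed."""
    return (rule[:4] == r[:4] and rule.addr_lo <= r.addr
            and r.addr + r.count - 1 <= rule.addr_hi)

def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> Request:
    """Decode the MBAP header and request PDU; raise ValueError on anything malformed."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("malformed MBAP header")
    if fc in RANGE_FUNCTIONS and len(payload) >= 12:
        addr, count = struct.unpack(">HH", payload[8:12])
    elif fc in SINGLE_FUNCTIONS and len(payload) >= 10:
        addr, count = struct.unpack(">H", payload[8:10])[0], 1
    else:
        raise ValueError(f"function code {fc} unsupported or PDU truncated")
    return Request(src, dst, unit, fc, addr, count)

class ScadaFirewall:
    """Per-port whitelist engine with learning, monitoring and enforcing modes."""

    def __init__(self) -> None:
        self.mode = "learning"
        self.rules: dict[tuple, Rule] = {}  # keyed by (src, dst, unit, function)
        self.alerts: list[str] = []

    def learn(self, r: Request) -> None:
        """Create, or widen, the rule for this flow so it covers the addresses seen."""
        key = r[:4]
        lo, hi = r.addr, r.addr + r.count - 1
        if key in self.rules:
            lo, hi = min(lo, self.rules[key].addr_lo), max(hi, self.rules[key].addr_hi)
        self.rules[key] = Rule(*key, lo, hi)

    def recommended_rules(self) -> list[Rule]:
        """The rule set shown to the operator for review before leaving learning mode."""
        return sorted(self.rules.values(), key=lambda x: x[:4])

    def process(self, src: str, dst: str, payload: bytes) -> str:
        """Return 'allow', 'alert' (forwarded but reported) or 'drop'."""
        try:
            r = parse_modbus_tcp(src, dst, payload)
        except ValueError as exc:
            return self._violation(f"{src}->{dst}: {exc}")
        if self.mode == "learning":
            self.learn(r)
            return "allow"
        if any(rule_matches(rule, r) for rule in self.rules.values()):
            return "allow"
        return self._violation(f"{src}->{dst} unit {r.unit} fc {r.function} "
                               f"addr {r.addr} count {r.count} not whitelisted")

    def _violation(self, message: str) -> str:
        self.alerts.append(message)  # a real engine raises a syslog message / SNMP trap here
        return "drop" if self.mode == "enforcing" else "alert"

def mb_request(unit: int, fc: int, addr: int, qty_or_value: int, tid: int = 1) -> bytes:
    """Constructed sample Modbus/TCP request: MBAP header, fc, address, quantity or value."""
    pdu = struct.pack(">BHH", fc, addr, qty_or_value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def demo() -> dict:
    hmi, rtu, rogue = "10.0.1.10", "10.0.2.20", "10.0.1.99"  # constructed addresses
    fw = ScadaFirewall()
    for _ in range(3):                                  # learning: baseline polling
        fw.process(hmi, rtu, mb_request(1, 3, 0, 10))   # read holding registers 0-9
        fw.process(hmi, rtu, mb_request(1, 1, 0, 16))   # read coils 0-15
    fw.process(hmi, rtu, mb_request(1, 3, 10, 10))      # widens the fc 3 rule to 0-19
    rules = fw.recommended_rules()                      # operator reviews these
    fw.mode = "monitoring"
    monitored = fw.process(rogue, rtu, mb_request(1, 6, 0x10, 1))  # reported, not blocked
    fw.mode = "enforcing"
    return {
        "rules": rules,
        "monitored_write": monitored,
        "normal_read": fw.process(hmi, rtu, mb_request(1, 3, 5, 10)),      # 5-14 inside 0-19
        "rogue_write": fw.process(rogue, rtu, mb_request(1, 6, 0x10, 1)),  # unknown source
        "hmi_write": fw.process(hmi, rtu, mb_request(1, 6, 0x10, 1)),      # HMI never wrote
        "over_read": fw.process(hmi, rtu, mb_request(1, 3, 15, 10)),       # 15-24 exceeds 19
        "malformed": fw.process(hmi, rtu, bytes.fromhex("0001000000060103")),  # length lies
        "alerts": list(fw.alerts),
    }
```

The points a practitioner should take from it: the rule key includes the function code, so a write from the legitimate HMI is still dropped when the baseline contained only reads; the address check covers the last register the request would touch, not only its start address; and a frame whose MBAP length field disagrees with its size is treated as a violation rather than parsed optimistically. A production engine adds the DNP3, IEC 60870-5-104 and IEC 61850 decoders and raises its alerts as syslog messages or SNMP traps, as the datasheet describes.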
OAM (IEEE 802.3-2005 & IEEE 802.1ag) and QoS are also supported. Strict priority, Weighted Round Robin (WRR), ingress
policing, and egress traffic shaping are included for traffic management.
Serial Data Interface
The 2-port serial interface is available for applications including terminal server with protocol gateway and serial tunnelling
functionality, and provides direct connectivity to legacy RS-232 or 4-wire RS-485 serial data IEDs, RTUs, PLCs, and other devices.
PRODUCT OPTIONS
Cellular Radio Option
An internal 2G/3G/4G LTE GPRS/UMTS cellular radio modem, with 2 SIM card slots for maximum network reliability and
availability. All world-wide cellular radio frequency bands are supported.
100/1000 Mbps SFP Uplink Option
Provides one high-speed 100/1000 Mbps SFP uplink port for direct connection to fiber, via ComNet-furnished SFPs