Comnet RLGE2FE16R-S-AC-28P-S22-CH+, RLGE2FE16R-S-AC-28P-S22, RLGE2FE16R-S-AC-28P, RLGE2FE16R-S-AC-28P-S22-CEU, RLGE2FE16R-S-AC-28P-S22-CGU Specsheet


Substation-Rated, Enhanced Security SCADA-Aware Ethernet Layer 2 Managed Switch/Layer 3 Router With Optional 2G/3G & 4G LTE Cellular Radio Link, Enhanced Network Security, Terminal Server, PoE+, and 100FX SFP Ports

RLGE2FE16R


ComNet product series RLGE2FE16R are substation-rated and industrially hardened layer 2 managed switches/layer 3 routers, with a unique and highly robust packet processing SCADA-aware security firewall for the most mission-critical and demanding cyber-security applications. The RLGE2FE16R is intended for deployment in environments where high levels of electromagnetic noise and interference (EMI) and severe voltage transients and surges are routinely encountered, such as electrical utility substations and switchyards, heavy manufacturing facilities, track-side electronic equipment, and other difficult out-of-plant installations. Layer 3 routing functionality allows for the participation and foundation of a core network infrastructure.

The RLGE2FE16R is an ideal platform for deploying a secure communications and networking gateway for remote electrical utility sites, and other critical infrastructure applications.

FEATURES

››Fully compliant with the requirements of IEC 61850-3 and IEEE 1613 Class 2, for use in electrical utility substations; and NEMA TS-1/TS-2 for Traffic Signal Control Equipment

››For NERC-CIP-5 and NERC-CIP-014 compliance, or any network application demanding effective cyber-security protection

››Up to (16) 10/100 Mbps Ethernet RJ-45 communications ports, with (2) 100/1000 Mbps SFP uplink ports. Available with optional (8) 100 Mbps SFP ports for network aggregation applications, or where it is desirable to provide optical connectivity directly to the switch/router or in electrically noisy environments.

››Optional internal 2G/3G/4G LTE GPRS/UMTS cellular radio modem with 2 SIM card slots, for maximum network reliability and availability

››Optional serial interface supports 4 ports of RS-232 serial data, with serial gateway and serial tunneling

››Optional PoE+: 30 watts per port, 8 ports max.

››Highly advanced and sophisticated security suite: Per Port Deep Packet Inspection (DPI) SCADA-aware firewall supports DNP-3, ModBus, IEC 104/101, and IEC 61850 protocols for NERC-CIP-5 compliance

››Network Learning allows the user to easily create secure and highly effective SCADA firewall rules

››Supports IEEE 1588v2 Precision Timing Protocol, Transparent Clock (TC), 10/100 Mbps communications ports only. (Gigabit uplink ports to be supported in future firmware release.)

››IEEE 802.1X Port-based network access control

››L-2/3/4 ACL for incoming traffic, and layer 2/layer 3 VPN with IPsec

››The user APA (Authentication Proxy Access) controls remote access and communications to end-point/edge of network devices by all users, with extreme granularity across the users, time, physical Ethernet or serial data ports, TCP ports, and SCADA protocols. It also provides PCAP for the entire allowed maintenance or access session.

››IPsec VPN with X.509 certificates, for use over any cellular or fiber-optic network

››Ethernet layer 2 switching & layer 3 IP routing with integrated VPN and link protection per ITU-T G.8032

››Fault/event notification provided through Syslog and SNMP traps

››Environmentally hardened for deployment in difficult unconditioned out-of-plant installations: Extended ambient operating temperature range of -40 °C to +85 °C, for use in virtually any environment. Conformal coating is optionally available for humidity with condensation or airborne particulate matter environments.

››Rugged metal housing. DIN-rail mountable & rated for IP-30 ingress protection

››Internal/self-contained universal power supply: Available in operating voltage ranges from 9 to 270 VDC, or 90 to 250 VAC.

››Redundant power supply input capability significantly reduces the possibility of a single-point-of-failure, for the highest possible system and network reliability (DC-powered units only)

››No fans or forced-air cooling; cooling via natural convection eliminates unreliable and troublesome fans/moving parts, with no periodic maintenance requirements

* Small Form-Factor Pluggable Module. Sold separately.

LIFETIME WARRANTY WWW.COMNET.NET TECH SUPPORT: 1.888.678.9427


PRODUCT DESCRIPTION

 

Seamless & Reliable Connection to Any Network

The RLGE2FE16R provides connectivity to any copper, fiber optic, or cellular radio-based Ethernet network. Fiber optic networks are supported by the use of two 100/1000FX SFP uplink ports. The optional highly resilient 2G/3G/4G LTE cellular radio uplink, with 2 SIM card slots for network redundancy, is ideal where fiber optic infrastructure is not available, and may be used as a back-up link for those applications where interruption of service is not tolerable. The 8 optional 100 Mbps SFP communications ports provide a simple-to-implement aggregation capability to the user’s network.

Extremely Effective Network Security

The RLGE2FE16R is available with two different levels of network security software: Standard Security; or Enhanced Security, for the most mission-critical applications.

Standard Security Software Package Version:

Service Gateway

The RLGE2FE16R service gateway includes a highly robust application layer, and provides legacy support, an enterprise-class firewall, serial tunnelling, protocol gateway, and extremely effective encryption technologies. The service gateway offers a uniquely capable feature set which may serve as the hardware foundation to a secure industrial controls network, and includes Protocol Gateway, VPN, and IPsec features.

Protocol Gateway

Gateway functionality between a DNP3 TCP client (master) and a DNP3 Serial RTU, IED, PLC, or other compatible device is supported. This same functionality is supported across MODBUS TCP to MODBUS RTU, and IEC 61850 101/104 TCP to IEC 61850 101/104 RTU. This level of protocol conversion allows legacy protocols to be secured by enterprise and industry best practice level encryption across a TCP IP-based network.

VPN

VPN tunnels are included for secure inter-site connectivity with IPsec, DM-VPN, and VPN GRE tunnels with key management certificates. The supported VPN modes allow both layer-2 and layer-3 services, to best suit the user’s application-specific cyber-protection needs.

IPSec

Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and/or encrypting each IP packet of a communication session. IPsec-VPN as well as IPsec encryption are supported over other VPN technologies. By implementing this level of industry-accepted encryption, data may traverse the network in a guaranteed delivery method, as well as providing a cohesive and secure methodology for network communication across legacy and modern networks.

Enhanced Security Software Version:

Includes all of the security features of the Standard Security version, plus:

Identity Management and Authentication Proxy Access (APA)

NERC-CIP-5 defines the important requirement for network security protection of remote and unattended facilities. The capability of identifying the user and creating specific network privileges per identified and authenticated user prior to granting the user access to the network therefore becomes critical.

The Authentication Proxy Access (APA) is a highly sophisticated security feature, which allows the network operator to manage the substation or any other facility maintenance process. This feature gives full control of the maintenance process to the operator by granting the capability to create dynamic policies to specific tasks within an explicitly defined time window. Following this time window, operators receive reporting on activities performed during the task. This audit trail comes in the form of an overview log, and a full packet capture (PCAP) of the session.

Before a user is allowed access to the network, they must log in to ComNet’s internal authentication process with their unique user name and password. Upon validation of the user profile, specific access is granted to predefined devices and functions, and each operation is logged. Multi-factor authentication is available when combined with the Cyber-Physical Integration feature.


Event logger

 

The event logger feature allows the operator to receive events and logs from any number of remote OT devices. It supports multiple formats (Syslog, SNMP, & HTTP), and is also capable of polling event tables from IP, access control, and serial data devices. The events are received and sent outbound in Syslog format, with additional fields appended, completing a unified Event Log Aggregator (e.g. location, source sub-system, and severity). Following this aggregation, the Event Logger stores normalized events locally, and forwards formatted events upstream to a central SIEM tool, providing encrypted, reliable, and guaranteed logging in accordance with NERC-CIP-5 standards.

X.509 Certificate Exchange for VPN Connections

VPN tunnels for secure inter-site connectivity with IPsec VPN, GRE Tunnels, and DMVPN technologies are fully supported. In addition to IPsec encryption, X.509 key management certificates are provided. This certificate support allows for a secure signed key exchange between a Certificate Authority, and two secure nodes. Having a third-party authority as a signing participant offers end-to-end security that may be managed and reissued from a trusted central source within the user’s network.

Cyber-Physical Integration

Integrated within the enhanced-security RLGE2FE16R is a physical identity server system, allowing the use of external authentication hardware, such as magnetic card readers, biometric identification sensors, facial recognition cameras, etc., to create a two-factor authentication to the APA feature. This provides an additional level of validation of the user and his/her credentials, prior to granting the user network access. Once the authentication is validated and approved, a set of defined policies allows the authenticated technician to perform their task.

The cyber-physical integration also allows the Event Logger feature to poll and deliver events from physical access control assets and devices. These assets include but are not limited to access control panels and access control head-end systems and databases.

Enhanced SCADA-Aware Firewall

A whitelist-based firewall is provided for every Ethernet and serial data port, so full firewall protection is available at all remote sites within the network. Every SCADA protocol packet (IEC 61850, DNP3 RTU/TCP, ModBus RTU/TCP, and IEC 101/104) is scanned and validated by the firewall engine for its source and destination, as well as its protocol and packet content.

The structure of the distributed firewall allows the creation of a unique firewall at each access point to the network. This is critical for securing against insider cyber-attacks, compromised field devices, man-in-the-middle attacks, and a myriad of alternate attack vectors, by providing a secure baseline.

Two firewall states are included: monitoring and enforcing. The monitoring state provides an alarm at the control center for any network violation, without blocking the network traffic. The enforcing state is extremely effective for blocking suspicious traffic, while also triggering a violation alarm at the control center.

DPI (Deep Packet Inspection) SCADA Protocols Firewall

ComNet’s distributed DPI firewall ensures that the operator will have full control over the network, even when faced with a sophisticated attempt at breaching the network. Monitoring SCADA commands, this highly robust whitelist-based firewall analyses SCADA network traffic, and is provided for every Ethernet and serial data port, so full firewall protection is available at all remote sites within the network, as well as all IEDs, RTUs, PLCs, or any other device connected to the network. Every SCADA protocol packet (IEC 61850, DNP3 RTU/TCP, ModBus RTU/TCP, and IEC 101/104) is scanned and validated by the firewall engine for its source and destination, as well as its protocol and its specific packet

Any detected abnormal traffic behavioral patterns are blocked, any affected subnets are isolated, and alerts are automatically generated.

Ease of Installation and Network Integration

High levels of cyber-security experience are not required to successfully deploy the RLGE2FE16R. It is fully supported by ComNet’s Reliance Product Configuration Utility and CLI, allowing the secure switch/router to be easily configured, and to diagnose network and security functions.

Configuration of the secure firewall is also simple. Once connected to the user’s network, the RLGE2FE16R immediately begins to collect and analyse information across the network, including from other connected devices, traffic behavior, etc.
