Copyright © 2021 Moxa Inc.
Released on March 26, 2021
About Moxa
Moxa is a leading provider of edge connectivity, industrial computing, and network infrastructure solutions for enabling connectivity for the Industrial Internet of Things (IIoT). With over 30 years of industry experience, Moxa has connected more than 57 million devices worldwide and has a distribution and service network that reaches customers in more than 70 countries. Moxa delivers lasting business value by empowering industries with reliable networks and sincere service. Information about Moxa’s solutions is available at www.moxa.com.
The Security Hardening Guide for the MGate 5000 Series
Moxa Technical Support Team
support@moxa.com
Contents
1. Introduction
2. General System Information
2.1. Basic Information About the Device
2.2. Deployment of the Device
3. Configuration and Hardening Information
3.1. TCP/UDP Ports and Recommended Services
3.2. HTTPS and SSL Certificates
3.3. Account Management
3.4. Accessible IP List
3.5. Logging and Auditing
3.6. DoS Defense
4. Patching/Upgrades
4.1. Patch Management Plan
4.2. Firmware Upgrades
5. Security Information and Vulnerability Feedback
1. Introduction
This document provides guidelines on how to configure and secure the MGate 5000 Series.
The recommended steps in this document should be considered as best practices for security
in most applications. It is highly recommended that you review and test the configurations
thoroughly before implementing them in your production system in order to ensure that your
application is not negatively impacted.
2. General System Information
2.1. Basic Information About the Device
Model | Function | Operating System | Firmware Version
--- | --- | --- | ---
MGate 5101 Series | PROFIBUS-to-Modbus TCP Gateway | Linux | v2.2
MGate 5102 Series | PROFIBUS-to-PROFINET Gateway | Linux | v2.3
MGate 5103 Series | Modbus RTU/ASCII/EtherNet/IP-to-PROFINET Gateway | Linux | v2.2
MGate 5105 Series | Modbus RTU/ASCII/TCP-to-EtherNet/IP Gateway | Linux | v4.3
MGate 5109 Series | Modbus RTU/ASCII/TCP-to-DNP3 serial/TCP Gateway | Linux | v2.3
MGate 5111 Series | Modbus/PROFINET/EtherNet/IP-to-PROFIBUS Gateway | Linux | v1.3
MGate 5114 Series | Modbus RTU/ASCII/TCP/IEC101-to-IEC104 Gateway | Linux | v1.3
MGate 5118 Series | CAN-J1939-to-Modbus/PROFINET/EtherNet/IP Gateway | Linux | v2.2
MGate W5108/W5208 Series | IEEE 802.11 a/b/g/n wireless Modbus/DNP3 Gateway | Linux | v2.4
The MGate 5000 Series is a protocol gateway specifically designed to allow industrial devices to be directly accessed from a network. Thus, legacy fieldbus devices can be transformed into different protocols, which can be monitored and controlled from any network location or even the Internet.
To harden the security of this proprietary operating system, the open-source OpenSSL library (v1.1.1b), which provides the HTTPS service, is also included and periodically reviewed for cybersecurity enhancement.
2.2. Deployment of the Device
You should deploy the MGate 5000 Series behind a secure firewall network that has sufficient security features in place to ensure that networks are safe from internal and external threats.
Make sure that the physical protection of the MGate devices and/or the system meets the security needs of your application. Depending on the environment and the threat situation, the form of protection can vary significantly.
3. Configuration and Hardening Information
For security reasons, account and password protection is enabled by default, so you must
provide the correct account and password to unlock the device before entering the web
console of the gateway.
The default account and password are admin and moxa (both in lowercase letters),
respectively. Once you are successfully logged in, a pop-up notification will remind you to
change the password to ensure a higher level of security.
3.1. TCP/UDP Ports and Recommended Services
Please refer to the table below for all the ports, protocols, and services that are used to
communicate between the MGate 5000 Series and other devices.
Service Name | Option | Default Setting | Type | Port Number | Description
--- | --- | --- | --- | --- | ---
DSCI (Moxa Command) | Enable/Disable | Enable | TCP, UDP | TCP 4900, UDP 4800 | For Moxa utility communication
DNS client | Enable/Disable | Disable | UDP | 53 | Processing DNS and WINS (Client) data
SNMP agent | Enable/Disable | Enable | UDP | 161 | SNMP handling routine
HTTP server | Enable/Disable | Enable | TCP | 80 | Web console
HTTPS server | Enable/Disable | Enable | TCP | 443 | Secured web console
Telnet server | Enable/Disable | Disable | TCP | 23 | Telnet console
DHCP client | Enable/Disable | Disable | UDP | 68 | The DHCP client needs to acquire the system IP address from the server
Syslog client | Enable/Disable | Disable | UDP | 514 | Sending the system logs to the remote syslog server
Email client | Enable/Disable | Disable | TCP | 25 | Sending system/config event notifications
SNMP trap client | Enable/Disable | Disable | UDP | 162 | Sending system/config event notifications
NTP client | Enable/Disable | Disable | UDP | 123 | Network time protocol to synchronize system time from the server
Modbus TCP client/server | Enable/Disable | Enable | TCP | 502, 7502 | 502 for Modbus communication; 7502 for priority Modbus communication
EtherNet/IP | Enable/Disable | Enable | TCP, UDP | 2222, 44818 | 2222 for EtherNet/IP implicit messaging; 44818 for EtherNet/IP explicit messaging
PROFINET | Enable/Disable | Enable | UDP | 34963 | 34963 for PROFINET protocol communication
DNP3 | Enable/Disable | Enable | TCP, UDP | 20000 | 20000 for DNP3 protocol communication
IEC-104 | Enable/Disable | Enable | TCP | 2404 | 2404 for IEC-104 protocol communication
For security reasons, you should consider disabling unused services. After initial setup,
use services with stronger security for data communication. Refer to the table below for
the suggested settings.
Service Name | Suggested Setting | Type | Port Number | Security Remark
--- | --- | --- | --- | ---
DSCI (Moxa Command) | Disable | TCP, UDP | TCP 4900, UDP 4800 | Disable this service as it is not commonly used
DNS client | Disable | UDP | 53 | Disable this service as it is not commonly used
SNMP agent | Disable | UDP | 161 | Managing the MGate via HTTPS console will be more secure
HTTP server | Disable | TCP | 80 | Disable HTTP to prevent plain text transmission
HTTPS server | Enable | TCP | 443 | Encrypted data channel with trusted certificate for MGate configuration
Telnet server | Disable | TCP | 23 | Disable this service as it is not commonly used
DHCP client | Disable | UDP | 68 | Assign an IP address manually for the device
Syslog client | Enable | UDP | 514 | A service for sending important system events for a diagnosis of the MGate’s status
Email client | Enable | TCP | 25 | A service for sending important system events for a diagnosis of the MGate’s status
SNMP trap client | Enable | UDP | 162 | A service for sending important system events for a diagnosis of the MGate’s status
NTP client | Disable | UDP | 123 | Disable this service as it is not commonly used
Modbus TCP client/server | Enable | TCP | 502, 7502 | Make sure you add your Modbus devices’ IP addresses to the “Accessible IP list”
EtherNet/IP | Enable | TCP, UDP | 2222, 44818 | 2222 for EtherNet/IP implicit messaging; 44818 for EtherNet/IP explicit messaging
PROFINET | Enable | UDP | 34963 | 34963 for PROFINET protocol communication
DNP3 | Enable | TCP, UDP | 20000 | 20000 for DNP3 protocol communication
IEC-104 | Enable | TCP | 2404 | 2404 for IEC-104 protocol communication
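The two tables in this section list the same protocol/port pairs, first with the factory default and then with the suggested setting. The script below is an added example, not part of Moxa's guide or tooling: it transcribes the suggested-settings table into a policy and checks the ports observed on a gateway against it, so the result of a scan taken from the management network can be compared with the guide in one step. The `listens` annotation (which entries are inbound services on the MGate and which are outbound clients whose table port is the remote server's port), the FAIL/WARN/UNKNOWN levels, and the sample scan text are assumptions of this example, not content from the guide.

```python
"""Check an MGate 5000's reachable services against this guide's suggested settings.

Added example, not Moxa's own tooling. POLICY transcribes the protocol/port pairs
and the "Suggested Setting" column of the guide's table; the `listens` flag is an
added annotation, and SAMPLE_SCAN is a constructed input, not a capture from a device.
"""
import re
from collections import namedtuple

Service = namedtuple("Service", "name suggested listens remark")

# listens=True: the gateway accepts inbound traffic on this port, so a port scan
# can confirm the setting. listens=False: an outbound client whose table entry is
# the well-known *remote* port; it never shows as open on the MGate and has to be
# verified in the web console instead. Where the guide lists "TCP, UDP" for a
# protocol, both transports are recorded for each of its ports.
POLICY = {
    ("tcp", 4900): Service("DSCI (Moxa Command)", "Disable", True, "not commonly used"),
    ("udp", 4800): Service("DSCI (Moxa Command)", "Disable", True, "not commonly used"),
    ("udp", 53): Service("DNS client", "Disable", False, "not commonly used"),
    ("udp", 161): Service("SNMP agent", "Disable", True, "manage via the HTTPS console instead"),
    ("tcp", 80): Service("HTTP server", "Disable", True, "plain-text web console"),
    ("tcp", 443): Service("HTTPS server", "Enable", True, "encrypted configuration channel"),
    ("tcp", 23): Service("Telnet server", "Disable", True, "not commonly used"),
    ("udp", 68): Service("DHCP client", "Disable", False, "assign the IP address manually"),
    ("udp", 514): Service("Syslog client", "Enable", False, "ships important system events"),
    ("tcp", 25): Service("Email client", "Enable", False, "ships important system events"),
    ("udp", 162): Service("SNMP trap client", "Enable", False, "ships important system events"),
    ("udp", 123): Service("NTP client", "Disable", False, "not commonly used"),
    ("tcp", 502): Service("Modbus TCP client/server", "Enable", True, "restrict peers via Accessible IP list"),
    ("tcp", 7502): Service("Modbus TCP client/server", "Enable", True, "restrict peers via Accessible IP list"),
    ("tcp", 2222): Service("EtherNet/IP", "Enable", True, "implicit messaging"),
    ("udp", 2222): Service("EtherNet/IP", "Enable", True, "implicit messaging"),
    ("tcp", 44818): Service("EtherNet/IP", "Enable", True, "explicit messaging"),
    ("udp", 44818): Service("EtherNet/IP", "Enable", True, "explicit messaging"),
    ("udp", 34963): Service("PROFINET", "Enable", True, "PROFINET communication"),
    ("tcp", 20000): Service("DNP3", "Enable", True, "DNP3 communication"),
    ("udp", 20000): Service("DNP3", "Enable", True, "DNP3 communication"),
    ("tcp", 2404): Service("IEC-104", "Enable", True, "IEC-104 communication"),
}

MANAGEMENT = ("tcp", 443)  # the one server the guide keeps enabled for configuration

# Matches nmap normal-output port lines such as '80/tcp open http'; UDP results
# are often reported as 'open|filtered', which the \b after 'open' still accepts.
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+open\b")


def parse_open_ports(scan_text):
    """Return the set of (proto, port) pairs reported open in nmap-style output."""
    found = set()
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            found.add((m.group(2), int(m.group(1))))
    return found


def audit(observed):
    """Compare observed open ports with POLICY.

    Returns [(level, (proto, port), message)] ordered FAIL, WARN, UNKNOWN, then by
    port. Protocol services the guide marks Enable (Modbus, PROFINET, ...) are not
    flagged when absent, because which of them exist depends on the MGate model.
    """
    findings = []
    for key, svc in POLICY.items():
        if svc.listens and svc.suggested == "Disable" and key in observed:
            findings.append(("FAIL", key,
                             f"{svc.name} is reachable; the guide says Disable ({svc.remark})"))
    if MANAGEMENT not in observed:
        findings.append(("WARN", MANAGEMENT,
                         "HTTPS server not reachable; the guide keeps it enabled for configuration"))
    for key in sorted(observed - set(POLICY)):
        findings.append(("UNKNOWN", key,
                         "open port not in the guide's service table; investigate"))
    rank = {"FAIL": 0, "WARN": 1, "UNKNOWN": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1][1], f[1][0]))


# Constructed sample in nmap normal-output style (not a real device capture):
# a gateway still at factory defaults, plus one port outside the guide's table.
SAMPLE_SCAN = """\
PORT      STATE         SERVICE
23/tcp    open          telnet
80/tcp    open          http
443/tcp   open          https
502/tcp   open          mbap
4900/tcp  open          unknown
8080/tcp  open          http-proxy
161/udp   open|filtered snmp
4800/udp  open|filtered unknown
"""

if __name__ == "__main__":
    for level, (proto, port), msg in audit(parse_open_ports(SAMPLE_SCAN)):
        print(f"[{level}] {proto}/{port}: {msg}")
```

On the constructed sample the script reports five FAIL findings (Telnet, HTTP, SNMP agent and both DSCI ports still reachable), no WARN because HTTPS is up, and one UNKNOWN for the port the guide does not list. A run against a gateway that exposes only TCP 443 and the protocol ports it actually serves returns an empty list, which is the state the suggested-settings table describes.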