Issue 10 / 2011 IT Infrastructure Industrial Firewall, 3G and VPN Router
Secure communication well coordinated

Ethernet is a worldwide communication standard for electronic networks. It provides one shared language for all components. A breakthrough which creates unimagined potential, but of course also bears a lot of risks. Communicate specifically, control communication channels and prevent undesired access, within the enterprise as well as remotely via the Internet. Security for industrial networks, made in Germany.
IF1000 and IRF2000 Series

IRF2000 series: Industrial VPN Router and Firewall with UMTS/3G option
IF1000 series: Industrial Firewall and VPN Router
IF1000 and IRF2000 series product benefits

Industrial-suited and easy to use: IT security in automation
- The IF1000 and IRF2000 series design stands for robust machine hardware
- Robust magnesium die-cast case and simple controls
- Service LEDs or comprehensive display for commissioning and diagnosis
- Connections for key switches are available for control of the VPN channel or for physical network separation
- Alarm outputs may be used for network monitoring or for status signalling

[Figure labels: IT network, Service, Production, Administration, Filter function, Physical disconnection, Uplink, Cut signal, Event Log, Alarm signal]

CUT & STOP: 100% security in critical phases
- CUT & STOP physically disconnects the LAN IN / WAN port from the network
- CUT & STOP can be triggered per software, or by a control input or key switch
- This way, the machine can quickly be disconnected from the network in critical situations, or the other way round, intentionally be connected to the network for remote maintenance

IF1000 series product benefits

Display and keypad: important information at a glance
- The basic configuration can directly be viewed and changed on the firewall without having to connect a notebook
- Five flexible 100 MBit/s interfaces permit the routing of 5 different IP subnets or one switch with up to 5 ports, depending on the configuration
- Direct connection of an RS232 modem (GPRS, ISDN, analogue)
- Redundant power supply for high-reliability applications
Highlight: IRF2000 series with UMTS/3G option

[Figure labels: Remote maintenance, Internet, Remote maintenance approval]

Alarms and key switches: Integration in automation concepts
- The IF1000 and IRF2000 series have 24 V DC inputs and outputs
- The user can simply use a key switch to initiate a remote maintenance, either by temporary suspension of the CUT & STOP command or directly via the VPN key input
- PLCs can manage the entire range of the router's functions via various software APIs

IRF2000 series product benefits
- Two high-speed 1 GBit/s interfaces provide filter functions with maximum speed in the GBit Ethernet
- Integrated quad band UMTS/HSPA 2G/3G option permits wireless Internet access globally
- USB 2.0 port to connect printer, modems or storage
- Slim housing design for minimum space requirement in the cabinet
- Top-hat rail or VESA 75 installation

SIM card: Configure plug & play
- The entire firewall configuration can be stored on a SIM card which you can purchase as an option
- The firewall automatically reads the SIM card contents at every boot
- The device is quickly and cost efficiently replaced without using any specialists
Secure NOW!: Security at the push of a button
- Automatic rule generation from the online traffic currently passing through the firewall
- No IT know-how required for basic protection of the machine
- Rules generated automatically can be edited and adapted

Creating rules manually
- Filtering on layer 2 and layer 3
- Predefined filter rules and rulesets, e.g. for POP3, ModbusTCP or Profinet
- Creation of precisely tailored rules and filters by using the web interface
- Establishment of MAC and IP groups in order to simplify the creation of shared rules for different subscribers

IDA light administration tool: Central administration
- adstec provides a central administration tool for managing larger numbers of firewalls within a network
- Automatic detection in corporate networks
- Centralised IP assignment
- Allocation to groups and firewall rules can be copied per drag & drop
- Centralised firmware updating
- IDA light is permanently included in the scope of delivery without any additional costs

VLAN tagging and prioritisation: Strictly in the right order
- Machine protocols have preference
- Real time Ethernet applications can easily be used in combination with VLANs

Alarming and event log: Always informed what's going on
- Simple integration, also for acoustic alarm devices
- Activities can automatically be triggered by the control system
- Password protected event log with local or remote data retrieval
- An email alerting system and a syslog link are additionally implemented
Highlight: BigLinX, The Remote Service Cloud
- A VPN server with web portal is integrated in BigLinX
- Central management of all incoming VPN connections
- Individual assignment of virtual remote maintenance environments to machines

BigLinX: Advantages for the supplier
- Considerable reduction of on-site costs
- Efficient deployment planning
- Preconfigured firewall ex factory
- System information is provided automatically for service purposes
- Virtual machines provide preconfigured remote maintenance environments
- Highest security via SmartCard Security

BigLinX: Advantages for the end customer
- Higher system availability
- Cost reduction for service and maintenance
- Extremely straightforward operation
- Initiation of service enquiry by the customer only, e.g. via key switch
- No elaborate IT integration to machines required

The service technician receives the service enquiry via the firewall and can start remote maintenance of the machine via the BigLinX portal from anywhere in the world.

BigLinX, The Remote Service Cloud: Distinctive and unique features
- »rendezvous server« for machine and service personnel
- SmartCard security for highest possible security
- Minimal administration effort
- Easy administration of user authorisations
- Direct VPN tunnel from technician to machine
- Virtual machines (VMs) map virtual workstations
- Scalable: additional services can be added to the booking
- Only the services actually rendered are charged

Secure VPN connections Machine data management User management Virtual machines Protocol Administration Reporting and Messaging ERP interfaces
IF1000 and IRF2000 series product benefits: remote maintenance

[Figure labels: CF, Inhouse service, Databases, Intranet subscribers, Corporate firewall, Data Filter, 1:1 NAT for ERP link up, Service, ERP link up]

Flexible remote maintenance via the Internet: Increased expert availability, decreased travel expenses
- Remote maintenance with the IF1000 and IRF2000 series means a high level of security for both the operating and the manufacturing company
- Based on the four-eyes principle, the operator as well as the manufacturer are in full control of access to the machine
- Secure and standardised VPN protocols in connection with certificates and the comprehensive firewall functionality offer maximum protection
- The IF1000 and IRF2000 series are brilliantly suited for integration in provider networks
- Worldwide VPN networks can be established and maintained in an easy and flexible way

Production data and manufacturer remote maintenance

Simple rollout: Fast and without any administrative costs
- Administration costs involved in the individual configuration and documentation for the firewalls in typical remote maintenance solutions, in which several systems are distributed all over the world, should not be underestimated
- The IF1000 and IRF2000 series provide for all options up to a completely automatic configuration of individual devices by means of automatic certificate enrolment (SCEP) and dynamic IP addresses for VPN adapters
Flexible VPN support: The feature for individualised solutions
- Support for all well-established methods for connecting machines via the Internet (IPsec/OVPN/L2TP)
- OpenVPN connections can be allocated to individual ports in a flexible way, or be tunnelled via existing proxy servers
- 1:1 NAT for simple establishment of complex networks, since each machine can be operated using the same IP without any conflicts

Remote maintenance from everywhere: Global network
- The use of existing concepts for connecting the field engineers with the company network can be continued
- The service technician/engineer first connects with the home network, as usual, and then gets into the corresponding machine network via the home network

Multiuser: Rights for parametrisation are determinable
- The integrated rights management system admits rights configuration for parametrisation (of devices) on user level

Certificates, encryption and passwords: Security comes first
- Each VPN tunnel can be strongly encrypted, and is additionally secured by certificates or by a password
- Tunnel establishment can be combined with a key switch in order to introduce the four-eyes principle in remote maintenance; this ensures that unsupervised access is excluded
- Different tunnels can be provided with different access rights; each subscriber gets only access to their part of the system
IF1000 and IRF2000 series technical data

Device data (IF1000 / IRF2000)

Hardware
- Ethernet connections: IF1000: LAN IN: RJ45 (incl. PoE), LAN OUT: 4 x RJ45, 100BaseTx; IRF2000: LAN: RJ45 (1000 BaseTx), WAN: RJ45 (1000 BaseTx)
- Power supply: IF1000: 2 x 24 V DC connection (power and backup), PoE (Power over Ethernet); 24 V input for activation of the CUT & STOP function, e.g. with a PLC or per key switch; 24 V output: alarm output for PLC or display. IRF2000: 1 x 24 V DC (6..36 V); 2 x 24 V input (CUT + VPN key); 2 x 24 V output (ALARM + VPN up)
- Display: Active monochrome display with 128 x 64 pixels, can be password protected or entirely disabled
- Smart Card Reader: BigLinX access or to save the configuration
- USB 2.0 Port: Printer, Storage, Modems
- Case: Magnesium die-cast case
- Installation: IF1000: Top-hat rail or wall mount; IRF2000: Top-hat rail or VESA 75

General
- Operating system: Embedded Linux
- Control and access: Web interface, IDA light or BigLinX
- Display Languages: German and English
- Environmental temperature: IF1000: 0 °C to +60 °C; IRF2000: 20 °C to +70 °C
- Humidity: IF1000: 10 to 85% without condensation; IRF2000: 5 to 90% without condensation
- Protection class: IP 20
- Dimensions (W x H x D): IF1000: 203 x 156 x 41,5 mm; IRF2000: 165 x 134,5 x 35 mm without antenna

Modem and DSL
- Modem: IF1000: Connection of an AT compatible modem via standard RS232 DSub9 connector; IRF2000: Connection of an AT compatible modem via standard USB/serial converter. Configuration as a dial-up point or for dialling in via PPP; CHAP and PAP authentication methods are supported; dial-on-demand with traffic
- DSL: DSL modem can be connected via any port
- PPPoE: Access data can be configured
- DynDNS: Supports automatic registration
- UMTS/3G: Integrated quad band UMTS/HSPA module as option

VPN
- OpenVPN: Layer 2 and 3 VPN, also supports tunnelling via HTTP proxy
- IPsec/L2TP Server: Provides a dial-up point for standard Windows VPN connections
- IPsec: standard encryption with 1:1 NAT support and data filter
- Simultaneous connections: 64 at max.
- Encryption algorithms: DES56, 3DES168, AES128, AES192, AES256
- Authentication methods: PSK, X.509v3

Firewall
- Cut & Alarm: Physical disconnection of the LAN IN port controlled by the hardware allows the disconnection of a route of cables by using filter rules if access is made via VPN or modem by using filter rules, as well as the initiation of a VPN connection establishment.
[Figure: dimension drawings of the IF1000 and IRF2000]

- Filter wizard: Predefined filter rulesets are used, automatic rule creation
- Max. number of rules: Only restricted by memory size
- Layer 2/3 filter function
- VPN rules
- Stateful Inspection

Miscellaneous
- 1:1 NAT/network mapping: In extended routing mode, up to four identical IP subnets can be connected and mapped to a corresponding global address range, even in combination with VPNs.
- SNMP: SNMPv1, v2, v3 read/write
- Routing: Static, RIPv2 and OSPF
- Multiuser: Rights for parametrisation are determinable
- NTP client, 3 servers can be configured
- DHCP server/DHCP relay
- VLAN support
- Bandwidth management
- STP (spanning tree protocol)
- Modbus TCP, with predefined registers
- Client monitoring (ICMP)
- Certificate enrolment: Automatic distribution and validity date renewal of device certificates for VPN authentication by using SCEP

Options

Software
- BigLinX: Remote maintenance for VPN router and service

Hardware
- NVRAM: 128 KB NVRAM for fail-proof storage of the event log (IF1110)
- SIM card: The entire configuration is stored on adstec memory cards. This allows simple device replacement. The device reads the configuration automatically.
- BigLinX Smartcard: Access card for BigLinX remote maintenance portal
- UMTS/3G: Integrated UMTS/HSPA/3G modem option (IRF2210); Peak Downlink 7.2 Mbps; Peak Uplink 5.8 Mbps; WCDMA 850/1900/2100 MHz; GSM/GPRS/EDGE 850/900/1800/1900 MHz; FCC, IC, CE, GCF, PTCRB, ATick, AT&T, Telstra, NTT, DoCoMo, Softbank, Bell
The content of this product range brochure was created with utmost care. However, we shall not be held liable for the accuracy, completeness and topicality of any data and figures contained in this publication. The contents are subject to technical modification and figures may differ from reality. All product names are trademarks and registered trademarks, and as such are the property of the respective company owning trademark rights, in each case.

adstec GmbH Automation, Daten und Systemtechnik
Raiffeisenstraße 14
70771 Leinfelden-Echterdingen
Phone +49 711 45894600
Fax +49 711 45894992
sales@adstec.de
www.adstec.de

DZHAND930101/D IT Infrastructure Firewall Prospekt E 102011

Product portfolio: Tablet PCs, IT Infrastructure, Terminals, Industrial PCs