
The Security Hardening Guide for the MGate 5000 Series
Moxa Technical Support Team
[email protected]
About Moxa
Moxa is a leading provider of edge connectivity, industrial computing, and network infrastructure solutions for enabling connectivity for the Industrial Internet of Things (IIoT). With over 30 years of industry experience, Moxa has connected more than 71 million devices worldwide and has a distribution and service network that reaches customers in more than 80 countries. Moxa delivers lasting business value by empowering industries with reliable networks and sincere service. Information about Moxa’s solutions is available at www.moxa.com
Introduction
This document provides guidelines on how to configure and secure the MGate 5000 Series. The recommended steps in this document should be considered best practices for security in most applications. It is highly recommended that you review and test the configurations thoroughly before implementing them in your production system in order to ensure that your application is not negatively impacted.
General System Information
2.1 Basic Information About the Device
| Model | Function | Operating System | Firmware Version |
| MGate 5101 Series | PROFIBUS-to-Modbus TCP Gateway | Linux | v2.2 |
| MGate 5102 Series | PROFIBUS-to-PROFINET Gateway | Linux | v2.3 |
| MGate 5103 Series | Modbus RTU/ASCII/EtherNet/IP-to-PROFINET Gateway | Linux | v2.2 |
| MGate 5105 Series | Modbus RTU/ASCII/TCP-to-EtherNet/IP Gateway | Linux | v4.3 |
| MGate 5109 Series | Modbus RTU/ASCII/TCP-to-DNP3 serial/TCP Gateway | Linux | v2.3 |
| MGate 5111 Series | Modbus/PROFINET/EtherNet/IP-to-PROFIBUS Gateway | Linux | v1.3 |
| MGate 5114 Series | Modbus RTU/ASCII/TCP/IEC101-to-IEC104 Gateway | Linux | v1.3 |
| MGate 5118 Series | CAN-J1939-to-Modbus/PROFINET/EtherNet/IP Gateway | Linux | v2.2 |
| MGate W5108/W5208 Series | IEEE 802.11 a/b/g/n wireless Modbus/DNP3 Gateway | Linux | v2.4 |
| MGate 5217 Series | Modbus-to-BACnet/IP Gateway | Moxa Operating System | v1.2 |
The MGate 5000 Series is a protocol gateway specifically designed to allow industrial devices to be directly accessed from a network. Thus, legacy Fieldbus devices can be transformed into different protocols, which can be monitored and controlled from any network location or even the Internet.
To harden the security of the operating system, the following open-source TLS libraries are included and periodically reviewed for cybersecurity enhancement:
- Linux models: OpenSSL v1.1.1b
- Moxa Operating System models: mbed TLS v2.7
2.2 Deployment of the Device
You should deploy the MGate 5000 Series behind a secure firewall network that has sufficient security features in place to ensure that networks are safe from internal and external threats.
Make sure that the physical protection of the MGate devices and/or the system meets the security needs of your application. Depending on the environment and the threat situation, the required form of protection can vary significantly.

Configuration and Hardening Information
For security reasons, account and password protection are enabled by default, so you must provide the correct account and password to unlock the device before entering the web console of the gateway.
The default account and password are admin and moxa (both in lowercase letters), respectively. Once you are successfully logged in, a pop-up notification will remind you to change the password to ensure a higher level of security.

3.1 TCP/UDP Ports and Recommended Services
Please refer to the table below for all the ports, protocols, and services that are used to communicate between the MGate 5000 Series and other devices.
| Service Name | Option | Default Settings | Type | Port Number | Description |
| DSC (Moxa Command) | Enable/Disable | Enable | TCP, UDP | 4900 (TCP), 4800 (UDP) | For Moxa utility communication |
| DNS client | Enable/Disable | Disable | UDP | 53 | Processing DNS and WINS (client) data |
| SNMP agent | Enable/Disable | Enable | UDP | 161 | SNMP handling routine |
| HTTP server | Enable/Disable | Enable | TCP | 80 | Web console |
| HTTPS server | Enable/Disable | Enable | TCP | 443 | Secured web console |
| Telnet server | Enable/Disable | Disable | TCP | 23 | Telnet console |
| DHCP client | Enable/Disable | Disable | UDP | 68 | The DHCP client acquires the system IP address from the server |
| Syslog client | Enable/Disable | Disable | UDP | 514 | Sending the system logs to the remote Syslog server |
| Email client | Enable/Disable | Disable | TCP | 25 | Sending system/config event notifications |
| SNMP trap client | Enable/Disable | Disable | UDP | 162 | Sending system/config event notifications |
| NTP client | Enable/Disable | Disable | UDP | 123 | Network Time Protocol, to synchronize the system time from the server |
| Modbus TCP client/server | Enable/Disable | Enable | TCP | 502, 7502 | 502 for Modbus communication; 7502 for priority Modbus communication |
| EtherNet/IP | Enable/Disable | Enable | TCP, UDP | 2222, 44818 | 2222 for EtherNet/IP implicit messaging; 44818 for EtherNet/IP explicit messaging |
| PROFINET | Enable/Disable | Enable | UDP | 34963 | 34963 for PROFINET protocol communication |
| DNP3 | Enable/Disable | Enable | TCP, UDP | 20000 | 20000 for DNP3 protocol communication |
| IEC-104 | Enable/Disable | Enable | TCP | 2404 | 2404 for IEC-104 protocol communication |
For security reasons, you should consider disabling unused services. After initial setup, use services with stronger security for data communication. Refer to the table below for the suggested settings.
| Service Name | Suggested Setting | Type | Port Number | Security Remark |
| DSC (Moxa Command) | Disable | TCP, UDP | 4900 (TCP), 4800 (UDP) | Disable this service as it is not commonly used |
| DNS client | Disable | UDP | 53 | Disable this service as it is not commonly used |
| SNMP agent | Disable | UDP | 161 | Managing the MGate via the HTTPS console is more secure |
| HTTP server | Disable | TCP | 80 | Disable HTTP to prevent plain-text transmission |
| HTTPS server | Enable | TCP | 443 | Encrypted data channel with a trusted certificate for MGate configuration |
| Telnet server | Disable | TCP | 23 | Disable this service as it is not commonly used |
| DHCP client | Disable | UDP | 68 | Assign an IP address manually for the device |
| Syslog client | Enable | UDP | 514 | A service for sending important system events for diagnosis of the MGate’s status |
| Email client | Enable | TCP | 25 | A service for sending important system events for diagnosis of the MGate’s status |
| SNMP trap client | Enable | UDP | 162 | A service for sending important system events for diagnosis of the MGate’s status |
| NTP client | Disable | UDP | 123 | Disable this service as it is not commonly used |
| Modbus TCP client/server | Enable | TCP | 502, 7502 | Make sure you add your Modbus devices’ IP addresses to the “Accessible IP list” |
| EtherNet/IP | Enable | TCP, UDP | 2222, 44818 | 2222 for EtherNet/IP implicit messaging; 44818 for EtherNet/IP explicit messaging |
| PROFINET | Enable | UDP | 34963 | 34963 for PROFINET protocol communication |
| DNP3 | Enable | TCP, UDP | 20000 | 20000 for DNP3 protocol communication |
| IEC-104 | Enable | TCP | 2404 | 2404 for IEC-104 protocol communication |
| BACnet/IP | Enable | UDP | 47808 | 47808 for BACnet/IP protocol communication |
For console services, we recommend the following:
| HTTP | Disable |
| HTTPS | Enable |
| Telnet | Disable |
| Moxa Command | Disable |
To enable or disable these services, log in to the HTTP/HTTPS console and select System Management > Misc. Settings > Console Settings.
To disable the SNMP agent service, log in to the HTTP/HTTPS console and select System Management > SNMP Agent, then select Disable for SNMP.
To disable the NTP service, log in to the HTTP/HTTPS console, select Basic Settings, and leave the Time server setting empty. An empty Time server setting disables the NTP service.
Note For each instruction above, click the Submit button to save your changes, then restart the MGate device so the new settings will take effect.
3.2 HTTPS and SSL Certificates
HTTPS is an encrypted communication channel. Because TLS v1.1 and lower have known severe vulnerabilities that are easy to exploit, MGate devices use TLS v1.2 for HTTPS to ensure that data transmissions are secured. Make sure your browser has TLS v1.2 enabled.
In order to use the HTTPS console without a certificate warning appearing, you need to import a trusted certificate issued by a third-party certificate authority.
Log in to the HTTP/HTTPS console and select System Management > Certificate. You can obtain an up-to-date valid certificate either by importing a third-party trusted SSL certificate or by generating the “MGate self-signed” certificate.
3.2.1 Behavior of the SSL Certificate on an MGate Device
MGate devices can auto-generate a self-signed SSL certificate. It is recommended that you import SSL certificates that are either certified by a trusted third-party Certificate Authority (CA) or by an organization’s CA.
The length of the MGate device’s self-signed private keys is 1,024 bits, which should be compatible with most applications. Some applications may need a longer key, such as 2,048 bits, which would require importing a third-party certificate. Please note that longer keys will mean browsing the web console will be slower due to the increased complexity of encrypting and decrypting communicated data.
3.2.2 MGate Self-signed Certificate
If a certificate has expired, you can regenerate the MGate self-signed certificate with the following steps.
Step 1: Delete the current SSL certificate issued by the MGate device.
Step 2: Enable the NTP server and set up the time zone and local time.
Step 3: After restarting the device, the MGate self-signed certificate will be regenerated with a new expiration date.
3.2.3 Importing a Third-party Trusted SSL Certificate
Importing the third-party trusted SSL certificate can improve security. To generate the SSL certificate through a third party, follow these steps:
Step 1: Create a certification authority (Root CA), such as Microsoft AD Certificate Services (https://mizitechinfo.wordpress.com/2014/07/19/step-by-step-installing-certificate-authority-on-windows-server-2012-r2/).
Step 2: Find a tool to issue a certificate signing request (CSR) file. You can get one from a third-party CA company such as DigiCert (https://www.digicert.com/easycsr/openssl.htm).
Step 3: Submit the CSR file to a public certification authority to get a signed certificate.
Step 4: Import the certificate to the MGate device. Please note that MGate devices only accept certificates using a “.pem” format.
Note The maximum supported key length for MGate devices is 2,048 bits.


Here are some well-known third-party CA (Certificate Authority) companies for your reference (https://en.wikipedia.org/wiki/Certificate_authority):
- IdenTrust (https://www.identrust.com/)
- DigiCert (https://www.digicert.com/)
- Comodo Cybersecurity (https://www.comodo.com/)
- GoDaddy (https://www.godaddy.com/)
- Verisign (https://www.verisign.com/)
3.3 Account Management
The MGate 5000 Series provides two different user levels, admin and user, with a maximum of 16 accounts. With an administrator account, you can access and modify all settings through the web console. With the user account, you can only view settings.
The default administrator account is admin, with the default password moxa. To manage accounts, log in to the web console and select System Management > Misc. Settings > Account Management. To change the password of an existing account, double-click the name of the account and change the password on the page that opens.
To add a new account, log in to the HTTP/HTTPS console and select System Management > Misc. Settings > Account Management. Click the Add button, then fill in the Account name, User level, New password, and Retype password to generate a new account.
Note We suggest you manage your device with another “administrator level” account instead of using the default “admin” account, as it is commonly used by embedded systems. Once the new administrator-level account has been created, it is suggested that the original “admin” account should be monitored for security reasons to prevent brute-force attacks.
To improve security, the login password policy and account login failure lockout can be configured. To configure them, log in to the HTTP/HTTPS console and select System Management > Misc. Settings > Login Password Policy.
You should adjust the password policy to require more complex passwords. For example, set the Minimum length to 16, enable all password complexity strength checks, and enable the Password lifetime options. Also, to avoid a brute-force attack, it’s suggested that you enable the Account login failure lockout feature.
For some system security requirements, a warning message may need to be displayed to all users attempting to log in to the device. To add a login message, log in to the HTTP/HTTPS console and select System Management > Misc. Settings > Notification Message, and enter a Login Message to use.
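The password-policy and lockout settings above are configured in the web console; the following added example (written for this guide, not Moxa code, and not describing the gateway's internal implementation) models the same two controls so that a practitioner can reason about them: a complexity check with the guide's suggested 16-character minimum plus a refusal of the factory default, and a failure counter that locks an account after a burst of bad logins. The lifetime of 90 days, the 5-failure threshold, the 5-minute window and the 15-minute lock are assumed values, not figures from the guide.

```python
"""Password-policy and login-lockout model for the settings in section 3.3."""
from datetime import datetime, timedelta

# The factory default from the guide; any policy should refuse it outright.
KNOWN_DEFAULTS = {"moxa"}


class PasswordPolicy:
    """Mirrors the Login Password Policy page: minimum length, complexity
    checks and password lifetime. min_length=16 is the guide's suggestion;
    lifetime_days is an assumed figure."""

    def __init__(self, min_length=16, lifetime_days=90):
        self.min_length = min_length
        self.lifetime_days = lifetime_days

    def violations(self, password):
        """Return the reasons a password fails the policy; empty list means accepted."""
        problems = []
        if password.lower() in KNOWN_DEFAULTS:
            problems.append("is a well-known default password")
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if not any(c.isupper() for c in password):
            problems.append("no upper-case letter")
        if not any(c.islower() for c in password):
            problems.append("no lower-case letter")
        if not any(c.isdigit() for c in password):
            problems.append("no digit")
        if not any(not c.isalnum() for c in password):
            problems.append("no special character")
        return problems

    def is_expired(self, last_changed, now):
        """Password lifetime check: True once the password is older than lifetime_days."""
        return now - last_changed > timedelta(days=self.lifetime_days)


class LoginLockout:
    """Account login failure lockout: after max_failures failed attempts inside
    `window`, the account is locked for lock_duration (all values assumed)."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lock_duration=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.window = window
        self.lock_duration = lock_duration
        self._failures = {}       # account -> recent failure timestamps
        self._locked_until = {}   # account -> datetime the lock expires

    def attempt(self, account, credentials_ok, now):
        """Return 'locked', 'ok' or 'failed' for a login attempt at time `now`."""
        until = self._locked_until.get(account)
        if until is not None and now < until:
            return "locked"          # even a correct password is refused while locked
        if credentials_ok:
            self._failures.pop(account, None)
            return "ok"
        recent = [t for t in self._failures.get(account, []) if now - t <= self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_duration
            self._failures.pop(account, None)
            return "locked"
        self._failures[account] = recent
        return "failed"


def demo_lockout():
    """Five bad passwords lock 'admin'; a correct one is refused until the lock expires."""
    t0 = datetime(2024, 3, 1, 8, 0, 0)      # constructed timestamps
    guard = LoginLockout()
    results = [guard.attempt("admin", False, t0 + timedelta(seconds=i)) for i in range(5)]
    results.append(guard.attempt("admin", True, t0 + timedelta(seconds=6)))   # still locked
    results.append(guard.attempt("admin", True, t0 + timedelta(minutes=16)))  # lock expired
    return results
```

The lockout refuses a correct password while the lock is active; that is the property that makes a lockout effective against password guessing, and also the reason the guide suggests creating a second administrator account before relying on it, so that a locked default account does not lock out the operator as well.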
3.4 Accessible IP List
The MGate 5000 Series can limit access to specific host IP addresses to prevent unauthorized access to the gateway. If a host’s IP address is in the accessible IP list, then the host will be allowed to access the MGate 5000 Series. To configure this, log in to the HTTP/HTTPS console and select System Management > Accessible IP List. The different restrictions are listed in the table below (the checkbox Apply additional restrictions can only be activated if Activate the accessible IP list is activated).
| Activate the accessible IP list | Apply additional restrictions | IP is in the list and Active is checked | IP is not in the list OR Active is not checked |
| Checked | Unchecked | All protocol communication and services* are allowed for the IP. | Protocol communication is not allowed, but services* are still allowed for the IP. |
| Checked | Checked | All protocol communication and services* are allowed for the IP. | All services* are not allowed for the IP. |
*HTTP, HTTPS, TELNET, SSL, SNMP, SMTP, DNS, NTP, DSU
You may add a specific address or range of addresses by using a combination of an IP address and a netmask as follows:
- To allow access to a specific IP address: Enter the IP address in the corresponding field, then enter 255.255.255.255 for the netmask.
- To allow access to hosts on a specific subnet: For both the IP address and netmask, use 0 for the last digit (e.g., “192.168.1.0” and “255.255.255.0”).
- To allow access to all IP addresses: Make sure that the checkbox that activates the accessible IP list is not checked.
Additional configuration examples are shown in the following table:
| Desired IP Range | IP Address | Netmask |
| Any host | Accessible IP list disabled | – |
| 192.168.1.120 | 192.168.1.120 | 255.255.255.255 |
| 192.168.1.1 to 192.168.1.254 | 192.168.1.0 | 255.255.255.0 |
| 192.168.1.1 to 192.168.255.254 | 192.168.0.0 | 255.255.0.0 |
| 192.168.1.1 to 192.168.1.126 | 192.168.1.0 | 255.255.255.128 |
| 192.168.1.129 to 192.168.1.254 | 192.168.1.128 | 255.255.255.128 |
WARNING
Ensure that the IP address of the PC you are using to access the web console is in the Accessible IP List. If your PC’s IP address is not listed in the Accessible IP List, your PC will not be able to access the gateway.
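The netmask rows and the restriction matrix above can be checked before anything is typed into the console. The following added example (written for this guide, not Moxa code, and not a description of the gateway's internal implementation) reproduces the two pieces of logic with the standard library: which hosts an IP/netmask entry admits, and whether a given host may reach "protocol" or "service" traffic under each combination of the two checkboxes. It also implements the pre-flight check implied by the WARNING: confirm that the console PC is in the list before tightening restrictions. Entry values are the ones from the table; the host addresses used to exercise the matrix are constructed.

```python
"""Accessible IP List model: netmask matching and the restriction matrix."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# The two traffic classes the guide's table distinguishes. "service" is the
# footnoted list (HTTP, HTTPS, Telnet, SNMP, SMTP, DNS, NTP, Moxa utility);
# "protocol" is the fieldbus traffic (Modbus TCP, EtherNet/IP, DNP3, ...).
SERVICE = "service"
PROTOCOL = "protocol"


@dataclass(frozen=True)
class AccessEntry:
    """One row of the Accessible IP List: IP address, netmask and the Active box."""
    ip: str
    netmask: str
    active: bool = True

    def network(self) -> ipaddress.IPv4Network:
        # strict=False accepts a single host with a /32 mask as well as a
        # network address with a wider mask, matching how the two UI fields combine.
        return ipaddress.IPv4Network(f"{self.ip}/{self.netmask}", strict=False)

    def host_range(self) -> tuple[str, str]:
        """First and last host the entry admits (network and broadcast excluded)."""
        net = self.network()
        if net.prefixlen == 32:
            return str(net.network_address), str(net.network_address)
        return str(net.network_address + 1), str(net.broadcast_address - 1)


def in_list(host: str, entries: list[AccessEntry]) -> bool:
    """True when the host matches at least one entry whose Active box is checked."""
    addr = ipaddress.IPv4Address(host)
    return any(e.active and addr in e.network() for e in entries)


def is_allowed(host: str, kind: str, entries: list[AccessEntry],
               list_active: bool, additional_restrictions: bool) -> bool:
    """Restriction matrix from the guide.

    List not activated      -> every host reaches everything.
    Host in list and Active -> protocol and services allowed.
    Host not in list        -> protocol blocked; services blocked only when
                               'Apply additional restrictions' is also checked.
    """
    if not list_active:
        return True
    if in_list(host, entries):
        return True
    if additional_restrictions:
        return False
    return kind == SERVICE


def console_lockout_risk(pc_ip: str, entries: list[AccessEntry]) -> bool:
    """Pre-flight for the WARNING: True if the PC running the web console would
    lose access to the gateway once 'Apply additional restrictions' is enabled."""
    return not in_list(pc_ip, entries)


if __name__ == "__main__":
    table = [("192.168.1.120", "255.255.255.255"), ("192.168.1.0", "255.255.255.0"),
             ("192.168.0.0", "255.255.0.0"), ("192.168.1.0", "255.255.255.128"),
             ("192.168.1.128", "255.255.255.128")]
    for ip, mask in table:
        print(ip, mask, "->", AccessEntry(ip, mask).host_range())
```

Running the block reproduces the table's host ranges for the /32, /24 and /25 rows. For the 255.255.0.0 row the computed range starts at 192.168.0.1 rather than the table's 192.168.1.1, because that mask also admits the 192.168.0.x hosts; treat the table's entry as an illustration and size the netmask to exactly the hosts you intend to admit.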
3.5 Logging and Auditing
These are the events that will be recorded by the MGate 5000 Series. The SD card access failure event and protocol events vary for the different MGate 5000 models.
| Event Group | Summary |
| System | System cold start, system warm start, SD card access failure |
| Network | DHCP/BOOTP gets IP/renew, NTP connect failed, IP conflict, Network link down |
| Configuration | Login failed, IP changed, Password changed, Firmware upgraded, SSL Certificate imported, Configuration imported/exported, Configuration changed, Clear event logged |
| Protocol | Protocol communication logs |
To configure this setting, log in to the HTTP/HTTPS console and select System Management > System Log Settings. Then, enable the Local Log for recording on the MGate 5000 device and/or Syslog for keeping records on a server. You should enable system log settings to record all important system events so that you can monitor device status and check for security issues.
To view events in the system log, log in to the HTTP/HTTPS console and select System Monitoring > System Log.
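Forwarding the events above to a Syslog server is only useful if something watches them. The following added example (written for this guide, not Moxa code) runs three detection rules over forwarded event lines: repeated "Login failed" events from one source for one account inside a short window, a Configuration-group event outside an assumed maintenance window, and any "Clear event logged" record. The event names are those in the table; the line layout, host name, source address and timestamps are constructed, because the page does not document the exact MGate syslog format, so adjust LINE_RE to what your collector actually receives.

```python
"""Alert rules over MGate event-log lines forwarded to a syslog collector."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a generic "<timestamp> <host> <event> (<k=v, ...>)" layout.
SAMPLE_LOG = """\
2024-03-01T08:00:01 mgate-01 Login failed (account=admin, from=10.0.0.9)
2024-03-01T08:00:03 mgate-01 Login failed (account=admin, from=10.0.0.9)
2024-03-01T08:00:04 mgate-01 Login failed (account=admin, from=10.0.0.9)
2024-03-01T08:00:06 mgate-01 Login failed (account=admin, from=10.0.0.9)
2024-03-01T08:00:07 mgate-01 Login failed (account=admin, from=10.0.0.9)
2024-03-01T09:15:00 mgate-01 Firmware upgraded
2024-03-01T23:40:12 mgate-01 Configuration changed
2024-03-02T10:05:00 mgate-01 SSL Certificate imported
2024-03-02T10:06:00 mgate-01 Clear event logged
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[^(]+?)\s*(?:\((?P<attrs>[^)]*)\))?$")

# Configuration-group events from section 3.5 that belong in a maintenance window.
CHANGE_EVENTS = {
    "IP changed", "Password changed", "Firmware upgraded", "SSL Certificate imported",
    "Configuration imported/exported", "Configuration changed",
}


def parse_line(line):
    """Return a dict with ts/host/event plus any k=v attributes, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = {}
    if m["attrs"]:
        attrs = dict(kv.split("=", 1) for kv in m["attrs"].split(", "))
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "event": m["event"].strip(), **attrs}


def in_maintenance_window(ts, start_hour=8, end_hour=18):
    """Assumed change window: weekdays, 08:00 to 18:00 device local time."""
    return ts.weekday() < 5 and start_hour <= ts.hour < end_hour


def analyse(log_text, fail_threshold=5, fail_window=timedelta(seconds=60)):
    """Return (rule, host, detail) alerts for the three rules."""
    alerts = []
    failures = defaultdict(deque)        # (host, source, account) -> failure timestamps
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        event = rec["event"]
        if event == "Login failed":
            key = (rec["host"], rec.get("from", "?"), rec.get("account", "?"))
            window = failures[key]
            window.append(rec["ts"])
            while rec["ts"] - window[0] > fail_window:   # drop failures older than the window
                window.popleft()
            if len(window) == fail_threshold:            # fire once, when the threshold is hit
                alerts.append(("login-bruteforce", rec["host"],
                               f"{fail_threshold} failures for {key[2]} from {key[1]} "
                               f"within {int(fail_window.total_seconds())}s"))
        elif event in CHANGE_EVENTS and not in_maintenance_window(rec["ts"]):
            alerts.append(("out-of-window-change", rec["host"],
                           f"{event} at {rec['ts'].isoformat()}"))
        elif event == "Clear event logged":
            alerts.append(("log-cleared", rec["host"],
                           "event log cleared on the device; verify who did it and why"))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in analyse(SAMPLE_LOG):
        print(f"[{rule}] {host}: {detail}")
```

On the sample, the five failures within six seconds raise one brute-force alert, the late-night configuration change and the Saturday certificate import are flagged as out-of-window, and the log clear is always flagged; the Friday-morning firmware upgrade passes. Keeping the Syslog copy on a separate server is what makes the last rule meaningful: a local log that has been cleared cannot report its own clearing.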
3.6 DoS Defense
You can enable and configure a number of DoS Defense features to protect the gateway against denial-of-service (DoS) attacks.
Note This function is not supported in the MGate 5217 Series.

Patching/Upgrades
4.1 Patch Management Plan
For patch management, Moxa generally releases version enhancements with thorough release notes annually.
4.2 Firmware Upgrades
The process for upgrading firmware is as follows:
- Download the latest firmware for your MGate device from the Moxa website:
MGate 5101 Series: https://www.moxa.com/en/products/industrial-edge-connectivity/protocol-gateways/modbus-tcp-gateways/mgate-5101-pbm-mn-series#resources
MGate 5102 Series: https://www.moxa.com/en/products/industrial-edge-connectivity/protocol-gateways/profinet-gateways/mgate-5102-pbm-pn-series
MGate 5103 Series: https://www.moxa.com/en/products/industrial-edge-connectivity/protocol-gateways/modbus-tcp-gateways/mgate-5103-series#resources
MGate 5105 Series: https://www.moxa.com/en/products/industrial-edge-connectivity/protocol-gateways/modbus-tcp-gateways/mgate-5105-mb-eip-series#resources
MGate 5109 Series: https://www.moxa.com/en/products/industrial-edge-connectivity/protocol-gateways/modbus-tcp-gateways/mgate-5109-series#resources
MGate 5111 Series: https://www.moxa.com/en/products/industrial-edge-connectivity/protocol-gateways/modbus-tcp-gateways/mgate-5111-series#resources
MGate 5114 Series: https://www.moxa.com/en/products/industrial-edge-connectivity/protocol-gateways/modbus-tcp-gateways/mgate-5114-series#resources
MGate 5118 Series: https://www.moxa.com/en/products/industrial-edge-connectivity/protocol-gateways/modbus-tcp-gateways/mgate-5118-series#resources
MGate W5108/W5208 Series: https://www.moxa.com/en/products/industrial-edge-connectivity/protocol-gateways/modbus-tcp-gateways/mgate-w5108-w5208-series#resources
MGate 5217I Series: https://www.moxa.com/en/products/industrial-edge-connectivity/protocol-gateways/modbus-tcp-gateways/mgate-5217-series#resources
- Moxa’s website provides the SHA-512 hash value so that you can double-check that the downloaded firmware is identical to the one on the website.
- Log in to the HTTP/HTTPS console and select System Management > Maintenance > Firmware Upgrade. Click the Choose File button to select the proper firmware and click Submit to upgrade the firmware.
- If you want to upgrade the firmware for multiple units, download the Device Search Utility (DSU) or MXconfig for a GUI interface, or the Moxa CLI Configuration Tool for a CLI interface.
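The SHA-512 comparison in the procedure above is worth doing with a script rather than by eye, since a single wrong hex digit is easy to miss across 128 characters. The following added example (written for this guide, not a Moxa tool) hashes the downloaded image in chunks, validates that the value copied from the product page is a well-formed SHA-512, and compares in constant time. The placeholder image bytes and the "published" hash derived from them are constructed for the demonstration; in use, pass the path of the real download and the hash string from the Moxa Resources page.

```python
"""Verify a downloaded MGate firmware image against the SHA-512 published on moxa.com."""
import hashlib
import hmac
import os
import tempfile


def sha512_file(path, chunk_size=1 << 20):
    """Hash the file in 1 MiB chunks so large images need not fit in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_firmware(path, published_sha512):
    """True only if the local file's SHA-512 equals the published value.

    published_sha512 is the hex string copied from the product's Resources page.
    A malformed value raises instead of silently comparing unequal, so a copy
    error is not mistaken for a tampered file.
    """
    expected = published_sha512.strip().lower()
    if len(expected) != 128 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("published hash is not a 128-hex-digit SHA-512")
    # compare_digest keeps the comparison time independent of where a mismatch occurs.
    return hmac.compare_digest(sha512_file(path), expected)


def demo():
    """Constructed stand-in for a firmware download; returns (match, mismatch) results."""
    data = b"CONSTRUCTED-PLACEHOLDER-IMAGE-NOT-REAL-FIRMWARE\n" * 2048
    with tempfile.NamedTemporaryFile(delete=False, suffix=".rom") as fh:
        fh.write(data)
        path = fh.name
    try:
        good = hashlib.sha512(data).hexdigest()            # stands in for the published hash
        tampered = good[:-1] + ("0" if good[-1] != "0" else "1")
        return verify_firmware(path, good), verify_firmware(path, tampered)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Run the check on the file you are about to upload, not on a copy taken earlier: the point is to confirm that the exact bytes reaching the Firmware Upgrade page are the ones Moxa published.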

Security Information and Vulnerability Feedback
As the adoption of the Industrial IoT (IIoT) continues to grow rapidly, security has become one of our top priorities. The Moxa Cyber Security Response Team (CSRT) takes a proactive approach to protect our products from security vulnerabilities and help our customers better manage security risks. You can find the latest Moxa security information here: https://www.moxa.com/en/support/product-support/security-advisory 
References
- Moxa - Your Trusted Partner in Automation (https://www.moxa.com)
- Certificate authority - Wikipedia (https://en.wikipedia.org/wiki/Certificate_authority)
- Step by Step: Installing Certificate Authority on Windows Server 2012 R2 (https://mizitechinfo.wordpress.com/2014/07/19/step-by-step-installing-certificate-authority-on-windows-server-2012-r2/)
- Comodo Cybersecurity (https://www.comodo.com/)
- DigiCert (https://www.digicert.com/)
- GoDaddy (https://www.godaddy.com/)
- IdenTrust – Part of HID Global (https://www.identrust.com/)
- Moxa Security Advisories (https://www.moxa.com/en/support/product-support/security-advisory)
- Verisign (https://www.verisign.com/)