Allow single or multiple specific IP addresses through the ewon

Our client builds machines with an ewon Flexy inside for remote access for maintenance. As such, end users are not allowed access to the Talk2M account, and therefore the VPN, as that would allow them access to all the machines our client has in the field.

However, our client's clients are all requesting more and more data from the machines to improve their production process. Downloading this data from the machine by hand quickly becomes a tiring process, and therefore we'd like to implement a more automated solution.

The situation now is as follows:

We have an industrial PC in the machine network running an OPC UA server and an FTP server. A generic PC is connected to the WAN side of the ewon through the internal company network.

The setup our client prefers is one where we allow traffic through the proxy to the FTP and/or OPC UA server from only a single IP address inside the company network, i.e. a whitelist. I am aware that this is vulnerable to IP spoofing, but as there should be additional defenses between the company network and the internet, this is probably a reduced risk.

Is there any way to set this up? Or are there any other ways to achieve this?

Is it maybe possible to split access to a single machine VPN off, so the client's client can only access that specific VPN, or multiple VPNs in case he owns multiple machines?

In the latter case it is very important that the client's client has no chance of gaining access to a different ewon, as they are competing businesses and one of them gaining access to the other's machines would be very bad.

My personal preference would be to open the ports for both servers through the proxy and secure them by means of login and password and/or trusted certificates. However, the client finds it too expensive or too much of a hassle to set this up.

I would really love to hear some opinions or pointers on this subject!

Hi,

From what you have described, this should be doable with a Talk2M Pro account. If the reason your client does not want them to have access to Talk2M is so that they cannot access other devices, this can be controlled on a Talk2M Pro account by using groups, pools, and roles. This is described in the following document, starting on page 6.

-Zach

To answer your other question: the Cosy itself cannot do IP whitelisting. You would have to manage that with your internal networking equipment or firewall. You may want to check out this document on the eCatcher firewall options: http://onlinehelp.ewon.biz/ecatcher/6.0/pro/en/index.html?ewon_devices_firewall.htm

The OPC UA server should have certificate authentication; are you just looking for another layer of defense in this case?

Like Zach said, as far as preventing access to certain devices, this can be set up using the document above to configure your account.
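The point above that the Cosy/Flexy cannot whitelist an address itself, so the filter has to live on your own equipment, as an added example that is not from this thread and not eWON/HMS code: a POSIX shell script that generates (and only on explicit request loads) an nftables ruleset for a Linux firewall placed between the company network and the ewon's WAN port. The ewon still needs its NAT 1:1 or port proxy to reach the industrial PC; this box only decides which company host may talk to it. The addresses, interface names, the passive-FTP port range and the function names are assumptions; 4840 is the IANA-registered OPC UA port.

```shell
#!/bin/sh
# Added example, not from the thread or from HMS/eWON: a single-host
# whitelist enforced on a Linux/nftables firewall upstream of the ewon's
# WAN port. All addresses, interfaces and the PASV range are hypothetical.

WHITELIST_IP="${WHITELIST_IP:-10.10.5.20}"        # the one company PC allowed in
SERVER_IP="${SERVER_IP:-192.168.120.50}"          # industrial PC (OPC UA + FTP) behind the ewon
COMPANY_IF="${COMPANY_IF:-eth0}"                  # interface towards the company network
EWON_IF="${EWON_IF:-eth1}"                        # interface towards the ewon WAN port
OPCUA_PORT="${OPCUA_PORT:-4840}"                  # IANA-registered OPC UA port
FTP_PASV_RANGE="${FTP_PASV_RANGE:-50000-50100}"   # must match the FTP server's passive range

# Refuse anything that is not exactly one IPv4 host: a stray "/0" or a
# range here would silently turn the whitelist into "allow everyone".
is_single_ipv4() {
  case "$1" in
    ''|*/*|*-*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -f; set -- $1; set +f     # split on dots, no globbing
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Emit an nftables ruleset: default-drop forwarding with one narrow allow.
build_ruleset() {
  is_single_ipv4 "$WHITELIST_IP" || { echo "WHITELIST_IP must be one host, got '$WHITELIST_IP'" >&2; return 1; }
  is_single_ipv4 "$SERVER_IP"    || { echo "SERVER_IP must be one host, got '$SERVER_IP'" >&2; return 1; }
  cat <<EOF
table inet machine_access {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Replies to connections the whitelisted PC opened.
    ct state established,related accept

    # The whitelist: one source host, one destination host, three services
    # (FTP control, FTP passive data range, OPC UA). Nothing else crosses.
    iifname "$COMPANY_IF" oifname "$EWON_IF" ip saddr $WHITELIST_IP ip daddr $SERVER_IP tcp dport { 21, $FTP_PASV_RANGE, $OPCUA_PORT } ct state new accept

    # Everything else, including anything the machine LAN tries to open
    # towards the company network, is logged and dropped.
    log prefix "machine-access-drop: " drop
  }
}
EOF
}

# Write the ruleset to a file and, when nft is installed, parse it with
# nft -c (check only, live tables untouched). Prints the file name.
write_ruleset() {
  out="${1:-/tmp/machine_access.nft}"
  build_ruleset > "$out" || return 1
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$out" || return 1
  fi
  printf '%s\n' "$out"
}

# Load for real only when explicitly asked:  sh whitelist.sh apply
if [ "${1:-}" = "apply" ]; then
  f=$(write_ruleset) && nft -f "$f"
fi
```

Two caveats a practitioner would want: the rule allows only connections the whitelisted PC opens, so the FTP server has to use passive mode with its data ports inside FTP_PASV_RANGE (active FTP, where the server connects back, falls into the drop rule), and because the match is on a source address, another host on the company network that spoofs the whitelisted address is not stopped here; that has to be handled on the company switches (port security, reverse-path filtering) as the original post already anticipates.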

Many thanks already for the answers. We will take the suggestions to our client. However, I’m afraid he wants to go for an option without releasing VPN access.

The OPC UA server should indeed have certificate authentication. However, access to the PLC (in the same network) is unprotected, so as soon as we turn WAN protection off, it becomes vulnerable to the outside. Moreover, I suspect the client will want to use OPC UA without certificate authentication.

I was hoping there was an option in the ewon where we could only open specific ports to the outside and block all other traffic. However, thus far I have not found a solution for this.

If they are trying to access this OPC UA and FTP server from the WAN and not the VPN, they can just set up NAT 1:1 for that one server, with authentication for both services, and the other devices on the LAN will not be accessible.

I've set that up. However, NAT 1:1 requires setting WANItfProt : 2, meaning allow all traffic. We don't want to allow all traffic.

The following article suggests that when these settings are turned off, every device (albeit with some workaround) is accessible as long as the ewon is used as a gateway.

As our PLCs and potentially our OPC server are unprotected, this would leave them vulnerable without another layer of protection.

This allows traffic from the WAN to the LAN, but there still needs to be a route, which does not exist unless you specifically set up NAT 1:1 for a device.

The article I provided suggests that (for a Cosy 141 at least) it's possible to route traffic through the ewon without setting up a port proxy or NAT 1:1. Is this possible because it's a Cosy, or does the same apply to a Flexy?

Or am I missing some setting that allows this?

It's possible if you set up a static route on the device, and it will work on a Flexy or a Cosy.

So something malicious, which tries to reach random addresses behind all the addresses it can reach, would also be able to get through?

If your internal plant network has been compromised by something like this, then the devices behind a Cosy with that configuration may also be vulnerable, so if that is a concern you may not want to allow that traffic, and leave the default settings.

However, this risk would be mitigated if the services behind the Cosy were properly configured. “…security is integrated into all aspects of the design and implementation of OPC UA Servers and Clients