The Security Hardening Guide for the AIG-302 Series
Moxa Technical Support Team support@moxa.com

Contents

1 Introduction (p. 2)
2 General System Information (p. 2)
2.1 Basic Information About the Device (p. 2)
2.2 Physical Security Measures (p. 2)
2.3 Anti-tamper Features (p. 2)
2.4 Usage Limitations (p. 2)
2.5 Network Security (p. 2)
3 Configuration and Hardening Information (p. 3)
3.1 TCP/UDP Port Status and Suggested Settings (p. 3)
3.2 Forcing a Password Change After First Login (p. 3)
3.3 Security Dashboard (p. 4)
3.3.1 Account Settings (p. 6)
3.3.2 Application Networking (p. 7)
3.3.3 Application Resource Usage (p. 8)
3.3.4 Product Certificate Deployment (p. 9)
3.3.5 Service Setting (p. 11)
3.3.6 System Status Check (p. 13)
3.4 Account Management (p. 14)
3.4.1 Accounts (p. 14)
3.4.2 Roles (p. 15)
3.4.3 Password Policy (p. 17)

Copyright © 2024 Moxa Inc.

Released on Jun 4, 2024

About Moxa
Moxa is a leading provider of edge connectivity, industrial computing, and network infrastructure solutions for enabling connectivity for the Industrial Internet of Things. With 35 years of industry experience, Moxa has connected more than 82 million devices worldwide and has a distribution and service network that reaches customers in more than 80 countries. Moxa delivers lasting business value by empowering industry with reliable networks and sincere service for industrial communications infrastructures. Information about Moxa's solutions is available at www.moxa.com.

How to Contact Moxa

Tel: 1-714-528-6777 Fax: 1-714-528-6778

Moxa Tech Note

The Security Hardening Guide for the AIG-302 Series

1 Introduction
This document provides guidelines on how to configure and secure the AIG-302 Series. You should consider the recommendations in this document as best practices for securing the AIG-302 in most applications. It is highly recommended that you review and test the configurations thoroughly before implementing them in your production system to ensure that your applications are not negatively impacted.

2 General System Information

2.1 Basic Information About the Device

Model: AIG-302
Operating System: Linux Debian 11
Firmware: v1.0

2.2 Physical Security Measures
The AIG-302 should be safeguarded with physical security measures such as CCTV surveillance, security guards, protective barriers, locks, access control, and perimeter intrusion detection. The appropriate type of physical security should be determined based on the environment and the level of risk of physical attacks.

2.3 Anti-tamper Features
· The AIG-302 is equipped with anti-tamper labels on its enclosures, enabling the administrator to detect any tampering with the device.
· Additionally, security screws are used on the enclosures as a physical tamper-resistance measure, increasing the difficulty of accessing the internal components in the event of a physical security breach.

2.4 Usage Limitations
The AIG-302 should not be utilized to control mission-critical components. Failure to maintain control of such a device could pose threats to human safety, the environment, or lead to significant financial losses.

2.5 Network Security
· If the AIG-302 needs to be connected to an untrusted network (e.g., the Internet) through Ethernet or Wi-Fi, we recommend avoiding direct connections to that network. Set up a firewall between the Ethernet and Wi-Fi connections of the AIG-302 and the untrusted network.
· For security-critical applications, it is highly recommended to use a private APN for cellular networks.


3 Configuration and Hardening Information

3.1 TCP/UDP Port Status and Suggested Settings

For security reasons, consider disabling unused services and using a higher security level for data-communication services. Refer to the table below for recommended settings.

Process Name | Suggested Settings | Port Type | Port Number | Description | Security Remark
SSH Server | Enable | TCP | 22 | SSH console | Encrypted data channel with trusted certificate
HTTP Service | Disable | TCP | 80 | Web console | Disable HTTP service for transmissions involving plain text
HTTPS Service | Enable | TCP | 8443 | Secured web console | Encrypted data channel with trusted certificate
Discovery Service | Disable | UDP | 5353 | For communicating with Moxa utilities | Disable the service if it is not in use
Modbus TCP Server | Disable | TCP | 502 | For Modbus communication | Disable service if it is not in use
DHCP Server | Disable | UDP | 67, 68 | For assigning a system IP to DHCP clients | Disable service if it is not in use

3.2 Forcing a Password Change After First Login
For security reasons, account and password protection is enabled by default. Users must provide the correct user account and password to unlock the device to gain access to the web console of the gateway.
The default account and password are admin and admin@123 (both in lowercase letters), respectively.


After the first login, we force a password change to comply with general security policies and practices and to enhance the security of your device.

3.3 Security Dashboard
Once device provisioning is completed, you can log in to the AIG web console, go to Security Dashboard, and press Scan to check the security status of the device.

You can use the Security Dashboard results to fix security issues and enhance the security of your AIG gateway as per the following guidelines:

Category | Security Check Criteria | Threat Mitigation/handling
Account Settings | Password should be changed within the preset interval. | Go to Account Management > Accounts to change the password.
Account Settings | An account should only have one active session at any given time. | Go to Security > Session Management to monitor and manage concurrent sessions.
Account Settings | An account should not have abnormal connections (e.g., more than one session per account from different source IPs). | Go to Security > Session Management to monitor and manage concurrent sessions.
Application Networking | System should not have open network ports. | Go to Security > Firewall and check the allow list.
Application Resource Usage | IoT Edge modules should not utilize the system disk's configurable space. | Ensure the IoT Edge modules are deployed in the system storage paths /var/run/ and /tmp/.
Application Resource Usage | IoT Edge modules should not utilize the system disk's non-configurable space. | Ensure the IoT Edge modules are deployed in the system storage paths /var/run/ and /tmp/.
Application Resource Usage | IoT Edge modules should not be granted direct privileges. | To grant permissions to the IoT Edge modules, go to Cloud Connectivity > Azure IoT Edge > Module Permission, create a service account, and grant the required permissions to the IoT Edge module.
Product Certificate Deployment | Production certificate should be configured as an Azure IoT Edge downstream certificate. | For enhanced security robustness, we recommend using your own certificate instead of the default one. Go to Cloud Connectivity > Azure IoT Edge > Downstream Certificate to upload a certificate.
Product Certificate Deployment | Azure IoT Edge should not use a connection string for provisioning. | For enhanced security robustness, we recommend using a TPM or an X.509 certificate.
Product Certificate Deployment | All certificates should not expire within the next three months. | Go to Security > Certificate Center to check the status of each certificate. If you find that a certificate will expire soon or has already expired, go to Cloud Connectivity > Azure IoT Edge/Azure IoT Device/MQTT Client or Security > HTTPS to check and replace the certificates.
Product Certificate Deployment | All certificates should not have expired. | Same as above.
Service Settings | Discovery Service should not be enabled. | Go to Maintenance > Service to disable Discovery Service.
Service Settings | SSH Service should not be enabled. | Go to Maintenance > Service to disable the Debug Mode.
Service Settings | Serial Console Service should not be enabled. | Go to Security > Service to disable local console.
Service Settings | Account Lock Service should be enabled. | Go to Security > Login Lockout to enable the Login Failure Lockout option.
Service Settings | System Use Notification Service should be enabled. | Go to Security > System Use Notification to enable System Use Notification Service.
System Status Check | Product software package should be up to date. | Go to Maintenance > Software Upgrade and click Check for Upgrade to retrieve the latest upgrade pack information.
System Status Check | System backup should be performed at least once a year. | Go to Maintenance > Backup & Restore and click Manage to back up the system.


3.3.1 Account Settings
· Security Check Criteria: Password should be changed within the preset interval. Go to Account Management > Accounts to change the password. We recommend changing the password within the preset interval.

To configure a preset interval for changing the password, go to Account Management > Password Policy > Reminder Threshold.
· Security Check Criteria: An account should have only one active session at any given time.
Go to Security > Session Management to identify and manage accounts with more than one session. We recommend deleting connections that you are unaware of, especially in cases where an account has more than one active session.

· Security Check Criteria: An account should not have abnormal connections.
Go to Security > Session Management to identify and manage abnormal sessions, such as more than one session per account from different source IPs. We recommend deleting the connections of which you are not aware.
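The two session checks above (more than one active session per account, and sessions for one account from different source IPs) can be reproduced offline against an exported session list. This is an added example, not Moxa's code; the session records and their field names are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    account: str
    source_ip: str
    session_id: str


# Constructed sample sessions (not real device output), in the shape you
# would read them off Security > Session Management.
SAMPLE_SESSIONS = [
    Session("admin", "192.0.2.10", "s1"),
    Session("admin", "198.51.100.7", "s2"),   # same account, different source IP
    Session("operator", "192.0.2.20", "s3"),
    Session("operator", "192.0.2.20", "s4"),  # same account, same IP, second session
    Session("auditor", "192.0.2.30", "s5"),
]


def find_session_findings(sessions):
    """Return {account: [finding, ...]} for the two dashboard criteria:
    - more than one active session for the account
    - sessions for the account from different source IPs ("abnormal connections")
    Accounts with no findings are omitted."""
    by_account = defaultdict(list)
    for s in sessions:
        by_account[s.account].append(s)

    findings = {}
    for account, sess in by_account.items():
        issues = []
        if len(sess) > 1:
            issues.append(f"{len(sess)} concurrent sessions")
        ips = {s.source_ip for s in sess}
        if len(ips) > 1:
            issues.append("sessions from different source IPs: " + ", ".join(sorted(ips)))
        if issues:
            findings[account] = issues
    return findings


if __name__ == "__main__":
    for account, issues in find_session_findings(SAMPLE_SESSIONS).items():
        print(f"{account}: " + "; ".join(issues))
```

Sessions flagged here are candidates for deletion in Security > Session Management, as the guide recommends for connections you are not aware of.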


3.3.2 Application Networking
Security Check Criteria: System should not have open network ports.
Understanding which network ports are open is crucial for improving security, preventing vulnerabilities, safeguarding data, staying compliant, and optimizing system resources. We advise minimizing open network ports to reduce cybersecurity risks. To check for open ports in the system, navigate to Security > Firewall. If there are open ports that are not in use, we strongly recommend disabling them. For the essential open ports, we recommend adding rules to limit access.


3.3.3 Application Resource Usage
· Security Check Criteria: IoT Edge modules should not utilize system disk's configurable space.
Our recommendation is for the IoT Edge modules to be deployed only in specific system storage directories/paths such as /var/run/ and /tmp/.
· Security Check Criteria: IoT Edge modules should not utilize the system disk's non-configurable space.
Our recommendation is for the IoT Edge modules to be deployed only in specific system storage directories/paths such as /var/run/ and /tmp/.
· Security Check Criteria: IoT Edge modules should not be granted direct privileges.
Granting permissions to IoT Edge modules in a controlled manner is important for cybersecurity because it reduces the risk of unauthorized access, protects sensitive data, and ensures that each module has access only to what it needs to function properly. To grant permissions to IoT Edge modules, go to Cloud Connectivity > Azure IoT Edge > Module Permission, create a service account, and grant permission to the IoT Edge module.


3.3.4 Product Certificate Deployment
· Security Check Criteria: Production Certificate should be configured as an Azure IoT Edge downstream certificate.
For enhanced security robustness, we recommend using your own certificate instead of the default one. Go to Cloud Connectivity > Azure IoT Edge > Downstream Certificate to upload a certificate.

· Security Check Criteria: Azure IoT Edge should not use a connection string for provisioning.
We recommend an attestation method that uses a TPM or an X.509 certificate, instead of manual provisioning with a connection string. You can configure this at Cloud Connectivity > Provisioning Settings > DPS.


· Security Check Criteria: All certificates should not expire within the next three months.
You can check the status of all the certificates being used by the AIG at Security > Certificate Center. We recommend regular inspection of the status of the certificates and importing new certificates to replace the ones that are about to expire.

· Security Check Criteria: All certificates should not have expired.
You can check the status of all the certificates being used by the AIG at Security > Certificate Center. We recommend regular inspection of the status of the certificates and importing new certificates to replace the ones that are about to expire.
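The two certificate criteria above (nothing expired, nothing expiring within three months) can be checked against an exported inventory of notAfter dates. This is an added example, not Moxa's code; the certificate names and dates are constructed, and "three months" is taken as 90 days, which is an assumption of this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory (not real device data): certificate name -> notAfter
# as ISO 8601 UTC, as you might export it from Security > Certificate Center.
SAMPLE_CERTS = {
    "https-server": "2026-01-15T00:00:00+00:00",
    "azure-iot-edge-downstream": "2024-08-01T00:00:00+00:00",  # expires in under 3 months
    "mqtt-client": "2024-05-30T23:59:59+00:00",                 # already expired
}

# Assumption: "within the next three months" is evaluated as a 90-day window.
WARN_WINDOW = timedelta(days=90)

# Release date of this guide, used as the reference time for the sample run.
REFERENCE_NOW = datetime(2024, 6, 4, tzinfo=timezone.utc)


def classify_certificate(not_after_iso, now):
    """Map one certificate's notAfter value to 'expired', 'expiring-soon' or 'ok'."""
    not_after = datetime.fromisoformat(not_after_iso)
    if not_after <= now:
        return "expired"
    if not_after - now <= WARN_WINDOW:
        return "expiring-soon"
    return "ok"


def certificate_report(certs, now=None):
    """Classify every certificate in the inventory; 'now' defaults to the current UTC time."""
    now = now or datetime.now(timezone.utc)
    return {name: classify_certificate(not_after, now) for name, not_after in certs.items()}


def needs_action(certs, now=None):
    """Names of certificates that fail either dashboard criterion."""
    return sorted(name for name, status in certificate_report(certs, now).items() if status != "ok")


if __name__ == "__main__":
    for name, status in certificate_report(SAMPLE_CERTS, REFERENCE_NOW).items():
        print(f"{name}: {status}")
    print("replace:", ", ".join(needs_action(SAMPLE_CERTS, REFERENCE_NOW)))
```

Anything reported as expired or expiring-soon is what the guide tells you to replace under Cloud Connectivity > Azure IoT Edge/Azure IoT Device/MQTT Client or Security > HTTPS.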


3.3.5 Service Setting
· Security Check Criteria: Discovery Service should not be enabled. We recommend disabling the Discovery Service in the commissioning stage. Go to Maintenance > Service to disable the service.

· Security Check Criteria: SSH Service should not be enabled.
We recommend disabling the SSH Service in the commissioning stage. Go to Maintenance > Service to disable Debug Mode.

· Security Check Criteria: Serial Console Service should not be enabled.
We recommend disabling the Serial Console Service in the commissioning stage. Go to Maintenance > Service to disable the Local Console.


· Security Check Criteria: Account Lock Service should be enabled.
To thwart brute-force attacks, we recommend activating the Account Lock Service. When AIG detects multiple failed login attempts surpassing the set threshold, it will automatically lock the account for the specified duration. Go to Security > Login Lockout to enable and configure parameters for this service.

· Security Check Criteria: System Use Notification Service should be enabled.
It is important to display system usage notifications prior to the login page so users know the rules and risks involved in using the system. This helps meet legal requirements, reduces risks, and holds users accountable for their actions.
Go to Security > System Usage Notification to enable this function.


3.3.6 System Status Check
· Security Check Criteria: Product software package should be up to date.
The importance of security cannot be overstated when it comes to keeping your product software up to date. Regular updates help patch vulnerabilities, reduce the risk of cyberattacks, and protect sensitive data, safeguarding your system and users from potential security threats. Go to Maintenance > Software Upgrades to retrieve up-to-date software for your AIG.

· Security Check Criteria: System backup should be performed at least once a year.
Performing a system backup annually is important to protect your data in case of system failures, cyberattacks, or disasters. It ensures you can quickly recover your information, stay compliant with regulations, and maintain business continuity. Go to Maintenance > Backup & Restore to back up your system.


3.4 Account Management
You can maintain user accounts and assign a role with specific permissions to each account. These functions allow you to track and control the access to the device.

3.4.1 Accounts
You can View, Create, Edit, Deactivate, and Delete user accounts. In the main menu, go to Account Management > Accounts to manage user accounts.

Creating a New User Account
Click + Create to create a new user account. In the dialogue box that is displayed, fill in the fields and click SAVE.

Note

To comply with security policy and best practices, specify a strong password that is at least eight characters long, consisting of at least one number and at least one special character.


Managing Existing User Accounts
To manage an account, click on the pop-up menu icon for the account.

Function | Description
Edit | Change the role, email, or password of an existing account
Deactivate | Does not allow the user to log in to the device
Delete | Delete the user account (NOTE: This operation is irreversible.)

Note

You cannot Deactivate or Delete the last remaining account with an Administrator role. This is to prevent an unauthorized account from fully managing the system. When the system detects only one active account with the Administrator role, all items in that account's pop-up menu are grayed out.

3.4.2 Roles
You can View, Create, Edit, and Delete user roles for your AIG device here.

Click + Create to set up a new user role. Specify a unique name for the role and assign the appropriate permissions and click Save to create the role in the system.


You can edit the settings or delete an existing role by clicking on the pop-up menu icon next to the role.
When the role has been set up, it is available for selection by accounts.

3.4.3 Password Policy

Parameter | Value | Description
Min. Password Length | 8 to 256 | The minimum password length
Password Strength Policy | | To define how the AIG checks the password strength
Password Change Reminders | 10 to 360 days | Notify user to change the password
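The password rule from the note in 3.4.1 (at least eight characters, at least one number and at least one special character) and the two configurable ranges in the table above can be expressed as a small offline checker. This is an added example, not Moxa's code; the set of characters counted as "special" and the sample passwords and dates are assumptions of the example.

```python
from datetime import date, timedelta

# Assumption: the guide does not list which characters count as "special".
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def check_password(password, min_length=8):
    """Return the list of policy violations; an empty list means the password is valid.

    Rules from the guide: at least `min_length` characters (the Min. Password
    Length setting, configurable from 8 to 256), at least one number and at
    least one special character."""
    if not 8 <= min_length <= 256:
        raise ValueError("Min. Password Length must be between 8 and 256")
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character")
    return problems


def change_reminder_due(last_changed_iso, today_iso, reminder_days):
    """True when the Password Change Reminder threshold (10 to 360 days) has
    elapsed since the password was last changed. Dates are ISO 8601 strings."""
    if not 10 <= reminder_days <= 360:
        raise ValueError("Password Change Reminder must be between 10 and 360 days")
    elapsed = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return elapsed >= timedelta(days=reminder_days)


if __name__ == "__main__":
    # Constructed inputs; 2024-06-04 is the release date of this guide.
    for candidate in ("password", "admin@123", "Ab1!"):
        print(repr(candidate), "->", check_password(candidate) or "valid")
    print("reminder due:", change_reminder_due("2024-01-01", "2024-06-04", 90))
```

Note that the default password admin@123 satisfies the complexity rule, which is why the forced change after first login in section 3.2 matters and not only the strength check.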
