SEL-3620 Ethernet Security Gateway
16Pages

SEL-3620 Ethernet Security Gateway Major Features and Benefits The SEL-3620 is a router, virtual private network (VPN) endpoint, and firewall device that can perform security proxy services for serial and Ethernet-based intelligent electronic devices (IEDs). The SEL-3620 helps create a user audit trail through strong, centralized, user-based authentication and authorization to modern and legacy IEDs. The SEL-3620 secures your control system communications with a stateful deny-by-default firewall, strong cryptographic protocols, and logs for system awareness. The SEL-3620 also manages protected IED passwords, ensuring that passwords are changed regularly and conform to complexity rules for stronger security. The integrated security proxy also provides user-based single sign-on access to Ethernet and serial devices. ➤ Secure Architecture and Malware Protection. Maximize reliability with integrated exe-GUARD® whitelist antivirus and other malware protections, eliminating costly patch management and signature updates. ➤ Centralized User-Based Access to Protected IEDs. Provide strong, centralized access control and user accountability to all protected devices with Lightweight Directory Access Protocol (LDAP) or Remote Authentication Dial-In User Service (RADIUS). Simplify compliance with accurate logging. ➤ Automated Management of IED Passwords. Migrate away from shared passwords and accounts with the SEL-3620 acting as a password manager for protected devices. ➤ Security Proxy Services. Connect securely with identity based access controls to command line interfaces. ➤ Detailed Connection Reports. Receive detailed connection reports that make user activity audits a snap. ➤ Secure Ethernet Communications. Use Internet Protocol Security (IPsec), Secure Shell (SSH), and Transport Layer Security (TLS) to provide confidential communications and maintain message integrity among devices. ➤ Stateful Deny-by-Default Firewall. Prevent unauthorized traffic from entering or exiting your private network. Log all successful or blocked connections to the firewall, and receive alerts indicating the presence of unauthorized network communication attempts. ➤ Syslog. Log events for speedy alerts, consistency, compatibility, and centralized collection. For slow communications links, the SEL-3620 can throttle the number of outgoing syslog messages. ➤ Integrated Port Switch. Map one or more of the serial ports to any other serial ports, or to Ethernet TCP or UDP connections. ➤ Modbus Protocol Conversion. Convert Modbus TCP to Modbus RTU and Modbus RTU to Modbus TCP. ➤ Script Engine. Perform any sequence of command-driven tasks with a single push of a button, and restrict users to specific scripted tasks. Schweitzer Engineering Laboratories, Inc.

X.509 Certificates. Ensure strong authentication with third party validation of incoming connection requests over the IPsec VPN, Active Directory connection, or Web management interface. Online Certificate Status Protocol. Use OCSP to verify validity of X.509 certificates. Time Synchronization. Synchronize events and user activity across your system with IRIG or NTP. Virtual Local Area Networks (VLANs). Segregate traffic and improve network organization and performance. Ease of Use. Simplify configuration and maintenance with a secure web interface that allows for convenient setup and...

User-based accounts increase log granularity and make password management easy and effective. The SEL-3620 includes support for centralized authentication and authorization to simplify management of user accounts, passwords, and user privileges for all your protected devices from an active directory server. Centralized User Management The port switch integrated in the SEL-3620 allows users to create mappings for serial-to-serial, serial-to-Ethernet, Ethernet-to-serial, and Ethernet-to-Ethernet communications. Through use of these mappings you can use such different modes of communications...

Corporate Office Substation SEL-3620 SEL2411 SEL-421 Point-to-Point Serial Over Ethernet Network Figure 6 shows the SEL-3620 in a point-to-point application in which bit- and byte-based serial devices can communicate with each other across an Ethernet network. The SEL-3620 supports IPsec and SSH for encrypted and authenticated communications. This provides an easy transition from existing costly analog serial lines to Ethernet transport networks without having to upgrade remote terminal units (RTU) or communication front ends (CFE). SEL-3620 Protects Serial Over Ethernet User-Based Access...

IEDs. The combination of the script engine with this password knowledge gives the SEL-3620 the ability to manage your passwords, enforce strong passwords, and provide audit reports of password changes. Password Change Report 03/9/2011 SEL-351: Synchronize all your devices with the SEL-3620, regardless of whether these devices understand NTP or IRIG. The SEL-3620 synchronizes to and sources both IRIG-B and NTP. Time Distribution Functional Description Cryptographic Message Protection IPsec VPN initiation requires that three tasks be performed: the two peers must authenticate each other, the...

Device Authentication The SEL-3620 can use either X.509 certificates or preshared keys for authentication of another party over a network. The X.509 certificate confirms that the party at the opposite end of the tunnel is an entity with whom the SEL-3620 has approval to communicate. The SEL-3620 accepts both self-signed X.509 certificates and X.509 certificates that have been signed by a Certificate Authority (CA). The SEL-3620 uses OCSP to check the status of X.509 certificates. When the SEL-3620 receives a connection request along with a certificate signed by a CA, it will poll an OCSP...

Multiple Access Methods Users have multiple methods of accessing IEDs to provide flexibility for various types of software. SSH and Telnet provide a command line interface to protected devices through the SEL-3620. You can also map specific TCP and UDP ports to physical serial ports. Syslog The SEL-3620 uses the syslog format to log events. These logs contain several fields that indicate event severity, event origin, the type of event that occurred, and details regarding the cause of the event. Additionally, the event message contains such event tracking information as the entity that...